Screenshots

Features

Comprehensive Nmap XML Parsing

• Multiple File Support: Parse and analyze two Nmap XML output files.
• Structured Data: Converts Nmap’s XML output into a structured format for further processing.

Comparative Analysis

• Change Detection: Compare results from two Nmap scans to identify new, altered, or removed services and ports. Useful for when you scan the same IPs from different source IPs or over time.
• Excel Reporting: Automatically generates detailed Excel spreadsheets with the comparison results and some stats.

Statistical Overview And Visualization

• Network Exposure Statistics: Offers statistical analysis on detected services and open ports.
• Excel Visualizations: Includes pie charts in Excel reports for a graphical representation of the network’s security posture.

AI-Powered Insights With GPT

• GPT Report Generation: Uses OpenAI’s GPT to generate insightful analysis reports based on Nmap result stats. The tool uses a hardcoded prompt that sets the tone and requirements, then the script inserts the stats (no identifying information is provided) and if -c –context has been provided, it’ll add the context to the bottom of the prompt.
• Customizable Context: Enhance GPT analysis by providing additional context, tailoring the report to specific needs.

Usage

The script prints the help page if no args are passed, or you can access with python nmap-analysis.py -h

• Comparing Nmap Scans:

python nmap-analysis.py compare -ff (--first-nmap-file) path/to/first.xml -lf (--last-nmap-file) path/to/second.xml

• Generating a GPT Report:

python nmap-analysis.py gpt-report -gf (--gpt-nmap-file) path/to/nmap.xml -c (--context) "Your optional context here"

Installation and Setup

Prerequisites

• 3.10+ probably (created using 3.12)
• An OpenAI API key for GPT report generation that is set in local env

Secure Installation with venv

1. Clone the Repository:

git clone https://github.com/FlyingPhish/Nmap-Analysis
cd nmap-analysis-tool

2. Create a Virtual Environment:

python3 -m venv venv

3. Activate the Virtual Environment:

• On Windows:

.\venv\Scripts\activate

The post Nmap Analysis Tool – Enhancing Network Security Through Advanced Analysis And Reporting appeared first on Tech Chronicles.

Graudit: Source Code Auditing Tool

This tool involves different databases which are included within the tool which are compared with extended regular expressions (POSIX). The user has the option to add additional databases or create their own ones if needed. The databases support a huge range of languages from JavaScript to Python. Lastly, the user has the option to scan a single file or scan multiple files at the same time.

Features:

• Portable, Flexible and easy to use
• Option to add custom databases
• Ensure that source code does not have any vulnerabilities saving the user from future headaches
• Supports many different languages ensuring that whichever language you use, you will be protected with this tool
• When compared with other tools, this tool has lower technical requirments ensuring it can run on most systems

Supported Platforms:

• Linux

Requirements:

• None

Install

Clone the GitHub repo:

$ git clone https://github.com/wireghoul/graudi 

You can then symlink graudit so it is in path:

$ ln -s ~/graudit/graudit ~/bin/graudit 

Graudit Usage

Enter the following command:

$ graudit -h 

Available Options:

===========================================================
                                      .___ __  __   
          _________________  __ __  __| _/|__|/  |_ 
         / ___\_` __ \__  \ |  |  \/ __ | | \\_  __\
        / /_/  >  | \// __ \|  |  / /_/ | |  ||  |  
        \___  /|__|  (____  /____/\____ | |__||__|  
       /_____/            \/           \/           
              grep rough audit - static analysis tool
                  v2.6 written by @Wireghoul
=================================[justanotherhacker.com]===
Usage: graudit [opts] /path/to/scan

OPTIONS 
  -d  database to use or /path/to/file.db (uses default if not specified) 
  -A scan ALL files 
  -x exclude these files (comma separated list: -x *.js,*.sql) 
  -i case in-sensitive scan 
  -c  number of lines of context to display, default is 2 

  -B suppress banner 
  -L vim friendly lines 
  -b colour blind friendly template 
  -z suppress colors 
  -Z high contrast colors 

  -l lists databases available 
  -v prints version number 
  -h prints this help screen

The post Graudit: Source Code Auditing Tool appeared first on Tech Chronicles.

Features of Grype Vulnerability Scanner For Container Images & Filesystems

Scan the contents of a container image or filesystem to find known vulnerabilities and find vulnerabilities for major operating system packages in:

• Alpine
• BusyBox
• CentOS / Red Hat
• Debian
• Ubuntu

Find vulnerabilities for language-specific packages:

• Ruby (Bundler)
• Java (JARs, etc)
• JavaScript (NPM/Yarn)
• Python (Egg/Wheel)
• Python pip/requirements.txt/setup.py listings

Grype Supports Docker and OCI image formats.

Using Grype Vulnerability Scanner For Container Images & Filesystems

To scan for vulnerabilities in an image:

grype <image>

Grype can scan a variety of sources beyond those found in Docker.

The output format for Grype is configurable as well:
grype <image> -o <format>

Where the formats available are:

• json: Use this to get as much information out of Grype as possible!
• cyclonedx: An XML report conforming to the CycloneDX 1.2 specification.
• table: A columnar summary (default).

Getting started

Install the binary, and make sure that grype is available in your path. To scan for vulnerabilities in an image:

grype <image>

The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide --scope all-layers:

grype <image> --scope all-layers

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
grype path/to/image.tar

# scan a directory
grype dir:path/to/dir

Grype’s Database

Grype pulls a database of vulnerabilities derived from the publicly available Anchore Feed Service. This database is updated at the beginning of each scan, but an update can also be triggered manually.

Shell Completion

Grype supplies shell completion through its CLI implementation (cobra). Generate the completion code for your shell by running one of the following commands:

• grype completion <bash|fish>
• go run main.go completion <bash|fish>

This will output a shell script to STDOUT, which can then be used as a completion script for Grype. Running one of the above commands with the -h or --help flags will provide instructions on how to do that for your chosen shell.

You can download Grype or read more here.

The post Grype – Vulnerability Scanner For Container Images & Filesystems appeared first on Tech Chronicles.

Mapping the system’s attack surface is a practice that enables you to think about most of your assets and their value. DNS Lookup, WHOIS Lookup, etc., techniques help to map the attack surface.

Let’s get going to have a proper understanding of Attack Surface Mapping.

What is an Attack Surface?

The Attack Surface is a term that defines all the various points where an intruder might gain access to a system and access information.

These flaws are usually associated with a system’s privacy issues. A simple security measure is to make the attack surface as minimal as practicable.

What About the Attack Surface Types?

There are two kinds of attack surfaces: the digital and the physical attack surface.

Since these dual attack surfaces intersect and are linked, it is critical to protect them together. Web services, networks, networking protocols, and domain names are all part of the digital attack surface. The physical attack surface refers to the external threats against an organization, such as building windows, manufacturing services, or a flame.

Visualize an Attack Surface

As per Skybox Security’s white paper, there are three measures to grasp and visualize an attack surface.

1. To envision a company’s infrastructure by mapping out all the systems, routes, and channels.
2. To compare each indication of a weakness that reveals to its last step’s visualized chart.
3. Look for compromise measures. It is a sign that a threat is already accomplishing.

How Can You Assess Your Attack Surface?

Identifying your information system’s attack surface is a challenge that allows you to consider most of your resources and the importance they have. To build a global map, you will need to do the following:

• List down
  • DNS records, sub-domains, etc.
  • External and known servers like FTP, SSH, etc.
  • Different software as well as their variants.
• Take account of physical access to the corporation’s properties (structures, system robbery, manufacturing facility, etc.).
• Look for more networks and servers to exploit after identifying all hosts of an organization.
• Consider a standard web server; the open ports themselves (HTTP, RDP, etc.) are all sources of threat. It is crucial to map out the virtual clients operating on the server; web apps running on any of them are also an attack vector.
• Most domains have a DNS server, SMTP server, etc. While evaluating the attack surface, these would be the first reference point. Using DNS lookup and WHOIS, map out where the A records, MX records, and DNS records services get housed.

Examples

DNS Lookup

To locate the IP address of a specific domain name, use a DNS lookup method. The IP addresses in the DNS records obtained from name servers include in the outcome. Two categories to DNS lookups:

• Forward DNS lookup.

The Forward DNS lookup or basic DNS lookup is a widely use DNS method. Discovering a domain’s IP address is the forward method to DNS.

• Reverse DNS lookup.

The procedure is similar in a reverse DNS lookup, only that it begins via an IP address and ends with the domain name.

IP Netblocks

IP netblocks are sets of IP addresses that belong to a specific server. Regional Internet Registry (RIRs) allocate IP blocks to netblock users who are usually ISPs and big firms with many IP addresses.

WHOIS Lookup

Whois is a popular Internet database. It outlines who possesses a domain name, IP address, etc. Whois databases are valuable and have become an indispensable tool for ensuring the legality of the domain name registry and website management procedures. A Whois database includes all the contact details for the user, community, or organization that owns a domain name.

Mitigate Attack Surface?

Monitor the attack surface and determine the threats involved with it until you know what it is. Once the attack surface is crucial, the inventory also aids in the prioritization of the components to secure. Identifying the attack surface helps in reducing it and implement appropriate defenses. With fewer potential attack sources, defense measures get focus, resulting in increased security. A few recommendations are:

• Delete unnecessary files and documents.
• Monitor network devices and logs.
• Segment the networks.
• Strong passwords.
• Monthly awareness training for employees.
• Monitor zero-day vulnerabilities.
• Apply patches on vulnerable systems.
• Use Honeypots.

The post The Attack Surface Mapping guide for Ethical Hackers appeared first on Tech Chronicles.

It is currently has vulnerability scanning (poc) and exploiting (exp) modes. Use “-m” to select which mode to use, and the default poc mode is the default. In poc mode, it also supports “-f” batch target scanning, “-o” File output results and other main functions, Other functions Options Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.

Try to use “-a” to establish target types to reduce false positives, such as “-a solr”

Installation

The operating system must have python3, python3.7 or higher is recommended

• Installation dependency

pip3 install -r requirements.txt

• Linux & MacOS & Windows

python3 vulmap.py -u http://example.com

Options

optional arguments:
-h, –help show this help message and exit
-u URL, –url URL Target URL (e.g. -u “http://example.com”)
-f FILE, –file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f “/home/user/list.txt”)
-m MODE, –mode MODE The mode supports “poc” and “exp”, you can omit this option, and enter poc mode by default
-a APP, –app APP Specify a web app or cms (e.g. -a “weblogic”). default scan all
-c CMD, –cmd CMD Custom RCE vuln command, Other than “netstat -an” and “id” can affect program judgment. defautl is “netstat -an”
-v VULN, –vuln VULN Exploit, Specify the vuln number (e.g. -v “CVE-2020-2729”)
–list Displays a list of vulnerabilities that support scanning
–debug Debug mode echo request and responses
–delay DELAY Delay check time, default 0s
–timeout TIMEOUT Scan timeout time, default 10s
–output FILE Text mode export (e.g. -o “result.txt”)

Examples

• Test all vulnerabilities poc mode

python3 vulmap.py -u http://example.com

• For RCE vuln, use the “id” command to test the vuln, because some linux does not have the “netstat -an” command

python3 vulmap.py -u http://example.com -c “id”

• Check http://example.com for struts2 vuln

python3 vulmap.py -u http://example.com -a struts2

python3 vulmap.py -u http://example.com -m poc -a struts2

• Exploit the CVE-2019-2729 vuln of WebLogic on http://example.com:7001

python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729

python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

• Batch scan URLs in list.txt

python3 vulmap.py -f list.txt

• Export scan results to result.txt

python3 vulmap.py -u http://example.com:7001 -o result.txt

Vulnerability List

Vulmap supported vulnerabilities are as follows

+-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Apache Shiro      | CVE-2016-4437    |  Y  |  Y  | <= 1.2.4, shiro-550, rememberme deserialization rce         |
 | Apache Solr       | CVE-2017-12629   |  Y  |  Y  | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
 | Apache Solr       | CVE-2019-0193    |  Y  |  N  | < 8.2.0, dataimporthandler module remote code execution     |
 | Apache Solr       | CVE-2019-17558   |  Y  |  Y  | 5.0.0 - 8.3.1, velocity response writer rce                 |
 | Apache Struts2    | S2-005           |  Y  |  Y  | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
 | Apache Struts2    | S2-008           |  Y  |  Y  | 2.0.0 - 2.3.17, debugging interceptor rce                   |
 | Apache Struts2    | S2-009           |  Y  |  Y  | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
 | Apache Struts2    | S2-013           |  Y  |  Y  | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
 | Apache Struts2    | S2-015           |  Y  |  Y  | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
 | Apache Struts2    | S2-016           |  Y  |  Y  | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
 | Apache Struts2    | S2-029           |  Y  |  Y  | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
 | Apache Struts2    | S2-032           |  Y  |  Y  | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
 | Apache Struts2    | S2-045           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-046           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-048           |  Y  |  Y  | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
 | Apache Struts2    | S2-052           |  Y  |  Y  | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
 | Apache Struts2    | S2-057           |  Y  |  Y  | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
 | Apache Struts2    | S2-059           |  Y  |  Y  | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce           |
 | Apache Struts2    | S2-devMode       |  Y  |  Y  | 2.1.0 - 2.5.1, devmode remote code execution                |
 | Apache Tomcat     | Examples File    |  Y  |  N  | all version, /examples/servlets/servlet/SessionExample      |
 | Apache Tomcat     | CVE-2017-12615   |  Y  |  Y  | 7.0.0 - 7.0.81, put method any files upload                 |
 | Apache Tomcat     | CVE-2020-1938    |  Y  |  Y  | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
 | Drupal            | CVE-2018-7600    |  Y  |  Y  | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
 | Drupal            | CVE-2018-7602    |  Y  |  Y  | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
 | Drupal            | CVE-2019-6340    |  Y  |  Y  | < 8.6.10, drupal core restful remote code execution         |
 | Jenkins           | CVE-2017-1000353 |  Y  |  N  | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
 | Jenkins           | CVE-2018-1000861 |  Y  |  Y  | <= 2.153, LTS <= 2.138.3, remote code execution             |
 | Nexus OSS/Pro     | CVE-2019-7238    |  Y  |  Y  | 3.6.2 - 3.14.0, remote code execution vulnerability         |
 | Nexus OSS/Pro     | CVE-2020-10199   |  Y  |  Y  | 3.x  <= 3.21.1, remote code execution vulnerability         |
 | Oracle Weblogic   | CVE-2014-4210    |  Y  |  N  | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
 | Oracle Weblogic   | CVE-2017-3506    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2017-10271   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2018-2894    |  Y  |  Y  | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
 | Oracle Weblogic   | CVE-2019-2725    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2019-2729    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2020-2551    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
 | Oracle Weblogic   | CVE-2020-2555    |  Y  |  Y  | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
 | Oracle Weblogic   | CVE-2020-2883    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
 | Oracle Weblogic   | CVE-2020-14882   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
 | RedHat JBoss      | CVE-2010-0738    |  Y  |  Y  | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
 | RedHat JBoss      | CVE-2010-1428    |  Y  |  Y  | 4.2.0 - 4.3.0, web-console deserialization any files upload |
 | RedHat JBoss      | CVE-2015-7501    |  Y  |  Y  | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
 | ThinkPHP          | CVE-2019-9082    |  Y  |  Y  | < 3.2.4, thinkphp rememberme deserialization rce            |
 | ThinkPHP          | CVE-2018-20062   |  Y  |  Y  | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+

Docker

docker build -t vulmap/vulmap .
docker run –rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com

The post Vulmap : Web Vulnerability Scanning & Verification Tools appeared first on Tech Chronicles.

Features

Hacker Dashboard

• Hacker News [thehackernews.com/]
• New Exploits [Exploit-db.com]
• Hacking Tutorials Video [youtube.com]
• The Latest Prices OF Digital Currencies [Rials , Usd]

Information Gathering

• Bypass Cloud Flare
• Cms Detect
• Trace Toute
• Reverse IP
• Port Scan
• IP location Finder
• Show HTTP Header
• Find Shared DNS
• Whois
• DNS Lookup

Exploits

• Reference exploit-db.com

Social Engineering

• Get system Information with link
• Screen Captrue With Link
• Play Sound With Link

Installation On Windows

$ Download https://github.com/Ultrasecurity/DarkSide
$ cd DarkSide
$ python -m pip install -r requirments.txt
$ Download PHP V-7 in php.net AND Add To Path php.exe
$ python run.py

The post DarkSide: Tool for Information Gathering & Social Engineering appeared first on Tech Chronicles.

This powerful and simple tool can be used for everything from installing new add-ons to grabbing a WPA handshake in a matter of seconds. Plus, it’s easy to install, set up, and utilize.

Diclaimer: “Usage of this framework for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state, federal, and international laws.”

Ehtools: Entynet Hacker Tools

With 58 tools included in Ehtools and the ability to add more tools, this is a great tool for all enthusiasts. This Framwork has also combined many of these tools into a simple workflow to allow the user to use them more easily and quickly. With the automation of so many processes, the user can disable an entire network in a matter of seconds. Add to this the option of the ‘PRO’ version, and the user surely has a deadly weapon in his reach.

Features:

• More than 58 tools included within this framework.
• Automation and streamlining of processes saves valuable time of even the most experienced penetration tester
• Option to upgrade to the ‘PRO’ version
• Simple UI for easy navigation
• Ability to install tools depending on the user’s requirements.
• Range of functions from attacking wi-fi networks, remote access to website attack tools.
• Renowned tools ‘Metasploit’ and ‘Wireshark’ are included 

Supported Platforms:

• Kali Linux
• Parrot OS

Getting started

System requirements

• Ehtools Framework only supports two OS.

Ehtools Framework only supports two 
operating systems - Kali Linux and Parrot OS!

• Full root access and access to /root folder.

All ehtools files and folders will be copied to /root,
/bin and /etc system folders, to copy ehtools data to
your system Ehtools Framework needs full root access!

Ehtools installation

cd ehtools

chmod +x install.sh

./install.sh

Ehtools uninstallation

1. Start Ehtools Framework.

2. Open Ehtools Framework settings.

3. Select Uninstall Ehtools Framework.

Selecting framework version

After executing install.sh it will be ask you 
to select version of Ehtools Framework - PRO os LITE. 
Select LITE if you did not buy Ehtools Framework PRO. 
If you bought Ehtools Framework PRO, select PRO.

./install.sh

Activating PRO version

This key you can buy on the ehtools site! This key is used to activate 
ehtools PRO enter it in the input field of the activation key in the file 
install.sh and then you can install ehtools and use it only for educational 
purposes! The key works only one week then it changes! You 
should to have time to enter it before it is updated!

./install.sh

Also, we do not recommend to change the source code of ehtools because 
it is very complex and you can mess up something and disrupt the framework!

Ehtools Framework execution

To run Ehtools Framework you should 
execute the following command.

ehtools

Why Ehtools Framework

• More than 58 tools for pentesting installed by default.

More than 58 options installed by default 
you can find in ehtools, this is tools such 
as MetaSploit, Pupy and other tools!

• Password protection and config encryption.

In version 2.1.6 we added pasword protection, we added 
it for users who think that his/her friend or parents will 
turn into ehtools and will remove or destroy it. Only for this 
people we created Ehtools Framework password protection.

• UX/UI impruvements for beginners.

It uses the names you supply to connect to the tools needed to 
execute any attacks you select! Aside from that initial input, the majority 
of the possible attacks can be performed merely by choosing the option number 
from the menu. This means you can grab a network handshake or download a new 
hacking tool like Pupy by just selecting from one of the menu options!

DOWNLOAD Ehtools

Ehtools Framework disclaimer

Usage of the Ehtools Framework for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state, federal, and international laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.

The post Ehtools: Entynet Hacker Tools [Ehtools Framework] appeared first on Tech Chronicles.

This CLI framework is based on sploitkit and is an attempt to gather hacking techniques and exploits especially focused on drone hacking. For the ease of use, the interface has a layout that looks like Metasploit.

Setup

This project is available on PyPi and can be simply installed using Pip:

pip3 install dronesploit

Basics

Interface

Modules

This example shows an example of module for DroneSploit aimed to change the password or the SSID of a particular model of drone.

Setup

This project is available on PyPi and can be simply installed using Pip:

pip3 install dronesploit

1. Startup

$ python3 main.py --help
usage: ./main.py [--dev] [-h] [-v]

Main

optional arguments:
  --dev          development mode (default: False)

extra arguments:
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (default: False)

The console is started using the launcher main.py. It may ask for sudo rights as it must have the permission for setting WiFi interfaces.

$ python3 main.py
[sudo] password for user:

[...]

At startup, a banner is shown and a summary of the available modules is shown.

Some requirements can be unsatisfied at startup like in the picture above. The command show issues allows to identify how this can be fixed.

2.1 From the root console

dronesploit > help
[...]

This will display multiple sections in function of the context ;

• General commands are always displayed. Example: Getting help in DroneSploit – General commands

• Level-specific commands are displayed according to the current console. Example: Getting help in DroneSploit – Specific commands:

2.2 From the project console

dronesploit > select test
dronesploit[test] > help
[...]

Now being into the context of a project, we now see the general commands again but with the project commands as the section for level-specific commands; Example: Getting help in DroneSploit – Project-level commands:

2.3 From the module console

dronesploit[test] > use auxiliary/wifi/deauth
dronesploit[test] auxiliary(wifi/deauth) > help
[...]

Now being into the context of a module, we now see the general commands again but with the module commands as the section for level-specific commands; Example: Getting help in DroneSploit – Module-level commands:

3. Listing available modules

This can be achieved by executing the following command:

4. Enabling the WiFi monitor mode

The toggle command allows to toggle the WiFi mode for an interface. It autocompletes through the list of WiFi interfaces present on the system.

When executed, it switches between the managed and monitor modes

5. Scanning for targets

The scan command allows to quickly scan for targets (and requires a WiFi interface in monitor mode).

The targets command then allows to list the discovered targets and their characteristics.

6. Breaking into a target

Now that we have a target, we can start an attack. For this purpose, we start the appropriate attack module. Note that, in the example hereafter, the ESSID and INTERFACE options are automatically filled in with the current information.

The attack succeeded and the password is then known in the targets list.

Sadly, lots of light commercial drones have the same default password ; the password command allows to fill in the password without having to run an attack.

7. Connecting to the target

At this point, we have a password for a target, we can know connect to it using the connectcommand.

We can also connect to another target.

In the case herebefore, we call a module for which the required model of target can not be found as connected to the attack machine, therefore raising a warning. If we show the options for this module, we get several required values that are not filled in.

8. Executing a module

We can now use a module for the connected drone using the use command.

Finally, we can run the module by using the run command.

The post DroneSploit appeared first on Tech Chronicles.

nosqli was developed as an open source NoSQL scanner written in Go. It’s configurable with command line options, and runs a large number of injection attempts against targets. It’s mostly focused on Mongo injections, but does work to a lesser extent against any database that uses JavaScript.

$ nosqli
NoSQLInjector is a CLI tool for testing Datastores that 
do not depend on SQL as a query language. 

nosqli aims to be a simple automation tool for identifying and exploiting 
NoSQL Injection vectors.

Usage:
  nosqli [command]

Available Commands:
  help        Help about any command
  scan        Scan endpoint for NoSQL Injection vectors
  version     Prints the current version

Flags:
      --config string       config file (default is $HOME/.nosqli.yaml)
  -d, --data string         Specify default post data (should not include any injection strings)
  -h, --help                help for nosqli
  -p, --proxy string        Proxy requests through this proxy URL. Defaults to HTTP_PROXY environment variable.
  -r, --request string      Load in a request from a file, such as a request generated in Burp or ZAP.
  -t, --target string       target url eg. http://site.com/page?arg=1
  -u, --user-agent string   Specify a user agent

Use "nosqli [command] --help" for more information about a command.

$ nosqli scan -t http://localhost:4000/user/lookup?username=test
Running Error based scan...
Running Boolean based scan...
Found Error based NoSQL Injection:
  URL: http://localhost:4000/user/lookup?=&username=test
  param: username
  Injection: username='

Using NoSQLi

It has a simple and flexible CLI interface for scanning. You can pass in a target URL with GET parameters that need to be scanned, or a saved request with POST data. The scanner is smart enough to know if the data is JSON or form data, and will inject either way.

The configurations currently support running through a proxy (so you can view the generated traffic in Burp or similar software) and changing the user agent.

Scanning Types

NoSQLi has the most commonly found injection vectors implemented:

1. Error Scans: Look for known error strings in responses from the server.
2. Blind Boolean Injections: When the page doesn’t return errors, but does return different data when true or false is returned from the database (or when some records are retrieved vs. no records)
3. Timing based injections: When all else fails, if the database sends a delayed response after a successful injection.

 

Using NoSQLi with Requests

A key feature missing from a few previous scanners was the ability to export a request from a proxy and run the injections based on that. NoSQLi can leverage this easily, and keeps all the header information, including things like user agent.

While the tool does not yet support importing a full session log and executing tests against all requests sequentially, saving a standard HTTP request to a file and referencing that file allows repeatable tests, or extraction from other tools such as Burp.

Installing NoSQLi

The github page has all the instructions. You can build from source or download and run the appropriate executable for your system.

The post NoSQLi – A Fast NoSQL Injection Scanner appeared first on Tech Chronicles.

$ git clone https://github.com/fsociety-team/fsociety.git

$ pip install fsociety

$ docker pull fsocietyteam/fsociety
$ docker run -it fsocietyteam/fsociety fsociety

$ git clone https://github.com/fsociety-team/fsociety.git
$ pip install -e ".[dev]"

$ fsociety -h

usage: fsociety [-h] [-i] [-s]

A Penetration Testing Framework

optional arguments:
  -h, --help     show this help message and exit
  -i, --info     gets fsociety info
  -s, --suggest  suggest a tool

The post fsociety: Modular Penetration Testing Framework appeared first on Tech Chronicles.