Follow Offensive Sec 3.0 on Feedspot

Continue with Google
Continue with Facebook


Offensive Security Tool for Reconnaissance and Information Gathering.

  • DNS details
  • DNS visual mapping using DNS dumpster
  • WHOIS information
  • TLS Data - supported ciphers, TLS versions, certificate details, and SANs
  • Port Scan
  • Services and scripts scan
  • URL fuzzing and dir/file detection
  • Subdomain enumeration - uses Google Dorking, DNS dumpster queries, SAN discovery, and brute-force
  • Web application data retrieval:
    • CMS detection
    • Web server info and X-Powered-By
    • robots.txt and sitemap extraction
    • Cookie inspection
    • Extracts all fuzzable URLs
    • Discovers HTML forms
    • Retrieves all Email addresses
  • Detects known WAFs
  • Supports anonymous routing through Tor/Proxies
  • Uses asyncio for improved performance
  • Saves output to files - separates targets by folders and modules by files

Roadmap and TODOs
  • Support multiple hosts (read from the file)
  • Rate limit evasion
  • OWASP vulnerabilities scan (RFI, RCE, XSS, SQLi etc.)
  • SearchSploit lookup on results
  • IP ranges support
  • CIDR notation support
  • More output formats

A raccoon is a tool made for reconnaissance and information gathering with an emphasis on simplicity.
It will do everything from fetching DNS records, retrieving WHOIS information, obtaining TLS data, detecting WAF presence and up to threaded dir busting and subdomain enumeration. Every scan outputs to a corresponding file.
As most of Raccoon's scans are independent and do not rely on each other's results, it utilizes Python's asyncio to run most scans asynchronously.
Raccoon supports Tor/proxy for anonymous routing. It uses default wordlists (for URL fuzzing and subdomain discovery) from the amazing SecLists repository but different lists can be passed as arguments.
For more options - see "Usage".

For the latest stable version:
pip install raccoon-scanner
Or clone the GitHub repository for the latest features and changes:
git clone https://github.com/evyatarmeged/Raccoon.git
cd Raccoon
python raccoon_src/main.py

Raccoon uses Nmap to scan ports as well as utilizes some other Nmap scripts and features. It is mandatory that you have it installed before running Raccoon.
OpenSSL is also used for TLS/SSL scans and should be installed as well.

Usage: raccoon [OPTIONS]

--version Show the version and exit.
-t, --target TEXT Target to scan [required]
-d, --dns-records TEXT Comma separated DNS records to query.
Defaults to: A,MX,NS,CNAME,SOA,TXT
--tor-routing Route HTTP traffic through Tor (uses port
9050). Slows total runtime significantly
--proxy-list TEXT Path to proxy list file that would be used
for routing HTTP traffic. A proxy from the
list will be chosen at random for each
request. Slows total runtime
--proxy TEXT Proxy address to route HTTP traffic through.
Slows total runtime
-w, --wordlist TEXT Path to wordlist that would be used for URL
-T, --threads INTEGER Number of threads to use for URL
Fuzzing/Subdomain enumeration. Default: 25
--ignored-response-codes TEXT Comma separated list of HTTP status code to
ignore for fuzzing. Defaults to:
--subdomain-list TEXT Path to subdomain list file that would be
used for enumeration
-S, --scripts Run Nmap scan with -sC flag
-s, --services Run Nmap scan with -sV flag
-f, --full-scan Run Nmap scan with both -sV and -sC
-p, --port TEXT Use this port range for Nmap scan instead of
the default
--tls-port INTEGER Use this port for TLS queries. Default: 443
--skip-health-check Do not test for target host availability
-fr, --follow-redirects Follow redirects when fuzzing. Default: True
--no-url-fuzzing Do not fuzz URLs
--no-sub-enum Do not bruteforce subdomains
-q, --quiet Do not output to stdout
-o, --outdir TEXT Directory destination for scan output
--help Show this message and exit.


HTB challenge example scan:

Results folder tree after a scan:

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

It just a silly python script that either retrieves SSL Certificate based data from online sources, currently https://crt.sh/, https://certdb.com/, https://sslmate.com/certspotter/, and https://censys.io or given an IP range it will attempt to extract host information from SSL Certificates. If you want to use Censys.io you need to register for an API key.

How to install
git clone https://github.com/joda32/CertCrunchy.git
cd CertCrunchy
sudo pip3 install -r requirements.txt

How to use it?
Very simply -d to get hostnames for a specific domain
-D to get hostnames for a list of domains (just stuff it in a line-delimited text file)
-I to retrieve and parse certificates from hosts in a netblock / IP range (e.g.
-T the thread count makes stuff faster, but don't over do it
-o Output file name
-f Output format CSV or JSON, CSV is the default
for the rest, I'm still working on those :)

API keys and configs
All API keys are stored in the api_keys.py file below is a list of supported APIs requiring API keys.
  1. Censys.oi https://censys.io
  2. VirusTotal https://www.virustotal.com/en/documentation/public-api/

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) less bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It's compatible with the latest release of Kali (rolling). Fluxion's attacks' setup is mostly manual, but experimental auto-mode handles some of the attacks' setup parameters. Read the FAQ before requesting issues.
If you need quick help, fluxion is also avaible on gitter. You can talk with us on Gitter or on Discord.

Read here before you do the following steps.
Download the latest revision
git clone --recursive git@github.com:FluxionNetwork/fluxion.git
Switch to tool's directory
cd fluxion 
Run fluxion (missing dependencies will be auto-installed)
Fluxion is also available in arch
cd bin/arch
or using the blackarch repo
pacman -S fluxion

Fluxion gets weekly updates with new features, improvements, and bugfixes. Be sure to check out the changelog here.

How it works
  • Scan for a target wireless network.
  • Launch the Handshake Snooper attack.
  • Capture a handshake (necessary for password verification).
  • Launch Captive Portal attack.
  • Spawns a rogue (fake) AP, imitating the original access point.
  • Spawns a DNS server, redirecting all requests to the attacker's host running the captive portal.
  • Spawns a web server, serving the captive portal which prompts users for their WPA/WPA2 key.
  • Spawns a jammer, deauthenticating all clients from original AP and lureing them to the rogue AP.
  • All authentication attempts at the captive portal are checked against the handshake file captured earlier.
  • The attack will automatically terminate once a correct key has been submitted.
  • The key will be logged and clients will be allowed to reconnect to the target access point.
  • For a guide to the Captive Portal attack, read the Captive Portal attack guide

A Linux-based operating system. We recommend Kali Linux 2 or Kali rolling. Kali 2 & rolling support the latest aircrack-ng versions. An external wifi card is recommended.

Related work
For development I use vim and tmux. Here are my dotfiles

  1. l3op - contributor
  2. dlinkproto - contributor
  3. vk496 - developer of linset
  4. Derv82 - @Wifite/2
  5. Princeofguilty - @webpages and @buteforce
  6. Photos for wiki @http://www.kalitutorials.net
  7. Ons Ali @wallpaper
  8. PappleTec @sites
  9. MPX4132 - Fluxion V3

  • Authors do not own the logos under the /attacks/Captive Portal/sites/ directory. Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research.
  • The usage of Fluxion for attacking infrastructures without prior mutual consent could be considered an illegal activity, and is highly discouraged by its authors/developers. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.

  • Beware of sites pretending to be related with the Fluxion Project. These may be delivering malware.
  • Fluxion DOES NOT WORK on Linux Subsystem For Windows 10, because the subsystem doesn't allow access to network interfaces. Any Issue regarding the same would be Closed Immediately

Fluxion website: https://fluxionnetwork.github.io/fluxion/
Discord: https://discordapp.com/invite/G43gptk
Gitter: https://gitter.im/FluxionNetwork/Lobby

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

macSubstrate is a platform tool for interprocess code injection on macOS, with the similar function to Cydia Substrate on iOS. Using macSubstrate, you can inject your plugins (.bundle or .framework) into a mac app (including sandboxed apps) to tweak it in the runtime.
  • All you need is to get or create plugins for your target app.
  • No trouble with modification and codesign for the original target app.
  • No more work after the target app is updated.
  • Super easy to install or uninstall a plugin.
  • Loading plugins automatically whenever the target app is relaunched.
  • Providing a GUI app to make injection much easier.

  • Disable SIP
  • Why should disable SIP
    System Integrity Protection is a new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.

  1. download macSubstrate.app, put into /Applications and launch it.

  2. grant authorization if needed.
  3. install a plugin by importing or dragging into macSubstrate.

  4. launch the target app.
    step 3 and step 4 can be switched
    Once a plugin is installed by macSubstrate, it will take effect immediately. But if you want it to work whenever the target app is relaunched or macOS is restarted, you need to keep macSubstrate running and allow it to automatically launch at login.
  5. uninstall a plugin when you do not need it anymore.

macSubstrate supports plugins of .bundle or .framework, so you just need to create a valid .bundle or .framework file. The most important thing is to add a key macSubstratePlugin into the info.plist, with the dictionary value:
Key Value
TargetAppBundleID the target app's CFBundleIdentifier, this tells macSubstrate which app to inject.
Description brief description of the plugin
AuthorName author name of the plugin
AuthorEmail author email of the plugin
Please check the demo plugins demo.bundle and demo.framework for details.

Xcode Templates
macSubstrate also provides Xcode Templates to help you create plugins conveniently:
  1. ln -fhs ./macSubstratePluginTemplate ~/Library/Developer/Xcode/Templates/macSubstrate\ Plugin
  2. Launch Xcode, and there will be 2 new plugin templates for you.

  1. SIP is a new security policy on macOS, which will help to keep you away from potential security risk. Disable it means you will lose the protection from SIP.
  2. If you install a plugin from a developer, you should be responsible for the security of the plugin. If you do not trust it, please do not install it. macSubstrate will help to verify the code signature of a plugin, and I suggest you to scan it using VirusTotal. Anyway, macSubstrate is just a tool, and it is your choice to decide what plugin to install.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Kali 2018.3 brings the kernel up to version 4.17.0 and while 4.17.0 did not introduce many changes, 4.16.0 had a huge number of additions and improvements including more Spectre and Meltdown fixes, improved power management, and better GPU support.

New Tools and Tool Upgrades

Since our last release, we have added a number of new tools to the repositories, including:
  • idb – An iOS research / penetration testing tool
  • gdb-peda – Python Exploit Development Assistance for GDB
  • datasploit – OSINT Framework to perform various recon techniques
  • kerberoast – Kerberos assessment tools

In addition to these new packages, we have also upgraded a number of tools in our repos including aircrack-ng, burpsuite, openvas,wifite, and wpscan.
For the complete list of updates, fixes, and additions, please refer to the Kali Bug Tracker Changelog.

Download Kali Linux 2018.3

If you would like to check out this latest and greatest Kali release, you can find download links for ISOs and Torrents on the Kali Downloads page along with links to the Offensive Security virtual machine and ARM images, which have also been updated to 2018.3. If you already have a Kali installation you’re happy with, you can easily upgrade in place as follows.
root@kali:~# apt update && apt -y full-upgrade
If you come across any bugs in Kali, please open a report on our bug tracker. It’s more than a little challenging to fix what we don’t know about.

Making sure you are up-to-date

To double check your version, first make sure your network repositories is enabled.
root@kali:~# cat</etc/apt/sources.list
deb http://http.kali.org/kali kali-rolling main non-free contrib

Then after running apt -y full-upgrade, you may require a reboot before checking:
root@kali:~# grep VERSION /etc/os-release

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Is an open source tool to help you build a valid SSL certificate chain from the root certificate to the end-user certificate. Also can help you fix the incomplete certificate chain and download all missing CA certificates.

How To Use
It's simple:
# Clone this repository
git clone https://github.com/trimstray/sslmerge

# Go into the repository
cd sslmerge

# Install
./setup.sh install

# Run the app
sslmerge -i /data/certs -o /data/certs/chain.crt
  • symlink to bin/sslmerge is placed in /usr/local/bin
  • man page is placed in /usr/local/man/man8

Provides the following options:
sslmerge <option|long-option>

sslmerge --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt
sslmerge --in /tmp/certs --out bundle_chain_certs.crt --with-root
sslmerge -i Server.crt -o bundle_chain_certs.crt

--help show this message
--debug displays information on the screen (debug mode)
-i, --in add certificates to merge (certificate file, multiple files or directory with ssl certificates)
-o, --out saves the result (chain) to file
--with-root add root certificate to the certificate chain

How it works
Let's start with ssllabs certificate chain. They are delivered together with the sslmerge and can be found in the example/ssllabs.com directory which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).
The correct chain for the ssllabs.com domain (the result of the openssl command):
Certificate chain
0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
The above code presents a full chain consisting of:
  • Identity Certificate (Server Certificate)
    issued for ssllabs.com by Entrust Certification Authority - L1K
  • Intermediate Certificate
    issued for Entrust Certification Authority - L1K by Entrust Root Certification Authority - G2
  • Intermediate Certificate
    issued for Entrust Root Certification Authority - G2 by Entrust Root Certification Authority
  • Root Certificate (Self-Signed Certificate)
    issued for Entrust Root Certification Authority by Entrust Root Certification Authority

Scenario 1
In this scenario, we will chain all delivered certificates. Example of running the tool:

Scenario 2
In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:

Certificate chain
In order to create a valid chain, you must provide the tool with all the necessary certificates. It will be:
  • Server Certificate
  • Intermediate CAs and Root CAs
This is very important because without it you will not be able to determine the beginning and end of the chain.
However, if you look inside the generated chain after generating with sslmerge, you will not find the root certificate there. Why?
Because self-signed root certificates need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.
If you want to add a root certificate to the certificate chain, call the utility with the --with-root parameter.

Certification Paths
Sslmerge allows use of two certification paths:

Output comments
When generating the chain of certificates, sslmerge displays comments with information about certificates, including any errors.
Here is a list of all possibilities:

not found identity (end-user, server) certificate
The message is displayed in the absence of a server certificate that is the beginning of the chain. This is a unique case because in this situation the sslmerge ends its operation displaying only this information. The server certificate is the only certificate required to correctly create a chain. Without this certificate, the correct chain will not be created.

found correct identity (end-user, server) certificate
The reverse situation here - message displayed when a valid server certificate is found.

not found first intermediate certificate
This message appears when the first of the two intermediate certificates is not found. This information does not explicitly specify the absence of a second intermediate certificate and on the other hand it allows to determine whether the intermediate certificate to which the server certificate was signed exists. Additionally, it can be displayed if the second intermediate certificate has been delivered.

not found second intermediate certificate
Similar to the above, however, it concerns the second intermediate certificate. However, it is possible to create the chain correctly using the second certification path, e.g. using the first intermediate certificate and replacing the second with the main certificate.

one or more intermediate certificate not found
This message means that one or all of the required intermediate certificates are missing and displayed in the absence of the root certificate.

found 'n' correct intermediate certificate(s)
This message indicates the number of valid intermediate certificates.

not found correct root certificate
The lack of the root certificate is treated as a warning. Of course, when configuring certificates on the server side, it is not recommended to attach a root certificate, but if you create it with the sslmerge, it treats the chain as incomplete displaying information about the incorrect creation of the chain.

an empty CN field was found in one of the certificates
This message does not inform about the error and about the lack of the CN field what can happen with some certificates (look at example/google.com). Common Name field identifies the host name associated with the certificate. There is no requirement in RFC3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

Sslmerge uses external utilities to be installed before running:


See this.

Project architecture
See this.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Wordpress Hash Cracker.

git clone https://github.com/MrSqar-Ye/wpCrack.git

[#Review] Wordpress hash cracker - tool - YouTube

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Sub-domain takeover vulnerability occur when a sub-domain (subdomain.example.com) is pointing to a service (e.g: GitHub, AWS/S3,..) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com. For more information: here

# git clone https://github.com/m4ll0k/takeover.git
# cd takeover
# python takeover.py
wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python takeover.py

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

I would like to send a salve to my friend noob at Rivendel in Brazilian company hahaha
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP). Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and current GPS data (if properly configured).
After capture, the database can be tested for vulnerable router models using crackdefault.sh. It will search for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) routers.

WiFi interface in monitor mode aircrack-ng SQLite3 openssl for compilation of modules (optional) wlanhc2hcx from hcxtools
In order to log GPS coordinates of handshakes, configure your coordinate logging software to log to .loc/*.txt (the filename can be chosen as desired). Airbash will always use the output of cat "$path$loc"*.txt 2>/dev/null | awk 'NR==0; END{print}', which equals to reading all .txt files in .loc/ and picking the second line. The reason for this way of implementation is the functionality of GPSLogger, which was used on the development device.

Calculating default keys
After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.

Compiling Modules
The modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/
Credits for the code go to the authors Kevin Devine and [peter@haxx.in].
On Linux:
gcc -fomit-frame-pointer -O3 -funroll-all-loops -o modules/st modules/stkeys.c -lcrypto
gcc -O2 -o modules/upckeys modules/upc_keys.c -lcrypto
If on Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed.

Running install.sh will create the database, prepare the folder structure and create shortlinks to both scripts which can be moved to a directory that is on $PATH to allow execution from any location.
After installation, you may need to manually adjust INTERFACE on line 46 in airba.sh. This will later be determined automatically, but for now the default is set to wlan0, to allow out of the box compatibility with bcmon on Android.
./airba.sh starts the script, automatically scanning and attacking targets that are not found in the database. ./crackdefault.sh attempts to break known default key algorithms.
To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory.

Update (Linux only ... for now):
Airbash can be updated by executing update.sh. This will clone the master branch into /tmp/ and overwrite the local files.

_n: number of access points found
__c/m: represents client number and maximum number of clients found, respectively
-: access point is blacklisted
x: access point already in database
?: access point out of range (not visible to airodump anymore)

The Database
The database contains a table called hs with seven columns.
id: incrementing counter of table entries
lat and lon: GPS coordinates of the handshake (if available)
bssid: MAC address of the access point
essid: Name identifier
psk: WPA Passphrase, if known
prcsd: Flag that gets set by crackdefault.sh to prevent duplicate calculation of default keys if a custom passphrase was used.
Currently, the SQLite3 database is not password-protected.

Read for later

Articles marked as Favorite are saved for later viewing.
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview