Home » Posts filed under Python

Parsero v0.75 - Attacking Robots.txt Files

in Auditing Tool, Linux, Mac, Parsero, Python, Robots.txt, Script, Windows - on 1:16 PM - No comments

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines what directories or files hosted on a web server mustn't be indexed. For example, "Disallow: /portal/login" means that the content on www.example.com/portal/login it's not allowed to be indexed by crawlers like Google, Bing, Yahoo... This is the way the administrator have to not share sensitive or private information with the search engines.
But sometimes these paths typed in the Disallows entries are directly accessible by the users without using a search engine, just visiting the URL and the Path, and sometimes they are not available to be visited by anybody... Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.

Also, the fact the administrator write a robots.txt, it doesn't mean that the files or directories typed in the Dissallow entries will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of searching in Bing to locate content indexed without the web administrator authorization. Parsero will check the HTTP status code in the same way for each Bing result.

When you execute Parsero, you can see the HTTP status codes. For example, the codes bellow:


200 OK          The request has succeeded.
403 Forbidden   The server understood the request, but is refusing to fulfill it.
404 Not Found   The server hasn't found anything matching the Request-URI.
302 Found       The requested resource resides temporarily under a different URI.
...

Usage


$ python3 parsero.py -h

usage: parsero.py [-h] [-u URL] [-o] [-sb]

optional arguments:
-h, --help  show this help message and exit
-u URL      Type the URL which will be analyzed
-o          Show only the "HTTP 200" status code
-sb         Search in Bing indexed Disallows

Download Parsero v0.75

Cuckoo Sandbox v1.1 - Automated Malware Analysis

in Cuckoo, Cuckoo Sandbox, Detect Malware, Linux, Malware Analysis, Python, Windows - on 8:57 PM - No comments

Cuckoo Sandbox is a malware analysis system. It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Cuckoo generates a handful of different raw data which include:

Native functions and Windows API calls traces
Copies of files created and deleted from the filesystem
Dump of the memory of the selected process
Full memory dump of the analysis machine
Screenshots of the desktop during the execution of the malware analysis
Network dump generated by the machine used for the analysis

In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:

JSON report
HTML report
MAEC report
MongoDB interface
HPFeeds interface

Even more interestingly, thanks to Cuckoo’s extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.

Changelog v1.1

Added imphash to static PE analysis
Added search for URLs in the web interface
Added search for PE Imphash in the web interface
Added possibility in web interface to queue to all machines
Added filtering by behavior category in Django web interface
Added analyzer log to Django web interface
Added REST API to retrieve screenshots associated with a task
Added REST API to retrieve the PCAP associated with a task
Added database migration utility
Added remote submission to submit.py utility
Added small stats utility (utils/stats.py)
Added analysis package for PowerShell scripts
Added overlay configuration for signatures (data/signatures_overlay.json)
Fixed bug in MAEC report
Fixed package selection for Office documents and CPL scripts
Fixed issue with tcpdump filters
Fixed unhandled exception when uploading files to the analysis machines
Fixed issues in CuckooMon that resulted in Internet Explorer crashes
Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
Fixed bug in behavior processing module that resulted in a trailing backslash in summary’s registry keys

Download Cuckoo Sandbox v1.1

Pyrasite - Inject arbitrary code into a running Python process

in EN, Inject Arbitrary Code, Linux, Mac, Pyrasite, Python, Python process, Windows - on 11:35 AM - No comments

Pyrasite is a library and a set of tools for injecting code into running Python programs.

usage: pyrasite [-h] [--gdb-prefix GDB_PREFIX] [--verbose] pid [filename]

pyrasite - inject code into a running python process

positional arguments:
  pid                   The ID of the process to inject code into
  filename              The second argument must be a filename

optional arguments:
  -h, --help            show this help message and exit
  --gdb-prefix GDB_PREFIX
                        GDB prefix (if specified during installation)
  --verbose             Verbose mode

For updates, visit https://github.com/lmacken/pyrasite

Download Pyrasite

WebPwn3r - Web Applications Security Scanner

in EN, Linux, Mac, Python, Scanner, Security Scanner, WebPwn3r, Windows - on 5:31 PM - No comments

WebPwn3r is a Web Applications Security Scanner coded in Python to help Security Researchers to scan Multiple links in the same time against Remote Code/Command Execution & XSS Vulnerabilities.

You can extract the URL’s from Burp Suite and save it in list.txt then pass it to WebPwn3r.

You can also use your own crowler to gather URL’s for a certain domain or a random domains, and save it in list.txt then pass it to WebPwn3r.

WebPwn3r got below Features:

1- Scan a URL or List of URL’s

2- Detect and Exploit Remote Code Injection Vulnerabilities.

3- ~ ~ ~ Remote Command Execution Vulnerabilities.

4- ~ ~ ~ Typical XSS Vulnerabilities.

5- Detect WebKnight WAF.

6- Improved Payloads to bypass Security Filters/WAF’s.

7- Finger-Print the backend Technologies.

Download WebPwn3r

Pyew - A Python tool for static malware analysis

in EN, Linux, Mac, Malware Analysis, Pyew, Python, Windows - on 9:36 AM - No comments

Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.

Pyew have been successfully used in big malware analysis systems since almost 2 years, processing thousand of files daily.

Download Pyew

HULK - Web Server DoS Tool

in Cygwin, DoS, DoS Tool, EN, HULK, Linux, Python, Windows - on 5:17 PM - No comments

HULK is a web server denial of service tool (DDoS Tool) written for research purposes. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server's direct resource pool.

The Hulk Web server is a brainchild of Barry Shteiman. This DDoS attack tool distinguishes itself from many of the other tools out in the wild. According to its creator, the Hulk Web server was born of his conclusion that most available DDoS attack tools produced predictable repeated patterns that could easily be mitigated. The principle behind the Hulk Web server is that a unique pattern is generated at each and every request, with the intention of increasing the load on the servers as well as evading any intrusion detection and prevention systems.

Some Techniques

Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
Reference Forgery – the referer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
Stickiness – using some standard Http command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
no-cache – this is a given, but by asking the HTTP server for no-cache , a server that is not behind a dedicated caching service will present a unique page.
Unique Transformation of URL – to eliminate caching and other optimization tools, I crafted custom parameter names and values and they are randomized and attached to each request, rendering it to be Unique, causing the server to process the response on each event.

Download Hulk

Collection of Heartbleed Tools (OpenSSL CVE-2014-0160)

in Bug, Exploit, Heartbleed, Heartbleeder, HoneyPot, Mass Scanner, Metasploit, Metasploit Framework, Nmap NSE script, OpenSSL, Python, SSL - on 5:55 PM - No comments

A checker (site and tool) for CVE-2014-0160: https://github.com/FiloSottile/Heartbleed
ssltest.py: Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford http://pastebin.com/WmxzjkXJ
SSL Server Test https://www.ssllabs.com/ssltest/index.html
Metasploit Module: https://github.com/rapid7/metasploit-framework/pull/3206/files
Nmap NSE script: Detects whether a server is vulnerable to the OpenSSL Heartbleed: https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
Nmap NSE script: Quick'n'Dirty OpenVAS nasl wrapper for ssl_heartbleed based on ssl_cert_expiry.nas https://gist.github.com/RealRancor/10140249
Heartbleeder: Tests your servers for OpenSSL: https://github.com/titanous/heartbleeder?files=1
Heartbleed Attack POC and Mass Scanner: https://bitbucket.org/fb1h2s/cve-2014-0160
Heartbleed Honeypot Script: http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt

Pompem - Exploit Finder

in 1337day, EN, Exploit, Exploit Finder, Exploit-db, Linux, Mac, Packetstorm Security, Pompem, Python, Windows - on 10:54 AM - No comments

Pompem is an open source tool, which is designed to automate the search for exploits in major databases. Developed in Python, has a system of advanced search, thus facilitating the work of pentesters and ethical hackers. In its current version, performs searches in databases: Exploit-db, 1337day, Packetstorm Security...

Usage

To get the list of basic options and information about the project:

python pompem.py -h

Examples of use:

python pompem.py -s Wordpress
python pompem.py -s Joomla --html
python pompem.py -s "Internet Explorer,joomla,wordpress" --html
python pompem.py -s FortiGate --txt
python pompem.py -s ssh,ftp,mysql
python pompem.py --update

Download Pompem

SEES (Social Enginnering Email Sender) - A Social Engineering Attack/Audit Tool for Spear Phishing

in Linux, Python, SEES, Social Enginnering Email Sender, Spear Phishing, The Social-Engineer Toolkit, Windows - on 1:52 PM - No comments

What is SEES?

Most of the companies nowadays have their firewalls, threat monitoring and prevention security appliances setup. With these mechanisms in place, security precautions are taken and incidents are monitored. Inbound traffic being restricted, SEES on the other hand is developed for sending targeted phishing emails in order to carry sophisticated social engineering attacks/audits.

SEES aims to increase the success rate of phishing attacks by sending emails to company users as if they are coming from the very same company’s domain. The attacks become much more sophisticated if an attacker is able to send an email, which is coming from ceo@example.org email address, to a company with domain example.org.

Download SEES

MITMer - Automated Man-In-The-Middle Attack Tool

in EN, Linux, Mac, Man-in-the-Middle, Man-in-the-Middle Attack Framework, MITMer, Python, Windows - on 1:15 PM - No comments

MITMer is a man-in-the-middle and phishing attack tool that steals the victim’s credentials of some web services like Facebook.

Dependencies:

python2
scapy
python2-nfqueue

How to:

Run it as root.
```
sudo python2 mitmer.py
```
Select a network interface.
After scanning the network for available hosts, choose one as a victim or enter an IP address manually.
Select one of the attack profiles or custom.
If custom is selected, type the domain(s) you want in the “Query request” field, and type the domain (or IP address) of the server that the victim should be redirected to in the “Query reply” field.
Start the attack and wait.

Download MITMer

[Peepdf] PDF Analysis and Creation/Modification Tool

in EN, Linux, Mac, PDF, PDF Analyzer, Peepdf, Python, Windows - on 4:57 PM - No comments

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it's able to create new PDF files and to modify/obfuscate existent ones.

The main functionalities of peepdf are the following:

Analysis:

Decodings: hexadecimal, octal, name objects
More used filters
References in objects and where an object is referenced
Strings search (including streams)
Physical structure (offsets)
Logical tree structure
Metadata
Modifications between versions (changelog)
Compressed objects (object streams)
Analysis and modification of Javascript (PyV8): unescape, replace, join
Shellcode analysis (Libemu python wrapper, pylibemu)
Variables (set command)
Extraction of old versions of the document
Easy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>)
Checking hashes on VirusTotal

Creation/Modification:

Basic PDF creation
Creation of PDF with Javascript executed wen the document is opened
Creation of object streams to compress objects
Embedded PDFs
Strings and names obfuscation
Malformed PDF output: without endobj, garbage in the header, bad header...
Filters modification
Objects modification

Execution modes:

Simple command line execution
Powerful interactive console (colorized or not)
Batch mode

TODO:

Embedded PDFs analysis
Improving automatic Javascript analysis
GUI

Download Peepdf

[wig] WebApp Information Gatherer (Identify CMS)

in Identify CMS, Information Gatherer, Linux, Mac, Python, WebApp, wig, Windows - on 5:24 PM - No comments

wig is a Python tool that identifies a websites CMS by searching for fingerprints of static files and extracting version numbers from known files.

OS identification is done by using the value of the ‘server’ and ‘X-Powered-By’ in the response header. These values are compared to a database of which package versions are include with different operating systems.

The version detection is based on md5 checksums of statics files, regex and string matching. OS detection is based on headers and packages listed in the ‘server’ header. There’s a quite large database of package versions included in common linux distros.

The author uses scripts to automatically update the md5 checksums for new versions of open source CMS the the tool is capable to detecting. This one of the main advantages over BlindElephant and WhatWeb.

There are currently three profiles for wig:

Only send one request: wig only sends a request for ‘/’. All fingerprints matching this url are tested.
Only send one request per plugin: The url used in most fingerprints is used
All fingerprints: All fingerprints are tested

Help screen:

# wig.py --help
usage: wig.py [-h] [-v] [-p {1,2,4}] host

WebApp Information Gatherer

positional arguments:
  host        the host name of the target

optional arguments:
  -h, --help  show this help message and exit
  -v          list all the urls where matches have been found
  -p {1,2,4}  select a profile: 1) Make only one request - 2) Make one request
              per plugin - 4) All

Example of run:

# python3 wig.py www.example.com

CMS                  Drupal CMS: [7.25, 7.24, 7.26, 7.23, 7.22]
Operating System     Microsoft Windows Server: [2008 R2]
Server Info          Microsoft-IIS: [7.5, 6.0]
______________________________________________________________
Time: 18.0 sec | Plugins: 65 | Urls: 324 | Fingerprints: 14178

Download wig

[BlindElephant] Web Application Fingerprinter

in BlindElephant, EN, Linux, Mac, Python, Web Application Fingerprinter, Windows - on 4:06 PM - No comments

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases.

The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Getting Started

BlindElephant can be used directly as a tool on the command line, or as a library to provide fingerprinting functionality to another program.

Pre-requisites:

Python 2.6.x (prefer 2.6.5); users of earlier versions may have difficulty installing or running BlindElephant.

Download BlindElephant

[EyeWitness] A Rapid Web Application Triage Tool

in EN, EyeWitness, Linux, Python, Triage Tool - on 12:03 PM - No comments

EyeWitness is a rapid web application triage tool designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

The author would love for EyeWitness to identify more default credentials of various web applications. So as you find devices which utilizes default credentials, please e-mail him the source code of the index page and the default credentials so he can add it in to EyeWitness. You can e-mail to EyeWitness [@] christophertruncer [dot] com.

Inspiration came from Tim Tomes’s PeepingTom Script. The author just wanted to change some things, and then it became a thought exercise to write it again himself.

EyeWitness is designed to run on Kali Linux. It will auto detect the file you give it with the -f flag as either being a text file with URLs on each new line, nmap xml output, or nessus xml output. The -t (timeout) flag is completely optional, and lets you provice the max time to wait when trying to render and screenshot a web page. The –open flag, which is optional, will open the URL in a new tab within iceweasel.

Setup
Navigate into the setup directory and run the setup.sh script.

Usage

./EyeWitness.py -f filename -t optionaltimeout --open (Optional)

Examples

./EyeWitness -f urls.txt
./EyeWitness -f urls.xml -t 8 --open

Download EyeWitness

[GoldenEye v2.1] DoS Tool

in DoS, DoS Tool, EN, GoldenEye, Linux, Mac, Python, Windows - on 9:18 AM - No comments

GoldenEye is a HTTP/S Layer 7 Denial-of-Service Testing Tool. It uses KeepAlive (and Connection: keep-alive) paired with Cache-Control options to persist socket connection busting through caching (when possible) until it consumes all available sockets on the HTTP/S server.

Changelog v2.1

2014-02-20 Added randomly created user agents (still RFC compliant).
2014-02-19 Removed silly referers and user agents. Improved randomness of referers. Added external user-agent list support.

Usage

USAGE: ./goldeneye.py <url> [OPTIONS]

OPTIONS:
 Flag Description Default
 -u, --useragents File with user-agents to use (default: randomly generated)
 -w, --workers Number of concurrent workers (default: 50)
 -s, --sockets Number of concurrent sockets (default: 30)
 -m, --method HTTP Method to use 'get' or 'post' or 'random' (default: get)
 -d, --debug Enable Debug Mode [more verbose output] (default: False)
 -h, --help Shows this help

Download GoldenEye v2.1

[Parsero] Robots.txt audit tool

in Auditing Tool, EN, Linux, Mac, Parsero, Python, Robots.txt, Script, Windows - on 11:59 AM - No comments

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries are the URL path of directories or files hosted on a web server which the administrators don't want to be indexed by the crawlers. For example, "Disallow: /portal/login" don't allow to www.example.com/portal/login be indexed by the search engines like Google, Bing, Yahoo... so nobody can locate it when searching on them.

Sometimes these paths typed in the Disallows entries are directly accessible by the users (without using a search engine) just visiting the URL and the Path and sometimes they are not available to be visited by anybody... Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.

When you execute Parsero, you can see the HTTP status codes. For example, the codes bellow:

200 OK          The request has succeeded.
403 Forbidden   The server understood the request, but is refusing to fulfill it.
404 Not Found   The server hasn't found anything matching the Request-URI.
302 Found       The requested resource resides temporarily under a different URI.
...

Also, that the administrator write a robots.txt, it doesn't mean that the files or direcotories typed in this file will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of searching in Bing to locate content indexed whithout the web administrator authorization.

Download Parsero

[Maltrieve] A tool to retrieve malware directly from the source for security researchers

in CleanMX, EN, Linux, Mac, Malc0de, Maltrieve, Malware Black List, Malware Domain List, Python, URLqery, VX Vault, Windows - on 1:07 PM - No comments

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including:

These lists will be implemented if/when they return to activity.

NovCon Minotaur

Other improvements include:

Proxy support
Multithreading for improved performance
Logging of source URLs
Multiple user agent support
Better error handling
VxCage and Cuckoo Sandbox support

Dependencies

Python 2 (2.6 should be sufficient)
BeautifulSoup version 4
lxml

Download Maltrieve

[FBHT v2.0] Facebook Hacking Tool

in Facebook, Facebook Hacking Tool, FBHT, Linux, Mac, Phishing, Python, Windows - on 3:38 PM - No comments

FBHT (Facebook Hacking Tool) is an open-source tool written in Python that exploits multiple vulnerabilities on the Facebook platform

The tool provides:

Tests account handling (Create, Delete, Friend, Accept)
Youtube videos phishing
Facebook links preview modification
Friends list privacy bypass
Graph support
Facebook links preview modification
More...

Download FBHT v2.0

[Wireless IDS] Ability to detect suspicious activity such as (WEP/WPA/WPS) attack by sniffing the air for wireless packets

in EN, Intrusion Detection System, Linux, Python, WEP/WPA/WPS, WINDS, Wireless IDS - on 8:06 AM - No comments

Wireless IDS is an open source tool written in Python and work on Linux environment. This tool will sniff your surrounding air traffic for suspicious activities such as WEP/WPA/WPS attacking packets. It do the following

Detect mass deauthentication sent to client / access point which unreasonable amount indicate possible WPA attack for handshakes.
Continual sending data to access point using broadcast MAC address which indicate a possibility of WEP attacks
Unreasonable amount of communication between wireless client and access point using EAP authentication which indicate the possibility of WPS bruteforce attack by Reaver / WPSCrack
Detection of changes in connection to anther access point which may have the possibility of connection to Rogue AP (User needs to assess the situation whether similar AP name)

Download Wireless IDS

[ZynOS-Attacker] (TP-LINK TD-W8951ND Router) Tool for automated attack on a range of IP

in EN, Linux, Mac, Python, TD-W8951ND, TP-LINK, Windows, ZynOS, ZynOS-Attacker - on 3:40 PM - No comments

With these scripts you can attack ZynOS routers and modify/extract anything you want on the target router from extracting ISP username and password to injecting rogue DNS servers IPs.

Download ZynOS-Attacker

The Exploiting Tools