Browsing category

Hack Tools

StaCoAn – Open Source Static Code Analyser

StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing static code analysis on mobile applications. This tool will look for interesting lines in the code which can contain: hardcoded credentials, API keys, URLs of APIs, decryption keys, and major coding mistakes. This tool was created with a big focus on usability and graphical guidance in […]

LanGhost – A LAN dropbox chatbot controllable via Telegram

Telegram chatbot to control a LAN network. Installation: You will need a Raspberry Pi with fresh Raspbian/Kali on the SD card, because you don’t want anything else running in the background. Boot up the Pi, get an SSH shell or connect a monitor and a keyboard and enter these commands: $ sudo apt update && sudo […]

Bloodhound – Six Degrees of Domain Admin

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Active Directory domain privilege escalation is a […]

Bettercap – Extensible MITM Framework

Bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack. Does a complete, modular, portable and easy to extend MITM tool actually exist? If your answer is “ettercap”, let me tell […]

Trojanizer – Trojanize your Payloads

The Trojanizer tool uses WinRAR (SFX) to compress the two files input by the user, and transforms them into an SFX executable (.exe) archive. When executed, the SFX archive will run both files (our payload and the legit app at the same time). To make the archive less suspicious to target at execution time, trojanizer will […]

Proxenet – Hacker Friendly Proxy for Web Application Pentests

Proxenet is a hacker-friendly DIY web proxy for pentesters. It is a C-based proxy that allows you to interact with higher-level languages (like Python, Ruby, Java, etc.) for modifying, on the fly, requests/responses sent by your Web browser. It allows you to make fine-grained plugins to manipulate HTTP requests and/or responses in the language of […]

SQLiPy – A SQLMap Plugin for Burp Suite

SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API. SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan. Requirements: Jython 2.7 beta, due to the use of […]

Yasuo – Tool For Detecting Vulnerable & Exploitable 3rd-party Web Applications

Yasuo is a Ruby script that scans for vulnerable 3rd-party web applications. There are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc. Yasuo is built […]

In-Spectre-Meltdown – Tool to Check Speculative Execution Side-Channel Attacks

This tool checks for speculative execution side-channel attacks that affect many modern processors and operating system designs. CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre) allow unprivileged processes to steal secrets from privileged processes. These attacks present 3 different ways of attacking data protection measures on CPUs, enabling attackers to read data they shouldn’t be able to. […]

ShellCheck – Static Analysis Tool for Shell Scripts

ShellCheck is a static analysis tool that gives warnings and suggestions for bash/sh shell scripts. How to use ShellCheck: There are a number of ways to use ShellCheck. On the web: Paste a shell script on https://www.shellcheck.net for instant feedback. ShellCheck.net is always synchronized to the latest git commit, and is the easiest way to give […]

Commix – Automated Command Injection and Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool that you can use to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP […]

Fsociety Hacking Tools Pack

Fsociety contains all tools used in the Mr Robot series, compiled into an easy-to-use pentesting framework. Fsociety menu: Information Gathering, Password Attacks, Wireless Testing, Exploitation Tools, Sniffing & Spoofing, Web Hacking, Private Web Hacking, Post Exploitation, INSTALL & UPDATE. Information Gathering: Nmap, Setoolkit, Port Scanning, Host To IP, wordpress user, CMS scanner […]

Autorize – A Burp Suite Extension For Detecting Authorization Vulnerabilities

Autorize is an automatic authorization enforcement detection extension for Burp Suite. It helps you detect authorization vulnerabilities. It is sufficient to give the extension the cookies of a low-privileged user and navigate the website with a high-privileged user. The extension automatically repeats every request with the session of the low-privileged user and […]

Kadimus – LFI Scan & Exploit Tool

Kadimus is a tool that allows you to detect and exploit the Local File Inclusion (LFI) vulnerability in sites. Features: Check all URL parameters; /var/log/auth.log RCE; /proc/self/environ RCE; php://input RCE; data://text RCE; Source code disclosure; Multi thread scanner; Command shell interface through HTTP Request; Proxy support (socks4://, socks4a://, socks5://, socks5h:// and http://); Proxy socks5 support […]

Bluepot – Bluetooth Honeypot

Bluepot was a third-year university project attempting to implement a fully functional Bluetooth honeypot: a piece of software designed to accept and store any malware sent to it and interact with common Bluetooth attacks such as “BlueBugging” and “BlueSnarfing”. The system also allows monitoring of attacks via a graphical user interface that provides graphs, […]

OWASP ZAP 2.7.0 – Penetration Testing Tool for Testing Web Applications

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use […]

Invoke-Phant0m – Windows Event Log Killer

Phant0m is a PowerShell script that targets the Windows Event Log Service in the Windows operating system, because most traces of a possible attack remain in the operating system logs. If we are targeting the Event Log Service, first of all, let’s remember how services work on the Windows operating system. When you look at the task manager, […]

Hacker’s Favorite Tool: Mimikatz 2.1.1 Released

Mimikatz is a post-exploitation tool written by Benjamin Delpy (gentilkiwi). It’s now well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets. It comes in two flavors: x64 or Win32, depending on your Windows version (32/64 bits). The Win32 flavor cannot access 64-bit process memory (like lsass) […]

PhEmail – Open Source E-mail Phishing Tool

PhEmail is a Python-based email phishing tool that automates the process of sending phishing emails as part of a social engineering test. The main purpose of PhEmail is to send a bunch of phishing emails and prove who clicked on them without attempting to exploit the web browser or email client but collecting as […]