About 0x1

  • Rank
    LeVeL23 HacKerS TeaM
  • Birthday 03/03/1900


  1. 0x1

    Xerxes Ddos Tool

    Xerxes dos tool enhanced with many features for stress testing.

    Features
    Xerxes has many features, some of which are:
      - TLS Support
      - HTTP header randomization
      - Useragent randomization
      - Multiprocessing support
      - Multiple Attack vectors
      - etc...
    Not only that, but we are also aggressively developing it and adding a lot more features and functionalities.

    Code Source & More info
    [Hidden Content]
  2. 0x1


    h2t - HTTP Hardening Tool

    Description
    h2t is a simple tool to help sysadmins harden their websites. Until now h2t checks the website headers and recommends how to make them better.

    Dependencies
    Python 3, colorama, requests

    Install
    [Hidden Content]

    Usage
    h2t has subcommands: list and scan.

        ./h2t.py -h
        usage: h2t.py [-h] {list,l,scan,s} ...

        h2t - HTTP Hardening Tool

        positional arguments:
          {list,l,scan,s}  sub-command help
            list (l)       show a list of available headers in h2t catalog (that can be used in scan subcommand -H option)
            scan (s)       scan url to hardening headers

        optional arguments:
          -h, --help       show this help message and exit

    List Subcommand
    The list subcommand lists all headers cataloged in h2t and can show information about them, such as a description, links for more information and how-tos.

        ./h2t.py list -h
        usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B] [-a | -H HEADERS [HEADERS ...]]

        optional arguments:
          -h, --help            show this help message and exit
          -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                                a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
          -B, --no-banner       don't print the h2t banner
          -a, --all             list all available headers [default]
          -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                                a list of headers to look for in the h2t catalog

    Scan Subcommand
    The scan subcommand performs a scan of a website looking for its headers.

        ./h2t.py scan -h
        usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]] [-p PRINT [PRINT ...]] [-i IGNORE_HEADERS [IGNORE_HEADERS ...]] [-B] [-E] [-n] [-u USER_AGENT] [-r | -s] url

        positional arguments:
          url                   url to look for

        optional arguments:
          -h, --help            show this help message and exit
          -v, --verbose         increase output verbosity: -v print response headers, -vv print response and request headers
          -a, --all             scan all cataloged headers [default]
          -g, --good            scan good headers only
          -b, --bad             scan bad headers only
          -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                                scan only these headers (see available in list sub-command)
          -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                                a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
          -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]
                                a list of headers to ignore in the results
          -B, --no-banner       don't print the h2t banner
          -E, --no-explanation  don't print the h2t output explanation
          -o {normal,csv,json}, --output {normal,csv,json}
                                choose which output format to use (available: normal, csv, json)
          -n, --no-redirect     don't follow http redirects
          -u USER_AGENT, --user-agent USER_AGENT
                                set user agent to scan request
          -k, --insecure        don't verify SSL certificate as valid
          -r, --recommendation  output only recommendations [default]
          -s, --status          output actual status (eg: existent headers only)

    Output
    For now the output is only in normal mode. Understand it as follows:
      [+] Red headers are bad headers that open a breach on your website or may show a lot of information. We recommend fixing them.
      [+] Yellow headers are good headers that are not applied on your website. We recommend applying them.
      [-] Green headers are good headers that are already used on your website. They are shown when the -s flag is used.

    Example:
        Cookie HTTP Only would be good to be applied
        Cookie over SSL/TLS would be good to be applied
        Server header would be good to be removed
        Referrer-Policy would be good to be applied
        X-Frame-Options is already in use, nothing to do here
        X-XSS-Protection is already in use, nothing to do here

    Screenshots
    List h2t catalog, Scan from file, Scan url, Scan verbose, Headers information

    Source & Download
    [Hidden Content]
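    The three-colour classification the post describes (bad header present, good header missing, good header already in use, plus the two cookie attribute checks) can be reproduced offline on a captured response. The following is an added example and not h2t's own code: the header catalogue, the `Finding` type, the `scan`/`report` functions and the `SAMPLE_RESPONSE` are all constructed here, and `status_only` stands in for the `-s` flag.

```python
"""Added example (not h2t's own code): classify an HTTP response's headers the way a
hardening scan reports them. The header catalogue, the cookie checks and the sample
response below are constructed for this example."""
from dataclasses import dataclass

# Hardening headers a site should send (constructed catalogue, not h2t's catalog).
GOOD_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security",
    "content-security-policy": "Content-Security-Policy",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "referrer-policy": "Referrer-Policy",
}
# Headers that only reveal implementation details and should be removed.
BAD_HEADERS = {
    "server": "Server",
    "x-powered-by": "X-Powered-By",
    "x-aspnet-version": "X-AspNet-Version",
}


@dataclass
class Finding:
    severity: str  # "red": bad header present, "yellow": good header missing, "green": good header present
    header: str
    advice: str


def normalize(headers):
    """Lower-case header names and keep every value of repeated headers (e.g. several Set-Cookie)."""
    out = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out


def cookie_findings(cookies):
    """Flag Set-Cookie values missing the HttpOnly or Secure attribute."""
    findings = []
    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(Finding("yellow", "Cookie HTTP Only", f"cookie '{name}' lacks HttpOnly"))
        if "secure" not in attrs:
            findings.append(Finding("yellow", "Cookie over SSL/TLS", f"cookie '{name}' lacks Secure"))
    return findings


def scan(headers, status_only=False):
    """Return findings for a list of (name, value) response headers.

    status_only mirrors an '-s' style flag: also report good headers that are already present."""
    present = normalize(headers)
    findings = []
    for key, display in BAD_HEADERS.items():
        if key in present:
            findings.append(Finding("red", display, f"{display} header would be good to be removed"))
    for key, display in GOOD_HEADERS.items():
        if key not in present:
            findings.append(Finding("yellow", display, f"{display} would be good to be applied"))
        elif status_only:
            findings.append(Finding("green", display, f"{display} is already in use, nothing to do here"))
    findings.extend(cookie_findings(present.get("set-cookie", [])))
    return findings


# Constructed sample response: leaks the server banner, sets a cookie without Secure,
# and sends only one of the hardening headers.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "nginx/1.14.0"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]


def report(findings):
    """Render findings in the three-colour style, one line each."""
    marks = {"red": "[+]", "yellow": "[+]", "green": "[-]"}
    return "\n".join(f"{marks[f.severity]} {f.severity:6} {f.advice}" for f in findings)


if __name__ == "__main__":
    print(report(scan(SAMPLE_RESPONSE, status_only=True)))
```

    Header names are compared case-insensitively and repeated headers are kept as lists, because a response can legitimately carry several Set-Cookie lines and each one needs its own HttpOnly/Secure verdict.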
  3. 0x1


    @yoyohoneysinger Read Rules: posting download links to infected files will result in you being banned.
    Analysis: bound with a keylogger at "C:\Users\-\AppData\Roaming\HVUCTD\YMJ.exe" and has anti-analysis checks for Wireshark, OllyDbg and Sandboxie.
  4. 0x1

    Dork Generator By X-SLAYER

    Read Rules
    POST THANKS = BANNED
    If you want to thank a user for their contribution please use the "Thanks Button", otherwise it spams the thread. If you do this your post will be deleted. Users who continue to do this will be banned.
  5. 0x1


    Post moved from the Tools Yard [RSS] section to Hacking Tools, and fixed the title, which was too long.
  6. 0x1

    Acunetix 12 Cracked

    Analysis: bound with BUILD_2019-02-22_12-39.EXE > copies code to hxxp:// > creates a service from "C:\ProgramData\Microsofts HeIp\wsus.exe"
  7. 0x1

    GMT2 (Gram Multitool) 0.9.9 Cracked

    You need to click Thanks or Like to see the Hidden Content, and the link works well.
  8. 0x1

    Specter Obfuscator + Source

    @turkojan try again, the link works well for me!
  9. 0x1

    .NET Reactor 5.9.8

    .NET Reactor [] 01-Dec-2018
      - Added Universal Windows (UWP) protection support and added corresponding protection presets
      - Added ASP.NET Core protection support
      - Added .NET Core 2.2 protection support
      - Added public type internalization exclusion editor (2. Protection Settings -> Public Types Internalization -> Exclusions)
      - Added options to exclude compiler generated types and properties from obfuscation (Obfuscation -> Exclusions -> Compiler Generated Types)
      - Added license generation support (LicenseGenNetStandard.dll) for the .NET Standard/Core environment
      - Improved protection support for .NET Standard and Core libraries
      - Fixed issue where WPF applications sometimes were not correctly detected as desktop applications
      - Fixed project file loading problem
      - Fixed compiled XAML (BAML) reading issue
      - Fixed mixed mode (C++/CLI) obfuscation issue
      - Fixed Visual Studio 2017 Add-in issue
      - Fixed dynamic encryption issue
      - Fixed minor bugs

    Download
    [hide][Hidden Content]]
    Pass : level23hacktools.com
  10. 0x1

    TOR Browser 0day

    TOR Browser 0day : JavaScript Exploit! Works on Firefox versions 41 - 50.

    The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser, as far back as Firefox version 41 and up to Firefox version 50. When the exploit is opened by Firefox or Tor Browser with JavaScript enabled on a Windows computer, it leverages a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows.

    [Hidden Content]

    Download
    [hide][Hidden Content]]

    Ref :
    [hide][Hidden Content]]
  11. 0x1

    Flash CVE-2018-15982 UAF

    Adobe Flash last 0day Exploit

    Info
    Exploit : [Hidden Content]
    The SWF file can be integrated into Office files (xls, doc), but the explanation will be on how the gap works and how to modify them, on the Windows system and IE.

    SWF Decompile
    [Hidden Content]

    Notes
    Command Execution (runs Calculator); x64 shellcode [Hidden Content]

    After modification
    [Hidden Content]

    Download
    [Hidden Content]
  12. 0x1


    SharpWeb

    SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.

    Usage
        Usage: .\SharpWeb.exe arg0 [arg1 arg2 ...]

        Arguments:
          all     - Retrieve all Chrome, FireFox and IE/Edge credentials.
          full    - The same as 'all'
          chrome  - Fetch saved Chrome logins.
          firefox - Fetch saved FireFox logins.
          edge    - Fetch saved Internet Explorer/Microsoft Edge logins.

        Example: Retrieve Edge and Firefox Credentials
        .\SharpWeb.exe edge firefox

        Example: Retrieve All Saved Browser Credentials
        .\SharpWeb.exe all

    Standing on the Shoulders of Giants
    This project uses the work of @plainprogrammer and his work on a .NET 2.0 CLR compliant SQLite parser, which can be found [Hidden Content]. In addition, @gourk created a wonderful ASN parser and cryptography helpers for decrypting and parsing the FireFox login files. It uses a revised version of his work (found [Hidden Content]) to parse these logins out. Without their work this project would not have come together nearly as quickly as it did.

    Source & Ref
    [hide][Hidden Content]]
  13. linux-exploit-suggester

    Quick download: [Hidden Content]

    Purpose
    Often during a penetration test engagement the security analyst faces the problem of identifying privilege escalation attack vectors on the tested Linux machine(s). One viable attack vector is using a publicly known Linux exploit to gain root privileges on the tested machine. Of course, in order to do that the analyst needs to identify the right PoC exploit, make sure that his target is affected by the associated vulnerability and finally modify the exploit to suit his target. The linux-exploit-suggester.sh tool is designed to help with these activities.

    Overview
    The tool is meant to assist the security analyst in his testing for privilege escalation opportunities on a Linux machine. It provides the following features:

    "Remote" mode (--kernel or --uname switches)
    In this mode the analyst simply provides the kernel version (--kernel switch) or the uname -a command output (--uname switch) and receives a list of candidate exploits for the given kernel version. Using this mode one can also check for candidate user space exploits (with the --pkglist-file switch) if he has access to the installed packages listing (output of the dpkg -l / rpm -qa commands) of the examined system.

    "Direct" mode (default run)
    The basic idea behind this mode is the same as previously, but additionally, in an effort to produce a more relevant list of candidate exploits, the tool also performs a series of additional checks (like kernel build settings aka CONFIG_*, sysctl entries and other custom checks defined on a per-exploit basis) to rule out exploits that for sure won't be applicable due to OS customization. Obviously, to take advantage of this mode the tool needs to be run directly on the target machine.

    For example, for the 'af_packet' exploit, whose requirements look like this:

        Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1

    the script (in addition to checking the kernel version) will check if the target kernel was built with CONFIG_USER_NS and if the sysctl entry kernel.unprivileged_userns_clone is enabled. If desired, those additional checks can be skipped by running with the --skip-more-checks command line switch. By default the tool also checks for applicable user space exploits when the distribution is one of Debian, Ubuntu, RHEL/CentOS, Fedora. To skip the user space exploit checks one can run with the --kernelspace-only switch. Example of the script's output in this mode:

    "CVE list" mode (--cvelist-file switch)
    In this mode the analyst already possesses a partial/full list of CVEs that affect his target kernel and wants to verify if there are any publicly known exploits against these CVEs. Of course, the effectiveness of this mode highly depends on the completeness of the provided CVE list. Such a list is usually constructed by manual study and examination of the distribution's Changelog for the given kernel version. Alternatively, for the most popular distros, [Hidden Content] could be used to speed up this process. For example, the following one-liner worked quite fine for me:

        $ (uname -s; uname -m; uname -r; uname -v) | curl -s [Hidden Content] -L -H "Accept: text/text" --data-binary @- | grep CVE | tr ' ' '\n' | grep -o -E 'CVE-[0-9]+-[0-9]+' | sort -r -n | uniq

    WARNING. By default, in addition to comparing CVE IDs, this mode also performs additional checks to rule out exploits that won't be applicable due to OS customization (kernel build settings aka CONFIG_*, sysctl entries and other custom settings). So for the best possible results one should run it directly on the tested machine, or alternatively use the --skip-more-checks command line switch if running on the target is not possible/not desired.

    "Check security" mode (--checksec switch)
    WARNING. This mode is currently in beta.

    This mode is meant to be a modern continuation of [Hidden Content]'s --kernel switch functionality. In this mode linux-exploit-suggester.sh enumerates the target system for various kernel/hardware security features (KASLR, SMEP, etc.) and settings. It checks if a given protection mechanism is available (built into the kernel): [ Available ], and (if applicable) it checks if it can be disabled/enabled without recompiling the kernel (via a sysctl entry or other means): [ Enabled/Disabled ], or shows [ N/A ] if disabling/enabling is not possible/not supported. Example of the script's output in this mode:

    Tips, limitations, caveats
      - Remember that this script is only meant to assist the analyst in his auditing activities. It won't do all the work for him!
      - It's the analyst's job to determine whether the given target at hand isn't patched against the generated list of candidate exploits (the script doesn't look at the distro patchlevel, so obviously it won't do that for you). In addition to manual inspection, [Hidden Content] could come in handy with determining the previous one.
      - The selected exploit will almost certainly need some customization to suit your target (at minimum: correct commit_creds/prepare_kernel_cred pointers), so knowledge about kernel exploitation techniques is required.

    Usage
    Default run on the target machine (kernel version, package versions and the additional checks described in the "Overview" paragraph are performed to give the list of possible exploits):

        $ ./linux-exploit-suggester.sh

    As previously, but only userspace exploits are checked:

        $ ./linux-exploit-suggester.sh --userspace-only

    Check if exploit(s) for the given list of CVE IDs are available:

        $ ./linux-exploit-suggester.sh --cvelist-file <cve-listing-file> --skip-more-checks

    Generate a list of CVEs for the target kernel and check if exploit(s) for it exist (also performs additional checks):

        $ (uname -s; uname -m; uname -r; uname -v) | curl -s [Hidden Content] -L -H "Accept: text/text" --data-binary @- | grep CVE | tr ' ' '\n' | grep -o -E 'CVE-[0-9]+-[0-9]+' | sort -r -n | uniq > <cve-listing-file>
        $ ./linux-exploit-suggester.sh --cvelist-file <cve-listing-file>

    List available hardware/kernel security mechanisms for the target machine:

        $ ./linux-exploit-suggester.sh --checksec

    Running with the -k option is handy if one wants to quickly examine which exploits could potentially be applicable for a given kernel version (this is also a compatibility mode with Linux_Exploit_Suggester):

        $ ./linux-exploit-suggester.sh -k 3.1

    With --uname one provides slightly more information (uname -a output from the target machine) to linux-exploit-suggester.sh and receives a slightly more specific list of possible exploits (for example, the target arch x86|x86_64 is also taken into account when generating the exploits list):

        $ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux"

    Optionally --pkglist-file <file> could be provided to -k or --uname to also check for user space exploits:

        (remote machine) $ dpkg -l > dpkgOutput.txt
        $ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux" --pkglist-file dpkgOutput.txt

    In terms of the generated list of exploits it's identical to executing (directly on the given remote machine):

        (remote machine) $ ./linux-exploit-suggester.sh --skip-more-checks

    Sometimes it is desired to examine only the package listing (in this case only the check for userspace exploits is performed):

        (remote machine) $ dpkg -l > dpkgOutput.txt
        $ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt

    As previously, but no package versioning is performed (handy for quick preliminary checking of whether any package for which a user space exploit is available is installed):

        $ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt --skip-pkg-versions

    The kernel version number is taken from the current OS, sources for possible exploits are downloaded to the current directory (only kernel space exploits are examined):

        $ ./linux-exploit-suggester.sh --fetch-sources --kernelspace-only

    The kernel version number is taken from the command line, full details (like kernel version requirements, comments and the URL pointing to the announcement/technical details about the exploit) about matched exploits are listed:

        $ ./linux-exploit-suggester.sh -k 4.1 --full

    The kernel version number is taken from the current OS, binaries for applicable exploits are downloaded (if available) to the current directory, additional checks are skipped:

        $ ./linux-exploit-suggester.sh --fetch-binaries --skip-more-checks

    Note however that --fetch-binaries is not recommended as it downloads binaries from generally untrusted sources, and most likely these binaries weren't compiled for your target anyway. It should be used as a kind of last resort option when you're running out of time during your pen testing engagement and there is no compiler available on your target at hand.

    Misc
      - The tool was inspired by the [Hidden Content] script and it contains all the exploits that are present there (for kernels 2.6+) plus all more recent Linux kernel exploits.
      - It is available in the [Hidden Content] distribution.
      - I'm not responsible for how the tool is used and where it is used.

    Source & Ref.
    [hide][Hidden Content]]
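    The "Reqs:" line quoted in the post is the same kind of applicability rule a defender needs when deciding whether a published kernel issue actually concerns a given host: a version range plus CONFIG_* and sysctl gating that a mitigation (here, disabling unprivileged user namespaces) can switch off. The following is an added example, not linux-exploit-suggester's own code: `AF_PACKET_REQS` is the requirement string from the post, while `parse_reqs`, `evaluate`, the `skip_more_checks` flag (standing in for --skip-more-checks) and the `HOSTS` facts are constructed for this example.

```python
"""Added example (not linux-exploit-suggester's own code): evaluate a 'Reqs:' line in the
format quoted in the post against facts gathered from a host, so that a defender can tell
whether a published kernel issue is actually applicable (version range plus CONFIG_* and
sysctl gating) before prioritising a patch or a mitigation. The host facts are constructed."""
import re

# The requirement line quoted in the post for the 'af_packet' entry.
AF_PACKET_REQS = "pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1"

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
}
# optional 'sysctl:' prefix, a key, a comparison operator, a value
_TOKEN = re.compile(r"(sysctl:)?([\w.]+)(>=|<=|==|>|<|=)(.+)")


def version_tuple(version):
    """'4.10.6' -> (4, 10, 6); '3.2' -> (3, 2, 0); '4.4.0-21-generic' -> (4, 4, 0).

    Only the first three numeric components are compared, so distro suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_reqs(reqs):
    """Split a comma-separated Reqs string into (kind, key, op, value) tuples."""
    parsed = []
    for token in reqs.split(","):
        m = _TOKEN.fullmatch(token.strip())
        if not m:
            raise ValueError(f"unparseable requirement: {token!r}")
        prefix, key, op, value = m.groups()
        if prefix:
            kind = "sysctl"
        elif key in ("pkg", "ver"):
            kind = key
        elif key.startswith("CONFIG_"):
            kind = "config"
        else:
            raise ValueError(f"unknown requirement key: {key!r}")
        parsed.append((kind, key, op, value))
    return parsed


def evaluate(reqs, host, skip_more_checks=False):
    """Return (applicable, failed); failed lists every requirement the host does not meet.

    skip_more_checks plays the role of --skip-more-checks: only the package and version
    requirements are evaluated, CONFIG_* and sysctl requirements are ignored."""
    failed = []
    for kind, key, op, value in parse_reqs(reqs):
        if kind == "pkg":
            ok = host["pkg"] == value
        elif kind == "ver":
            ok = _OPS[op](version_tuple(host["kernel"]), version_tuple(value))
        elif skip_more_checks:
            continue
        elif kind == "config":
            ok = host["config"].get(key) == value
        else:
            ok = host["sysctl"].get(key) == value
        if not ok:
            failed.append(f"{key}{op}{value}")
    return not failed, failed


# Constructed host facts, as a collector would gather them from uname -r,
# /proc/config.gz (or /boot/config-*) and sysctl.
HOSTS = {
    "in-range, userns enabled": {"pkg": "linux-kernel", "kernel": "4.4.0-21-generic",
                                 "config": {"CONFIG_USER_NS": "y"},
                                 "sysctl": {"kernel.unprivileged_userns_clone": "1"}},
    "in-range, userns disabled": {"pkg": "linux-kernel", "kernel": "4.4.0-21-generic",
                                  "config": {"CONFIG_USER_NS": "y"},
                                  "sysctl": {"kernel.unprivileged_userns_clone": "0"}},
    "newer kernel": {"pkg": "linux-kernel", "kernel": "4.15.0-45-generic",
                     "config": {"CONFIG_USER_NS": "y"},
                     "sysctl": {"kernel.unprivileged_userns_clone": "1"}},
}

if __name__ == "__main__":
    for label, host in HOSTS.items():
        applicable, failed = evaluate(AF_PACKET_REQS, host)
        print(f"{label:28} applicable={applicable} failed={failed}")
```

    The second host shows why the post warns about running with --skip-more-checks away from the target: by version alone it looks affected, and only the sysctl fact (the mitigation being in place) rules it out, which is exactly the information a remote kernel-version check cannot see.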
  14. 0x1


    SILENTTRINITY

    An asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET's DLR.

    Requirements
      - Server requires Python >= 3.7
      - SILENTTRINITY C# implant requires .NET >= 4.5

    How it works

    Notes

    .NET runtime support
    The implant needs .NET 4.5 or greater due to the IronPython DLLs being compiled against .NET 4.0; also, there is no ZipArchive .NET library prior to 4.5, which the implant relies upon to download the initial stage containing the IronPython DLLs and the main Python code. Reading the source for the [Hidden Content] it seems like we can get around the first issue by directly generating IL code through IKVM (I still don't understand why this works). However, this would require modifying the compiler to generate a completely new EXE stub (definitely feasible, just time consuming to find the proper IKVM API calls).

    C2 Comms
    Currently the implant only supports C2 over HTTP 1.1. .NET 4.5 seems to have a native WebSocket library which makes implementing a WS C2 channel more than possible. HTTP/2 client support for .NET's HttpClient API is in the works, just not yet released. The implant and server design are very much "future proof", which should make implementing these C2 channels pretty trivial when the time comes.

    COM Interop
    [Hidden Content]

    Python Standard Library
    We technically could load/use IronPython's stdlib instead of calling .NET APIs, but this would require writing some "magic" dependency resolving code. Possibly we could modify [Hidden Content] to do this automagically.

    Inject into unmanaged process
    [Hidden Content]

    If you need some help setting up your environment.

    Reporting issues
    Reporting any issue will be appreciated, but please, feel free to use this [Hidden Content].

    Source & Ref.
    [hide][Hidden Content]]
  15. 0x1

    Payloads All The Things

    Payloads All The Things
    A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques!
    [Hidden Content]

    Source & Ref
    [hide][Hidden Content]]