NetSPI/django.nV NetSPI/django.nV

  • This repository has been archived on 17/May/2022
  • Stars
    star
    197
  • Rank 191,834 (Top 4 %)
  • Language
    JavaScript
  • License
    GNU General Publi...
  • Created almost 10 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
NetSPI/django.nV
github

NetSPI

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Vulnerable Django Application

django.nV

django.nV is a purposefully vulnerable Django application provided by nVisium.

System Requirements & Setup

First, make sure Python 3.4+ is installed on your machine. On OSX, this can be installed with Homebrew (eg. brew install python3). If you receive an error about conflicting PYTHONPATH, try updating the variable to reflect your python version.

export PYTHONPATH="/usr/local/lib/python3.4/site-packages"

Before using django.nV, you'll also need to install virtualenv. You should be able to use pip install virtualenv, using the pip package manager, to install it. On most systems, pip should be installed alongside python.

To set up the repository, use virtualenv -p python3 venv, which will create a virtualenv using Python 3. To enter this environment, run source venv/bin/activate. You should see your $PS1 update to include (venv) to remind you that you are in the virtual environment. You can also leave the environment by simply typing deactivate.

Installation of Dependencies

To install the dependencies, simply run pip install -r requirements.txt.

Database Setup

django.nV provides you with a script automatically creates the database as well as populates it with data. This script is titled reset_db.sh. django.nV does not ship with the database, so in order to run the application properly, you'll need to use this script:

./reset_db.sh

You can also use the same script to reset the database if you make any changes.

Running the application

To run the app in its application folder type:

./runapp.sh

You should then be able to access the web interface at http://localhost:8000/.

Tutorials

django.nV comes with a series of writeups for the vulnerabilities we've added to the code. Each tutorial comes with a description of the vuln, a hint to where to find it, and then the exact bug and how it could be remedied.

You can access these tutorials within the app at http://localhost:8000/taskManager/tutorials/, or by clicking on the 'Tutorials' link in the top-right of the web interface.

Mail

The only mail sent by the app is for the "Forgot Password" feature. You can use the built-in Python mailserver for those messages.

python -m smtpd -n -c DebuggingServer localhost:1025

If you prefer to use your own mailserver, simply add your settings to settings.py.

More Repositories

1

PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
PowerShell
2,316
star
2

MicroBurst

A collection of scripts for assessing Microsoft Azure security
PowerShell
1,862
star
3

SQLInjectionWiki

A wiki focusing on aggregating and documenting various SQL injection methods
HTML
727
star
4

PESecurity

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
PowerShell
593
star
5

PowerHuntShares

PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
PowerShell
424
star
6

xssValidator

This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
Java
399
star
7

NetblockTool

Find netblocks owned by a company
Python
319
star
8

PowerShell

NetSPI PowerShell Scripts
PowerShell
300
star
9

ESC

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.
C#
266
star
10

WebLogicPasswordDecryptor

PowerShell script and Java code to decrypt WebLogic passwords
Java
240
star
11

sshkey-grab

Grab ssh keys from ssh-agent
Python
217
star
12

JavaSerialKiller

Burp extension to perform Java Deserialization Attacks
Java
205
star
13

Wsdler

WSDL Parser extension for Burp
Java
189
star
14

Swift.nV

Security Training Tool that demonstrates common mobile application vulnerabilities using Swift in iOS
Swift
180
star
15

aws_consoler

A utility to convert your AWS CLI credentials into AWS console access.
Python
178
star
16

DAFT

DAFT: Database Audit Framework & Toolkit
C#
170
star
17

Powershell-Modules

PowerShell
158
star
18

Burp-Extensions

Central Repo for Burp extensions
Java
141
star
19

BurpCollaboratorDNSTunnel

A DNS tunnel utilizing the Burp Collaborator
Java
97
star
20

BetaFast

Vulnerable thick client applications used as examples in the Introduction to Hacking Desktop Applications blog series
C#
89
star
21

BurpExtractor

A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
Java
88
star
22

AWSSigner

Burp Extension for AWS Signing
Java
86
star
23

AutoDirbuster

Automatically run and save ffuf scans for multiple IPs
Python
72
star
24

SQLC2

SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
PowerShell
69
star
25

MonkeyWorks

C#
58
star
26

PowerHunt

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection on scale.
PowerShell
55
star
27

cmdsql

ASP.NET
54
star
28

FuncoPop

Tools for attacking Azure Function Apps
PowerShell
54
star
29

heapdump-ios

Dump IOS application heap space from memory
Shell
50
star
30

SpoofSpotter

A tool to catch spoofed NBNS responses.
Python
49
star
31

skl

strace keylogger PoC
44
star
32

grails-nV

Vulnerable Grails application
JavaScript
43
star
33

JSONBeautifier

JSON Beautifier for Burp written in Java
Java
36
star
34

asa_tools

Verification tools for CVE-2016-1287
Python
32
star
35

MoneyX

MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
Java
30
star
36

JIG

Jira Information Gatherer
Python
29
star
37

httpillage

Java
26
star
38

HTTPScrapers

NetSPI HTTP Scrapers
Python
25
star
39

binrev

Shell
24
star
40

crossdomainscanner

Python tool for expired domain discovery in crossdomain.xml files
Python
23
star
41

goat.js

Tutorial for Node.js security
CSS
20
star
42

PS_Reflector

PowerShell
19
star
43

PS_MultiCrack

A powershell script for cracking halfLMchall password hashes
PowerShell
19
star
44

PS_CC_Checker

PowerShell
17
star
45

DataLoc

Scan MSSQL databases for payment card data without relying on key words
AutoIt
16
star
46

Pin

Intel pin tools
C++
12
star
47

ruby_apk_unpack

Ruby Gem to Unpack APK(s)
Ruby
12
star
48

silkwasm

HTML Smuggling with Web Assembly
Go
9
star
49

SVNentriesParser

A powershell script to parse SVN entries files into an HTML directory listing
PowerShell
9
star
50

Dekrypto

Ruby
8
star
51

JSWS

JavaScript Web Service Proxy Burp Plugin
Java
7
star
52

gppdecrypt

Stand alone script to decrypt GPP cpassword.
Go
7
star
53

TapJacking-Demo

Java
6
star
54

WCF

C#
6
star
55

PycroBurst

Python implementation of select MicroBurst scripts.
Python
6
star
56

Custom-Passive-Scanner

Define custom findings for Burp's Passive Scanner using regex.
Java
5
star
57

doctordocker

Docker Doctor - Automated upgrading of libraries through Docker deployments.
Ruby
5
star
58

osint_scripts

Collection of Scripts of Open Source Intelligence Gathering
Ruby
5
star
59

npm-deps-parser

Parses, summarizes, and prints "npm audit" json output to markdown for nVision reports
Python
4
star
60

DetectionRules

This is a single location to store detection rules of various types.
4
star
61

CollegePresentation

2
star
62

rails-scope

scoping gem for rails application
Ruby
2
star
63

Scheduled-Task

Native Binary for Creating a Scheduled Task
C++
1
star
64

edge-cases-in-web

PHP
1
star
65

brigade-security-scripts

Brigade scripts to perform common Kubernetes and container-level security checks triggered by events.
1
star
66

WikiJekyllTheme

Wiki theme for various NetSPI wikis
HTML
1
star