Showing posts with label Hacking Tools. Show all posts
RastLeak Tool To Automatic Leak Information Using Hacking With Search Engine

RastLeak: a tool to automate the search for leaked information using search engine hacking

How to install

Install requirements with:

pip install -r requirements.txt

How to use

python rastleak.py

The last stable version is rastleak.py

$ python rastleak.py -h

Usage: rastleak.py [-h] -d DOMAIN -o OPTION -n SEARCH -e EXT [-f EXPORT]

This script searchs files indexed in the main searches of a domain to detect a possible leak information

Optional Arguments:

  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        The domain which it wants to search
  -o OPTION, --option OPTION
                        Indicate the option of search
                         1.Searching leak information into the target
                         2.Searching leak information outside target
  -n SEARCH, --search SEARCH
                        Indicate the number of the search which you want to do
  -e EXT, --ext EXT     Indicate the option of display:
                         1-Searching the domains where these files are found
                         2-Searching ofimatic files
  -f EXPORT, --export EXPORT
                        Indicate the type of format to export results.
                         1.json (by default)
                         2.xlsx

Download RastLeak

XSStrike: A Python Script Designed To Detect And Exploit XSS Vulnerabilities

XSStrike is a Python script designed to detect and exploit XSS vulnerabilities.


A list of features XSStrike has to offer:
  •  Fuzzes a parameter and builds a suitable payload
  •  Bruteforces parameters with payloads
  •  Has built-in crawler-like functionality
  •  Can reverse engineer the rules of a WAF/Filter
  •  Detects and tries to bypass WAFs
  •  Both GET and POST support
  •  Most of the payloads are hand-crafted
  •  Negligible number of false positives
  •  Opens the POC in a browser window

Installing XSStrike

Use the following command to download it

git clone https://github.com/UltimateHackers/XSStrike/

After downloading, navigate to the XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command


pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike


Using XSStrike

You can enter your target URL now, but remember that you have to mark the most crucial parameter by inserting "d3v" in it.

For example: target.com/search.php?q=d3v&category=1

After you enter your target URL, XSStrike will check whether the target is protected by a WAF. If it's not protected by a WAF, you will get three options:

1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

2. Striker: It brute-forces all the parameters one by one and generates the proof of concept in a browser window.

3. Spider: It extracts all the links present on the homepage of the target and checks the parameters in them for XSS.

4. Hulk: Hulk uses a different approach; it doesn't care about reflection of input. It has a list of polyglots and solid payloads, enters them one by one in the target parameter, and opens the resulting URL in a browser window.

XSStrike can also bypass Web Application Firewalls (WAFs).

Download

cgPwn - Cyber Grand Pwnage Box For Hardware Hacking

Ubuntu VM tailored for hardware hacking, RE and Wargaming.

Install VirtualBox

Check VirtualBox for information on installing VirtualBox on your respective operating system.


Install Vagrant

Check VagrantUp for information on installing Vagrant.

Fire up the VM

git clone https://github.com/0xM3R/cgPwn
cd cgPwn
vagrant up
# ... just wait until everything is set up for you
vagrant ssh





Default settings

By default, personal dotfiles are installed onto the VM. Simply comment out the following lines in cgPwn.sh if you don't want my settings.

# Personal config
sudo apt-get -y install stow
cd ~
rm .bashrc
git clone https://github.com/0xM3R/dotfiles
cd dotfiles
chmod a+x ./install.sh
./install.sh


Shared folder

Drop files in the sharedFolder folder on your host to find them on your VM at /home/vagrant/sharedFolder

Tools Included


  • Pwndbg
  • Pwntools
  • Binwalk
  • Radare2
  • Capstone, Unicorn and Keystone Engines
  • Qira Timeless Debugger
  • AFL
  • Valgrind, VGdb
  • ROPGadget, XRop, Ropper, rp++
  • Intel PIN
  • Angr
  • z3
  • frida
  • Compiler tools: CLANG, LLVM, GDBMultiarch, GDBArm
  • Useful tools: htop, lynx, socat, p7zip, mc

Download cgPwn

Pyrasite: A Tool For Injecting Arbitrary Code Into Running Python Processes

Pyrasite: A Tool for injecting arbitrary code into running Python processes.


Python Compatibility


Pyrasite works with Python 2.4 and newer. Injection works between versions as well, so you can run Pyrasite under Python 3 and inject into 2, and vice versa.

Installing

You can download the latest tarballs, RPMs, and debs from PyPI. Installing the package specific to your distribution is recommended. However, you can also install it using pip if you wish:

pip install pyrasite pyrasite-gui


Additional installation notes


Fedora
If you’re using Fedora 17 or later, you’ll need to disable an SELinux boolean to allow ptrace.

sudo setsebool -P deny_ptrace=off

Mac OS X
If you don’t want to override Apple’s default gdb, install the latest version of gdb with a prefix (e.g. gnu)

$ ./configure --program-prefix=gnu
$ pyrasite <PID> payloads/reverse_python_shell.py --gdb-prefix="gnu"

Arch Linux
You can install pyrasite from the Arch User Repository. If you want Python debugging symbols, you may have to compile python2 yourself.

Ubuntu
Since version 10.10, Ubuntu ships with a controversial patch that restricts the scope of ptrace, which can be disabled by running:

echo 0 > /proc/sys/kernel/yama/ptrace_scope

You can make this change permanent by setting ptrace_scope to 0 in /etc/sysctl.d/10-ptrace.conf.
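
Because the Ubuntu step above removes a kernel hardening control, it is worth being able to see which hosts have it relaxed. The following is an added example, not part of Pyrasite: a shell audit of the runtime Yama value and of any sysctl drop-in that persistently sets it to 0. The function names are hypothetical, and the path arguments exist only so the functions can be pointed at test files.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace restriction discussed above.
# Function names are illustrative; defaults are the real kernel/sysctl paths.

# Translate a ptrace_scope value into what it permits.
describe_ptrace_scope() {
    case "$1" in
        0) echo "classic: a process may attach to any other process of the same user" ;;
        1) echo "restricted: only an ancestor or a declared tracer may attach" ;;
        2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
        3) echo "disabled: no attach allowed, cannot be changed until reboot" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Print the runtime value. $1: path to the ptrace_scope file (optional).
runtime_ptrace_scope() {
    tr -d '[:space:]' < "${1:-/proc/sys/kernel/yama/ptrace_scope}"
}

# List sysctl drop-ins that persistently set ptrace_scope to 0.
# $1: sysctl.d directory (optional).
persistent_relaxations() {
    dir="${1:-/etc/sysctl.d}"
    grep -lE '^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*0[[:space:]]*$' \
        "$dir"/*.conf 2>/dev/null || true
}

# Exit status 0 when attach is restricted both at runtime and persistently,
# 1 when either is relaxed, 2 when the runtime value cannot be read.
audit_ptrace() {
    value=$(runtime_ptrace_scope "$1") || return 2
    echo "runtime ptrace_scope=$value ($(describe_ptrace_scope "$value"))"
    relaxed=$(persistent_relaxations "$2")
    if [ -n "$relaxed" ]; then
        echo "persistently set to 0 in: $relaxed"
    fi
    [ "$value" != "0" ] && [ -z "$relaxed" ]
}

# Usage on a live host: audit_ptrace || echo "ptrace hardening is relaxed"
```

A host where the setting was lowered for a debugging session can be returned to the restricted state by writing 1 back to the same file and removing the 0 entry from the drop-in.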

Usage: pyrasite [-h] [--gdb-prefix GDB_PREFIX] [--verbose] [--output OUTPUT_TYPE] pid [filepath|payloadname]
       pyrasite --list-payloads

pyrasite - inject code into a running python process

Positional arguments:

  pid                   The ID of the process to inject code into
  filepath|payloadname  The second argument must be a path to a
                        file that will be sent as a payload to the
                        target process or it must be the name of
                        an existing payload (see --list-payloads).

Optional arguments:

  -h, --help            show this help message and exit
  --gdb-prefix GDB_PREFIX
                        GDB prefix (if specified during installation)
  --verbose             Verbose mode
  --output OUTPUT_TYPE  This option controls where the output from
                        the executed payload will be printed. If
                        the value is 'procstreams' (the default) then
                        the output is sent to the stdout/stderr of the
                        process. If the value is 'localterm' then the
                        output is piped back and printed on the local
                        terminal where pyrasite is being run.
  --list-payloads       List payloads that are delivered by pyrasite


pyrasite-gui - A graphical interface for Pyrasite
The pyrasite-gui is a graphical interface for Pyrasite that lets you easily monitor, analyze, introspect, and alter running Python programs.


Requirements


  • Python debuginfo (needed for live object inspection)
  • PyGObject3 Introspection bindings
  • WebKitGTK3
  • Meliae (easy_install/pip may not work for this install. If not, use the tarball from the distribution website. You may need to install Cython in order to get meliae to build)
  • pycallgraph
  • psutil







# Fedora
yum --enablerepo=updates-testing install python-psutil python-debuginfo python-pycallgraph pygobject3 webkitgtk3 python-meliae

# Ubuntu
apt-get install python-dbg python-pycallgraph python-gobject-dev gir1.2-webkit-3.0 python-meliae python-psutil

# Arch
pacman -S python2-psutil python2-gobject python2-pycallgraph libwebkit3 python2-meliae

Download
