Misc

lyncsmash: This is a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations.

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -P passwordlist.txt -d CONTOSO -o CONTOSO_output.txt
python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -p Winter2017 -d CONTOSO

MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2021

patator: Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

* ftp_login      : Brute-force FTP
* ssh_login      : Brute-force SSH
* telnet_login   : Brute-force Telnet
* smtp_login     : Brute-force SMTP
* smtp_vrfy      : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt      : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup  : Enumerate valid users using Finger
* http_fuzz      : Brute-force HTTP/HTTPS
* rdp_gateway    : Brute-force RDP Gateway
* ajp_fuzz       : Brute-force AJP
* pop_login      : Brute-force POP
* pop_passd      : Brute-force poppassd (not POP3)
* imap_login     : Brute-force IMAP
* ldap_login     : Brute-force LDAP
* dcom_login     : Brute-force DCOM
* smb_login      : Brute-force SMB
* smb_lookupsid  : Brute-force SMB SID-lookup
* rlogin_login   : Brute-force rlogin
* vmauthd_login  : Brute-force VMware Authentication Daemon
* mssql_login    : Brute-force MSSQL
* oracle_login   : Brute-force Oracle
* mysql_login    : Brute-force MySQL
* mysql_query    : Brute-force MySQL queries
* rdp_login      : Brute-force RDP (NLA)
* pgsql_login    : Brute-force PostgreSQL
* vnc_login      : Brute-force VNC
* dns_forward    : Brute-force DNS
* dns_reverse    : Brute-force DNS (reverse lookup subnets)
* ike_enum       : Enumerate IKE transforms
* snmp_login     : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass     : Brute-force the password of encrypted ZIP files
* keystore_pass  : Brute-force the password of Java keystore files
* sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
* umbraco_crack  : Crack Umbraco HMAC-SHA1 password hashes

Crowbar (formally known as Levye) is a brute forcing tool that can be used during penetration tests. It was developed to brute force some protocols in a different manner according to other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH key(s). This allows for any private keys that have been obtained during penetration tests, to be used to attack other SSH servers.

ruler: Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is abuse the client-side Outlook features and gain a shell remotely.

impacket: Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

sudo git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
python3 -m venv venv
source venv/bin/activate
pip install .
python setup.py install

--or--

python3 -m pip install virtualenv
python3 -m venv impkt
source impkt/bin/activate
(or on windows .\impkt\Scripts\activate.ps1)
pip install git+https://github.com/SecureAuthCorp/impacket

PRET: PRET - Printer Exploitation Toolkit.

$ ./pret.py laserjet.lan pjl
      ________________
    _/_______________/|
   /___________/___//||   PRET | Printer Exploitation Toolkit v0.25
  |===        |----| ||    by Jens Mueller <jens.a.mueller@rub.de>
  |           |   ô| ||
  |___________|   ô| ||
  | ||/.´---.||    | ||        「 cause your device can be
  |-||/_____\||-.  | |´           more fun than paper jams 」
  |_||=L==H==||_|__|/

     (ASCII art by
     Jan Foerster)

Connection to laserjet.lan established
Device:   hp LaserJet 4250

Welcome to the pret shell. Type help or ? to list commands.
laserjet.lan:/> help

Available commands (type help <topic>):
=======================================
append  debug    edit    free  id    ls       open      restart   timeout  
cat     delete   env     fuzz  info  mirror   printenv  selftest  touch    
cd      df       exit    get   load  mkdir    put       set       traversal
chvol   disable  find    help  lock  nvram    pwd       site      unlock   
close   display  format  hold  loop  offline  reset     status    version  

laserjet.lan:/>

anonymousfox.com: Auto-pwn websites and Cpanel.

EyeWitness: EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. Another interesting project is aquatone.

proxychains-ng eyewitness --web -x 192.168.187.0-255.txt.xml --no-dns --no-prompt -d report

EyeWitness through SOCKS proxy v4

source: https://github.com/FortyNorthSecurity/EyeWitness/issues/458

I figured I would leave this information here after my 30 minutes of debugging so someone else doesn't struggle. EyeWitness can be run through a SOCKS proxy v4 by using proxychains, but it requires a very specific setup otherwise everything will timeout.

Note: It looks like EyeWitness does actually support SOCKS v5 via "--proxy-type", but Cobalt Strike is v4 so that doesn't work.

Explanation and other issues:

In the latest versions of Kali, you cannot run EyeWitness as root (with sudo) otherwise you'll get a very vague error message of "Message: Unable to find a matching set of capabilities". If you read "geckodriver.log", you'll see the real error message of "Running Firefox as root in a regular user's session is not supported."
The EyeWitness directory must be user-writable because EyeWitness writes to that geckodriver.log file. So make sure you chmod the folder correctly.
If you run Kali's "proxychains" before "EyeWitness.py" (proxychains ./EyeWitness.py --single 'http://google.com' -d ~/output), you will see a ton of "|S-chain|-<>-SERVER:PORT-<><>-127.0.0.1:54665-<--denied". EyeWitness is trying to connect to the geckodriver that is listening on that port, but that request (127.0.0.1) is going through the SOCKS proxy instead of actually being a localhost request. Thus everything is denied and nothing works.

Instructions on how to make it work

Make sure EyeWitness directory is user-writable:

chmod -R 777 /opt/eyewitness-git/

Kali's proxychains does not allow you to exclude IPs from being passed through the SOCKS proxy (which is what is breaking EyeWitness). You need to use the latest support version of Proxychains-ng (the actively developed version of proxychains) that allows exclusions. Complete commands are below for github cloning and installing for your convenience for copy/paste:

git clone https://github.com/rofl0r/proxychains-ng ~/proxychains-ng
cd ~/proxychains-ng
make -s clean
./configure --prefix=/usr --sysconfdir=/etc
make -s
make -s install
ln -sf /usr/bin/proxychains4 /usr/local/bin/proxychains-ng

Add the following line to your /etc/proxychains.conf file (I personally add it after "proxy_dns" but anywhere should work as long as its not at the very bottom under "[ProxyList]"):

localnet 127.0.0.0/255.0.0.0

Add your proxychains server like normal to the bottom of /etc/proxychains.conf
Run EyeWitness like normal by prefixing "proxychains-ng" (notice the "-ng" at the end)

proxychains-ng ./EyeWitness.py --single 'http://google.com' -d ~/output

You should now see the NEW version of the "S-Chain" line where it no longer uses ASCII arrows, see below:

Done! You can now run EyeWitness through CobaltStrike as long as you prefix it with "proxychains-ng" instead of the old, crappy "proxychains"

for I in $(ls); do 
      echo "$I" >> index.html;
      echo "<img src=$I><br>" >> index.html;
done

1. Install BurpExtension: Add Custom Header

2. BurpSuite > Add Custom Header

3. BurpSuite > Project Options > Sessions

Add new rule (Rule 3), and on "Rule Actions" enable the "Invoke the extension handler" and finally pick "Add Custom Header" extension. Ensure you enable in the "Scope" menu the "Proxy" option and also includes the scope/target URL or simply "Include all URLs".

4. Run eyewitness via proxy

eyewitness --proxy-ip 127.0.0.1 --proxy-port 8080 -f files.txt --web

gowitness: gowitness - a golang, web screenshot utility using Chrome Headless.

###multiple shots from a file####
for /F "delims=" %%a in (hosts.txt) do (
     gowitness-2.3.4-windows-amd64.exe single %%a
)

webscreenshot: A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script. It can add customized headers.

updog: Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

radamsa: Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestringly different outputs from them. The main selling points of radamsa are that it has already found a slew of bugs in programs that actually matter, it is easily scriptable and, easy to get up and running.

git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install
echo "HAL 9000" | radamsa

airventriloquist-ng injects on encrypted WiFi packet and circumvents wireless intrusion prevention systems.

CheckPoint Mobile agent VPN + Kali Linux

CPVNP

git clone https://gitlab.com/cpvpn/cpyvpn.git
cd cpvpn
pip install .
/home/kali/.local/bin/cp_client https://endpoint -m l -u 'user' -p 'pwd'

PreviousAutomated Scanners NextActive Directory

Last updated 2 years ago

Was this helpful?

Misc

lyncsmash: This is a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations.

python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -P passwordlist.txt -d CONTOSO -o CONTOSO_output.txt
python lyncsmash.py enum -H 2013-lync-fe.contoso.com -U usernamelist.txt -p Winter2017 -d CONTOSO

Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2021

patator: Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

* ftp_login      : Brute-force FTP
* ssh_login      : Brute-force SSH
* telnet_login   : Brute-force Telnet
* smtp_login     : Brute-force SMTP
* smtp_vrfy      : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt      : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup  : Enumerate valid users using Finger
* http_fuzz      : Brute-force HTTP/HTTPS
* rdp_gateway    : Brute-force RDP Gateway
* ajp_fuzz       : Brute-force AJP
* pop_login      : Brute-force POP
* pop_passd      : Brute-force poppassd (not POP3)
* imap_login     : Brute-force IMAP
* ldap_login     : Brute-force LDAP
* dcom_login     : Brute-force DCOM
* smb_login      : Brute-force SMB
* smb_lookupsid  : Brute-force SMB SID-lookup
* rlogin_login   : Brute-force rlogin
* vmauthd_login  : Brute-force VMware Authentication Daemon
* mssql_login    : Brute-force MSSQL
* oracle_login   : Brute-force Oracle
* mysql_login    : Brute-force MySQL
* mysql_query    : Brute-force MySQL queries
* rdp_login      : Brute-force RDP (NLA)
* pgsql_login    : Brute-force PostgreSQL
* vnc_login      : Brute-force VNC
* dns_forward    : Brute-force DNS
* dns_reverse    : Brute-force DNS (reverse lookup subnets)
* ike_enum       : Enumerate IKE transforms
* snmp_login     : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass     : Brute-force the password of encrypted ZIP files
* keystore_pass  : Brute-force the password of Java keystore files
* sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
* umbraco_crack  : Crack Umbraco HMAC-SHA1 password hashes

sudo git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
python3 -m venv venv
source venv/bin/activate
pip install .
python setup.py install

--or--

python3 -m pip install virtualenv
python3 -m venv impkt
source impkt/bin/activate
(or on windows .\impkt\Scripts\activate.ps1)
pip install git+https://github.com/SecureAuthCorp/impacket

PRET: PRET - Printer Exploitation Toolkit.

$ ./pret.py laserjet.lan pjl
      ________________
    _/_______________/|
   /___________/___//||   PRET | Printer Exploitation Toolkit v0.25
  |===        |----| ||    by Jens Mueller <jens.a.mueller@rub.de>
  |           |   ô| ||
  |___________|   ô| ||
  | ||/.´---.||    | ||        「 cause your device can be
  |-||/_____\||-.  | |´           more fun than paper jams 」
  |_||=L==H==||_|__|/

     (ASCII art by
     Jan Foerster)

Connection to laserjet.lan established
Device:   hp LaserJet 4250

Welcome to the pret shell. Type help or ? to list commands.
laserjet.lan:/> help

Available commands (type help <topic>):
=======================================
append  debug    edit    free  id    ls       open      restart   timeout  
cat     delete   env     fuzz  info  mirror   printenv  selftest  touch    
cd      df       exit    get   load  mkdir    put       set       traversal
chvol   disable  find    help  lock  nvram    pwd       site      unlock   
close   display  format  hold  loop  offline  reset     status    version  

laserjet.lan:/>

anonymousfox.com: Auto-pwn websites and Cpanel.

https://youtu.be/PMt-t8VHLC0youtu.be

EyeWitness: EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. Another interesting project is aquatone.

proxychains-ng eyewitness --web -x 192.168.187.0-255.txt.xml --no-dns --no-prompt -d report

EyeWitness through SOCKS proxy v4

source: https://github.com/FortyNorthSecurity/EyeWitness/issues/458

Note: It looks like EyeWitness does actually support SOCKS v5 via "--proxy-type", but Cobalt Strike is v4 so that doesn't work.

Explanation and other issues:

In the latest versions of Kali, you cannot run EyeWitness as root (with sudo) otherwise you'll get a very vague error message of "Message: Unable to find a matching set of capabilities". If you read "geckodriver.log", you'll see the real error message of "Running Firefox as root in a regular user's session is not supported."
The EyeWitness directory must be user-writable because EyeWitness writes to that geckodriver.log file. So make sure you chmod the folder correctly.
If you run Kali's "proxychains" before "EyeWitness.py" (proxychains ./EyeWitness.py --single 'http://google.com' -d ~/output), you will see a ton of "|S-chain|-<>-SERVER:PORT-<><>-127.0.0.1:54665-<--denied". EyeWitness is trying to connect to the geckodriver that is listening on that port, but that request (127.0.0.1) is going through the SOCKS proxy instead of actually being a localhost request. Thus everything is denied and nothing works.

Instructions on how to make it work

Make sure EyeWitness directory is user-writable:

chmod -R 777 /opt/eyewitness-git/

Kali's proxychains does not allow you to exclude IPs from being passed through the SOCKS proxy (which is what is breaking EyeWitness). You need to use the latest support version of Proxychains-ng (the actively developed version of proxychains) that allows exclusions. Complete commands are below for github cloning and installing for your convenience for copy/paste:

git clone https://github.com/rofl0r/proxychains-ng ~/proxychains-ng
cd ~/proxychains-ng
make -s clean
./configure --prefix=/usr --sysconfdir=/etc
make -s
make -s install
ln -sf /usr/bin/proxychains4 /usr/local/bin/proxychains-ng

Add the following line to your /etc/proxychains.conf file (I personally add it after "proxy_dns" but anywhere should work as long as its not at the very bottom under "[ProxyList]"):

localnet 127.0.0.0/255.0.0.0

Add your proxychains server like normal to the bottom of /etc/proxychains.conf
Run EyeWitness like normal by prefixing "proxychains-ng" (notice the "-ng" at the end)

proxychains-ng ./EyeWitness.py --single 'http://google.com' -d ~/output

You should now see the NEW version of the "S-Chain" line where it no longer uses ASCII arrows, see below:

Done! You can now run EyeWitness through CobaltStrike as long as you prefix it with "proxychains-ng" instead of the old, crappy "proxychains"

for I in $(ls); do 
      echo "$I" >> index.html;
      echo "<img src=$I><br>" >> index.html;
done

1. Install BurpExtension: Add Custom Header

Add Custom Header

2. BurpSuite > Add Custom Header

3. BurpSuite > Project Options > Sessions

4. Run eyewitness via proxy

eyewitness --proxy-ip 127.0.0.1 --proxy-port 8080 -f files.txt --web

gowitness: gowitness - a golang, web screenshot utility using Chrome Headless.

###multiple shots from a file####
for /F "delims=" %%a in (hosts.txt) do (
     gowitness-2.3.4-windows-amd64.exe single %%a
)

webscreenshot: A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script. It can add customized headers.

updog: Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install
echo "HAL 9000" | radamsa

airventriloquist-ng injects on encrypted WiFi packet and circumvents wireless intrusion prevention systems.

airventriloquist-ng(8) — aircrack-ng — Debian unstable — Debian Manpages

CheckPoint Mobile agent VPN + Kali Linux

CPVNP

git clone https://gitlab.com/cpvpn/cpyvpn.git
cd cpvpn
pip install .
/home/kali/.local/bin/cp_client https://endpoint -m l -u 'user' -p 'pwd'

cpvpn / cpyvpn · GitLabGitLab

PreviousAutomated Scanners NextActive Directory

Last updated 2 years ago

Was this helpful?