Automated HTTP Enumeration Tool

Null Security Team writing a python script for Automated HTTP Enumeration. currently only in the initial beta stage, but includes basic checking of files including the Apache server-status as well as well IIS WebDAV and Microsoft FrontPage Extensions, many more features will be added to this tool which will make lot of the enumeration process quick and simple.

Version 0.2 adds scanning of SSL / TLS as well as an option for probing delays and general bug fixes.

Download the Python Script

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Server Shield v1.0.2 - Protect your Linux machine in 1 minute

Server Shield is a lightweight method of protecting and hardening your Linux server. It is easy to install, hard to mess up, and makes your server instantly and effortlessly resilient to many basic and advanced attacks.

Features

• Firewall Hardening
• TCP Hardening
• Data Leakage Protection
• ICMP/Ping Flood Protection
• Rootkit Protection
• DoS Protection
• Spoof Protection
• Bogus TCP Protection
• SYN Flood Protection
• Requires
• iptables ("yum install iptables")

Installation

git clone https://github.com/Brian-Holt/server-shield

cd server-shield;chmod +x sshield;mv sshield /etc/init.d

/etc/init.d/sshield start

Download Server Shield v1.0.2

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

WordPress Version Checker - MD5 Hash Method

WordPress Version Check provides you with an easy way of checking that which version your Victim is using. It is a simple php Script based upon  MD5 Hash Method.

You can download the Script from Pastebin: http://pastebin.com/3c72K1kj

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Antiflood v-1.8.2 with IP tables bash script

This module provides security enhancements against (HTTP) Flood & Brute Force Attacks for native PHP or .NET scripts at web application level. Massive crawling/scanning tools, HTTP flood tools can be detected and blocked by this module via htaccess or iptables, etc. You can use this module by including "iosec.php" to any PHP file which wants to be protected.

Features :

This is a unique project and it is the world's first web application flood guard script.

At web application (scripting) level you can,

- Block proxies. (only via HTTP header)

- Detect flooding IP addresses.

- Slow down or restrict access for automated tools (HTTP flood, brute force tools, vulnerability scanners, etc.)

- Save your server resources (database, cpu, ram, etc.) under an attack.

- Restrict access permanently or temporarily for listed IP addresses in "banlist" file.

- Notify yourself via email alerts when attacks begin.

- Implicit deny for DDoS attacks

Download ANTIFLOOD

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Windows PowerShell V3.0 download available

PowerShell V3.0 has been released as part of Windows Server 2012, but you do not have to wait it though! The final release of Windows Management Framework 3.0 is also available for download from the Microsoft Download Center.

Windows Management Framework 3.0 makes much of the same great management functionality from Windows Server 2012 available to earlier versions of Windows. Windows Management Framework 3.0 allows you to install Windows PowerShell 3.0 (including a new version of WMI and WinRM) on the following Operating Systems:

• Windows 7 Service Pack 1 (32-bit & 64-bit)
• Windows Server 2008 R2 Service Pack 1 (64-bit only, includes Server Core)
• Windows Server 2008 Service Pack 2 (32-bit & 64-bit)

Some of the new features in Windows PowerShell 3.0 include:

1. Workflow : Windows PowerShell Workflow lets IT Pros and developers apply the benefits of workflows to the automation capabilities of Windows PowerShell. Workflows allow administrators to run long-running tasks (which can be made repeatable, frequent, parallelizable, interruptible, or restart-able) that can affect multiple managed computers or devices at the same time.
2. Disconnected Sessions:  PowerShell sessions can be disconnected from the remote computer and reconnected later from the same computer or a different computer without losing state or causing running commands to fail.
3. Robust Session Connectivity: Remote sessions are resilient to network failures and will attempt to reconnect for several minutes. If connectivity cannot be reestablished, the session will automatically disconnect itself so that it can be reconnected when network connectivity is restored.
4. Scheduled Jobs: scheduled jobs that run regularly or in response to an event.
5. Delegated Administration: Commands that can be executed with a delegated set of credentials so users with limited permissions can run critical jobs
6. Simplified Language Syntax: Simplified language syntax that make commands and scripts look a lot less like code and a lot more like natural language.
7. Cmdlet Discovery: Improved cmdlet discovery and automatic module loading that make it easier to find and run any of the cmdlets installed on your computer.
8. Show-Command: Show-Command, a cmdlet and ISE Add-On that helps users find the right cmdlet, view its parameters in a dialog box, and run it.

Download Powershell V3.0

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

pWeb-suite v1.1 - Web application penetration testing

This Suite (formerly known as the “PCrack Suite”) of tools is used primarily or web application vulnerability testing, written in PERL.

It include various Tools:

• Hellfire - LFI Automation Tool,
• LogInjector – Code Injection Tool for Web Server Logs (LFI Attack)
• Smsi (SimplyMySQLi) - Simple Mysql Injector
• Xss Tools like StrEncode
• Xss String Encoding Tool.

Download pWeb-suite v1.1

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Sptoolkit - A Simple Phishing Toolkit

The spt project ( sptoolkit ) is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

spt ( sptoolkit )was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability. If the spt project sounds interesting to you, please consider downloading it for evaluation in your own organization. Feedback is welcomed and always appreciated.

Basic reuirements for sptoolkit

• Apache,
• PHP
• MySQL

Feature list of sptoolkit 

• Vast improvements in the editing functionality for templates and education packages. Major changes include: two different editors to choose from (the oroginal spt text editor and TinyMCE), copy templates or education to new version and then customize them.
• Added education completion tracking, now you can determine if your targets completed the assigned education in a campaign.
• Support for the Google and TinyURL URL shortener services. Now your phishing emails can have shortened URLs, making them harder to detect.
• Support for sending SMTP using SSL secured connections.
• Enhancements to the viewing of campiang information including SMTP relay used and destination URL used.
• Initial support for using spt in SSL/TLS secured installations, code updates to prevent insecure content warnings.
• All forms now generate inline errors with entered value retention, allowing easy correction of incorrect or missing items without requiring all information to be entered again.
• Email tracking times are now more accurate when viewing campaign information.
• Most items in the Quick Start module now feature links allowing you to quickly access the desired location in the spt UI.
• Enhancements to the browser detection script for more information on what you need vs. what you have.
• Many security and usability issues fixed.
• Additional improvements in authentication and session management security.

Download sptoolkit

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

lafuzz - Local File Incursion exploiter

LaFuzz is a exploiter/fuzzer which is specify on Local File Incursion (LFI), but not just to exploit known vulnerabilities; LaFuzz takes a step forward onto exploiting unknown/0-day which is surrounding directory traversal's vectors.

How to use:

./lafuzz.py

python2.7 lafuzz.py

python lafuzz.py

Download lafuzz 1.5

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

OWASP Security Shepherd 1.2 Released

Security Shepherd is a computer based training application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.

Easy configuration to suit every use

Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The bi-product of this challenge game is the acquired skill to harden a players own environment from OWASP top ten security risks The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Security Shepherds vulnerabilities are not simulated, and are instead delievered through hardened real security vulnerabilities that can not be abused to compromise the application or it's environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filteres and poor security configuration. Security Shepherd includes everything you need to complete all of it's levels including the OWASP Zed Attack Proxy Project and portable browsers already configured for proxy use.

The Security Shepherd project covers the following web application security topics;

• SQL Injection
• Cross Site Scripting
• Broken Authetication and Session Management
• Cross Site Rrequest Forgery
• Insecure Direct Object Reference
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Unvalidated Redirects and Forwards
• Insufficient Transport Layer Security

Download OWASP Security Shepherd 1.2

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Phemail.py: Phishing EMail Social Engineering Tool

Social Engineering is defined as the process of inducing people into giving away access or confidential information. From a security consultant point of view this topic is not new and there are many tools which can be used against the target.

phemail.py - Phishing EMAIL. The main purpose of this tool is to prove who clicked on the phishing email without attempting to exploit the web browser but collecting as much information as possible. For this reason it will be 100% undetectable by any antivirus and it will obtain sufficient data to have an initial proof of concept for the client.

Steps to use Phemail.py:

1. Find corporate email addresses: Phemail has an option for harvesting corporate email addresses and save them to a file. Phemail.py leverages Google to search for LinkedIn specific corporate e-mail targets.
2. Create a phishing email template: You get to create your own custom phishing templates. Do not forget to add the string “{0}” in each URL as the script will replace this string with the correct URL automatically.
3. Host/upload a single PHP file: This file contains JavaScript code which attempts to collect web browser information and save it in a log file in /tmp directory.
4. Run the php file as shown in the following example: # phemail.py -e test-emails.txt -f "Tax report " -r "Tax Report " -s "Important information about your tax" -b body.txt -w http://YOUR-WEBSITE.com

Download Phemail.py

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

HTExploit : Open Source Tool to Bypass Standard Directory Protection

HTExploit (HiperText access Exploit) is an open-source tool written in Python that exploits a weakness in the way that .htaccess files can be configured to protect a web directory with an authentication process to gain access to a protected directory contents. Presumably, if such an attack is successful, you can launch further attacks such as SQL Injection, Local File Inclusion, Remote File Inclusion, etc. on discovered files.

Features of HTExploit:

• Multiples modules to execute.
• Save the output to an specify directory.
• HTML Reporting.
• Use multiples wordlist to probe against htaccess bypassing.
• Mode verbose for a full detailed information.
• Multi-platform and flexible.

The vulnerability exists because web servers like Apache forward PHP-based requests within .htaccess to the PHP engine itself. The .htaccess file allows you to specify the requests get sent to PHP to try to interpret. However, on encountering non-standard input, PHP automatically treats it as a GET request, and allows the utility to start saving the PHP files on a webserver to your local filesystem, bypassing security restrictions!

Download HTExploit

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

BBQSQL : Blind SQL injection framework ( Python )

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Must provide the usual information:

• URL
• HTTP Method
• Headers
• Cookies
• Encoding methods
• Redirect behavior
• Files
• HTTP Auth
• Proxies

After you pull the tool from Github, you can install simply by typing:

python setup.py install

Download BBQSQL

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Anonymous FTP Scanner - Python Script

Anonymous FTP Scanner is a Python Script "FtpScan.py" - Which Scans for FTP servers allowing Anonymous Login.

Download the Script

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

RemoteScript - Execute scripts on multiple remote hosts

Execute a script on single or multiple remote hosts simultaneously via ssh . No client installation required. May work on any host with a ssh server. Php/mysql based.

Features

• Execute shell script on single or multiple linux hosts remotely
• Group hosts to execute scripts on multiple hosts simultaneously
• Keep a trace of stout and error output

Download RemoteScript

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Sensitive Buster v 1.0 - Tool to find out Sensitive Data

r00tw0rm Team release a new tool today, called "Sensitive Buster" and Coded by Th3breacher And Angel Injection. The Tool finds vulnerabilities On WebServer ,Admin panels, sensitive files and folders and even backups. The Tool Coded by Python Language And it's Open Source Every One Can Edit it.

Usage:
1-first You Must Install Active Python
2-Open Command Prompt
3-./sensitivebuster.py -m -p Proxy

There are 5 Mode In This Version The Mode it
-shell
-backup
-admin
-dir
-files

4-./sensitivebuster http://example.com -m backup -p


You can Use proxy server
5-./sensitivebuster http://example.com -m backup -p 127.0.0.1:8080

Download Sensitive Buster v 1.0

Password : r00tw0rm.com

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

TheHarvester v 2.0 - Collects email accounts, usernames and hostnames

TheHarvester is a tool to collect email accounts, usernames and hostnames/subdomains from different public sources like search engines and PGP key servers.

This tool is intended to help Penetration testers in the early stages of the project. It's a really simple tool, but very effective.

The sources supported are:

• Google - emails,subdomains/hostnames
• Google profiles - Employee names
• Bing search - emails, subdomains/hostnames,virtual hosts
• Pgp servers - emails, subdomains/hostnames
• Linkedin - Employee names
• Exalead - emails,subdomain/hostnames

Some examples: 

• Searching emails accounts for the domain microsoft.com, it will work with the first 500 google results.

./theharvester.py -d microsoft.com -l 500 -b google

• Searching emails accounts for the domain microsoft.com in a PGP server, here it's not necessary to specify the limit.

./theharvester.py -d microsoft.com -b pgp


Searching for user names that works in the company microsoft, we use google as search engine, so we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

• Searching in all sources at the same time, with a limit of 200 results:

./theHarvester.py -d microsoft.com -l 200 -b all

Download TheHarvester v 2.0

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Plecost 0.2.2-9-beta : Wordpress fingerprinting tool

Wordpress finger printer tool, plecost search and retrieve information about the plugins versions installed in Wordpress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each plugin, if there.Plecost retrieves the information contained on Web sites supported by Wordpress, and also allows a search on the results indexed by Google.

Plecost works in two modes. On the one hand by analyzing a single URL and the other analyzing the results of Google searches (-G).

Threads version Usage:

./plecost-0.2.2-8-beta.py [options] [ URL | [-l num] -G]

Mono task version Usage: 

./plecost_0.0.1-5beta.py [options] URL | [options] -G

DOWNLOAD Plecost 0.2.2-9-beta

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Mutillidae 2.1.20 - Test your Hacking skills

Mutillidae is a free, open source web application provided to allow security enthusiast to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them; providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiast, classroom labs, and vulnerability assessment tool targets.

Change log : Mutillidae 2.1.20:

• Changed some color schemes
• Bug fix: The html5 key validation on the on the html5 page was too restrictive. The validator was throwing errors even when the input was ok. This validation checks for any non-alphanumeric characters and prints an error if non-alphanumeric characters are found. This error message contains the bad key the user input. Since the site fails to output encode this error message, it is possible to perform DOM injection.
• Add the html5-storage.php to the vulnerabilities listing.

Download Mutillidae 2.1.20

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

NinjaWPass - Protect WordPress against keyloggers and stolen passwords

NinjaWPass is a free WordPress plugin written to protect your blog administration console. It makes it basically impossible for a hacker who stole your password to log in to your console. The way it works is simple but very efficient and it is being used by some large banking corporations in order to protect their customers online accounts. All you need to do is to define a second password (AKA the NinjaWPass password) from 10 to 30 characters.

At the WordPress login prompt, besides your current password, you will be asked to enter 3 randomly chosen characters from your NinjaWPass password. Whether your computer is infected by a keylogger or someone is spying over your shoulder, this protection will keep them away.

Additionally, the plugin offers the possibility to receive an alert by email whenever someone logs into your WordPress admin interface

Download NinjaWPass

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email

Bash Script to Automate browser-in-the-middle attack

Browser-in-the-middle is a bashscript that uses ettercap, metasploit and the beEF framework to make attacks that injects code in pages users visited on the internet from the local network.

• - uses ettercap to launch a man in the middle attack
• - ettercap modifies traffic so evil javascript or iframes are added
• - victim's browser will be redirect to the attackers webserver
• - the webserver will be running the msf autopwn module or the beEF framework to launch browser exploits are other browser related attacks.

Download Bash Script

Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .

Subscribe Top Hacker Stories via email