Sep 30, 2015

Tools: Windows Spy Keylogger

Windows Spy Keylogger is the free software to help you covertly monitor all activities on your computer.
  • Free tool to monitor keystrokes in a stealthy manner
  • Monitor both 32-bit & 64-bit applications
  • Automatically run at Startup
  • No need for administrator privileges
  • Settings dialog to change various options
  • Stores keyboard activities silently to a log file
  • Very easy to use with just a click of button
  • Displays current status of key logger at any time
  • Includes Installer for local installation & un-installation
How to Use?
'Windows Spy Keylogger' is a very easy-to-use tool with its cool GUI interface.
Here are the simple steps:
  • Run 'Windows Spy Keylogger' on your system
  • It will show you the current status of Keylogger as seen in the screenshots below.
  • Now you can just click on button below to Start or Stop Keylogger
  • That's all :)

Sep 25, 2015

Tools: ARDT - Akamai Reflective DDoS Tool

Akamai Reflective DDoS Tool - Attack the origin host behind the Akamai Edge hosts and DDoS protection offered by Akamai services.


Tools: Tango - Set of scripts and Splunk apps for Honeypot

Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions. There are two scripts provided which facilitate the installation of the honeypots and/or Splunk Universal Forwarder. One of the scripts will install the Splunk Universal Forwarder and install the necessary input and output configuration files. The other script will install the Splunk Universal Forwarder along with the Cowrie honeypot required for the Tango Honeypot Intelligence app to work.


Sep 24, 2015

Tools: Powercat - A PowerShell version of netcat.

PowerCat is a PowerShell module. First you need to load the function before you can execute it. You can put one of the below commands into your PowerShell profile so powercat is automatically loaded when PowerShell starts.


Tools: php-malware-finder - Detect potentially malicious PHP files

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.
The following list of encoders/obfuscators/webshells is also detected:

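To make the detection idea concrete, here is an added example (my own code, not php-malware-finder's YARA rules) that scores PHP sources against a few hand-picked heuristics of the kind the tool relies on: execution sinks fed by decoders, sinks called on request data, function names assembled at runtime, and long base64-looking blobs. The three PHP samples are constructed for the demonstration, and the rule list, weights and threshold are assumptions of this example rather than the project's.

```python
import re

# Constructed PHP samples for demonstration only; none of these is taken from the project.
SAMPLES = {
    "clean.php": "<?php\necho htmlspecialchars($_GET['name'] ?? 'world');\n",
    "webshell.php": "<?php\n@eval(base64_decode($_POST['c']));\n",
    "obfuscated.php": "<?php\n$f = 'sys' . 'tem';\n$f(str_rot13('rpub uryyb'));\n",
}

# Assumption: a small hand-picked list of execution sinks and decoders,
# not the project's own YARA rule set.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)"

RULES = {
    # an execution sink called straight on request data: eval($_POST['x'])
    "sink-on-user-input": re.compile(
        r"\b(?:%s)\s*\(\s*@?\s*%s" % ("|".join(SINKS), SUPERGLOBAL)),
    # a sink fed by a decoder: eval(base64_decode(...)), the classic loader shape
    "decoder-into-sink": re.compile(
        r"\b(?:%s)\s*\(\s*@?\s*(?:%s)\s*\(" % ("|".join(SINKS), "|".join(DECODERS))),
    # function name held in a variable and called through it: $f(...)
    "variable-function-call": re.compile(r"\$\w+\s*\("),
    # function name assembled from string fragments to dodge plain-text matching
    "concatenated-string-name": re.compile(r"'[A-Za-z_]+'\s*\.\s*'[A-Za-z_]+'"),
    # long base64-looking blob, the usual shape of an embedded encoded payload
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"),
    # any decoder call at all: weak on its own, so it carries a low weight
    "decoder-use": re.compile(r"\b(?:%s)\s*\(" % "|".join(DECODERS)),
}

# Assumed weights: a sink fed by a decoder or by request data is damning on its own,
# the obfuscation signals only add up to "suspicious" in combination.
WEIGHTS = {
    "sink-on-user-input": 10,
    "decoder-into-sink": 10,
    "variable-function-call": 3,
    "concatenated-string-name": 3,
    "long-base64-blob": 4,
    "decoder-use": 2,
}
THRESHOLD = 5


def scan_php(source):
    """Return {rule_name: match_count} for every rule that fires on `source`."""
    return {name: len(rx.findall(source)) for name, rx in RULES.items() if rx.search(source)}


def score(findings):
    """Sum rule weights once per rule; repeated hits of one rule do not inflate the score."""
    return sum(WEIGHTS[name] for name in findings)


def classify(source):
    """Return (verdict, score, sorted rule names) for one PHP source text."""
    findings = scan_php(source)
    total = score(findings)
    return ("suspicious" if total >= THRESHOLD else "clean"), total, sorted(findings)


if __name__ == "__main__":
    for filename, source in SAMPLES.items():
        verdict, total, rules = classify(source)
        print("%-16s %-10s score=%2d %s" % (filename, verdict, total, ", ".join(rules)))
```

The `variable-function-call` rule is deliberately weak because legitimate code also calls `$callback(...)`; it only tips a file over the threshold together with another signal, which is why the example uses weights rather than a single pattern match.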

Tools: Pupy - opensource RAT (Remote Administration Tool) written in Python

Pupy is an opensource RAT (Remote Administration Tool) written in Python. Pupy uses reflective dll injection and leaves no traces on disk.

Features :

  • On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd memory import currently works on Windows only; .so memory import is not implemented.)
  • modules are quite simple to write and pupy is easily extensible.
  • Pupy uses rpyc, and a module can directly access python objects on the remote client
    • we can also access remote objects interactively from the pupy shell, and even auto-completion of remote attributes works!
  • the communication channel currently works as an SSL reverse connection, but a bind payload will be implemented in the future
  • all the non interactive modules can be dispatched on multiple hosts in one command
  • Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu)
  • modules can be executed as background jobs
  • commands and scripts running on remote hosts are interruptible
  • auto-completion and nice colored output :-)
  • command aliases can be defined in the config

Sep 21, 2015

Tools: scanmem - memory scanner for Linux

scanmem is a debugging utility designed to isolate the address of an arbitrary variable in an executing process. scanmem simply needs to be told the pid of the process and the value of the variable at several different times.
After several scans of the process, scanmem isolates the position of the variable and allows you to modify its value.
GameConqueror is a GUI for scanmem; beyond that, it provides a flexible search syntax, locking of multiple memory locations, and a memory editor.
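The repeated-scan narrowing that scanmem performs is easy to see on a fake process image. The following is an added example (my own code, not scanmem's): it builds a constructed 16 KiB region of small integers, plants a target variable at a known cell, lets a few unrelated cells churn between snapshots, and then intersects the candidate offsets across three snapshots taken at moments when the variable's value was known (100, then 90, then 75). The 32-bit little-endian integer width, the region size and the seed are assumptions of the example.

```python
import random
import struct

CELL = 4  # assumption: the variable is a 32-bit little-endian integer


def find_matches(memory, value):
    """Return every byte offset at which `value` is stored as a 32-bit LE int.

    Like a first scanmem scan, this checks every byte offset rather than only
    aligned ones, because the scanner has no type or alignment knowledge yet.
    """
    needle = struct.pack("<i", value)
    return {off for off in range(len(memory) - CELL + 1) if memory[off:off + CELL] == needle}


def narrow(snapshots):
    """Intersect the matches of successive (memory, observed_value) snapshots.

    Each snapshot is the process memory captured at a moment when the user knew
    the variable's value; only offsets consistent with every snapshot survive.
    """
    survivors = None
    for memory, value in snapshots:
        matches = find_matches(memory, value)
        survivors = matches if survivors is None else survivors & matches
    return survivors if survivors is not None else set()


def write_value(memory, offset, value):
    """Return a copy of `memory` with the 32-bit LE int at `offset` replaced (the 'modify' step)."""
    patched = bytearray(memory)
    patched[offset:offset + CELL] = struct.pack("<i", value)
    return bytes(patched)


def read_value(memory, offset):
    return struct.unpack_from("<i", memory, offset)[0]


# --- constructed fake process image: 4096 cells of small ints, one target, some noise ---
N_CELLS = 4096
TARGET_CELL = 1337
TARGET_OFFSET = TARGET_CELL * CELL
OBSERVED = [100, 90, 75]  # the value the user reads off at each snapshot


def build_snapshots(seed=7):
    """Three snapshots of the constructed region; constant cells, churning cells and the target."""
    rng = random.Random(seed)
    base = [rng.randrange(0, 256) for _ in range(N_CELLS)]
    noise_cells = {c for c in rng.sample(range(N_CELLS), 50) if c != TARGET_CELL}
    snapshots = []
    for value in OBSERVED:
        cells = list(base)
        for c in noise_cells:
            cells[c] = rng.randrange(0, 256)  # unrelated memory that changes between scans
        cells[TARGET_CELL] = value
        snapshots.append((struct.pack("<%di" % N_CELLS, *cells), value))
    return snapshots


def demo():
    """Return (candidates after the first scan, survivors after all scans)."""
    snapshots = build_snapshots()
    first = find_matches(snapshots[0][0], OBSERVED[0])
    return len(first), narrow(snapshots)


if __name__ == "__main__":
    first_count, survivors = demo()
    print("candidates after first scan:", first_count)
    print("survivors after three scans:", sorted(hex(o) for o in survivors))
    patched = write_value(build_snapshots()[-1][0], TARGET_OFFSET, 999)
    print("value after write:", read_value(patched, TARGET_OFFSET))
```

With values in the range 0..255 the first scan typically yields a dozen or more coincidental hits for 100; every constant cell drops out at the second scan because it still holds 100 rather than 90, and a churning cell only survives if it happens to equal the observed value in all three snapshots. A real process is noisier than this, which is why scanmem needs "several different times" rather than a single scan.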


Sep 17, 2015

Tools: Android Vulnerability Test Suite

Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.


Sep 9, 2015

Howto: Extract sensitive plaintext data from Android memory

1. Upload the file
$ adb push gdbserver /sdcard

2. Enter a shell and become root
$ adb shell
$ su

3. Remount /system as read/write
$ mount -o rw,remount /system

4. Copy file to /system/xbin (or /system/bin)
$ cp /sdcard/gdbserver /system/xbin

5. Change permissions to ensure that it is executable
$ chmod 555 /system/xbin/gdbserver

6. Clean up
$ mount -o ro,remount /system
$ rm /sdcard/gdbserver

7. Download and compile gdb
$ wget
$ bunzip2 gdb-7.7.tar.bz2
$ tar xf gdb-7.7.tar
$ cd gdb-7.7/
$ ./configure --target=arm-linux-gnueabi
$ make

8. Find the keystore pid
$ ps | grep key
$ cd /proc/228

9. Find the heap
What we'll normally find is the code that makes up the process and its libraries, followed by a copy of the important bits of the process:
- heap   - memory assigned by the VM or by the kernel for data storage
- stack  - memory used during function calls etc.
In this example the heap runs from 0xb7712000 (start of heap) to 0xb771f000 (end of heap).

10. Start gdbserver on the process listening on a port on the device
$ gdbserver --attach :1234 228
1234 => any Port
228 => any PID

11. Use adb to forward the port on the device to a local port
$ adb forward tcp:1234 tcp:1234

This now lets us talk to port 1234/tcp on the device by connecting to 1234/tcp on the host.

12. Use a third party program to forward the local port to the device where you will be running gdb
> Use the program "Port Forwarding for Windows" to forward from my native OS to the virtual machine I run gdb on

13. Connect via gdb
$ ./gdb
$ gdb> target remote

14. Dump the memory
$ gdb> dump memory /tmp/heapout 0xb7712000 0xb771f000

15. Look for strings that could be usernames or passwords
$ strings /tmp/heapout | more
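Steps 9, 14 and 15 above (locate the heap in the process map, dump it, run `strings` over it) can be scripted so the check is repeatable, for instance when testing whether your own app's credentials outlive the screen that used them. The following is an added example of mine, not code from the original post: it parses a constructed `/proc/<pid>/maps` excerpt (the heap line reuses the post's 0xb7712000-0xb771f000 range; the other lines are made up), picks out the `[heap]` region, builds the matching gdb `dump memory` command, and then applies a pure-Python `strings` equivalent plus a keyword filter to a constructed heap dump. The keyword list and the dump path are assumptions of the example.

```python
import re

# Constructed /proc/<pid>/maps excerpt; only the [heap] range comes from the post.
SAMPLE_MAPS = """\
b6e5a000-b6e5b000 r-xp 00000000 b3:19 1234       /system/bin/keystore
b6e5b000-b6e5c000 r--p 00000000 b3:19 1234       /system/bin/keystore
b6e5c000-b6e5d000 rw-p 00001000 b3:19 1234       /system/bin/keystore
b7712000-b771f000 rw-p 00000000 00:00 0          [heap]
b7f10000-b7f30000 r-xp 00000000 b3:19 5678       /system/lib/libc.so
bea34000-bea55000 rw-p 00000000 00:00 0          [stack]
"""

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, name = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "name": name.strip()})
    return regions


def find_region(regions, name):
    """Return the first region whose pathname column equals `name`, e.g. '[heap]'."""
    for region in regions:
        if region["name"] == name:
            return region
    return None


def writable_regions(regions):
    """Writable mappings: where a process keeps its runtime data (heap, stack, .data)."""
    return [r for r in regions if "w" in r["perms"]]


def dump_command(region, path="/tmp/heapout"):
    """The gdb command from step 14 for a parsed region (path is an assumed default)."""
    return "dump memory %s 0x%x 0x%x" % (path, region["start"], region["end"])


def extract_strings(data, min_len=4):
    """Pure-Python equivalent of `strings`: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def find_secrets(data, keywords=("user", "pass", "pin", "token")):
    """Strings from the dump that mention a credential-like keyword (assumed keyword list)."""
    hits = []
    for s in extract_strings(data):
        if any(k.encode() in s.lower() for k in keywords):
            hits.append(s.decode("ascii"))
    return hits


# Constructed heap dump: a few plaintext fields between binary noise.
SAMPLE_HEAP = (b"\x00\x00\x90\x12" + b"username=alice\x00" + b"\x7f\x01\x02"
               + b"password=hunter2\x00" + b"\x00" * 16 + b"cache_hit\x00" + b"ab\x00")


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    heap = find_region(regions, "[heap]")
    print("heap: 0x%x-0x%x (%d bytes)" % (heap["start"], heap["end"], heap["end"] - heap["start"]))
    print("gdb> " + dump_command(heap))
    for hit in find_secrets(SAMPLE_HEAP):
        print("possible credential:", hit)
```

On a real device the same parser runs over `cat /proc/<pid>/maps` output, and the `[stack]` and writable library regions returned by `writable_regions` are the next places to look when the heap turns up nothing; a secret that is only ever held as a short-lived local may live on the stack instead.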

Tools: USBDeview v2.45 - View all installed/connected USB devices on your system

USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as an admin user.

Using USBDeview

USBDeview doesn't require any installation process or additional DLL files. Just copy the executable file (USBDeview.exe) to any folder you like, and run it.
The main window of USBDeview displays all USB devices installed on your system. You can select one or more items, and then disconnect (unplug) them, uninstall them, or just save the information into a text/xml/html file.
USBDeview Columns Description
  • Device Name: Specifies the device name. For some devices, this column may display a meaningless name, like "USB Device". If the device name is meaningless, try looking at the Description column.
  • Device Description: The description of the device.
  • Device Type: The device type, according to USB class code. For more information about USB classes: USB Class Codes.
  • Connected: Specifies whether the device is currently connected to your computer. If the device is connected, you can use the 'Disconnect Selected Devices' option (F9) to disconnect the device.
  • Safe To Unplug: Specifies whether it's safe to unplug the device from the USB plug without disconnecting it first. If the value of this column is false, and you want to unplug this device, you must first disconnect this device by using the 'Disconnect Selected Devices' option (F9) of USBDeview utility, or by using the 'Unplug or Eject Hardware' utility of Windows operating system.
  • Drive Letter: Specifies the drive letter of the USB device. This column is only relevant to USB flash memory devices and to USB CD/DVD drives. Be aware that USBDeview cannot detect drive letters of USB hard-disks.
  • Serial Number: Specifies the serial number of the device. This column is only relevant to mass storage devices (flash memory devices, CD/DVD drives, and USB hard-disks).
  • Created Date: Specifies the date/time that the device was installed. In most cases, this date/time value represents the time that you first plugged the device into the USB port. However, be aware that in some circumstances this value may be wrong. Also, on Windows 7, this value is initialized with the current date/time on every reboot.
  • Last Plug/Unplug Date: Specifies the last time that you plugged/unplugged the device. This date value is lost when you restart the computer.
  • VendorID/ProductID: Specifies the VendorID and ProductID of the device. For an unofficial list of VendorID/ProductID values, click here.
  • USB Class/Subclass/Protocol: Specifies the Class/Subclass/Protocol of the device according to USB specifications. For more information about USB classes: USB Class Codes.
  • Hub/Port: Specifies the hub number and port number that the device was plugged into. This value is empty for mass storage devices.
Notice: According to user reports, on some systems the 'Last Plug/Unplug Date' and 'Created Date' values are reinitialized after a reboot. This means that these columns may display the reboot time instead of the correct date/time.