free penetration testing and vulnerability discovery toolkit
See Doc inside...
------------------------------------
Scapy (http://www.secdev.org/projects/scapy/) (Python)
interactive packet manipulation tool Author: Philippe BIONDI
See Doc inside.
------------------------------------
Admin Control Panel Finder v1.1 (Author:KuNdUz) (Perl)
Usage: s3rg3770@localhost:~/Tools/Web_scanner$ perl ACPF.pl
~ Enter Site
* ex: or /path
->
~ Enter site source code
* ex: asp or php
->
->Target:
->Site source code: php
->Searching admin control panel...
[-] Not Found <- admin/
[-] Not Found <- administrator/
Pixy (Secure Systems Lab, Vienna University of Technology) (Java/Perl/PHP)
RTFM Here
s3rg3770@localhost:/opt/lampp/htdocs/audit/pixy$ perl run-all.pl
usage: check [options] file
-a,--call-string call-string analysis (else: functional)
-A,--alias use alias analysis
-L,--literal use literal analysis (usually not necessary)
-P,--prefixes print prefixes and suffixes
-V,--verbosegraphs disable verbose depgraphs
-b,--brief be brief (for regression tests)
-c,--cfg dump the function CFGs in dot syntax
-d,--detailcfg dump the function control flow graphs and the
CFGs of their paramters in dot syntax
-f,--functions print function information
-g,--registerGlobals DISABLE register_globals for analysis
-h,--help print help
-i,--getisuntaintedsql make the GET array untainted for SQL analysis
-l,--libdetect detect libraries (i.e. scripts with empty main
function)
-m,--max print maximum number of temporaries
-o,--outputdir output directory (for graphs etc.)
-p,--parsetree print the parse tree in dot syntax
-q,--query enable interactive queries
-r,--notrim do NOT trim untained stuff (during sanit
analysis)
-s,--sinks provide config files for custom sinks
-t,--table print symbol tables
-v,--verbose enable verbose output
-w,--web web interface mode
-y,--analysistype type of taint analysis (sqlsanit, sql, file,
xsssanit, xss)
----------------------------------------------
Wfuzz 1.1 (edge-security) (Python / Pycurl or Exe)
RATS is authored, maintained and distributed by Secure Software, Inc. All
bug reports, patches, database contributions, comments, etc. should be sent to
rats@securesoftware.com. Our website is http://www.securesoftware.com/
usage: rats [-adhilrwxR] [--help] [--database|--db] name1 name2 ... namen
-a report any occurence of function 'fun' in the source file(s)
-d specify an alternate vulnerability database.
--db
--database
-h display usage information (what you're reading)
--help
-i report functions that accept external input
--input
-l force the specified langauge to be used
--language
-r include references that are not function calls
--references
-w <1,2,3> set warning level (default 2)
--warning <1,2,3>
-x do not load default databases
-R don't recurse subdirectories scanning for matching files
--no-recursion
--xml Output in XML.
--html Output in HTML.
--follow-symlinks
Follow symlinks and process files found.
--noheader
Don't print initial header in output
--nofooter
Don't show timing information footer at end of analysis
--quiet
Don't print status information regarding what file is being analyzed
--resultsonly
No header, footer, or status information
--columns
Show column number of hte line where the problem occured.
--context
Display the line of code that caused the problem report
------------------------------------------------------
Sulley - Fuzzing Framework
Sulley is a fuzzer development and fuzz testing framework consisting of multiple extensible components
RTF PDF inside the package. XD
-------------------------------------------------
Burp Suite ()
------------------------------------------------
ISR-sqlget () (Perl)
It's a blind SQL injection tool developed in Perl.
It lets you get databases schemas and tables rows
RTFM inside the package XD
Usage: ./ISR-sqlget.pl [ACTION] [OPTIONS]
Action:
-c: Check parser module
-t: Get test page
-a: Get all database names (only mssql)
-s: Get database/s structure/s
-d: Get database/s information/s (csv format)
-g: Graphic structure of database (gif format)
Options:
-n: Session name
-p: (Use with -c action, specify src page to check the module);
Default ./template/$SESSION.testpage
-v: Verbose
-h: Help
Scans a uri for XSS, RFI, LFI, SQL Injection and Path disclosures.
Some options include custom User_Agent/Referer, scan choice, proxy and phproxy
Usage : RTFM in the package... XD
-----------------------------------------------
Cookie Tools - cookiesniffer (xenion ) (C)
cookiesniffer e' un semplice e potente cookie sniffer che riconosce
(attraverso euristiche) e ricostruisce (con libnids) qualsiasi connessione
HTTP nuova oppure gia' esistente, facendo il parsing di qualsiasi messaggio
HTTP valido oppure parzialmente valido. L'output e' un insieme di file
contenenti le informazioni raccolte con time-stamps in un formato che puo'
essere facilmente utilizzato con i tool standard di UNIX come grep, awk, cut
e sed. Supporta le reti wireless
#No RTFM here, if you don't know what this does you probably shouldn't be
#messing with it anyway. This is for people doing XSS research only, if those
#words don't resonate with you, you've got the wrong program.
Usage: sqlier [OPTIONS] [url]
-c [host] Clear all exploit information stored for [host].
-o [file] Output cracked passwords to [file].
-s [seconds] Wait [seconds] between page requests.
-u [usernames] Usernames that will be brute forced from the database,
comma separated (Username1,Username2,Username3).
-w [options] Pass [options] to wget.
Passing Field Names:
--table-names [table_names] Comma separated list of table names to guess.
--user-fields [user_fields] Comma separated list of username fields to guess.
--pass-fields [pass_fields] Comma separated list of password fields to guess.
Usage: ./d3sqlfuzz.py (p.s add more table, column name in the source..)
-------------------------------------------
SQLBrute (Justin Clarke, justin at justinclarke dot com) (Python)
Usage: sqlbrute.py options url
[--help|-h] - this help
[--verbose|-v] - verbose mode
[--server|-d oracle|sqlserver] - type of database server (default MS SQL Server)
[--error|-e regex] - regex to recognize error page (error testing on
ly)
[--threads|-s number] - number of threads (default 10)
[--cookie|-k string] - cookies needed
[--time|-n] - force time delay (waitfor) testing
[--data|-p string] - POST data
[--database|-f database] - database to enumerate data from (SQL Server)
[--table|-t table] - table to extract data from
[--column|-c column] - column to extract data from
[--where|-w column=data] - restrict data returned to rows where column
"co lumn" matches "data"
[--header|-x header::val] - header to add to the request (i.e.
Referer::htt p://foobar/blah.asp)
[--output|-o file] - file to send output to
[--psyco|-y] - enable psyco acceleration, if installed (real m emory
hog)
Integer based Injection-->bsqlbf.pl - url [options]
String Based Injection-->bsqlbf.pl - url ' [options]
------------------------------------options:--------------------------
-sql: valid SQL syntax to get; version(), database(),
query like-->(select table_name from inforamtion_schema.tables limit 1 offset 0)
-get: If MySQL user is root, supply word readable file name
-blind: parameter to inject sql. Default is last value of url
-match: *RECOMMENDED* string to match in valid query, Default is try to get auto
-start: if you know the beginning of the string, use it.
-length: maximum length of value. Default is 32.
-time: timer options:
0: dont wait. Default option.
1: wait 15 seconds
2: wait 5 minutes
-type: Type of injection:
0: Type 0 (default) is blind injection based on True and False responses
1: Type 1 is blind injection based on True and Error responses
-database: Backend database:
0: MS-SQL (Default)
1: MYSQL
2: POSTGRES
3: ORACLE
-rtime: wait random seconds, for example: "10-20".
-method: http method to use; get or post. Default is GET.
-uagent: http UserAgent header to use. Default is bsqlbf 2.0
-ruagent: file with random http UserAgent header to use.
-cookie: http cookie header to use
-rproxy: use random http proxy from file list.
-proxy: use proxy http. Syntax: -proxy=
-proxy_user: proxy http user
-proxy_pass: proxy http password
bash# bsqlbf.pl -url -blind u -sql
"select table_name from imformation_schema.tables limit 1 offset 0"
-database 1 -type 1
bash# bsqlbf.pl -url ' -method post -get "/etc/passwd" -match "foo"
LiLith v0.6a ((c) 2003-2005 Michael Hendrickx ) (Perl)
s3rg3770@localhost:~/Hack/Tools/Sql_scanner/9$ perl lilith.pl
LiLith v0.6a : http forms scanner/injector
by michael@code.ae ()
usage: lilith.pl [options]
with following options:
-d : (or file) where to start [default: /]
-a : agent to use (-a 0 for list) ["LiLith v0.6a"]
-u : basic authentication credentials
-p : proxy server (proxy:port)
-U : proxy authentication credentials
-T : wait seconds between requests [0s]
-f : if defined, extensive logging is done to
-c : ignore cookies presented by
-g : try more poison, even when error is found
-s : do not attempt to guess server version
-S : do not strip host and directory from output
-I : don't try to get directory listings
-i : don't inject any poison
-A : print all return codes (lots of data)
-v : verbosity
------------------------------------------------
SQLiX Version 1.0 (Cedric COCHIN - OWASP Project) (Perl)
Target specification:
-url [URL] Scan a given URL.
Example: -url=""
--post_content [CONTENT] Add a content to the current [URL] and change the HTTP method to POST
-file [FILE_NAME] Scan a list of URI provided via a flat file.
Example: -file="./crawling"
-crawl [ROOT_URL] Scan a web site from the given root URL.
Example: -crawl=""
Injection vectors:
-referer Use HTTP referer as a potential injection vector.
-agent Use HTTP User agent as a potential injection vector.
-cookie [COOKIE] Use the cookie as a potential injection vector.
Cookie value has to be specified and the injection area
tagged as "--INJECT_HERE--".
Example: -cookie="userID=--INJECT_HERE--"
Injection methods:
-all Use all the injection methods.
-method_taggy Use MS-SQL "verbose" error messages method.
-method_error Use conditional error messages injection method.
-method_blind Use all blind injection methods.
-method_blind_integer Use integer blind injection method.
-method_blind_string Use string blind injection method.
-method_blind_statement Use statement blind injection method.
-method_blind_comment Use MySQL comment blind injection method.
Attack modules:
-exploit Exploit the found injection to extract information.
by default the version of the database will be retrieved
-function [function] Used with exploit to retrieve a given function value.
Example: -function="system_user"
Example: -function="(select password from user_table)"
-union Analyse target for potential UNION attack [MS-SQL only].
MS-SQL System command injection:
-cmd [COMMAND] System command to be executed.
Example: -cmd="dir c:\\"
-login [LOGIN] MS-SQL login to use if known.
-password [PASSWORD] MS-SQL password to use if known.
Verbosity:
-v=[n] Verbose mode level
v=0 => no output, only results are displayed at the end
v=2 => realtime display, provide minimum result info
v=5 => debug view [all url,content and headers are displayed]
-----------------------------------------
SqlInference (Copyright (C) 2006 Antonio "s4tan" Parata ) (Perl)
Usage: sqlInf.pl [-t 0|1] [-v] : website prone to sql injection attack : string on which it's possible to make inference, for example:
1) known column name
2) LOAD_FILE('') where is a filename (e.g. /etc/passwd)
3) a MySQL function like: DATABASE(), LAST_INSERT_ID(), USER(), VERSION()
-t : type 0 to end the query whit /*
type 1 to end the query whit %20and%20'1'%20=%20'1
-v : verbose output
[options]
-h/-host : Host to scan
-p/-port : Port to use (defaults: 80)
-l/-list : List of sites to scan through
-n/-null : Adds a null byte onto the end of the inclusion
-v/-verbose : Shows every lfi attempt
UnHash 1.0 (dxp2532 |at| gmail |dot| com) (Language C)
brute force attack against a given hash. The hash can be MD5 or SHA1
s3rg3770@localhost:~/Hack/Tools/Brute_forcer/Hash/sha1/unhash$ ./unhash
Usage: unhash SIZE SET HASH
Performs a brute-force attack on the given HASH.
Only MD5 and SHA1 hashes!
SIZE Minimum amount of letters to start with.
SET Number of the alphabet set to acquire letters from.
1. Numeric only
2. Hexadecimal in lowercase
3. HEXadecimal in uppercase
4. alpha only in lowercase
5. ALPHA only in uppercase
6. alphanumeric in lowercase
7. ALPHANUMERIC in uppercase
8. All alpha only, both uppercase and lowercase
9. Alpha-Numeric, both uppercase and lowercase
10. All printable ascii characters
HASH Hashed string to attack.
-------------------------------------------------
Multi MD5 Online Cracker v0.1 ( no
fonte ) (File seguibile , aggiunta estensione .exe.lol poichè prob
segnalazione AV - usare con WINE. Tool utile di ricerca MD5 crackati su
9 motori di ricerca in contemporanea e velocemente. Prima di eseguirlo
togliere la spunta dai siti csthis.com e cryptobitch.de non più on line
)
k8's Md5 Db. - Autore: K8 Versione 0.2 (PHP)
Script che permette l'inserimento di hash da file e non, e la ricerca
1) Impostare user e pass dal config.php per la connessione a MySQL.
2) Creare una cartella per le wordlist ed impostare il percorso in config.php
3) Creare una database denominato md5.
4) Creare una tabella denominata md5.
Con le seguenti caratteristiche:
mysql> describe md5;
+-------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| pass_md5 | varchar(64) | NO | | | |
| pass_chiaro | varchar(64) | NO | | | |
+-------------+--------------+------+-----+---------+----------------+
3 rows in set (0.10 sec)
Ho impostato max 64 caratteri per la password in chiaro. Se volete modificar,
fatelo pure,cambiando il valore nel file config.php al DEFINE MAXLENGTH & MINLENGTH.
Se volete usar un altro database,modificate il file config.php con il nome del vostro db.
Se volete usar un'altra tabella,modificate il file functions.php con il nome della vostra tabella.
---------------------------------------------
Hash Calculator v1.2 (Dhruva Sagar) (Java)
The user can calculate hashes using various different commercially
available algorithms that are used often namely MD2, MD5, SHA-1,
SHA-256, SHA-384, SHA-512
--------------------- Md5This () (Java)
Dictionary recover md5 Salted for example E107 - Vbulletin - IPB
