Conpot is an ICS honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems

Documentation
The built documentation can be found here. There you will also find instructions on how to install Conpot and the FAQ.

Easy install using Docker

Via a pre-built image

  1. Install Docker
  2. Run docker pull honeynet/conpot
  3. Run docker run -it -p 80:80 -p 102:102 -p 502:502 -p 161:161/udp --network=bridge honeynet/conpot:latest /bin/sh
  4. Finally run conpot -f --template default

Navigate to http://MY_IP_ADDRESS to confirm the setup.

Build docker image from source

  1. Install Docker
  2. Clone this repo with git clone https://github.com/mushorg/conpot.git and cd conpot/docker
  3. Run docker build -t conpot .
  4. Run docker run -it -p 80:8800 -p 102:10201 -p 502:5020 -p 161:16100/udp -p 47808:47808/udp -p 623:6230/udp -p 21:2121 -p 69:6969/udp -p 44818:44818 --network=bridge conpot

Navigate to http://MY_IP_ADDRESS to confirm the setup.

Build from source and run with docker-compose

  1. Install docker-compose
  2. Clone this repo with git clone https://github.com/mushorg/conpot.git and cd conpot/docker
  3. Build the image with docker-compose build
  4. Test if everything is running correctly with docker-compose up
  5. Permanently run as a daemon with docker-compose up -d

Sample output

# conpot --template default
[Conpot ASCII-art banner]

Version 0.6.0
MushMush Foundation

2018-08-09 19:13:15,085 Initializing Virtual File System at ConpotTempFS/__conpot__ootc_k3j. Source specified : tar://conpot-0.6.0-py3.6/conpot/data.tar
2018-08-09 19:13:15,100 Please wait while the system copies all specified files
2018-08-09 19:13:15,172 Fetched x.x.x.x as external ip.
2018-08-09 19:13:15,175 Found and enabled ('modbus', ) protocol.
2018-08-09 19:13:15,177 Found and enabled ('s7comm', ) protocol.
2018-08-09 19:13:15,178 Found and enabled ('http', ) protocol.
2018-08-09 19:13:15,179 Found and enabled ('snmp', ) protocol.
2018-08-09 19:13:15,181 Found and enabled ('bacnet', ) protocol.
2018-08-09 19:13:15,182 Found and enabled ('ipmi', ) protocol.
2018-08-09 19:13:15,185 Found and enabled ('enip', ) protocol.
2018-08-09 19:13:15,199 Found and enabled ('ftp', ) protocol.
2018-08-09 19:13:15,206 Found and enabled ('tftp', <conpot.protocols.tftp.tftp_server.TftpServer object at 0x7f1af4fcef28>) protocol.
2018-08-09 19:13:15,206 No proxy template found. Service will remain unconfigured/stopped.
2018-08-09 19:13:15,206 Modbus server started on: ('0.0.0.0', 5020)
2018-08-09 19:13:15,206 S7Comm server started on: ('0.0.0.0', 10201)
2018-08-09 19:13:15,207 HTTP server started on: ('0.0.0.0', 8800)
2018-08-09 19:13:15,402 SNMP server started on: ('0.0.0.0', 16100)
2018-08-09 19:13:15,403 Bacnet server started on: ('0.0.0.0', 47808)
2018-08-09 19:13:15,403 IPMI server started on: ('0.0.0.0', 6230)
2018-08-09 19:13:15,403 handle server PID [23183] running on ('0.0.0.0', 44818)
2018-08-09 19:13:15,404 handle server PID [23183] responding to external done/disable signal in object 139753672309064
2018-08-09 19:13:15,404 FTP server started on: ('0.0.0.0', 2121)
2018-08-09 19:13:15,404 Starting TFTP server at ('0.0.0.0', 6969)
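A small added check, not part of Conpot or its documentation, for confirming the setup beyond loading the HTTP page: it takes the -p mappings of the build-from-source docker run command above and the listener lines from the sample output, and reports which honeypot services are published to the host, which listen only inside the container, and which published host ports have nothing behind them. It assumes the unnamed "handle server" on 44818 is the enip protocol that the log reports as enabled; both inputs are constructed from the text on this page.

```python
import re

# Constructed inputs taken from the page: the -p flags of the
# "build from source" docker run command and the listener lines from
# the sample Conpot startup output.
DOCKER_ARGS = ("-p 80:8800 -p 102:10201 -p 502:5020 -p 161:16100/udp "
               "-p 47808:47808/udp -p 623:6230/udp -p 21:2121 -p 69:6969/udp "
               "-p 44818:44818")
STARTUP_LOG = """\
2018-08-09 19:13:15,206 Modbus server started on: ('0.0.0.0', 5020)
2018-08-09 19:13:15,206 S7Comm server started on: ('0.0.0.0', 10201)
2018-08-09 19:13:15,207 HTTP server started on: ('0.0.0.0', 8800)
2018-08-09 19:13:15,402 SNMP server started on: ('0.0.0.0', 16100)
2018-08-09 19:13:15,403 Bacnet server started on: ('0.0.0.0', 47808)
2018-08-09 19:13:15,403 IPMI server started on: ('0.0.0.0', 6230)
2018-08-09 19:13:15,403 handle server PID [23183] running on ('0.0.0.0', 44818)
2018-08-09 19:13:15,404 FTP server started on: ('0.0.0.0', 2121)
2018-08-09 19:13:15,404 Starting TFTP server at ('0.0.0.0', 6969)
"""

# "-p HOST:CONTAINER[/udp]" as written in the docker run commands above.
PORT_MAP_RE = re.compile(r"-p\s+(\d+):(\d+)(/udp)?")
# The sample output uses three phrasings for a listener coming up:
# "<name> server started on:", "Starting <name> server at", and the
# unnamed "handle server PID [...] running on" line of the enip handler.
LISTEN_RE = re.compile(
    r"(?:(?P<a>\w+) server started on:|Starting (?P<b>\w+) server at|"
    r"handle server PID \[\d+\] running on)\s*\('(?P<ip>[\d.]+)', (?P<port>\d+)\)")


def parse_port_mappings(args):
    """Return {container_port: host_port} from the -p flags in args."""
    return {int(cont): int(host) for host, cont, _udp in PORT_MAP_RE.findall(args)}


def parse_listeners(log):
    """Return {container_port: service_name} from Conpot startup lines."""
    listeners = {}
    for m in LISTEN_RE.finditer(log):
        # Assumption: the unnamed handler on 44818 is the 'enip' protocol
        # that the log reports as found and enabled.
        name = m.group("a") or m.group("b") or "ENIP"
        listeners[int(m.group("port"))] = name
    return listeners


def exposure_report(args, log):
    """Return (exposed, hidden, unused): services reachable via a host port,
    services listening only inside the container, and published host ports
    with no Conpot service behind them."""
    mapping = parse_port_mappings(args)
    listeners = parse_listeners(log)
    exposed = {svc: mapping[p] for p, svc in listeners.items() if p in mapping}
    hidden = [svc for p, svc in listeners.items() if p not in mapping]
    unused = sorted(host for cont, host in mapping.items() if cont not in listeners)
    return exposed, hidden, unused


if __name__ == "__main__":
    exposed, hidden, unused = exposure_report(DOCKER_ARGS, STARTUP_LOG)
    for svc, host_port in exposed.items():
        print(f"{svc:7s} reachable on host port {host_port}")
    print("not published:", hidden or "none")
    print("published but idle:", unused or "none")
```

Run it against the real startup log of your own container and the -p flags you actually passed; a service in the "not published" list is one an attacker can never reach, so it collects nothing.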

WordPress Vulnerability Scanner – Scan for vulnerabilities, version, themes, plugins and much more!
WPintel allows you to scan self-hosted WordPress sites.
With WPintel you can detect the following:
  • Version
  • Version vulnerabilities
  • Plugins
  • Themes
  • Users
and much more!
Although WPintel is designed for self-hosted (wordpress.org) WordPress sites, some of its functionality still works for sites hosted on wordpress.com.

Malice’s mission is to be a free, open-source version of VirusTotal that anyone can use at any scale, from an independent researcher to a Fortune 500 company.

Try It Out

DEMO: demo.malice.io

  • username: malice
  • password: ecilam

Requirements

Hardware

  • ~16GB disk space
  • ~4GB RAM

Getting Started (OSX)

Install

$ brew install maliceio/tap/malice
Usage: malice [OPTIONS] COMMAND [arg...]

Open Source Malware Analysis Framework

Version: 0.3.11

Author:
blacktop -

Options:
--debug, -D Enable debug mode [$MALICE_DEBUG]
--help, -h show help
--version, -v print the version

Commands:
scan Scan a file
watch Watch a folder
lookup Look up a file hash
elk Start an ELK docker container
plugin List, Install or Remove Plugins
help Shows a list of commands or help for one command

Run 'malice COMMAND --help' for more information on a command.

Scan some malware

$ malice scan evil.malware

NOTE: On the first run Malice will download all of its default plugins, which can take a while to complete.

Malice will output the results as a Markdown table that can be piped or copied into a results.md that will look great on GitHub (see here).

Start Malice’s Web UI

$ malice elk

You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)

  • Type in malice as the Index name or pattern and click Create.
  • Now click on the Malice Tab and behold!!!

Getting Started (Docker in Docker)

Install/Update all Plugins

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

Scan a file

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  -v `pwd`:/malice/samples \
  -e MALICE_VT_API=$MALICE_VT_API \
  malice/engine scan SAMPLE

Htcap is a web application scanner able to crawl single page applications (SPAs) recursively by intercepting AJAX calls and DOM changes. Htcap is not just another vulnerability scanner: it is focused on the crawling process and aims to detect and intercept AJAX/fetch calls, WebSockets, JSONP etc. It uses its own fuzzers plus a set of external tools to discover vulnerabilities, and it is designed to be a tool for both manual and automated penetration tests of modern web applications.
It also features a small but powerful framework to quickly develop custom fuzzers in less than 60 lines of Python. The fuzzers can work with GET/POST data, XML and JSON payloads, and switch between POST and GET. Of course, fuzzers run in parallel in a multi-threaded environment.
This is the very first release that uses headless Chrome instead of PhantomJS. Htcap’s JavaScript crawling engine has been rewritten to take advantage of the new async/await features of ECMAScript and has been converted to a Node.js module built on top of Puppeteer.
More info at htcap.org.


SETUP

Requirements

  1. Python 2.7
  2. Nodejs and npm
  3. Sqlmap (for sqlmap scanner module)
  4. Arachni (for arachni scanner module)

Download and Run

$ git clone https://github.com/fcavallarin/htcap.git htcap
$ htcap/htcap.py

DOCUMENTATION
Documentation, examples and demos can be found at the official website https://htcap.org.

Remot3d makes it easy to create a backdoor in an instant; the backdoor can be used in a remote process via a Linux terminal on a server that runs PHP.
It is made to bypass the functions that are disabled on the server, especially for reading sensitive files such as /etc/passwd.

List of Remot3d Functions

  • Create a backdoor for Windows or Linux servers (that can run PHP files)
  • Bypass disabled functions with the imap_open vulnerability
  • Bypass reading of /etc/passwd with cURL or unique logic scripts
  • Generate backdoors that can be controlled remotely from the tool
  • Some other fun stuff 🙂

Getting Started

  1. git clone https://github.com/KeepWannabe/Remot3d
  2. cd Remot3d
  3. chmod +x Remot3d.sh && ./Remot3d.sh

Recommended Linux operating systems:

  • Linux mint (Ubuntu Based with Mate DE)
  • Parrot
  • BackTrack
  • Backbox
  • DracOS
  • IbisLinux

Update Remot3d

  • To update remot3d go to your Remot3d folder and execute : git pull && chmod +x Remot3d.sh && ./Remot3d.sh

Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.
For more information, visit Tyton’s website.

Detected Attacks

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking


Additional Features
Notifications: users (including myself) do not actively monitor their journald logs, so a userland notification daemon is included that monitors the journald logs and displays them to the user using libnotify. Notifications are enabled after install via XDG autostart, so if your display manager does not support /etc/xdg/autostart they will fail.
DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Installing

Dependencies

  • Linux Kernel 4.4.0-31 or greater
  • Corresponding Linux Kernel Headers
  • GCC
  • Make
  • Libnotify
  • Libsystemd
  • Package Config
  • GTK3

From Source

Ubuntu/Debian/Kali

  1. sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
  2. git clone https://github.com/nbulischeck/tyton.git
  3. cd tyton
  4. make
  5. sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

  1. sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
  2. git clone https://github.com/nbulischeck/tyton.git
  3. cd tyton
  4. make
  5. sudo insmod tyton.ko

Note: It’s recommended to install Tyton through the AUR so you can benefit from DKMS.

Fedora/CentOS

  1. dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
  2. git clone https://github.com/nbulischeck/tyton.git
  3. cd tyton
  4. make
  5. sudo insmod tyton.ko

Kernel Module Arguments
The kernel module can be passed a specific timeout argument on insertion through the command line.
To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR
Tyton is available on the AUR here.
You can install it using the AUR helper of your choice:

  • yaourt -S tyton-dkms-git
  • yay -S tyton-dkms-git
  • pakku -S tyton-dkms-git

dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don’t have any source code available.
Want to say thanks? Click the star at the top of the page. Or fork dnSpy and send a PR!
The following pictures show dnSpy in action: editing and debugging a .NET EXE file, with no source code available.

Features

  • Debug .NET Framework, .NET Core and Unity game assemblies, no source code required
  • Edit assemblies in C# or Visual Basic or IL, and edit all metadata
  • Light and dark themes
  • Extensible, write your own extension
  • High DPI support (per-monitor DPI aware)
  • And much more, see below

dnSpy uses the ILSpy decompiler engine and the Roslyn (C# / Visual Basic) compiler and many other open source libraries, see below for more info.

Debugger

  • Debug .NET Framework, .NET Core and Unity game assemblies, no source code required
  • Set breakpoints and step into any assembly
  • Locals, watch, autos windows
  • Variables windows support saving variables (e.g. decrypted byte arrays) to disk or viewing them in the hex editor (memory window)
  • Object IDs
  • Multiple processes can be debugged at the same time
  • Break on module load
  • Tracepoints and conditional breakpoints
  • Export/import breakpoints and tracepoints
  • Call stack, threads, modules, processes windows
  • Break on thrown exceptions (1st chance)
  • Variables windows support evaluating C# / Visual Basic expressions
  • Dynamic modules can be debugged (but not dynamic methods due to CLR limitations)
  • Output window logs various debugging events, and it shows timestamps by default 🙂
  • Assemblies that decrypt themselves at runtime can be debugged, dnSpy will use the in-memory image. You can also force dnSpy to always use in-memory images instead of disk files.
  • Public API, you can write an extension or use the C# Interactive window to control the debugger

Assembly Editor

  • All metadata can be edited
  • Edit methods and classes in C# or Visual Basic with IntelliSense, no source code required
  • Add new methods, classes or members in C# or Visual Basic
  • IL editor for low level IL method body editing
  • Low level metadata tables can be edited. This uses the hex editor internally.

Hex Editor

  • Click on an address in the decompiled code to go to its IL code in the hex editor
  • Reverse of above, press F12 in an IL body in the hex editor to go to the decompiled code or other high level representation of the bits. It’s great to find out which statement a patch modified.
  • Highlights .NET metadata structures and PE structures
  • Tooltips show more info about the selected .NET metadata / PE field
  • Go to position, file, RVA
  • Go to .NET metadata token, method body, #Blob / #Strings / #US heap offset or #GUID heap index
  • Follow references (Ctrl+F12)

Other

  • BAML decompiler
  • Blue, light and dark themes (and a dark high contrast theme)
  • Bookmarks
  • C# Interactive window can be used to script dnSpy
  • Search assemblies for classes, methods, strings etc
  • Analyze class and method usage, find callers etc
  • Multiple tabs and tab groups
  • References are highlighted, use Tab / Shift+Tab to move to next reference
  • Go to entry point and module initializer commands
  • Go to metadata token or metadata row commands
  • Code tooltips (C# and Visual Basic)
  • Export to project

List of other open source libraries used by dnSpy

  • ILSpy decompiler engine (C# and Visual Basic decompilers)
  • Roslyn (C# and Visual Basic compilers)
  • dnlib (.NET metadata reader/writer which can also read obfuscated assemblies)
  • VS MEF (Faster MEF equals faster startup)
  • ClrMD (Access to lower level debugging info not provided by the CorDebug API)

Credits

Recaf is an open-source Java bytecode editor built on top of ObjectWeb’s ASM. ASM is a bytecode manipulation library that abstracts away the constant pool and a few other class-file attributes. Since keeping track of the constant pool and managing proper stack frames are no longer necessary, complex changes can be made with relative ease. With additional features to assist in the process of editing classes, Recaf is the most feature-rich free bytecode editor available.

Useful Information

While ASM makes bytecode manipulation very simple, it does not mean you should dive head-first into editing compiled Java programs without understanding some basic programming concepts and the Java class file architecture. Here are some references for these topics:

For screenshots check the screenshots directory. They appear throughout the documentation as well.

Libraries used:

Here are the main new features and improvements in Faraday v3.5:

New vulnerability form
We are happy to introduce our new vulnerability form, which makes the creation and editing of vulnerabilities easier. The new form brings you tabs to make it smaller and to group different fields.
Custom fields
Add your own custom fields to your vulnerabilities. We currently support str, int and list types. You can also use these fields in your Executive Reports.

2nd-factor authentication
We added optional 2nd-factor authentication. You can use any mobile authenticator application with it.

    As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or ZoomEye, but options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.
    Operational Security Consideration
    Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.
    The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

    Installation
    Installing AutoSploit is very simple; you can find the latest stable release here. You can also download the master branch as a zip or tarball or follow one of the methods below:

    Cloning

    sudo -s << EOF
    git clone https://github.com/NullArray/AutoSploit.git
    cd AutoSploit
    chmod +x install.sh
    ./install.sh
    python2 autosploit.py
    EOF

    Docker

    sudo -s << EOF
    git clone https://github.com/NullArray/AutoSploit.git
    cd AutoSploit
    chmod +x install.sh
    ./install.sh
    cd Docker
    docker network create -d bridge haknet
    docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
    docker build -t autosploit .
    docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
    EOF

    On any Linux system the following should work:

    git clone https://github.com/NullArray/AutoSploit
    cd AutoSploit
    chmod +x install.sh
    ./install.sh

    AutoSploit is compatible with macOS; however, you have to be inside a virtual environment for it to run successfully. To accomplish this, perform the operations below via the terminal or in the form of a shell script.

    sudo -s << '_EOF'
    pip2 install virtualenv --user
    git clone https://github.com/NullArray/AutoSploit.git
    virtualenv <name-of-virtualenv>
    source <name-of-virtualenv>/bin/activate
    cd AutoSploit
    pip2 install -r requirements.txt
    chmod +x install.sh
    ./install.sh
    python autosploit.py
    _EOF

    More information on running Docker can be found here

    Usage
    Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.

    1. Usage And Legal
    2. Gather Hosts
    3. Custom Hosts
    4. Add Single Host
    5. View Gathered Hosts
    6. Exploit Gathered Hosts
    99. Quit

    Choosing option 2 will prompt you for a platform-specific search query. Enter IIS or Apache, for example, and choose a search engine. After doing so, the collected hosts will be saved to be used in the Exploit component.
    As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I’ve posted the options below as well for reference.

    usage: python autosploit.py -[c|z|s|a] -[q] QUERY
    [-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH
    [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
    [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

    optional arguments:
    -h, --help show this help message and exit

    search engines:
    possible search engines to use

    -c, --censys use censys.io as the search engine to gather hosts
    -z, --zoomeye use zoomeye.org as the search engine to gather hosts
    -s, --shodan use shodan.io as the search engine to gather hosts
    -a, --all search all available search engines to gather hosts

    requests:
    arguments to edit your requests

    --proxy PROTO://IP:PORT
    run behind a proxy while performing the searches
    --random-agent use a random HTTP User-Agent header
    -P USER-AGENT, --personal-agent USER-AGENT
    pass a personal User-Agent to use for HTTP requests
    -q QUERY, --query QUERY
    pass your search query

    exploits:
    arguments to edit your exploits

    -E PATH, --exploit-file PATH
    provide a text file to convert into JSON and save for
    later use
    -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
    set the configuration for MSF (IE -C default 127.0.0.1
    8080)
    -e, --exploit start exploiting the already gathered hosts

    misc arguments:
    arguments that don't fit anywhere else

    --ruby-exec if you need to run the Ruby executable with MSF use
    this
    --msf-path MSF-PATH pass the path to your framework if it is not in your
    ENV PATH
    --whitelist PATH only exploit hosts listed in the whitelist file

    Dependencies
    Note: All dependencies should be installed using the above installation method; however, if you find they are not:
    AutoSploit depends on the following Python 2.7 modules.

    requests
    psutil

    Should you find you do not have these installed get them with pip like so.

    pip install requests psutil

    or

    pip install -r requirements.txt

    Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.