Tested on Kali Linux. Should work with all Debian based distros (and other ones if you have the right packages installed)
BabySploit is a penetration testing framework aimed at making it easy to learn how to use bigger, more complicated frameworks like Metasploit. With a very easy to use UI and toolkit, anybody from any experience level will find use out of BabySploit.

Features (Current, In The Works, Planned):

  • Information Gathering
  • Exploitation
  • Post Exploitation
  • Bruteforcing
  • Phishing
  • Cryptography/Stenography

Information Gathering:

  • Nmap
  • IP Info
  • Tcpdump (In The Works)
  • Datasploit (In The Works)
  • Censys Lookup
  • DNS Lookup


  • Searchsploit
  • ReverseShell Wizard

Post Exploitation:

  • In The Works


  • In The Works


  • BlackEye Python


  • MetaKiller (In The Works)

Manticore is a symbolic execution tool for analysis of binaries and smart contracts.

Note: Beginning with version 0.2.0, Python 3.6+ is required.


  • Input Generation: Manticore automatically generates inputs that trigger unique code paths
  • Crash Discovery: Manticore discovers inputs that crash programs via memory safety violations
  • Execution Tracing: Manticore records an instruction-level trace of execution for each generated input
  • Programmatic Interface: Manticore exposes programmatic access to its analysis engine via a Python API

Manticore can analyze the following types of programs:

  • Ethereum smart contracts (EVM bytecode)
  • Linux ELF binaries (x86, x86_64 and ARMv7)


Manticore has a command line interface which can be used to easily symbolically execute a supported program or smart contract. Analysis results will be placed into a new directory beginning with mcore_.
Use the CLI to explore possible states in Ethereum smart contracts. Manticore includes detectors that flag potentially vulnerable code in discovered states. Solidity smart contracts must have a .sol extension for analysis by Manticore. See a demo.

$ manticore ./path/to/contract.sol  # runs, and creates a mcore_* directory with analysis results
$ manticore --detect-reentrancy ./path/to/contract.sol # Above, but with reentrancy detection enabled
$ manticore --detect-all ./path/to/contract.sol # Above, but with all detectors enabled

The command line can also be used to simply explore a Linux binary:

$ manticore ./path/to/binary        # runs, and creates a mcore_* directory with analysis results
$ manticore ./path/to/binary ab cd # use concrete strings "ab", "cd" as program arguments
$ manticore ./path/to/binary ++ ++ # use two symbolic strings of length two as program arguments

Manticore has a Python programming interface which can be used to implement custom analyses.
For Ethereum smart contracts, it can be used for detailed verification of arbitrary contract properties. Set starting conditions, execute symbolic transactions, then review discovered states to ensure invariants for your contract hold.

from manticore.ethereum import ManticoreEVM
contract Adder {
function incremented(uint value) public returns (uint){
if (value == 1)
return value + 1;
m = ManticoreEVM()

user_account = m.create_account(balance=1000)
contract_account = m.solidity_create_contract(contract_src,
value = m.make_symbolic_value()


for state in m.running_states:
print("can value be 1? {}".format(state.can_be_true(value == 1)))
print("can value be 200? {}".format(state.can_be_true(value == 200)))

It is also possible to use the API to create custom analysis tools for Linux binaries.

# example Manticore script
from manticore import Manticore

hook_pc = 0x400ca0

m = Manticore('./path/to/binary')

def hook(state):
cpu = state.cpu
print('eax', cpu.EAX)

m.terminate() # tell Manticore to stop



  • Manticore is supported on Linux and requires Python 3.6+.
  • Ubuntu 18.04 is strongly recommended.
  • Ethereum smart contract analysis requires the solc program in your $PATH.

Install and try Manticore in a few shell commands:

# Install system dependencies
sudo apt-get update && sudo apt-get install python3 python3-pip -y

# Install Manticore and its dependencies
sudo pip3 install manticore

# Download the examples
git clone https://github.com/trailofbits/manticore.git && cd manticore/examples/linux

# Build the examples

# Use the Manticore CLI
manticore basic
cat mcore_*/*0.stdin | ./basic
cat mcore_*/*1.stdin | ./basic

# Use the Manticore API
cd ../script
python3 count_instructions.py ../linux/helloworld

You can also use Docker to quickly install and try Manticore:

# Download the Manticore image
docker pull trailofbits/manticore

# Download the examples
git clone https://github.com/trailofbits/manticore.git && cd manticore

# Run container with a shared examples/ directory
docker run -it -v $PWD/examples:/home/manticore/examples trailofbits/manticore

# Change to examples directory
manticore@80d441275ebf$ cd examples/linux

# Build the examples
manticore@80d441275ebf$ make

# Use the Manticore CLI
manticore@80d441275ebf$ manticore basic
manticore@80d441275ebf$ cat mcore_*/*0.stdin | ./basic
manticore@80d441275ebf$ cat mcore_*/*1.stdin | ./basic

# Use the Manticore API
manticore@80d441275ebf$ cd ../script
manticore@80d441275ebf$ python3 count_instructions.py ../linux/helloworld

Option 1: Perform a user install (requires ~/.local/bin in your PATH).

echo "PATH=$PATH:~/.local/bin" >> ~/.profile
source ~/.profile
pip3 install --user manticore

Option 2: Use a virtual environment (requires virtualenvwrapper or similar).

sudo pip3 install virtualenvwrapper
echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.profile
source ~/.profile
mkvirtualenv manticore
sudo ./manticore/bin/pip3 install manticore

Option 3: Perform a system install.

sudo pip3 install manticore

Option 4: Install via Docker.

docker pull trailofbits/manticore

Once installed, the manticore CLI tool and Python API will be available.
For installing a development version of Manticore, see our wiki.

Getting Help
Feel free to stop by our Slack channel for help on using or extending Manticore.
Documentation is available in several places:

  • The wiki contains some basic information about getting started with Manticore and contributing
  • The examples directory has some very minimal examples that showcase API features
  • The API reference has more thorough and in-depth documentation on our API
  • The manticore-examples repository has some more involved examples, for instance solving real CTF problems

Androspy : is Backdoor Crypter & Creator with Automatic IP Poisener Coded By Belahsan Ouerghi


  • keytool
  • jarsigner
  • Apache2
  • Metasploit-Framework
  • xterm


sudo apt-get install git
git clone https://github.com/TunisianEagles/Androspy.git
cd Androspy
chmod +x setup.sh
sudo ./setup.sh
chmod +x androspy.sh
sudo ./androspy.sh

Tested on :

  • BackBox Linux
  • Kali linux
  • Parrot os



  • Multi-threading
  • 3 modes of detection
  • Regex powered heuristic scanning
  • Huge list of 3370 parameter names


Note: Arjun doesn’t work with python < 3.4

Discover parameters
To find GET parameters, you can simply do:

python3 arjun.py -u https://api.example.com/endpoint --get

Similarly, use --post to find POST parameters.

Arjun uses 2 threads by default but you can tune its performance according to your network connection.

python3 arjun.py -u https://api.example.com/endpoint --get -t 22

Delay between requests
You can delay the request by using the -d option as follows:

python3 arjun.py  -u https://api.example.com/endpoint --get -d 2

Adding HTTP Headers
Using the --headers switch will open an interactive prompt where you can paste your headers. Press Ctrl + S to save and Ctrl + X to procced.

Note: Arjun uses nano as the default editor for the prompt but you can change it by tweaking /core/prompt.py.

The parameter names list has been taken from @SecLists


AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim’s desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Powershell 5.0 or higher


Version 4.5
• New ninja style icon!
• Automatic cleaning of Powershell history after execution
• Now all dependencies are downloaded from the same repository
• Many errors and bugs fixed
• UAC & AMSI bypass in 64-bit systems
• New module available: Remote Desktop Caching
• New module available: Disable system logs (Invoke-Phant0m)
• New module available: Sticky Keys Hacking
• New available module: Remote Desktop History
• New available attack: Session Hijacking (passwordless)
WARNING! This attack is very intrusive and can only be used locally
*The rest of the changes can be consulted in the CHANGELOG file

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords or even recover the history of RDP connections.
One line execution:
powershell -ep bypass “cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .AutoRDPwn.ps1″
The detailed guide of use can be found at the following link:


Credits and Acknowledgments
Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
HarmJ0y & Matt Graeber for his script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
Stas’M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

A Web Dashbord for Nmap XML Report

You should use this with docker, just by sending this command:

$ mkdir /tmp/webmap
$ docker run -d
--name webmap
-h webmap
-p 8000:8000
-v /tmp/webmap:/opt/xml

$ # now you can run Nmap and save the XML Report on /tmp/webmap
$ nmap -sT -A -T4 -oX /tmp/webmap/myscan.xml

Now point your browser to http://localhost:8000

Quick and Dirty

$ curl -sL http://bit.ly/webmapsetup | bash

Upgrade from previous release

$ # stop running webmap container
$ docker stop webmap

$ # remove webmap container
$ docker rm webmap

$ # pull new image from dockerhub
$ docker pull rev3rse/webmap

$ # run WebMap
$ curl -sL http://bit.ly/webmapsetup | bash

Run without Docker
This project is designed to run on a Docker container. IMHO it isn’t a good idea to run this on a custom Django installation, but if you need it you can find all building steps inside the Dockerfile.


  • Import and parse Nmap XML files
  • Statistics and Charts on discovered services, ports, OS, etc…
  • Inspect a single host by clicking on its IP address
  • Attach labels on a host
  • Insert notes for a specific host
  • Create a PDF Report with charts, details, labels and notes
  • Copy to clipboard as Nikto, Curl or Telnet commands
  • Search for CVE and Exploits based on CPE collected by Nmap

Changes on v2.1

  • Better usage of Django template
  • Fixed some Nmap XML parse problems
  • Fixed CVE and Exploit collecting problems
  • Add new Network View

PDF Report

XML Filenames
When creating the PDF version of the Nmap XML Report, the XML filename is used as document title on the first page. WebMap will replace some parts of the filename as following:

  • _ will replaced by a space ()
  • .xml will be removed

Example: ACME_Ltd..xml
PDF title: ACME Ltd.

CVE and Exploits
thanks to the amazing API services by circl.lu, WebMap is able to looking for CVE and Exploits for each CPE collected by Nmap. Not all CPE are checked over the circl.lu API, but only when a specific version is specified (for example: cpe:/a:microsoft:iis:7.5 and not cpe:/o:microsoft:windows).

Network View

Third Parts

Security Issues
This app is not intended to be exposed on the internet. Please, DO NOT expose this app to the internet, use your localhost or, in case you can’t do it, take care to filter who and what can access to WebMap with a firewall rule or something like that. Exposing this app to the whole internet could lead not only to a stored XSS but also to a leakage of sensitive/critical/private informations about your port scan. Please, be smart.

This project is currently a beta, and I’m not super skilled on Django so, every type of contribution is appreciated. I’ll mention all contributors in this section of the README file.

Contributors List

  • s3th_0x @adubaldo (bug on single host report)
  • Neetx @Neetx (bug on xml with no host up)

In order to receive updates about this project, please follow me on twitter:
Twitter: @Menin_TheMiddle
YouTube: Rev3rseSecurity

DEVELOPMENT BRANCH: The current branch is a development version. Go to the stable release by clicking on the master branch.

Dirhunt is a web crawler optimize for search and analyze directories. This tool can find interesting things if the server has the “index of” mode enabled. Dirhunt is also useful if the directory listing is not enabled. It detects directories with false 404 errors, directories where an empty index file has been created to hide things and much more.

$ dirhunt http://website.com/

Dirhunt does not use brute force. But neither is it just a crawler. This tool is faster than others because it minimizes requests to the server. Generally, this tool takes between 5-30 seconds, depending on the website and the server.
Read more about how to use Dirhunt in the documentation.


  • Process one or multiple sites at a time.
  • Process ‘Index Of’ pages and report interesting files.
  • Detect redirectors.
  • Detect blank index file created on directory to hide things.
  • Process some html files in search of new directories.
  • 404 error pages and detect fake 404 errors.
  • Filter results by flags.
  • Analyze results at end. It also processes date & size of the Index Pages (NEW!)
  • Get new directories using robots.txt, VirusTotal & Google (NEW!)
  • Delay between requests
  • One or multiple proxies option. It can also search for free proxies (NEW!)

If you have Pip installed on your system, you can use it to install the latest Dirhunt stable version:

$ sudo pip3 install dirhunt

Python 2.7 & 3.4-3.7 are supported but Python 3.x is recommended. Use pip2 on install for Python2.
There are other installation methods available.

Use open source tools and network intelligence to help organizations with attack surface discovery and identification of security vulnerabilities. Identification of an organizations vulnerabilities is an impossible task without tactical intelligence on the network footprint. By combining open source intelligence with the worlds best open source security scanning tools, we enable your attack surface discovery. With the ability for Internet assets to be deployed in seconds, the attack surface is more dynamic and ever growing. This very fact makes mapping your external network footprint a hard problem. We aim to provide solutions to solve this problem. Start with our tools for domain and IP address data, then pivot to mapping the exposure with hosted open source scanners. We have developed a linux terminal tool using python programming language through an api which we received from HacKerTarget.com.

How do you run it?

git clone https://github.com/ismailtasdelen/hackertarget.git
cd hackertarget/
python hackertarget.py

View :

root@ismailtasdelen:~# python hackertarget.py 

_ _ _ _
| |_ __ _ __ | |__ ___ _ _ | |_ __ _ _ _ __ _ ___ | |_
| ' / _` |/ _|| / // -_)| '_|| _|/ _` || '_|/ _` |/ -_)| _|
|_||_|__,_|__||_____||_| __|__,_||_| __, |___| __|
Ismail Tasdelen
| github.com/ismailtasdelen | linkedin.com/in/ismailtasdelen |

[1] Traceroute
[2] Ping Test
[3] DNS Lookup
[4] Reverse DNS
[5] Find DNS Host
[6] Find Shared DNS
[7] Zone Transfer
[8] Whois Lookup
[9] IP Location Lookup
[10] Reverse IP Lookup
[11] TCP Port Scan
[12] Subnet Lookup
[13] HTTP Header Check
[14] Extract Page Links
[15] Exit

Which option number :

Menu :

  • [1] Traceroute
  • [2] Ping Test
  • [3] DNS Lookup
  • [4] Reverse DNS
  • [5] Find DNS Host
  • [6] Find Shared DNS
  • [7] Zone Transfer
  • [8] Whois Lookup
  • [9] IP Location Lookup
  • [10] Reverse IP Lookup
  • [11] TCP Port Scan
  • [12] Subnet Lookup
  • [13] HTTP Header Check
  • [14] Extract Page Links
  • [15] Exit

Cloning an Existing Repository ( Clone with HTTPS )

root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/hackertarget.git

Cloning an Existing Repository ( Clone with SSH )

root@ismailtasdelen:~# git clone git@github.com:ismailtasdelen/hackertarget.git

Reference :

novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.
Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements “virtual commands” that make it possible to upload, download, edit, and view remote files locallly using your preferred applications.

Install the executable directly from npm:

[sudo] npm install -g novahot

Then seed a config file:

novahot config > ~/.novahotrc


  1. View the available trojans with novahot trojan list.
  2. Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)
  3. Change the control password in the newly-created trojan.
  4. Upload the trojan to a web-accessible location on the target.
  5. Configure target information in the targets property in ~/.novahotrc.
  6. Run novahot shell to open a shell.

Shell Modes
Internally, novahot uses “modes” and “adapters” to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.
To change novahot‘s mode, issue the appropriate “dot command”:

.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }

(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)
For example, the mysql mode makes it possible to directly run queries like the following:

mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;

There additionally exists a payload mode that can be used to POST arbitrary data to the trojan. See the wiki for more information.

Virtual Commands
novahot implements four “virtual commands” that utilize payloads built in to the trojans to extend the functionality of the shell:


download  []

Downloads to --download-dir, and optionally renames it to if specified.


upload  []

Uploads to the shell’s cwd, and optionally renames to if specified.


view  []

Downloads to --download-dir, and optionally renames it to After downloading, the file will be opened by the “viewer” application specified in the configs.



Downloads to a temporary file, and then opens that file for editing using the “editor” specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.

Provisioning a Test Environment
This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application (“DVWA”). Steps for provisioning the environment vary depending on the capabilities of your physical host.

Using docker-compose
If you have docker and docker-compose installed on your physical host, you may simply do the following:

  1. Clone and cd to this repository
  2. Run: docker-compose up

After the docker container starts, the DVWA will be accessible at http://localhost:80.

Using vagrant
If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual-machine:

  1. Clone and cd to this repository
  2. Provision a virtual machine: vagrant up
  3. SSH into the virtual machine: vagrant ssh
  4. Start the docker container: sudo su; cd /vagrant; docker-compose up

The DVWA will be accessible at http://localhost:8000.

Configuring novahot against the laboratory environment
Specify the following connection strings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:


"targets": {
"dvwa" : {
"uri" : "http://localhost:8000/novahot.php",
"password" : "the-password",

"mysql" : {
"username": "root",
"password": "vulnerables",
"database": "dvwa"


You may then establish a webshell via:

novahot shell dvwa

Additional Information
Additional information can be found in the wiki:

Tool designed to help identify incorrectly configured Django applications that are exposing sensitive information.
https://www.reddit.com/r/django/comments/87qcf4/28165_thousand_django_running_servers_are_exposed/ https://twitter.com/6ix7ine/status/978598496658960384?lang=en


Usage: python3 djangohunter.py --key {shodan}
Dorks: 'DisallowedHost', 'KeyError', 'OperationalError', 'Page not found at /'


  • Shodan
  • Pyfiglet
  • Requests
  • BeautifulSoup
pip -r install requirements


Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.