LA FOIR'FOUILLE

Tools and more... The list below is not maintained.

FINGERPRINT

  • haveibeenpwned.sh - Takes a list of email addresses as input and checks their pwned status on https://haveibeenpwned.com/.

  • web/pillage.sh
    Finds interesting files on a system through an LFI previously found on the target.

  • web/versionchecker.sh
    versionchecker.sh hashes a set of input files and compares the hashes to those computed from specific Git releases. It helps identify, for example, a CMS version when files such as CHANGELOG.txt are missing.
    Example of command:
    ./versionchecker.sh -s ./input -g ~/Documents/repo/drupal/ -p "^[78]\.[0-9.]+$"

  • web/knocktone/knocktone.py

    • converts knockpy JSON output files for aquatone-scan
    • DNS-resolves hosts and looks for unresolved aliases
    • generates subdomain lists
    • scans headers generated by aquatone-scan
    • and much more...
    • Install dependencies: pip install -r requirements.txt
  • web/cors/cors.py

    • Multi-threaded script looking for permissive CORS configurations, taking a list of URLs or domains as input
      Example of command:
      cors.py -f urls.txt
      Update 03/07/2020: Everything has been merged into https://github.com/chenjj/CORScanner.git
  • web/git.sh

    • Small bash script providing the following information about a web-exposed Git repository (even if directory traversal is not possible):
      • Dates of the last commits on each branch
      • Highlights directory traversal
      • Highlights whether the remote URL can be accessed (may provide juicy info like user:[email protected])
      • Displays the .git/config file and the root .gitignore
      Example of command:
        git.sh -u http://monsite.com/.git/

PRIVILEGE ESCALATION

  • windows/privesc.bat - Quick-and-dirty script for Windows using accesschk.exe (must be uploaded alongside it; see Sysinternals).
  • windows/wmic_info.bat - Same, using the WMI command-line utility.
  • windows/win_user_add.c - Add a user to local group Administrators.

EXPLOITS

NETWORK

  • mitm/phishing.sh - Launches a MITM attack and redirects a specific domain to our phishing web page.
  • mitm.sh (with Mitmproxy) - has its own repo
    A custom proxy that aims at stripping all HTTPS links from web pages and keeping an insecure connection between the victim and the proxy: VICTIM <-- HTTP --> MITMPROXY <-- HTTPS --> WEBSITE.
    It works for any website with at least one insecure page (which reliably means HSTS is not used for the current domain).
    You can control and do whatever you want with the traffic thanks to custom Python scripts.

DEV

  • urls/uniqurls.py - keeps only unique URLs (for each FQDN, keeping the unique combinations of GET parameters)
  • bruteforce/java/
  • bruteforce/javascript/ - Bruteforce algorithms with permutations and fixed position characters.
  • shell/lin_shell_bind_tcp.c - /bin/sh TCP bind shell.
  • shell/lin_reverse_tcp_shell.c - /bin/sh TCP reverse shell.
  • shell/uid_gid_root_shell.c - setreuid/setregid root /bin/sh shell.

...