Channel: DNS Hijacking – Security List Network™

Updates Tools : a collection of security and hacking tools, including exploits, proofs of concept, shellcodes, scripts, and more.


Change and Update 14.03.2015 : updated vulnerability scanner:

## Blackbox vulnerability scanner for the concrete5 CMS
## Detects concrete5 CMS, version and associated vulnerabilities
## Detects full path disclosure vulnerabilities
## Enumerates CMS users
## Brute-forces user account credentials

This section offers a selection of our fully featured security and hacking tools from NullSecurity.
+ Automation :
This section includes automation tools and wrapper scripts for well-known and public security tools to make your life easier. You can adjust the scripts quickly and easily according to your own needs. Mostly written in Bourne shell.
+ Backdoor :
Backdoors and rootkits for kernel and userland, network, hardware and software. Once you have gone through all the hard work of making sure you can get onto the system, make sure you can always get back in.
+ Binary :
ELF and PE binary related tools. This section includes packers and runtime crypters, including our famous (thanks, TrustedSec team) hyperion tool from our very own belial, and other stuff.
+ Cracker :
Tools for cracking network and software login masks. Not been able to find an exploit to give you RCE? Too lazy to SE? Then go smash down the front doors and rummage around with our cracking and brute force tools.
+ Cryptography :
Encrypt all the things! With privacy issues moving up most people's agenda thanks to items like PRISM in the news, cryptography is one of today's hot topics. It's also pretty useful for exfiltrating data from your target environment, connecting to that C2 box and keeping your loot away from prying eyes.
+ DDoS :
(D)DoS tools if you wanna be like those n00bs at Anonymous or simulate everyone's favourite underground extortionists.
+ Exploit :
Proof of concept tools and, if we are feeling particularly generous, fully working exploits, because there is nothing more fun than RCE, except dinner with noptrix of course.
+ Fuzzer :
Didn't find the exploit you wanted in our exploit section? Well, try one of our fuzzers and write your own god damn code.
+ Keylogger :
When you really need to know those credentials you keep seeing the user enter, or are too lazy to go searching for every new piece of useful information, just try one of our keyloggers and get the user to do the hard work for you!
+ LogCleaner :
Just because our mothers raised us right, we always clean up after ourselves, and pwnage is no exception. These log cleaners also help in not getting caught on that important engagement.
+ Misc :
This section includes miscellaneous files. Often, you will find non-security related stuff here.
+ Reversing :
Whether figuring out how that new piece of malware you just discovered works or hunting for the next 0day from $vendor, our reversing toolz will help you on your way.
+ Scanner :
Can't find any useful hints on Shodan? Google dorks not dishing up the goods? Hell, get one of our scanners out and track down your targets in two shakes of a lol-cat's tail.
+ Shellcode :
Just because our fuzzer worked or the PoC was fantastic doesn't mean that running calc is gonna put a smile on your face. If you got RCE, try our shellcodes to actually do something useful.
+ Wireless :
Why wireless? It works and you don't have to wear your favorite nullsecurity hoody to hide your face from the camera in reception. Hack all the thingz!

Download : Master.zip  | Clone Url
Source : http://nullsecurity.net/


Dnsforwarder – A DNS forwarder designed for anti-spoofing.


Dnsforwarder is a DNS forwarder designed for anti-spoofing.
Latest version 5.0.11:
– Bug fix: compiling on Windows x86 and x64


configure parameters:
--enable-downloader=
+ Selects the library or external program used to download the Hosts file and the GFW List

Options:
+ libcurl: call libcurl; adding this option introduces a dependency on libcurl (default)
+ wget: execute the wget binary to download; suitable for environments without libcurl such as Busybox (Busybox generally ships with wget)
+ no downloader: the download function is not built, so the network-based Hosts and GFW List features cannot be used

--enable-base64decoder=
+ Selects the library or program used for Base64 decoding
+ Base64 decoding is needed when decoding the GFW List

Options:
– openssl: call the openssl decoding library; adding this option introduces a dependency on openssl (libcrypto) (default)
– uudecode: execute the uudecode binary (Busybox generally ships with it) to decode
– If openssl is not available but uudecode is (e.g. on Busybox), choose uudecode
--enable-static
+ Statically link all libraries
--enable-android
+ Enable this option if the target is androideabi. To produce an Android toolchain, search for "Android Standalone Toolchain"; note that the toolchain's libc.so, libm.so and libthread_db.so must be replaced with the corresponding files taken from the phone.

Dependencies :
For Linux:
– pthread;
– libcurl (optional);
– openssl (optional).
+ Macros that need to be defined while compiling:
For Linux: None.

For Windows x86 (at least Windows XP):
– WIN32
For Windows x86-64 (at least Windows Vista):
– WIN32
– WIN64
Usage :

Usage : dnsforwarder [args].
 [args] are case sensitive and can be zero or more (in any order) of:
  -f <FILE>  Use configuration <FILE> instead of the default one.
  -q         Quiet mode. Do not print any information.
  -e         Show only error messages.
  -d         Daemon mode. Run in the background.
  -P         Try to probe all the fake IP addresses held in false DNS responses.

  -p         Prepare the needed environment.

  -h         Show this help.

Output format:
 Date & Time [Udp|Tcp|Cache|Hosts|Refused|Blocked][Client IP][Type in querying][Domain in querying] : Message size
    Results

Download : dnsforwarder-5.zip  | Clone Url
Source : https://github.com/holmium

Updates 3vilTwinAttacker v-0.5.8


Change update 03/29/2015 v-0.5.8 :
+ Deauth Attack: kicks all devices connected to the AP (wireless network) off it; alternatively the attacker can put a MAC address in the Client field, and then only that one client is disconnected from the access point.
+ Probe Request: captures probe requests from clients trying to connect to an AP. Probe requests can be sent by anyone with a legitimate Media Access Control (MAC) address, as association to the network is not required at this stage.
+ Mac Changer: lets you easily spoof the MAC address. With a few clicks, users can change their MAC address.
+ Device FingerPrint: lists devices connected to the network with a mini fingerprint, i.e. information collected about a local computing device.
+ DHCP Starvation Attack: DHCP starvation can be classified as a denial of service attack. It works by broadcasting vast numbers of DHCP requests with spoofed MAC addresses simultaneously.
+ DNS Spoof Manager: DNS spoofing alters the hostname to IP address mapping; by changing the entries in this table we can redirect the victim wherever we want.
+ Windows Update Attack: a DNS spoofing attack that serves a fake Windows Update page, causing the victim to download a fake update file.
+ ARP Poison Attack: ARP-spoofs the target's ARP tables and redirects all its TCP requests to the attacker's IP.

3vilTwinAttacker : This tool creates a rogue Wi-Fi access point, purporting to provide wireless Internet service, but snooping on the traffic.
Software dependencies:
+ Recommended to use Kali Linux.
+ Ettercap.
+ Sslstrip.
+ Airbase-ng, included in aircrack-ng.
+ DHCP.

[install DHCP in Debian-based]

Ubuntu

$ sudo apt-get install isc-dhcp-server

Kali linux

$ echo "deb http://ftp.de.debian.org/debian wheezy main " >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server

[install DHCP in redhat-based]

Fedora

$ sudo yum install dhcp

 


Etter.dns: edit etter.dns to load the dns_spoof module.

Dns Spoof: start the DNS spoof attack on the fake AP interface ath0.

Ettercap: start an ettercap attack against hosts connected to the fake AP, capturing login credentials.

Sslstrip: sslstrip listens for traffic on port 10000.

Driftnet: driftnet sniffs and decodes any JPEG TCP sessions, then displays them in a window.

Download : Master.zip  | Clone Url
Source : https://github.com/P0cL4bs | Our Post Before

Updates MITMf v-0.9.6 : Framework for Man-In-The-Middle attacks.


Changelog MITMf v0.9.6 :
+ DNSChef integration
+ FilePwn plugin updated to latest BDFProxy version
+ Huge amount of bugfixes
+ Code style fixes


(Another) Dependency change!
As of v0.9.6, the fork of the python-netfilterqueue library is no longer required.

Installation
If MITMf is not in your distro's repo or you just want the latest version:
– clone this repository
– run the setup.sh script
– run pip install -r requirements.txt to install all Python dependencies


Changelog
– Addition of DNSChef: the framework is now an IPv4/IPv6 (TCP & UDP) DNS server! Supported queries are: 'A', 'AAAA', 'MX', 'PTR', 'NS', 'CNAME', 'TXT', 'SOA', 'NAPTR', 'SRV', 'DNSKEY' and 'RRSIG'
– Addition of the Sniffer plugin, which integrates Net-Creds; currently supported protocols are: FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (over all supported protocols such as HTTP, SMB, LDAP etc.) and Kerberos
– Integrated Responder to poison LLMNR, NBT-NS and MDNS, and to act as a rogue WPAD server.
– Integrated SSLstrip+ by Leonardo Nve to partially bypass HSTS as demonstrated at BlackHat Asia 2014
– Addition of the SessionHijacking plugin, which uses code from FireLamb to store cookies in a Firefox profile
– Spoof plugin can now exploit the 'ShellShock' bug when DHCP spoofing!
– Spoof plugin now supports ICMP, ARP and DHCP spoofing
– Usage of third party tools has been completely removed (e.g. ettercap)
– FilePwn plugin re-written to backdoor executables and zip files on the fly using the-backdoor-factory and code from BDFProxy
– Added msfrpc.py for interfacing with Metasploit's RPC server
– Added beefapi.py for interfacing with BeEF's RESTful API
– Addition of the app-cache poisoning attack by Krzysztof Kotowicz (blog post explaining the attack: http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html)


How to install on Kali
MITMf is now in the Kali Linux repositories!
apt-get install mitmf

Download : Master.zip | Clone Url | 0.9.6.zip | 0.9.6.tar.gz
Source : http://sign0f4.blogspot.it/ | Github
Our Post before: http://seclist.us/updates-mitmf-v-0-9-5-framework-for-man-in-the-middle-attacks.html

Updates HoneyBadger v-05/05/2015 – TCP attack inquisitor and 0-day catcher.


Version May 5, 2015 :
+ all: make connection factory an interface
+ fix pcapsnifferoptions and various cleanup
+ fix description/copyright banner
+ all: gofmt -s -w
+ Refactor BadgerSupervisor into core package

HoneyBadger is a comprehensive TCP stream analysis tool for detecting and recording TCP attacks. HoneyBadger includes a variety of TCP stream injection attacks which prove that the TCP attack detection is reliable.

project goals:
– HoneyBadger will primarily be a comprehensive TCP stream analysis tool for detecting and recording TCP attacks. Perhaps it can assist in discovering 0-days and botnets.
– HoneyBadger will include a variety of TCP stream injection attacks which prove that the TCP attack detection is reliable.

manual "integration test" with netcat
abstract
This manual testing procedure proves that HoneyBadger's TCP injection detection is solid! It only takes a few minutes to perform, and thus I highly recommend it to new users for two reasons:
– to raise awareness about how insecure TCP is
– to give you confidence that HoneyBadger has reliable TCP attack detection functionality


procedure
1. build honey_badger.go and spray_injector.go (located in the tools directory of the source repository)
2. run honey_badger with these arguments. Note we are telling honey_badger to write log files to the current working directory.

./honey_badger -i=lo -f="tcp port 9666"  -l="."

3. run spray_injector with these arguments

./spray_injector -d=127.0.0.1 -e=9666 -f="tcp" -i=lo

4. start the netcat server

nc -l -p 9666

5. start the netcat client

nc 127.0.0.1 9666

6. Next, enter some data on the netcat server so that it is sent to the connected netcat client, and keep going until spray_injector prints a log message containing "packet spray sent!". At that point the TCP connection will have been sloppily injected.

7. Look for the log files in honey_badger's working directory. You should see two files beginning with "127.0.0.1": the pcap file is a full packet log of that TCP connection, which you can easily view in Wireshark et al., and the JSON file contains attack reports, i.e. the various pieces of information relevant to each TCP injection attack. The spray_injector tends to produce several injections, and does so sloppily with regard to keeping the client and server synchronized.

$ ls 127*
127.0.0.1:43716-127.0.0.1:9666.pcap  127.0.0.1:9666-127.0.0.1:43716.attackreport.json

It's what you'd expect: the pcap file can be viewed and analyzed in Wireshark and other similar tools. The 127.0.0.1:9666-127.0.0.1:43716.attackreport.json file contains JSON report structures. The attack reports contain important information that is highly relevant to your interests, such as:

– type of TCP injection attack
– flow of attack (meaning srcip:srcport-dstip:dstport)
– time of attack
– payload of the packet with the overlapping stream segment (in base64 format)
– previously assembled stream segment that overlaps with the packet payload (in base64 format)
– TCP sequence number of the packet
– end sequence number of the packet
– overlap start offset: the number of bytes from the beginning of the packet payload that we have available among the reassembled stream segments for retrospective analysis
– overlap end offset: the number of bytes from the end of the packet payload that we have in our reassembled stream segments

Sample Output :

$ cat 127.0.0.1:9666-127.0.0.1:43716.attackreport.json
{"Type":"injection","Flow":"127.0.0.1:9666-127.0.0.1:43716","Time":"2015-01-30T08:38:14.378603859Z","Payload":"bWVvd21lb3dtZW93","Overlap":"aHJzCg==","StartSequence":831278445,"EndSequence":831278456,"OverlapStart":0,"OverlapEnd":4}
{"Type":"injection","Flow":"127.0.0.1:9666-127.0.0.1:43716","Time":"2015-01-30T08:38:14.379005763Z","Payload":"bWVvd21lb3dtZW93","Overlap":"cnMK","StartSequence":831278446,"EndSequence":831278457,"OverlapStart":0,"OverlapEnd":3}
...
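To make the report usable in triage, here is an added Python example (not part of HoneyBadger) that parses the JSON lines above, decodes the base64 fields and shows which bytes the injector substituted for the legitimate stream. Its input is the two report lines from the sample output, copied verbatim. It treats OverlapStart/OverlapEnd as a window into the packet payload, which is what the sample's numbers imply (windows of 4 and 3 bytes against the 4-byte "hrs\n" and 3-byte "rs\n" segments), and the consistency checks it applies are inferred from that sample rather than taken from HoneyBadger's documentation.

```python
"""Triage HoneyBadger attackreport.json lines: decode the base64 fields and
show what the injected segment replaced.  Added example, not HoneyBadger code."""
import base64
import json

# Input: the two report lines from the page's sample output (copied verbatim).
SAMPLE_REPORT = """\
{"Type":"injection","Flow":"127.0.0.1:9666-127.0.0.1:43716","Time":"2015-01-30T08:38:14.378603859Z","Payload":"bWVvd21lb3dtZW93","Overlap":"aHJzCg==","StartSequence":831278445,"EndSequence":831278456,"OverlapStart":0,"OverlapEnd":4}
{"Type":"injection","Flow":"127.0.0.1:9666-127.0.0.1:43716","Time":"2015-01-30T08:38:14.379005763Z","Payload":"bWVvd21lb3dtZW93","Overlap":"cnMK","StartSequence":831278446,"EndSequence":831278457,"OverlapStart":0,"OverlapEnd":3}
"""


def parse_report(text):
    """Return one dict per JSON line, with Payload/Overlap decoded to bytes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":      # skip blanks and the page's ellipsis
            continue
        rec = json.loads(line)
        rec["payload"] = base64.b64decode(rec["Payload"])
        rec["overlap"] = base64.b64decode(rec["Overlap"])
        records.append(rec)
    return records


def consistency_issues(rec):
    """Relations that hold in the sample (assumed here, not documented by
    HoneyBadger): the sequence range spans exactly the payload, and the
    window [OverlapStart, OverlapEnd) lies inside the payload and has the
    same length as the decoded Overlap segment."""
    issues = []
    plen = len(rec["payload"])
    span = rec["EndSequence"] - rec["StartSequence"] + 1
    if span != plen:
        issues.append(f"sequence span {span} != payload length {plen}")
    start, end = rec["OverlapStart"], rec["OverlapEnd"]
    if not 0 <= start <= end <= plen:
        issues.append(f"overlap window [{start},{end}) outside payload of {plen} bytes")
    elif end - start != len(rec["overlap"]):
        issues.append(f"window is {end - start} bytes but Overlap decodes to {len(rec['overlap'])}")
    return issues


def triage(text):
    """For each report: the bytes the injector sent over the window (injected)
    versus what the already reassembled stream held there (original)."""
    out = []
    for rec in parse_report(text):
        start, end = rec["OverlapStart"], rec["OverlapEnd"]
        injected = rec["payload"][start:end]
        out.append({
            "flow": rec["Flow"],
            "time": rec["Time"],
            "seq": rec["StartSequence"],
            "injected": injected,
            "original": rec["overlap"],
            "changed": injected != rec["overlap"],   # False would be a plain retransmission
            "issues": consistency_issues(rec),
        })
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        status = "DIVERGENT" if r["changed"] else "retransmit"
        print(f"{r['time']} {r['flow']} seq={r['seq']} {status}: "
              f"injected={r['injected']!r} original={r['original']!r} issues={r['issues']}")
```

Run against the sample, both reports come out DIVERGENT: the spray sent "meowmeowmeow" at sequence 831278445 and again one byte later, each time overlapping the tail of what the netcat server had genuinely sent ("hrs\n", then "rs\n"). A retransmission carrying identical bytes would show as retransmit, which is exactly the case an injection detector must not alert on.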

Download : Master.Zip  | Clone Url | Our post before
Source : https://honeybadger.readthedocs.org/en/latest/ | Github

Dnsf_ckr – A dns exploitation tool.


dnsf_ckr is an application for messing with domain name resolution. So far it works on FreeBSD and Linux.
The idea is to sniff the victim's DNS requests and send a forged response before the real DNS server does. In this way we can redirect the target machine anywhere you want.

Warning:
This application is only for educational purposes. The developer wrote it to show how the DNS protocol can be insecure in some cases, and you should use it responsibly.

How to build it?
In order to build dnsf_ckr you need Hefesto (https://github.com/rafael-santiago/hefesto), a multiplatform build system which currently runs on Linux, FreeBSD and Windows.

Using dnsf_ckr, you need to know:

* The victim's IP address
* The victim's real DNS server IP
* What domain names you wish to spoof

# dnsf_ckr attack config sample

    # first, you have to declare your victim alias

    victims =
        sheep: 192.30.70.9
    ;

    # sheep requests name resolutions from 192.30.70.200 (from now on called "cheap-server")

    dns-servers =
        cheap-server: 192.30.70.200
    ;

    # and now the domain that your victim accesses and which you want to spoof, in the form <domain>:<spoofed-ip>

    namelist boring-sites =
        www.facebook.com: 192.30.70.101
    ;

    # finally, you inform dnsf_ckr of your intentions

    fake-nameserver =
        with sheep mess up boring-sites
    ;

    # but we still need to describe how valid transactions (in normal conditions, i.e. not spoofed) should occur.

    real-dns-transactions =
        sheep sends requests to cheap-server
    ;

What about the dnsf_ckr-core section in the .conf file?
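The race described above only works because a stub resolver accepts the first answer whose transaction ID and question section match its outstanding query. The following Python example is added here (it is not dnsf_ckr's code and uses only the standard library): it builds a query, forges the matching answer the way an on-path sniffer can, and contrasts that with the blind, off-path guess that source-port and 0x20 case randomisation are meant to defeat. The victim, domain and spoofed address come from the sample config above; the transaction IDs, the mixed-case query and the function names are assumptions of the example.

```python
"""DNS response forgery versus the stub-resolver acceptance check.
Added example for this page; not dnsf_ckr's code.  Standard library only."""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte; case kept."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Read a (possibly compressed) name at pkt[off]; return (name, next_offset)."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if (length & 0xC0) == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(txid, name):
    """Stub-resolver query: ID, RD=1, one A question.  Passing a mixed-case
    name models 0x20 bit randomisation (draft-vixie-dnsext-dns0x20)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt):
    txid = struct.unpack("!H", pkt[:2])[0]
    name, off = decode_name(pkt, 12)
    return {"id": txid, "name": name, "question": pkt[12:off + 4]}


def _answer(txid, question, ip, ttl):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1 RD=1 RA=1, 1 answer
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def forge_response(sniffed_query, spoofed_ip, ttl=300):
    """On-path attacker (the dnsf_ckr situation): copy ID and question bytes
    verbatim from the sniffed query, so every resolver check passes."""
    q = parse_query(sniffed_query)
    return _answer(q["id"], q["question"], spoofed_ip, ttl)


def blind_forge(guessed_id, name, spoofed_ip, ttl=300):
    """Off-path attacker: never saw the query, so must guess the ID and rebuild
    the question from the name as it knows it (here: lowercase)."""
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return _answer(guessed_id, question, spoofed_ip, ttl)


def parse_response(pkt):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    _name, off = decode_name(pkt, 12)
    off += 4                                              # qtype, qclass
    question = pkt[12:off]
    ip = None
    if an:
        _owner, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ip = socket.inet_ntoa(pkt[off:off + 4])
    return {"id": txid, "flags": flags, "question": question, "ip": ip}


def resolver_accepts(query, response):
    """The checks a resolver applies (RFC 5452): QR bit set, transaction ID equal,
    question section echoed byte-for-byte (where 0x20 case adds entropy).
    Matching the UDP source port is done by the kernel socket, not shown here."""
    q, r = parse_query(query), parse_response(response)
    return bool(r["flags"] & 0x8000) and r["id"] == q["id"] and r["question"] == q["question"]


if __name__ == "__main__":
    # Scenario from the page's sample config: sheep resolves www.facebook.com and
    # the attacker answers with 192.30.70.101.  Transaction IDs are made up.
    query = build_query(0x1A2B, "wWw.FaCeBoOk.CoM")
    onpath = forge_response(query, "192.30.70.101")
    print("on-path forgery accepted:", resolver_accepts(query, onpath), parse_response(onpath)["ip"])
    print("blind, wrong ID:", resolver_accepts(query, blind_forge(0x1A2C, "www.facebook.com", "192.30.70.101")))
    print("blind, right ID, wrong case:", resolver_accepts(query, blind_forge(0x1A2B, "www.facebook.com", "192.30.70.101")))
```

The on-path forger wins the race no matter how random the source port or transaction ID is, because it copies both from the query it sniffed; RFC 5452 style randomisation and 0x20 only raise the cost of the blind guess. Against an attacker who can see the query, the remaining defences are authenticated or encrypted resolution (DNSSEC validation, DoT/DoH to a trusted resolver) or keeping the attacker off the path, which is what the anti-spoofing forwarder earlier on this page tries to do by probing for the fake answers.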


Download : Master.zip  | Clone Url
Source : https://github.com/rafael-santiago

Updates HoneyBadger v-05/06/2015 – TCP attack inquisitor and 0-day catcher.


Changelog 05/06/2015:
+ Add a potential packetCount to the attack log
+ Fix attack log bug and remove superfluous print
+ Add AF_PACKET support
+ Clean up TCP FSM and fix bugs in FIN-WAIT1
+ Remove olde crusty code stalactite from TCP FSM
+ Detect injection attacks while in CLOSE-WAIT state
+ update unit tests

Download : Master.Zip  | Clone Url | Our post before
Source : https://honeybadger.readthedocs.org/en/latest/ | Github

Updates 3vilTwinAttacker v-0.5.9 – Framework for EvilTwin Attacks.


Changelog 3vilTwinAttacker V-0.5.9:
+ added new themes
+ added thread fast scan IP
+ fixed some bugs

3vilTwinAttacker : This tool creates a rogue Wi-Fi access point, purporting to provide wireless Internet service, but snooping on the traffic.

dependencies:
– Python-scapy
– Python-nmap
– BeautifulSoup
– Airbase-ng, included in aircrack-ng
– DHCP-server

Tools:
+ Etter.dns: edit etter.dns to load the dns_spoof module.
+ Dns Spoof: start the DNS spoof attack on the fake AP interface ath0.
+ Ettercap: start an ettercap attack against hosts connected to the fake AP, capturing login credentials.
+ Sslstrip: sslstrip listens for traffic on port 10000.
+ Driftnet: driftnet sniffs and decodes any JPEG TCP sessions, then displays them in a window.

Modules:
– Deauth Attack: kicks all devices connected to the AP (wireless network) off it; alternatively the attacker can put a MAC address in the Client field, and then only that one client is disconnected from the access point.
– Probe Request: captures probe requests from clients trying to connect to an AP. Probe requests can be sent by anyone with a legitimate Media Access Control (MAC) address, as association to the network is not required at this stage.
– Mac Changer: lets you easily spoof the MAC address. With a few clicks, users can change their MAC address.
– Device FingerPrint: lists devices connected to the network with a mini fingerprint, i.e. information collected about a local computing device.
– DHCP Starvation Attack: DHCP starvation can be classified as a denial of service attack. It works by broadcasting vast numbers of DHCP requests with spoofed MAC addresses simultaneously.
– DNS Spoof Manager: DNS spoofing alters the hostname to IP address mapping; by changing the entries in this table we can redirect the victim wherever we want.
– Windows Update Attack: a DNS spoofing attack that serves a fake Windows Update page, causing the victim to download a fake update file.
– ARP Poison Attack: ARP-spoofs the target's ARP tables and redirects all its TCP requests to the attacker's IP.

Installation:
Ubuntu and Kali install:

$ chmod +x install.sh
$ sudo ./install.sh --install

[install DHCP in Debian-based]
Ubuntu:

$ sudo apt-get install isc-dhcp-server

Kali Linux:

$ echo "deb http://ftp.de.debian.org/debian wheezy main " >> /etc/apt/sources.list
$ apt-get update && apt-get install isc-dhcp-server

Fedora [install DHCP in redhat-based]:

$ sudo yum install dhcp

Download : V0.5.9.zip | V0.5.9.tar.gz
Source : https://github.com/P0cL4bs | Our Post Before


Dnstwist – Generate and resolve domain variations to detect typo squatting, phishing and corporate espionage.


Dnstwist is a tool to generate and resolve domain variations in order to detect typosquatting, phishing and corporate espionage.

Example report_google :

Processing 89 domains !...!.......!!..!!!.!....!.!.!!!!.!!!!!!!!!!!!!!!!!..!!!.!!!!!!..!!..!!.!!!!!!!!!!..!.!!!

Bitsquatting         foogle.com           64.111.126.107      
Bitsquatting         eoogle.com           -                   
Bitsquatting         coogle.com           -                   
Bitsquatting         ooogle.com           -                   
Bitsquatting         woogle.com           98.124.199.1        
Bitsquatting         gnogle.com           -                   
Bitsquatting         gmogle.com           -                   
Bitsquatting         gkogle.com           -                   
Bitsquatting         ggogle.com           -                   
Bitsquatting         gongle.com           -                   
Bitsquatting         gomgle.com           -                   
Bitsquatting         gokgle.com           -                   
Bitsquatting         goggle.com           104.156.226.89      
Bitsquatting         goofle.com           69.89.22.115        
Bitsquatting         gooele.com           -                   
Bitsquatting         goocle.com           -                   
Bitsquatting         gooole.com           98.124.199.1        
Bitsquatting         goowle.com           54.68.76.21         
Bitsquatting         googme.com           199.59.243.120      
Bitsquatting         googne.com           -                   
Bitsquatting         googhe.com           199.59.243.120      
Bitsquatting         googde.com           -                   
Bitsquatting         googld.com           -                   
Bitsquatting         googlg.com           -                   
Bitsquatting         googla.com           -                   
Bitsquatting         googlm.com           98.126.223.220      
Bitsquatting         googlu.com           -                   
Homoglyph            g0ogle.com           98.124.198.1        
Homoglyph            go0gle.com           -                   
Homoglyph            googie.com           209.237.151.18      
Repetition           ggoogle.com          46.28.247.113       
Repetition           gooogle.com          46.28.247.109       
Repetition           gooogle.com          46.28.247.93        
Repetition           googgle.com          -                   
Repetition           googlle.com          96.126.106.126      
Repetition           googlee.com          46.28.247.114       
Replacement          ogogle.com           46.28.247.109       
Replacement          google.com           46.28.247.99        
Replacement          gogole.com           46.28.247.94        
Replacement          goolge.com           46.28.247.119       
Replacement          googel.com           46.28.247.84        
Omission             oogle.com            109.123.198.149     
Omission             gogle.com            46.28.247.94        
Omission             gogle.com            46.28.247.108       
Omission             goole.com            87.106.83.127       
Omission             googe.com            162.243.20.86       
Omission             googl.com            46.28.247.98        
Insertion            g0oogle.com          185.2.66.16         
Insertion            go0ogle.com          5.39.99.51          
Insertion            gpoogle.com          64.15.205.100       
Insertion            gopogle.com          209.15.13.134       
Insertion            gloogle.com          -                   
Insertion            gologle.com          -                   
Insertion            gkoogle.com          50.63.202.7         
Insertion            gokogle.com          103.224.182.253     
Insertion            gioogle.com          208.87.34.163       
Insertion            goiogle.com          -                   
Insertion            g9oogle.com          185.53.177.8        
Insertion            go9ogle.com          199.59.243.120      
Insertion            go0ogle.com          5.39.99.51          
Insertion            goo0gle.com          103.224.182.244     
Insertion            gopogle.com          209.15.13.134       
Insertion            goopgle.com          69.162.80.56        
Insertion            gologle.com          -                   
Insertion            goolgle.com          -                   
Insertion            gokogle.com          103.224.182.253     
Insertion            gookgle.com          103.224.182.210     
Insertion            goiogle.com          -                   
Insertion            gooigle.com          -                   
Insertion            go9ogle.com          199.59.243.120      
Insertion            goo9gle.com          185.2.66.16         
Insertion            gooygle.com          -                   
Insertion            googyle.com          103.224.182.252     
Insertion            goohgle.com          83.64.127.75        
Insertion            googhle.com          5.39.99.51          
Insertion            goobgle.com          103.224.182.249     
Insertion            googble.com          69.163.201.152      
Insertion            goovgle.com          199.59.243.120      
Insertion            googvle.com          103.224.182.243     
Insertion            goofgle.com          208.73.210.200      
Insertion            googfle.com          103.224.182.241     
Insertion            gootgle.com          103.224.182.244     
Insertion            googtle.com          -                   
Insertion            googkle.com          -                   
Insertion            googlke.com          98.124.198.1        
Insertion            googole.com          -                   
Insertion            googloe.com          209.15.13.134       
Insertion            googple.com          199.59.243.120      
Insertion            googlpe.com          103.224.182.243
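The categories in the report above map onto simple string transformations. Below is an added Python example (an illustrative reimplementation, not dnstwist's own code) that generates the same kinds of candidates for a registrable domain; its keyboard-adjacency and homoglyph tables are abbreviated choices of this example, and the resolution step dnstwist performs is left out so the code runs offline. Two things worth noticing against the report: the rows it labels "Replacement" (ogogle, gogole, goolge, googel) are swaps of two adjacent characters, implemented here as transposition, and the generator below drops the unchanged original name, which the report lists among its own candidates.

```python
"""Typosquat candidate generation in the spirit of the dnstwist report above.
Added illustration, not dnstwist's code.  Resolution is intentionally omitted."""

# Keyboard neighbours (US QWERTY, abbreviated; an assumption of this example).
QWERTY = {
    "q": "12wa", "w": "3esaq2", "e": "4rdsw3", "r": "5tfde4", "t": "6ygfr5",
    "y": "7uhgt6", "u": "8ijhy7", "i": "9okju8", "o": "0plki9", "p": "lo0",
    "a": "qwsz", "s": "edxzaw", "d": "rfcxse", "f": "tgvcdr", "g": "yhbvft",
    "h": "ujnbgy", "j": "ikmnhu", "k": "olmji", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Look-alike characters (abbreviated; an assumption of this example).
HOMOGLYPHS = {"o": "0", "0": "o", "l": "1i", "i": "l1", "1": "li",
              "e": "3", "a": "4", "s": "5", "g": "q", "q": "g", "b": "d", "d": "b"}
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def _valid(label):
    """A label may not be empty or start/end with a hyphen."""
    return bool(label) and label[0] != "-" and label[-1] != "-"


def bitsquatting(name):
    """Flip one bit of one character: the corruption a memory error produces."""
    out = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit))
            if c in ALLOWED:
                out.add(name[:i] + c + name[i + 1:])
    return out


def homoglyph(name):
    return {name[:i] + g + name[i + 1:] for i, ch in enumerate(name) for g in HOMOGLYPHS.get(ch, "")}


def repetition(name):
    """Double one character (a held-down key)."""
    return {name[:i] + ch + name[i:] for i, ch in enumerate(name)}


def transposition(name):
    """Swap two adjacent characters (labelled 'Replacement' in the report above)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}


def omission(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def insertion(name):
    """Insert a keyboard neighbour of each character before and after it."""
    out = set()
    for i, ch in enumerate(name):
        for n in QWERTY.get(ch, ""):
            out.add(name[:i] + n + name[i:])
            out.add(name[:i + 1] + n + name[i + 1:])
    return out


GENERATORS = {
    "bitsquatting": bitsquatting, "homoglyph": homoglyph, "repetition": repetition,
    "transposition": transposition, "omission": omission, "insertion": insertion,
}


def generate(domain):
    """Candidates per category for a registrable domain such as 'google.com'
    (one label plus TLD; subdomains are not handled).  The original name and
    invalid labels are dropped and duplicates collapse."""
    name, _, tld = domain.lower().partition(".")
    return {cat: sorted(f"{c}.{tld}" for c in fn(name) if c != name and _valid(c))
            for cat, fn in GENERATORS.items()}


if __name__ == "__main__":
    for cat, hits in generate("google.com").items():
        print(f"{cat:14s} {len(hits):3d}  {' '.join(hits[:6])} ...")
```

To turn the candidates into the report format, resolve each one (socket.gethostbyname or a DNS library) and print a dash for NXDOMAIN; registered look-alikes that resolve to the same hosting ranges, as many of the 46.28.247.x and 103.224.182.x entries above do, are usually parked by a single squatter and can be grouped by address before anyone investigates them by hand.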

Example report_twitter :

Processing 113 domains !!..!!!!.!!!!!...!.!.!.!.!..!.!..!!.!!!!!!!!!!!!.!!.!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!...!.!!!.!!.!.!..!!!.!.!!.!

Bitsquatting         uwitter.com          72.52.4.120         
Bitsquatting         vwitter.com          54.68.76.21         
Bitsquatting         pwitter.com          -                   
Bitsquatting         dwitter.com          -                   
Bitsquatting         tvitter.com          5.22.149.135        
Bitsquatting         tuitter.com          208.73.210.200      
Bitsquatting         tsitter.com          50.63.202.35        
Bitsquatting         tgitter.com          192.40.56.146       
Bitsquatting         twhtter.com          -                   
Bitsquatting         twktter.com          103.224.182.241     
Bitsquatting         twmtter.com          54.68.76.21         
Bitsquatting         twatter.com          208.82.16.68        
Bitsquatting         twytter.com          184.168.221.96      
Bitsquatting         twiuter.com          185.53.177.8        
Bitsquatting         twivter.com          -                   
Bitsquatting         twipter.com          -                   
Bitsquatting         twidter.com          -                   
Bitsquatting         twituer.com          72.52.4.119         
Bitsquatting         twitver.com          -                   
Bitsquatting         twitper.com          162.255.119.246     
Bitsquatting         twitder.com          -                   
Bitsquatting         twittdr.com          72.52.4.119         
Bitsquatting         twittgr.com          -                   
Bitsquatting         twittar.com          96.126.106.126      
Bitsquatting         twittmr.com          -                   
Bitsquatting         twittur.com          198.187.31.153      
Bitsquatting         twittes.com          -                   
Bitsquatting         twittep.com          -                   
Bitsquatting         twittev.com          184.187.12.126      
Bitsquatting         twittez.com          -                   
Bitsquatting         twitteb.com          54.68.76.21         
Homoglyph            tvvitter.com         -                   
Homoglyph            twltter.com          -                   
Repetition           ttwitter.com         95.211.117.206      
Repetition           twwitter.com         95.211.117.206      
Repetition           twiitter.com         -                   
Repetition           twittter.com         199.59.148.82       
Repetition           twittter.com         199.59.148.82       
Repetition           twitteer.com         62.116.130.8        
Repetition           twitterr.com         95.211.117.206      
Replacement          wtitter.com          95.211.117.206      
Replacement          tiwtter.com          54.75.246.166       
Replacement          twtiter.com          208.73.210.200      
Replacement          twitter.com          199.16.156.198      
Replacement          twitetr.com          95.211.117.206      
Replacement          twittre.com          95.211.117.206      
Omission             witter.com           66.147.244.205      
Omission             titter.com           84.22.98.192        
Omission             twtter.com           -                   
Omission             twiter.com           199.16.156.70       
Omission             twiter.com           199.16.156.70       
Omission             twittr.com           -                   
Omission             twitte.com           66.33.208.125       
Insertion            t3witter.com         198.40.51.109       
Insertion            tw3itter.com         50.63.202.8         
Insertion            tewitter.com         95.211.117.206      
Insertion            tweitter.com         69.162.80.53        
Insertion            tswitter.com         31.170.164.149      
Insertion            twsitter.com         184.168.221.29      
Insertion            tawitter.com         69.162.80.54        
Insertion            twaitter.com         184.168.221.8       
Insertion            tqwitter.com         95.211.117.206      
Insertion            twqitter.com         199.59.243.120      
Insertion            t2witter.com         -                   
Insertion            tw2itter.com         50.63.202.12        
Insertion            tw9itter.com         199.59.243.120      
Insertion            twi9tter.com         185.53.179.6        
Insertion            twoitter.com         208.73.211.178      
Insertion            twiotter.com         103.224.182.241     
Insertion            twkitter.com         184.168.221.11      
Insertion            twiktter.com         185.53.177.9        
Insertion            twjitter.com         184.168.221.96      
Insertion            twijtter.com         199.59.243.120      
Insertion            twuitter.com         103.224.182.243     
Insertion            twiutter.com         95.211.117.206      
Insertion            tw8itter.com         184.168.221.21      
Insertion            twi8tter.com         185.53.179.9        
Insertion            twi6tter.com         184.171.252.34      
Insertion            twit6ter.com         208.73.211.178      
Insertion            twiytter.com         162.218.54.42       
Insertion            twityter.com         8.5.1.37            
Insertion            twigtter.com         199.59.243.120      
Insertion            twitgter.com         50.63.202.15        
Insertion            twiftter.com         72.52.4.119         
Insertion            twitfter.com         148.251.19.202      
Insertion            twirtter.com         116.212.117.220     
Insertion            twitrter.com         -                   
Insertion            twi5tter.com         -                   
Insertion            twit5ter.com         -                   
Insertion            twit6ter.com         208.73.210.200      
Insertion            twitt6er.com         -                   
Insertion            twityter.com         8.5.1.37            
Insertion            twittyer.com         185.53.178.6        
Insertion            twitgter.com         50.63.202.15        
Insertion            twittger.com         -                   
Insertion            twitfter.com         148.251.19.202      
Insertion            twittfer.com         208.73.210.214      
Insertion            twitrter.com         -                   
Insertion            twittrer.com         69.162.80.53        
Insertion            twit5ter.com         -                   
Insertion            twitt5er.com         198.40.51.109       
Insertion            twitt4er.com         -                   
Insertion            twitte4r.com         -                   
Insertion            twittrer.com         69.162.80.53        
Insertion            twitterr.com         95.211.117.206      
Insertion            twittder.com         208.73.210.217      
Insertion            twittedr.com         -                   
Insertion            twittser.com         208.73.210.214      
Insertion            twittesr.com         -                   
Insertion            twittwer.com         103.1.175.248       
Insertion            twittewr.com         199.59.243.120      
Insertion            twitt3er.com         -                   
Insertion            twitte3r.com         50.63.202.12

Example report_facebook :

Processing 120 domains ..!!!!!!.!!!!..!!!!.!!!!!!!!!.!..!.!!.!.....!!!!!!!!...!.!!!!!!!!!!!!.!.!...!!!...!!.!!.....!.!!!!.!!!!.!!!!!!!!!!.!!.!!

Bitsquatting         gacebook.com         -                   
Bitsquatting         dacebook.com         -                   
Bitsquatting         bacebook.com         116.212.117.220     
Bitsquatting         nacebook.com         68.65.123.248       
Bitsquatting         vacebook.com         103.224.182.241     
Bitsquatting         fccebook.com         103.224.182.252     
Bitsquatting         fecebook.com         146.148.34.125      
Bitsquatting         ficebook.com         103.224.182.245     
Bitsquatting         fqcebook.com         -                   
Bitsquatting         fabebook.com         208.87.150.50       
Bitsquatting         faaebook.com         174.139.64.188      
Bitsquatting         fagebook.com         199.59.243.120      
Bitsquatting         fakebook.com         98.131.4.39         
Bitsquatting         fasebook.com         -                   
Bitsquatting         facdbook.com         -                   
Bitsquatting         facgbook.com         185.53.179.9        
Bitsquatting         facabook.com         208.87.150.50       
Bitsquatting         facmbook.com         8.5.1.31            
Bitsquatting         facubook.com         199.59.243.120      
Bitsquatting         facecook.com         -                   
Bitsquatting         facefook.com         199.59.243.120      
Bitsquatting         facejook.com         103.224.182.251     
Bitsquatting         facerook.com         75.126.102.246      
Bitsquatting         facebnok.com         103.224.182.252     
Bitsquatting         facebmok.com         54.68.76.21         
Bitsquatting         facebkok.com         96.126.106.126      
Bitsquatting         facebgok.com         54.68.76.21         
Bitsquatting         facebonk.com         23.254.217.113      
Bitsquatting         facebomk.com         208.73.210.214      
Bitsquatting         facebokk.com         -                   
Bitsquatting         facebogk.com         54.68.76.21         
Bitsquatting         facebooj.com         -                   
Bitsquatting         facebooi.com         -                   
Bitsquatting         facebooo.com         162.255.119.114     
Bitsquatting         facebooc.com         -                   
Homoglyph            faceb0ok.com         199.59.243.120      
Homoglyph            facebo0k.com         75.126.104.241      
Repetition           ffacebook.com        -                   
Repetition           faacebook.com        173.252.120.6       
Repetition           faccebook.com        -                   
Repetition           faceebook.com        -                   
Repetition           facebbook.com        -                   
Repetition           faceboook.com        -                   
Repetition           faceboook.com        -                   
Repetition           facebookk.com        127.0.0.1           
Replacement          afcebook.com         96.126.106.126      
Replacement          fcaebook.com         173.252.120.6       
Replacement          faecbook.com         52.0.7.30           
Replacement          facbeook.com         96.126.106.126      
Replacement          faceobok.com         173.252.120.6       
Replacement          facebook.com         173.252.120.6       
Replacement          faceboko.com         185.53.177.20       
Omission             acebook.com          -                   
Omission             fcebook.com          -                   
Omission             faebook.com          -                   
Omission             facbook.com          173.252.120.6       
Omission             faceook.com          -                   
Omission             facebok.com          173.252.120.6       
Omission             facebok.com          173.252.120.6       
Omission             faceboo.com          173.252.120.6       
Insertion            fqacebook.com        185.53.177.9        
Insertion            faqcebook.com        72.52.4.119         
Insertion            fwacebook.com        103.224.182.214     
Insertion            fawcebook.com        209.15.13.134       
Insertion            fsacebook.com        68.65.123.151       
Insertion            fascebook.com        208.73.210.217      
Insertion            fzacebook.com        74.200.250.181      
Insertion            fazcebook.com        199.59.243.120      
Insertion            faxcebook.com        184.168.221.15      
Insertion            facxebook.com        -                   
Insertion            fadcebook.com        103.224.182.241     
Insertion            facdebook.com        -                   
Insertion            fafcebook.com        208.73.210.200      
Insertion            facfebook.com        -                   
Insertion            favcebook.com        -                   
Insertion            facvebook.com        -                   
Insertion            fac4ebook.com        103.224.182.214     
Insertion            face4book.com        209.15.13.134       
Insertion            facrebook.com        103.224.182.252     
Insertion            facerbook.com        -                   
Insertion            facdebook.com        -                   
Insertion            facedbook.com        -                   
Insertion            facsebook.com        74.200.250.181      
Insertion            facesbook.com        103.224.182.241     
Insertion            facwebook.com        -                   
Insertion            facewbook.com        208.73.211.178      
Insertion            fac3ebook.com        198.12.15.244       
Insertion            face3book.com        -                   
Insertion            facevbook.com        -                   
Insertion            facebvook.com        -                   
Insertion            facegbook.com        -                   
Insertion            facebgook.com        -                   
Insertion            facehbook.com        199.59.243.120      
Insertion            facebhook.com        -                   
Insertion            facenbook.com        72.52.4.119         
Insertion            facebnook.com        103.224.182.241     
Insertion            faceb0ook.com        103.224.182.214     
Insertion            facebo0ok.com        146.148.34.125      
Insertion            facebpook.com        -                   
Insertion            facebopok.com        103.224.182.241     
Insertion            faceblook.com        103.224.182.241     
Insertion            facebolok.com        208.73.210.217      
Insertion            facebkook.com        199.59.243.120      
Insertion            facebokok.com        -                   
Insertion            facebiook.com        103.224.182.241     
Insertion            faceboiok.com        146.148.34.125      
Insertion            faceb9ook.com        208.91.196.126      
Insertion            facebo9ok.com        185.53.177.20       
Insertion            facebo0ok.com        54.210.47.225       
Insertion            faceboo0k.com        103.224.182.214     
Insertion            facebopok.com        103.224.182.241     
Insertion            faceboopk.com        103.224.182.252     
Insertion            facebolok.com        208.73.210.214      
Insertion            faceboolk.com        146.148.34.125      
Insertion            facebokok.com        -                   
Insertion            facebookk.com        127.0.0.1           
Insertion            faceboiok.com        146.148.34.125      
Insertion            facebooik.com        -                   
Insertion            facebo9ok.com        185.53.177.20       
Insertion            faceboo9k.com        208.73.210.217

Dnstwist Script.py:

#!/usr/bin/env python
"""
dnstwist by marcin@ulikowski.pl
Generate and resolve domain variations to detect typo squatting,
phishing and corporate espionage.
"""

__version__ = '20150612'


import sys
import socket
import signal


def sigint_handler(signal, frame):
	print('You pressed Ctrl+C!')
	sys.exit(0)


def bitsquatting(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	masks = [1, 2, 4, 8, 16, 32, 64, 128]
	for i in range(0, len(dom)):
		c = dom[i]
		for j in range(0, len(masks)):
			b = chr(ord(c) ^ masks[j])
			if (b.isalpha() and b.lower() == b):
				out.append(dom[:i] + b + dom[i+1:] + '.' + tld)
	return out


def homoglyph(domain):
	glyphs = { 'd':['b', 'cl'], 'm':['n', 'rn'], 'l':['1', 'i'], 'o':['0'], 'w':['vv'], 'n':['m'], 'b':['d'], 'i':['l'] }
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)):
		c = dom[i]
		if c in glyphs:
			for g in range(0, len(glyphs[c])):
				out.append(dom[:i] + glyphs[c][g] + dom[i+1:] + '.' + tld)
	return out


def repetition(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)):
		if dom[i].isalpha():
			out.append(dom[:i] + dom[i] + dom[i] + dom[i+1:] + '.' + tld)
	return out


def replacement(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)-1):
		out.append(dom[:i] + dom[i+1] + dom[i] + dom[i+2:] + '.' + tld)
	return out


def omission(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)):
		out.append(dom[:i] + dom[i+1:] + '.' + tld)
	return out


def insertion(domain):
	keys = {
	'1':'2q', '2':'3wq1', '3':'4ew2', '4':'5re3', '5':'6tr4', '6':'7yt5', '7':'8uy6', '8':'9iu7', '9':'0oi8', '0':'po9',
	'q':'12wa', 'w':'3esaq2', 'e':'4rdsw3', 'r':'5tfde4', 't':'6ygfr5', 'y':'7uhgt6', 'u':'8ijhy7', 'i':'9okju8', 'o':'0plki9', 'p':'lo0',
	'a':'qwsz', 's':'edxzaw', 'd':'rfcxse', 'f':'tgvcdr', 'g':'yhbvft', 'h':'ujnbgy', 'j':'ikmnhu', 'k':'olmji', 'l':'kop',
	'z':'asx', 'x':'zsdc', 'c':'xdfv', 'v':'cfgb', 'b':'vghn', 'n':'bhjm', 'm':'njk'
	}
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]

	for i in range(1, len(dom)-1):
		if dom[i] in keys:
			for c in range(0, len(keys[dom[i]])):
				out.append(dom[:i] + keys[dom[i]][c] + dom[i] + dom[i+1:] + '.' + tld)
				out.append(dom[:i] + dom[i] + keys[dom[i]][c] + dom[i+1:] + '.' + tld)
	return out


# print() with a single string argument works unchanged under Python 2 and 3
print('dnstwist (' + __version__ + ') by marcin@ulikowski.pl')
if len(sys.argv) < 2:
	print('Usage: ' + sys.argv[0] + ' <domain>')
	sys.exit()

domains = []

for i in bitsquatting(sys.argv[1]):
	domains.append({'type':'Bitsquatting', 'domain':i, 'ipaddr':'-'})
for i in homoglyph(sys.argv[1]):
	domains.append({'type':'Homoglyph', 'domain':i, 'ipaddr':'-'})
for i in repetition(sys.argv[1]):
	domains.append({'type':'Repetition', 'domain':i, 'ipaddr':'-'})
for i in replacement(sys.argv[1]):
	domains.append({'type':'Replacement', 'domain':i, 'ipaddr':'-'})
for i in omission(sys.argv[1]):
	domains.append({'type':'Omission', 'domain':i, 'ipaddr':'-'})
for i in insertion(sys.argv[1]):
	domains.append({'type':'Insertion', 'domain':i, 'ipaddr':'-'})

sys.stdout.write('Processing ' + str(len(domains)) + ' domains ')
sys.stdout.flush()

signal.signal(signal.SIGINT, sigint_handler)

for i in range(0, len(domains)):
	try:
		domains[i]['ipaddr'] = socket.gethostbyname(domains[i]['domain'])
	except socket.error:
		# unresolvable (NXDOMAIN etc.): keep '-'. A bare except here would also
		# swallow the SystemExit raised by sigint_handler and make Ctrl+C useless.
		sys.stdout.write('.')
		sys.stdout.flush()
	else:
		sys.stdout.write('!')
		sys.stdout.flush()

sys.stdout.write('\n\n')

for d in domains:
	print("%-20s %-20s %-20s" % (d['type'], d['domain'], d['ipaddr']))
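
The report this script prints is three whitespace-separated columns (permutation type, domain, resolved A record or a dash), and the permutation functions do not deduplicate: replacement() swapping two identical adjacent characters returns the input domain itself (which is why twitter.com and facebook.com appear in their own Replacement lists), and repetition() or omission() on a doubled letter emits the same string twice. The script below is an added example, not dnstwist code: it parses such a report, drops duplicates and the monitored domain, groups resolved permutations by address (squats parked with one registrar usually share an IP, as 95.211.117.206 and 199.59.243.120 do above) and lists the resolved ones that sit outside networks you declare as your own. The sample lines are copied from the report_twitter output above; the 199.16.156.0/22 network is an assumed value for the example, not a claim about who owns that range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: lines copied from the report_twitter output
# above, including the duplicated and self-referencing entries.
SAMPLE_REPORT = """\
Processing 113 domains !!..!!!!.!!!!!...!.!.!

Repetition           twittter.com         199.59.148.82
Repetition           twittter.com         199.59.148.82
Replacement          twitter.com          199.16.156.198
Replacement          twittre.com          95.211.117.206
Omission             twiter.com           199.16.156.70
Omission             twittr.com           -
Insertion            tewitter.com         95.211.117.206
Insertion            tw9itter.com         199.59.243.120
Insertion            twqitter.com         199.59.243.120
"""

# <type> <domain> <address-or-dash>, tolerating the column padding the script adds
LINE_RE = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s*$')


def parse_report(text, monitored):
    """Turn report lines into dicts, skipping the progress line, blank
    lines, the monitored domain itself and repeated permutations."""
    seen = set()
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == 'Processing':
            continue
        kind, domain, addr = m.groups()
        if domain == monitored or domain in seen:
            continue
        seen.add(domain)
        records.append({'type': kind, 'domain': domain,
                        'ipaddr': None if addr == '-' else addr})
    return records


def cluster_by_ip(records):
    """Group resolved permutations by address. Several squats on one IP are
    usually a parking/monetisation host and can be triaged as a unit."""
    clusters = defaultdict(list)
    for r in records:
        if r['ipaddr']:
            clusters[r['ipaddr']].append(r['domain'])
    return dict(clusters)


def triage(text, monitored, own_networks=()):
    """Summarise a report: counts, addresses shared by several squats, and
    resolved permutations hosted outside own_networks (the ones to look at)."""
    records = parse_report(text, monitored)
    nets = [ipaddress.ip_network(n) for n in own_networks]
    resolved = [r for r in records if r['ipaddr']]
    foreign = [r['domain'] for r in resolved
               if not any(ipaddress.ip_address(r['ipaddr']) in n for n in nets)]
    clusters = cluster_by_ip(records)
    return {
        'total': len(records),
        'resolved': len(resolved),
        'unresolved': len(records) - len(resolved),
        'shared_hosts': {ip: doms for ip, doms in clusters.items() if len(doms) > 1},
        'foreign': foreign,
    }


if __name__ == '__main__':
    # 199.16.156.0/22 is an assumed "own network" for the example only
    summary = triage(SAMPLE_REPORT, 'twitter.com', ('199.16.156.0/22',))
    print('%d permutations, %d resolved' % (summary['total'], summary['resolved']))
    for ip, doms in summary['shared_hosts'].items():
        print('shared host %-16s %s' % (ip, ', '.join(doms)))
    print('outside own networks:', ', '.join(summary['foreign']))
```

Feed it the full report (`triage(open('report_twitter').read(), 'twitter.com', (...))`) and the shared-host clusters are the parking providers to ignore, while the remaining foreign entries are the candidates for a WHOIS/content check.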

Update: IPv6 support and small bug fixes:

#!/usr/bin/env python
#
# dnstwist by marcin@ulikowski.pl
# Generate and resolve domain variations to detect typo squatting, phishing and corporate espionage.
#
#
# dnstwist is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# dnstwist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with dnstwist.  If not, see <http://www.gnu.org/licenses/>.


__author__ = 'Marcin Ulikowski'
__version__ = '20150616'
__email__ = 'marcin@ulikowski.pl'


import sys
import socket
import signal
try:
	import dns.resolver
	import dns.exception
	module_dnspython = True
except ImportError:
	module_dnspython = False
try:
	import GeoIP
	module_geoip = True
except ImportError:
	module_geoip = False


def sigint_handler(signal, frame):
	print('You pressed Ctrl+C!')
	sys.exit(0)


def bitsquatting(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	masks = [1, 2, 4, 8, 16, 32, 64, 128]
	for i in range(0, len(dom)):
		c = dom[i]
		for j in range(0, len(masks)):
			b = chr(ord(c) ^ masks[j])
			o = ord(b)
			if (o >= 48 and o <= 57) or (o >= 97 and o <= 122):
				out.append(dom[:i] + b + dom[i+1:] + '.' + tld)
	return out


def homoglyph(domain):
	glyphs = { 'd':['b', 'cl'], 'm':['n', 'rn'], 'l':['1', 'i'], 'o':['0'], 'w':['vv'], 'n':['m'], 'b':['d'], 'i':['l'] }
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for ws in range(0, len(dom)):
		for i in range(0, len(dom)-ws):
			win = dom[i:i+ws]
			j = 0
			while j < ws:
				c = win[j]
				if c in glyphs:
					for g in range(0, len(glyphs[c])):
						win = win[:j] + glyphs[c][g] + win[j+1:]
						if len(glyphs[c][g]) > 1:
							j += len(glyphs[c][g]) - 1
						out.append(dom[:i] + win + dom[i+ws:] + '.' + tld)
				j += 1
	return list(set(out))


def repetition(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)):
		if dom[i].isalpha():
			out.append(dom[:i] + dom[i] + dom[i] + dom[i+1:] + '.' + tld)
	return out


def replacement(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)-1):
		out.append(dom[:i] + dom[i+1] + dom[i] + dom[i+2:] + '.' + tld)
	return out


def omission(domain):
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]
	for i in range(0, len(dom)):
		out.append(dom[:i] + dom[i+1:] + '.' + tld)
	return out


def insertion(domain):
	keys = {
	'1':'2q', '2':'3wq1', '3':'4ew2', '4':'5re3', '5':'6tr4', '6':'7yt5', '7':'8uy6', '8':'9iu7', '9':'0oi8', '0':'po9',
	'q':'12wa', 'w':'3esaq2', 'e':'4rdsw3', 'r':'5tfde4', 't':'6ygfr5', 'y':'7uhgt6', 'u':'8ijhy7', 'i':'9okju8', 'o':'0plki9', 'p':'lo0',
	'a':'qwsz', 's':'edxzaw', 'd':'rfcxse', 'f':'tgvcdr', 'g':'yhbvft', 'h':'ujnbgy', 'j':'ikmnhu', 'k':'olmji', 'l':'kop',
	'z':'asx', 'x':'zsdc', 'c':'xdfv', 'v':'cfgb', 'b':'vghn', 'n':'bhjm', 'm':'njk'
	}
	out = []
	dom = domain.rsplit('.', 1)[0]
	tld = domain.rsplit('.', 1)[1]

	for i in range(1, len(dom)-1):
		if dom[i] in keys:
			for c in range(0, len(keys[dom[i]])):
				out.append(dom[:i] + keys[dom[i]][c] + dom[i] + dom[i+1:] + '.' + tld)
				out.append(dom[:i] + dom[i] + keys[dom[i]][c] + dom[i+1:] + '.' + tld)
	return out


print('dnstwist (' + __version__ + ') by ' + __email__)
if len(sys.argv) < 2:
	print('Usage: ' + sys.argv[0] + ' <domain>')
	sys.exit()

domains = []

for i in bitsquatting(sys.argv[1]):
	domains.append({ 'type':'Bitsquatting', 'domain':i })
for i in homoglyph(sys.argv[1]):
	domains.append({ 'type':'Homoglyph', 'domain':i })
for i in repetition(sys.argv[1]):
	domains.append({ 'type':'Repetition', 'domain':i })
for i in replacement(sys.argv[1]):
	domains.append({ 'type':'Replacement', 'domain':i })
for i in omission(sys.argv[1]):
	domains.append({'type':'Omission', 'domain':i })
for i in insertion(sys.argv[1]):
	domains.append({'type':'Insertion', 'domain':i })

if module_dnspython == False:
	sys.stderr.write('NOTICE: missing dnspython module - functionality is limited !\n')
	sys.stderr.flush()

sys.stdout.write('Processing ' + str(len(domains)) + ' domains ')
sys.stdout.flush()

signal.signal(signal.SIGINT, sigint_handler)

if module_geoip:
	# one GeoIP handle for the whole run instead of re-opening the database per domain
	gi = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)

for i in range(0, len(domains)):
	try:
		ip = socket.getaddrinfo(domains[i]['domain'], 80)
	except socket.error:
		# unresolvable: leave 'a' and 'aaaa' unset. Catching only socket errors
		# keeps the SystemExit raised by sigint_handler from being swallowed.
		pass
	else:
		for j in ip:
			if '.' in j[4][0]:
				domains[i]['a'] = j[4][0]
				break
		for j in ip:
			if ':' in j[4][0]:
				domains[i]['aaaa'] = j[4][0]
				break

	if module_dnspython:
		try:
			ns = dns.resolver.query(domains[i]['domain'], 'NS')
			domains[i]['ns'] = str(ns[0])[:-1]
		except dns.exception.DNSException:
			pass

		if 'ns' in domains[i]:
			try:
				mx = dns.resolver.query(domains[i]['domain'], 'MX')
				domains[i]['mx'] = str(mx[0].exchange)[:-1]
			except dns.exception.DNSException:
				pass

	if module_geoip and 'a' in domains[i]:
		# only IPv4 addresses are looked up; country_name_by_addr returns None if unknown
		country = gi.country_name_by_addr(domains[i]['a'])
		if country:
			domains[i]['country'] = str(country)

	if 'a' in domains[i] or 'ns' in domains[i]:
		sys.stdout.write('!')
		sys.stdout.flush()
	else:
		sys.stdout.write('.')
		sys.stdout.flush()

sys.stdout.write('\n\n')

for i in domains:
	info = ''	# renamed from 'dns' so the local does not shadow the dnspython module
	if 'a' in i:
		info += i['a']
		if 'country' in i:
			info += '/' + i['country']
	elif 'ns' in i:
		info += 'NS:' + i['ns']
	if 'aaaa' in i:
		info += ' ' + i['aaaa']
	if 'mx' in i:
		info += ' MX:' + i['mx']
	if not info:
		info = '-'

	sys.stdout.write('%-15s %-15s %s' % (i['type'], i['domain'], info))
	sys.stdout.write('\n')
	sys.stdout.flush()

 

Source : https://github.com/elceef

Updates netool.sh V- 4.5 : MitM PENTESTING OPENSOURCE T00LKIT.


Changelog v4.5:
+ UPGRADE => msfpayload and msfencode replaced by msfvenom
+ UPGRADE => unicorn.py (meterpreter powershell by ReL1K)
+ netool.sh => “added” resize terminal window size (gnome-terminal)
+ netool.sh => “added” nmap stealth scan (scan evading IDS logs)
+ priv8.sh => “added” missing ‘google cast extension’ phishing webpage
+ priv8.sh => “added” ‘use host-a-file attack’ OR ‘start a listener’ module to all non-automated exploits
* priv8.sh => “improved” android payload -> meterpreter or shell payloads
* priv8.sh => “improved” generate shellcode -> added “DLL” function
* priv8.sh => “improved” generate shellcode -> added “C-to-EXE” (Veil-Evasion)
* priv8.sh => “improved” backdooring EXE files -> added “BDF” module

Scanning – Sniffing – Social Engineering

Netool is a toolkit written in bash, python and ruby that automates frameworks such as Nmap, Driftnet, Sslstrip, Metasploit and Ettercap for MitM attacks. It makes tasks like sniffing TCP/UDP traffic, Man-in-the-Middle attacks, SSL sniffing, DNS spoofing, DoS attacks on WAN/LAN networks and TCP/UDP packet manipulation with etter-filters easy, can capture the pictures a target's browser loads (driftnet), and uses macchanger to change your MAC address as a decoy while scanning.

Rootsector: a module that automates attacks combining DNS spoofing with MitM (phishing, social engineering) using the Metasploit, apache2 and ettercap frameworks: it generates payloads, shellcode and backdoors and delivers them by DNS-spoofing a MitM'd target onto your phishing web page.

The “inurlbr” web scanner (by cleiton) was recently introduced. It searches for SQL-related bugs using several search engines, and it can be chained with other frameworks such as nmap via the --comand-vul flag.
Example:

inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get ?´0x27
-s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

Operating Systems Supported:
Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS | Linux-backtrack (discontinued) | Mac osx (discontinued).

“TOOLKIT DEPENDENCIES”
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip

“SCANNER INURLBR.php”
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

Features (Modules) :

"1-Show Local Connections"
  "2-Nmap Scanner menu"
        ->
        Ping target
        Show my Ip address
        See/change mac address
        change my PC hostname
        Scan Local network 
        Scan external lan for hosts
        Scan a list of targets (list.txt)          
        Scan remote host for vulns          
        Execute Nmap command
        Search for target geolocation
        ping of death (DoS)
        Norse (cyber attacks map)
        nmap Nse vuln modules
        nmap Nse discovery modules
        <-
  "3-Open router config"       
  "4-Ip tracer whois"
  "5-firefox webcrawler addon"                           
  "6-Retrieve metadata"
        ->
        retrieve metadata from target website
        retrieve using a fake user-agent
        retrieve only certain file types
        <-
  "7-INURLBR.php (webcrawler)"
        -> 
        scanner inurlbr.php -> advanced search with multiple engines; the
        analysis enables GET/POST exploitation, captures emails/URLs and runs
        custom validation for each target/URL found. It can also use external
        frameworks in conjunction with the scanner, such as nmap or sqlmap,
        or simply run external scripts.
        <-
  "8-r00tsect0r automated exploits (phishing - social engineering)"
        ->
        package.deb backdoor [Binary linux trojan]
        Backdooring EXE Files [Backdooring EXE Files]
        fakeupdate.exe [dns-spoof phishing backdoor]
        meterpreter powershell invocation payload [by ReL1K]
        host a file attack [dns_spoof+mitm-hosted file]
        clone website [dns-spoof phishing keylogger]
        Java.jar phishing [dns-spoof+java.jar+phishing]
        clone website [dns-spoof + java-applet]
        clone website [browser_autopwn phishing Iframe]
        Block network access [dns-spoof]
        Samsung TV DoS [Plasma TV DoS attack]
        RDP DoS attack [Dos attack against target RDP]
        website D0S flood [Dos attack using syn packets]
        firefox_xpi_bootstrapped_addon automated exploit
        PDF backdoor [insert a payload into a PDF file]
        Winrar backdoor (file spoofing)
        VBScript injection [embed a payload into a Word document]
        ".::[ normal payloads ]::."
        windows.exe payload
        mac osx payload
        linux payload
        java signed applet [multi-operative systems]
        android-meterpreter [android smartphone payload]
        webshell.php [webshell.php backdoor]
        generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
        Session hijacking [cookie hijacking]
        start a listener [multi-handler]
        <-
  "9-Config ettercap"         
  "10-Launch MitM"            
  "11-Show URLs visited"       
  "12-Sniff remote pics"
  "13-Sniff SSL passwords"      
  "14-Dns-Spoofing"
  "15-Share files on lan"   
  "16-DoS attack {local}"      
  "17-Compile etter.filters"    
  "18-execute ettercap filter"
  "19-Common user password profiler [cupp.py]"

  d. delete lock folders
  a. about netool
  u. check for updates
  c. config toolkit
 db. access database
  q. quit

Download :
opensource.tar.gz (26.5 MB)
opensource[kali].tar.gz (26.5 MB)
Source : http://sourceforge.net/projects/netoolsh/

Updates THC IPv6 attack toolkit v2.8-dev.


Latest change 10/11/2015, more helper bash scripts:
– dnsrevenum6.sh: scans the reverse DNS entries of the /48 of the IPv6 address on the responsible DNS server; if there are DNS SOA problems and the prefix length is not 48 you can specify it as an extra option on the command line.
– create_network_map.sh: creates a GV file for use with Graphviz to create a network topology map; file1 must have only one entry per line.
– dnssecwalk.sh: will try dnssecwalk on all nameservers until one is found, or all of them if -a is given as option.
– trace62list.sh: prepares a trace6 output file for the network topology map generation tool.
– axfr.sh: data is saved to $domain-$ns.zone.

CHANGELOG
=========
NOTE: More tools exist, but are only handed out to specific people who develop ipv6 security/pentest tools themselves, or support the thc-ipv6 toolkit development. If this matches *you* send me an email to vh (at) thc (dot) org , with “thc-ipv6 antispam” in the subject line.

v2.8-dev:
* TCP Fast Open support (22/06/2015)
* fake_router26:
– option -X removes router entry from targets on exit (patch from Dan Luedtke, thanks)
* flood_router26:
– Fix – the source mac was always null bytes without evasion, thanks to Christopher Werny for reporting
* ndpexaust26:
– option -m generates maximum size packets
* dump_router6:
– fixed route option parsing
* thcping6:
– added -O TCP Fast Open cookie request option
* thcsyn6
– added -O TCP Fast Open fake cookie sending option
* connect6:
– will now print the known path MTU to the destination upon successful connect
* Renamed dos_mld.sh to dos_mld6.sh and local_discovery.sh to local_discovery6.sh

INTRODUCTION
============
This code was inspired when I got into touch with IPv6, learned more and more about it – and then found no tools to play (read: “hack”) around with. First I tried to implement things with libnet, but then found out that the IPv6 implementation is only partial – and sucks. I tried to add the missing code, but well, it was not so easy, hence I saved my time and quickly wrote my own library.

LIMITATIONS
===========
This code currently only runs on:
– Linux 2.6.x or newer (because of /proc usage)
– Ethernet
But this means for all linux guys that it will work for 98% of your use cases.
Patches are welcome! (add “antispam” in the subject line to get through my anti-spam protection, otherwise the email will bounce)

THE TOOLS
=========
The THC IPV6 ATTACK TOOLKIT comes already with lots of effective attacking tools:
– parasite6: ICMPv6 neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
– alive6: an effective alive scanner, which will detect all systems listening to this address
– dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
– fake_router6: announce yourself as a router on the network, with the highest priority
– redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer
– toobig6: mtu decreaser with the same intelligence as redir6
– detect-new-ip6: detect new IPv6 devices which join the network, you can run a script to automatically scan these systems etc.
– dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DOS).
– trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
– flood_router6: flood a target with random router advertisements
– flood_advertise6: flood a target with random neighbor advertisements
– fuzz_ip6: fuzzer for IPv6
– implementation6: performs various implementation checks on IPv6
– implementation6d: listen daemon for implementation6 to check behind a FW
– fake_mld6: announce yourself in a multicast group of your choice on the net
– fake_mld26: same but for MLDv2
– fake_mldrouter6: fake MLD router messages
– fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
– fake_advertiser6: announce yourself on the network
– smurf6: local smurfer
– rsmurf6: remote smurfer, known to work only against linux at the moment
– exploit6: known IPv6 vulnerabilities to test against a target
– denial6: a collection of denial-of-service tests against a target
– thcping6: sends a hand crafted ping6 packet
– sendpees6: a tool by willdamn@gmail.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff) to keep the CPU busy. nice.
and about 25 more tools for you to discover :-)

Just run the tools without options and they will give you help and show the
command line options.

DETECTION
=========
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. The tools either specify a fixed packet signature, or generically sniff for packets (and therefore, for example, also answer ICMPv6 neighbor solicitations which are sent to a non-existing MAC, which is very easy to detect).
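The detection hint above can be turned into a canary check: a neighbor solicitation for an address nobody owns, sent to a MAC nobody owns, must never be answered, so any neighbor advertisement claiming it comes from a promiscuous responder. This is an added example, not part of thc-ipv6; the frames, MACs and addresses are constructed, and checksums are left at zero because nothing here transmits.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_NS, ICMPV6_NA = 135, 136


def build_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, target, flags=0):
    """Constructed Ethernet/IPv6/ICMPv6 NS or NA frame (no options; checksum
    left at 0 because these frames are never sent, and parse_frame ignores it)."""
    icmp = struct.pack("!BBHB3x", icmp_type, 0, 0, flags) \
        + ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) \
        + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IPV6) + ip6 + icmp


def parse_frame(frame):
    """Dissect an Ethernet II frame down to an ICMPv6 NS/NA; raises ValueError
    for anything else (IPv6 extension headers are not walked in this example)."""
    if len(frame) < 14 + 40 + 24:
        raise ValueError("frame too short for ICMPv6 NS/NA")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        raise ValueError("not IPv6")
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != IPPROTO_ICMPV6:
        raise ValueError("not ICMPv6")
    icmp = frame[54:]
    if icmp[0] not in (ICMPV6_NS, ICMPV6_NA):
        raise ValueError("not a neighbor solicitation/advertisement")
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ipaddress.IPv6Address(ip6[8:24]),
        "dst_ip": ipaddress.IPv6Address(ip6[24:40]),
        "type": icmp[0],
        "flags": icmp[4],                      # NA: R/S/O bits live in this byte
        "target": ipaddress.IPv6Address(icmp[8:24]),
    }


def find_rogue_responders(canary_target, frames):
    """Return (src_mac, src_ip) for every NA that claims the canary target.
    The canary is an address no legitimate host owns, so any claimant is a
    parasite6-style responder (or a misconfiguration worth a look)."""
    canary = ipaddress.IPv6Address(canary_target)
    hits = []
    for frame in frames:
        try:
            pkt = parse_frame(frame)
        except ValueError:
            continue                                # unrelated or junk traffic
        if pkt["type"] == ICMPV6_NA and pkt["target"] == canary:
            hits.append((pkt["src_mac"], str(pkt["src_ip"])))
    return hits


# --- constructed sample capture (not real traffic) --------------------------
MONITOR_MAC = bytes.fromhex("020000000001")
BOGUS_MAC = bytes.fromhex("0200000000ff")        # no host on the LAN has it
REAL_HOST_MAC = bytes.fromhex("020000000010")
ATTACKER_MAC = bytes.fromhex("020000000066")
CANARY = "fe80::dead:beef:0:1"                  # unassigned on the LAN

SAMPLE_FRAMES = [
    # the canary probe itself: NS for CANARY, unicast to a MAC nobody owns
    build_frame(MONITOR_MAC, BOGUS_MAC, "fe80::1", CANARY, ICMPV6_NS, CANARY),
    # a legitimate NA for a real address, answered by its real owner
    build_frame(REAL_HOST_MAC, MONITOR_MAC, "fe80::10", "fe80::1", ICMPV6_NA,
                "fe80::10", flags=0x60),
    # an NA claiming the canary: only a responder answering everything sends this
    build_frame(ATTACKER_MAC, MONITOR_MAC, "fe80::66", "fe80::1", ICMPV6_NA,
                CANARY, flags=0x60),
    b"\x00" * 20,                                   # junk, must be skipped
]

if __name__ == "__main__":
    for mac, ip in find_rogue_responders(CANARY, SAMPLE_FRAMES):
        print(f"rogue NA for {CANARY} from {mac} ({ip})")
```

On a live segment the same parser runs over frames read from a raw AF_PACKET socket after the probe is sent; the constructed list stands in for that capture here.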

Installation :
– git clone https://github.com/vanhauser-thc/thc-ipv6
– cd thc-ipv6
– ./thc-ipv6-setup.sh
– or run bash script helper

Download : thc-ipv6.zip(1.58 MB)  | Clone Url
Source : www.thc.org | vh@thc.org | Our Post Before

netool.sh V- 4.5.2 released : MitM PENTESTING OPENSOURCE T00LKIT.


Changelog v4.5.2:
+ UPGRADE => msfcli replaced by msfconsole
+ netool.sh => “added” file selection GUI -> zenity displays
+ priv8.sh => “added” MitM DLINK phishing -> capture routers creds
+ priv8.sh => “added” adobe_flash_hacking_team_uaf -> mitm+dns_spoof
+ INSTALL.sh => “added” build shortcut to toolkit -> gnome-desktop-item-edit
* netool.sh => “improved” input interface in use bug-fixed -> ettercap modules
* priv8.sh => “bug-fixed” ettercap IPV6 bug-fixed -> target selection
* priv8.sh => “improved” java.jar phishing -> download using phishing webpage or direct URL execute…

Scanning – Sniffing – Social Engineering

Netool: a toolkit written in bash, python and ruby that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. This toolkit makes easy tasks such as SNIFFING tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, D0S attacks in wan/lan networks and TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of the target's web browser surfing (driftnet); it also uses macchanger to decoy scans by changing the mac address.

Rootsector: this module allows you to automate some attacks over DNS_SPOOF + MitM (phishing – social engineering) using the metasploit, apache2 and ettercap frameworks, like the generation of payloads, shellcode and backdoors delivered using dns_spoof and the MitM method to redirect a target to your phishing webpage.

Recently the “inurlbr” webscanner (by cleiton) was introduced, which allows us to search for SQL related bugs using several search engines; this framework can also be used in conjunction with other frameworks like nmap (using the flag --comand-vul).

Installation:

git clone git://git.code.sf.net/p/netoolsh/opensource-kali opensource
cd opensource
chmod +x INSTALL.sh
./INSTALL.sh

Update type: u

Example: 

inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get "?´0x27" \
  -s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

Operating Systems Supported:
Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS | Linux-backtrack (discontinued) | Mac osx (discontinued).

“TOOLKIT DEPENDENCIES”
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip

“SCANNER INURLBR.php”
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

Features (Modules) :

"1-Show Local Connections"
  "2-Nmap Scanner menu"
        ->
        Ping target
        Show my Ip address
        See/change mac address
        change my PC hostname
        Scan Local network 
        Scan external lan for hosts
        Scan a list of targets (list.txt)          
        Scan remote host for vulns          
        Execute Nmap command
        Search for target geolocation
        ping of death (DoS)
        Norse (cyber attacks map)
        nmap Nse vuln modules
        nmap Nse discovery modules
        <-
  "3-Open router config"       
  "4-Ip tracer whois"
  "5-firefox webcrawler addon"                           
  "6-Retrieve metadata"
        ->
        retrieve metadata from target website
        retrieve using a fake user-agent
        retrieve only certain file types
        <-
  "7-INURLBR.php (webcrawler)"
        -> 
        scanner inurlbr.php -> Advanced search with multiple engines; the provided
        analysis enables exploiting GET/POST, capturing emails/urls & internal
        custom validation for each target/url found. Also the ability to use
        external frameworks in conjunction with the scanner like nmap, sqlmap, etc.,
        or simply the use of external scripts.
        <-
  "8-r00tsect0r automated exploits (phishing - social engineering)"
        ->
        package.deb backdoor [Binary linux trojan]
        Backdooring EXE Files [Backdooring EXE Files]
        fakeupdate.exe [dns-spoof phishing backdoor]
        meterpreter powershell invocation payload [by ReL1K]
        host a file attack [dns_spoof+mitm-hosted file]
        clone website [dns-spoof phishing keylogger]
        Java.jar phishing [dns-spoof+java.jar+phishing]
        clone website [dns-spoof + java-applet]
        clone website [browser_autopwn phishing Iframe]
        Block network access [dns-spoof]
        Samsung TV DoS [Plasma TV DoS attack]
        RDP DoS attack [Dos attack against target RDP]
        website D0S flood [Dos attack using syn packets]
        firefox_xpi_bootstrapped_addon automated exploit
        PDF backdoor [insert a payload into a PDF file]
        Winrar backdoor (file spoofing)
        VBScript injection [embed a payload into a Word document]
        ".::[ normal payloads ]::."
        windows.exe payload
        mac osx payload
        linux payload
        java signed applet [multi-operative systems]
        android-meterpreter [android smartphone payload]
        webshell.php [webshell.php backdoor]
        generate shellcode [C,Perl,Ruby,Python,exe,war,vbs,Dll,js]
        Session hijacking [cookie hijacking]
        start a listener [multi-handler]
        <-
  "9-Config ettercap"         
  "10-Launch MitM"            
  "11-Show URLs visited"       
  "12-Sniff remote pics"
  "13-Sniff SSL passwords"      
  "14-Dns-Spoofing"
  "15-Share files on lan"   
  "16-DoS attack {local}"      
  "17-Compile etter.filters"    
  "18-execute ettercap filter"
  "19-Common user password profiler [cupp.py]"

  d. delete lock folders
  a. about netool
  u. check for updates
  c. config toolkit
 db. access database
  q. quit

Download :
opensource.tar.gz (26.5 MB)
opensource[kali].tar.gz (26.5 MB)
Our Post Before  | Source : http://sourceforge.net/projects/netoolsh/

THC Hydra – IPv6 attack toolkit v-3.1-dev released.


Latest Change 10/11/2015:

* more helper bash scripts
* small reliability patches
* added man page auto generator by Benjamin Kellermann!
* renamed dos_mld.sh to dos_mld6.sh and local_discovery.sh to local_discovery6.sh

Installation :
– git clone https://github.com/vanhauser-thc/thc-ipv6
– cd thc-ipv6
– ./thc-ipv6-setup.sh
– or run bash script helper

Download : thc-ipv6.zip(1.58 MB)  | Clone Url
Source : www.thc.org | vh@thc.org | Our Post Before

BetterCap v1.3.3 – A complete, modular, portable and easily extensible MITM framework.


Changelog v1.3.3:
New Features:
+ New DICT protocol credentials parser.
+ New Redis protocol credentials parser.
+ New MPD protocol credentials parser.
+ New RLogin protocol credentials parser.
+ New SNPP protocol credentials parser.
+ New --log-timestamp option to enable timestamps while logging.
Fixes:
– Fixed issue #114 : Error while parsing IPv6 address.
Code Style:
+ Better SocketError handling in Proxy class.


bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.
DEPENDS:
All dependencies will be automatically installed through the GEM system; in some cases you might need to install a system dependency in order to make everything work:
sudo apt-get install ruby-dev libpcap-dev

HOW TO INSTALL:
Stable Release ( GEM ):
gem install bettercap

From Source:

Ubuntu/Debian/Kali:
sudo apt-get install ruby-dev libpcap-dev

Fedora/Centos/redhat
yum install ruby-dev libpcap-dev

git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
sudo gem install bettercap*.gem

Update: just type in your terminal: gem install bettercap

Download : v1.3.3.tar.gz  | v1.3.3.zip
Source : http://www.bettercap.org/ | Our Post Before

BetterCap v1.3.7 – A complete, modular, portable and easily extensible MITM framework.


Changelog v1.3.7:
New Features
+ New PGSQL authentication parser.
+ New MYSQL authentication parser.
+ New NTLM protocol parser and NTLMSSP Authentication sniffer.
+ HTTP Auth parser can now parse every kind of Authentication header ( NTLM authentication too ).
+ Printing * when an address is 255.255.255.255.
+ Resolving port to network service name when possible.

Fixes
+ Fix: Do not send probes to already discovered devices.
+ Fixed bug in sslstripping which caused the client connection to hang when sending expired cookies.
+ Fix: Using either tcp_dst or udp_dst in StreamLogger.
+ Fixed metaprogramming bug in BetterCap::Network::Protos::Base.

Code Style
+ Using Response static methods to generate constant HTTP responses.
+ Autoload every Ruby file in bettercap installation.
+ Removed DHCP#transaction_id



Download : v1.3.7.tar.gz  | v1.3.7.zip
Source : http://www.bettercap.org/ | Our Post Before


BetterCap v1.4.5 – A complete, modular, portable and easily extensible MITM framework.


Changelog v1.4.5:

New Features
+ New CREDITCARD sniffer with Luhn algorithm verification.
+ Handling DELETE requests.

Fixes
+ Fixes #165 : Fixed a bug which caused the --custom-proxy argument to not work properly.
+ Fixes #134 : Bettercap killing connections.
+ Fix: Resetting packet forwarding only after restore packets are sent.
+ Fixed wrong boolean condition in ARP spoofer.

Code Style
+ Refactored if/then constructs to ternary operators.
+ Refactored DNS server code.
+ Moved Authority loading code into SSLServer class.
+ Refactored proxy processor code.



Update: 
bettercap --check-updates

Download : v1.4.5.tar.gz  | v1.4.5.zip
Source : http://www.bettercap.org/ | Our Post Before

thc-ipv6 v3.1dev update – IPv6 attack toolkit.


changelog v3.1-dev:
* dnssecwalk: added TCP mode (-t)
* dnsrevenum6: added TCP mode (-t)
* re-enabled raw mode, works now with modern kernels it seems
* fake_advertise6: a second packet always was sent with no flags. fixed. thanks to Christopher Werny@ERNW for reporting
* small reliability patches by Benjamin Kellermann, thanks!
* added man page auto generator by Benjamin Kellermann, thanks!
* small change to the Makefile to allow installation even if not everything could be compiled (libraries missing)



Installation :

THC-IPV6 requires libpcap development files being installed, also the
libopenssl development files are a good idea.

For Debian/Ubuntu/Kali/Backtrack, you can install them by:
 $ sudo apt-get install libpcap-dev libssl-dev

To compile simply type
 $ make

All tools are installed to /usr/local/bin if you type
 $ sudo make install

You need to be root to run most tools.

Download : thc-ipv6.zip(1.58 MB)  | Clone Url
Source : www.thc.org | vh@thc.org | Our Post Before

BetterCap v1.5.0 – A complete, modular, portable and easily extensible MITM framework.


Changelog v 1.5.0 16/3/2016:
New Features
+ New TCP modular and transparent proxy.
+ Connections within internal nodes on the network are now spoofed.
+ Memory usage optimization.

Fixes:
+ Fixed a bug which caused bettercap to crash if the gateway mac address could not be detected.
+ Fixes #180: NoMethodError on OS X
+ Fixed --httpd-path option position.
+ Fixed SignalException handling.
+ Fixed little endian PCAP files support.
+ Fixed big endian PCAP files support.
+ Fixed exception handling while loading external PCAP file as sniffer source.
+ Fixes #176 : ArgumentError on GC.start( :full_mark => false ) with Ruby 1.9.3
+ Fixes #175 : ARP Spoofer doesn’t spoof internal connections.
+ Fixed handling of text/plain content-types in StreamLogger class.
+ Better hex dumping of binary data.

Code Style:
+ Renamed --sniffer-pcap option to --sniffer-output.
+ :check validator can now be used for every type of Network::Proto:Base derived classes.
+ Minor refactoring of if not to unless.
+ Minor refactoring/simplification of spoofing logic.
+ Unified OSX and OpenBSD firewalls under the same BSD class.
+ Refactored DHCP protocol class and constants.
+ Refactored and centralized gateway mac resolution and usage logic.
+ Whole refactoring of options parsing and handling logic into different, dedicated, classes.
+ Added a few comments here and there.
+ Refactored ::Proxy -> ::HTTP::Proxy


Update: 
bettercap --check-updates

Download : v1.5.0.tar.gz  | v1.5.0.zip
Source : http://www.bettercap.org/ | Our Post Before

Fluxion is the future (a tool helps to automate the process of testing router WPS/WPA vulnerability).


Fluxion is a remake of linset by vk439 with fixed bugs and added features. It's compatible with the latest release of Kali (Rolling).
How it works
+ Scan the networks.
+ Capture a handshake (can't be used without a valid handshake; it's necessary to verify the password)
+ Use WEB Interface *
+ Launches a FakeAP instance imitating the original access point
+ Spawns an MDK3 process, which deauthenticates all of the users connected to the target network, so they can be lured to connect to the FakeAP network and enter the WPA password.
+ A DHCP server is launched in the FakeAP network
+ A fake DNS server is launched in order to capture all of the DNS requests and redirect them to the host running the script
+ A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
+ Each submitted password is verified against the handshake captured earlier
+ The attack will automatically terminate once the correct password is submitted


Bugs fixed
– Negative Channel
– Kali Patch for Kali Patch 2
– Added airmon
– Translate DE -> EN
– Handshake get fixed
– Check Updates
– Animations
– Wifi List Bug

Usage:

git clone https://github.com/deltaxflux/fluxion && cd fluxion
./Installer.sh
./fluxion

Source: https://github.com/deltaxflux

Responder v2.3-git – an LLMNR, NBT-NS and MDNS poisoner.


Latest change v2.3-git 8/6/2016:
+ Fingerprint.py; Fixed color bug in Analyze mode.
+ settings.py; fixed minor bug.
+ Responder.conf; Set AutoIgnoreAfterSuccess = Off by default, up to the pentester to disable it.
+ Responder.py; Fixed some tools and +x on some executables.

This tool is first an LLMNR and NBT-NS responder: it answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool only answers File Server Service requests, which is for SMB. The idea behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.

Responder on Windows XP/2003 Server/7/8.1

Responder on Unix platforms (MacOSX, Kali-Sana, Arch Linux, Debian, Ubuntu, etc.); installation using git.

FEATURES
========

– Built-in SMB Auth server.
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP. Successfully tested from NT4 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4. This functionality is enabled by default when the tool is launched.

– Built-in MSSQL Auth server.
In order to redirect SQL Authentication to this tool, you will need to set the option -r to 1 (NBT-NS queries for SQL Server lookup use the Workstation Service name suffix) for systems older than Windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1 and LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

– Built-in HTTP Auth server.
In order to redirect HTTP Authentication to this tool, you will need to set the option -r to 1 for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome and Safari.

Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient).

– Built-in LDAP Auth server.
In order to redirect LDAP Authentication to this tool, you will need to set the option -r to 1 for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on the Windows Support tool “ldp” and LdapAdmin.

– Built-in FTP Auth server.
This module will collect FTP clear text credentials.

– Built-in small DNS server. This server will answer type A queries. This is really handy when it’s combined with ARP spoofing.

– All hashes are printed to stdout and dumped in a unique John Jumbo compliant file, using this format:
(SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt
The file will be located in the current folder.

– Responder logs all its activity to a file, Responder-Session.log.

– When the option -f is set to “On”, Responder will fingerprint every host who issued an LLMNR/NBT-NS query.
All capture modules still work while in fingerprint mode.

– Browser Listener finds the PDC in stealth mode.

– Icmp Redirect for MITM on Windows <= 5.2 Domain members. This attack combined with the DNS module is pretty effective.
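The name-suffix logic described in the introduction and in the -r (wredir) option above, worked through as an added example that is not Responder's code: it decodes NBT-NS queries (RFC 1001 first-level encoding plus the KB 163409 suffix byte) and reports which lookups seen on a segment a default or -r 1 poisoner would answer, which is what a defender auditing NBT-NS exposure wants to know. The sample packets are constructed, and the function names are assumptions.

```python
import struct

# NetBIOS name suffixes from MS KB 163409 (the list Responder keys on):
# 0x20 is the File Server Service suffix answered by default, 0x00 the
# Workstation Service suffix answered only when started with -r 1 (--wredir=1).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}
QTYPE_NB = 0x0020


def encode_nb_name(name, suffix):
    """RFC 1001 first-level encoding: name padded to 15 bytes + suffix byte,
    each byte split into two nibbles, each nibble written as 'A' + nibble."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in ((byte >> 4) + 0x41, (byte & 0x0F) + 0x41))


def decode_nb_name(encoded):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("encoded name byte outside 'A'..'P'")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def build_nbns_query(txid, name, suffix):
    """Constructed NBNS name query (UDP/137 payload): 12-byte header, one
    question with a 32-byte label and no scope, QTYPE NB, QCLASS IN.
    Flags 0x0110 = opcode QUERY, recursion desired, broadcast."""
    header = struct.pack("!6H", txid, 0x0110, 1, 0, 0, 0)
    question = bytes([32]) + encode_nb_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NB, 0x0001)


def parse_nbns_query(pkt):
    """Parse the header and first question of an NBNS packet; ValueError if malformed."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("truncated NBNS packet")
    txid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if qdcount < 1 or pkt[12] != 32:
        raise ValueError("no 32-byte question label")
    name, suffix = decode_nb_name(pkt[13:45])
    if pkt[45] != 0:
        raise ValueError("scope IDs are not handled in this example")
    qtype, _qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "response": bool(flags & 0x8000), "name": name,
            "suffix": suffix, "service": SUFFIXES.get(suffix, "unknown"),
            "qtype": qtype}


def poisoner_would_answer(query, wredir=False):
    """Would a Responder-style poisoner answer this query? By default only NB
    lookups with the File Server Service suffix; with -r 1 also Workstation Service."""
    if query["response"] or query["qtype"] != QTYPE_NB:
        return False
    return query["suffix"] == 0x20 or (wredir and query["suffix"] == 0x00)


def exposure_report(packets, wredir=False):
    """Defender view of a capture: which observed lookups a poisoner could hijack."""
    report = []
    for pkt in packets:
        try:
            q = parse_nbns_query(pkt)
        except ValueError:
            continue                                   # not an NBNS query, skip
        report.append((q["name"], q["service"], poisoner_would_answer(q, wredir)))
    return report


# constructed sample traffic: an SMB share lookup and an SQL Server lookup
SAMPLE_QUERIES = [
    build_nbns_query(0x1234, "FILESRV1", 0x20),    # File Server Service suffix
    build_nbns_query(0x1235, "SQLHOST", 0x00),     # Workstation Service suffix
    b"\x00" * 10,                                   # junk, skipped by the report
]

if __name__ == "__main__":
    for name, service, answerable in exposure_report(SAMPLE_QUERIES):
        print(f"{name:<16} {service:<24} poisonable={answerable}")
```

Every lookup the report marks poisonable is a name that should resolve via DNS instead, or a sign that NBT-NS/LLMNR can be disabled on those clients.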

USAGE
=====

Running this tool:

- python Responder.py [options]

Usage Example:

python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On

Options List:

-h, --help show this help message and exit.

-i 10.20.30.40, --ip=10.20.30.40 The ip address to redirect the traffic to.
(usually yours)

-b 0, --basic=0 Set this to 1 if you want to return a
Basic HTTP authentication. 0 will return
an NTLM authentication.

-s Off, --http=Off Set this to On or Off to start/stop the
HTTP server. Default value is On.

-S Off, --smb=Off Set this to On or Off to start/stop the
SMB server. Default value is On.

-q Off, --sql=Off Set this to On or Off to start/stop the
SQL server. Default value is On.

-r 0, --wredir=0 Set this to enable answers for netbios
wredir suffix queries. Answering to wredir
will likely break stuff on the network
(like classics 'nbns spoofer' will).
Default value is therefore set to Off (0).

-c 1122334455667788, --challenge= The server challenge to set for NTLM
authentication. If not set, then defaults
to 1122334455667788, the most common
challenge for existing Rainbow Tables.

-l file.log, --logfile=filename.log Log file to use for Responder session.

-f Off, --fingerprint=Off This option allows you to fingerprint a
host that issued an NBT-NS or LLMNR query.

-F On, --ftp=On Set this to On or Off to start/stop the FTP server.
Default value is On

-L On, --ldap=On Set this to On or Off to start/stop the LDAP server.
Default value is On

-D On, --dns=On Set this to On or Off to start/stop the DNS server.
Default value is On

Download stable version : v2.3.0.zip | v2.3.0.tar.gz
source : https://github.com/SpiderLabs/Responder | http://blog.spiderlabs.com/2012/10/introducing-responder-10.html | Our post Before
