Channel: DNS Hijacking – Security List Network™
Viewing all 49 articles

thc-ipv6 v3.1dev-git ~ IPv6 attack toolkit.


changelog v3.1dev-git:
* fake_router26: new -f option to specify the sending mac address (thanks to Scott Winegarden for the patch) [1/7/2016]
* added alive2map.sh script to create a network map (graphviz->jpg) from a list of alive hosts
* thcsyn6: added -f and -d options
* flood_router26:
– added -m option to force DHCPv6 managed and other configuration
– reduced lifetime for -s option to 1s
* dnssecwalk: added TCP mode (-t)
* dnsrevenum6: added TCP mode (-t)
* fake_advertise6: a second packet always was sent with no flags. fixed. thanks to Christopher Werny@ERNW for reporting
* flood_rs6 and thcping6: small fixes
* re-enabled raw mode, works now with modern kernels it seems
* small reliability patches by Benjamin Kellermann, thanks!
* added man page auto generator by Benjamin Kellermann, thanks!
* small change to the Makefile to allow installation even if not everything could be compiled (libraries missing)

fakerouter26 -f

INTRODUCTION
============
This code was inspired when I got in touch with IPv6, learned more and more about it – and then found no tools to play (read: “hack”) around with. First I tried to implement things with libnet, but then found out that the IPv6 implementation is only partial – and sucks. I tried to add the missing code, but well, it was not so easy, hence I saved my time and quickly wrote my own library.

LIMITATIONS
===========
This code currently only runs on:
– Linux 2.7.x or newer (because of /proc usage)
– Ethernet
But this means for all Linux guys that it will work for 98% of your use cases.
Patches are welcome! (add “antispam” in the subject line to get through my anti-spam protection, otherwise the email will bounce)

THE TOOLS
=========
The THC IPV6 ATTACK TOOLKIT already comes with lots of effective attacking tools:
– parasite6: ICMPv6 neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
– alive6: an effective alive scanner, which will detect all systems listening to this address
– dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
– fake_router6: announce yourself as a router on the network, with the highest priority
– redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer
– toobig6: mtu decreaser with the same intelligence as redir6
– detect-new-ip6: detect new IPv6 devices which join the network, you can run a script to automatically scan these systems etc.
– dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DOS).
– trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
– flood_router6: flood a target with random router advertisements
– flood_advertise6: flood a target with random neighbor advertisements
– fuzz_ip6: fuzzer for IPv6
– implementation6: performs various implementation checks on IPv6
– implementation6d: listen daemon for implementation6 to check behind a FW
– fake_mld6: announce yourself in a multicast group of your choice on the net
– fake_mld26: same but for MLDv2
– fake_mldrouter6: fake MLD router messages
– fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
– fake_advertise6: announce yourself on the network
– smurf6: local smurfer
– rsmurf6: remote smurfer, known to work only against linux at the moment
– exploit6: known IPv6 vulnerabilities to test against a target
– denial6: a collection of denial-of-service tests against a target
– thcping6: sends a hand crafted ping6 packet
– sendpees6: a tool by willdamn@gmail.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff 😉) to keep the CPU busy. nice.
and about 25 more tools for you to discover 🙂

Just run the tools without options and they will give you help and show the command line options.

DETECTION
=========
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. The tools either specify a fixed packet signature, or generically sniff for packets (e.g. therefore also answering to ICMPv6 neighbor solicitations which are sent to a non-existing MAC, and are therefore very easy to detect).

Installation :

THC-IPV6 requires the libpcap development files to be installed; the libopenssl development files are also a good idea.

For Debian/Ubuntu/Kali/Backtrack, you can install them by:
 $ sudo apt-get install libpcap-dev libssl-dev

To compile simply type
 $ make

All tools are installed to /usr/local/bin if you type
 $ sudo make install

You need to be root to run most tools

Download : thc-ipv6.zip(1.58 MB)  | Clone Url
Source : www.thc.org | vh@thc.org | Our Post Before


mountain_goat – a PoC for Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.


This is a PoC demonstrating the techniques exploiting CVE-2016-5696 from the paper “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous” (USENIX Security 2016): https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao
Short abstract:
The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond, and affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%. Finally, we propose changes to both the TCP specification and implementation to eliminate the root cause of the problem.
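The side channel described in the abstract exists because the kernel shares one global rate limit for TCP challenge ACKs across all connections. As an added defender's check (not code from the mountain_goat repository or the paper), the shell functions below read the Linux knob that holds that limit, `net.ipv4.tcp_challenge_ack_limit` (exposed at /proc/sys/net/ipv4/tcp_challenge_ack_limit), and classify its value. The thresholds are assumptions taken from kernel and distribution hardening guidance rather than from this page: 100 was the default shipped with the original RFC 5961 implementation, and 999999999 is the value commonly recommended to make the shared limit effectively unreachable on kernels that do not randomize it.

```shell
#!/bin/sh
# Added example, not code from mountain_goat or the paper. Reads the kernel's
# global challenge-ACK rate limit (the shared counter CVE-2016-5696 turns into a
# side channel) and classifies it. Thresholds follow common hardening guidance
# (assumption, not from the page).
LIMIT_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit
OLD_DEFAULT=100          # default of the original RFC 5961 implementation
HARDENED_MIN=999999999   # value widely recommended to make the limit unreachable

# classify_limit VALUE: print one word describing the configured limit.
#   invalid             - not a non-negative integer
#   default_unmitigated - at or below the original default of 100
#   raised              - above the default; whether it is still exploitable
#                         depends on whether the kernel also randomizes the counter
#   hardened            - at or above HARDENED_MIN
classify_limit() {
    value=$1
    case $value in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$value" -le "$OLD_DEFAULT" ]; then
        echo default_unmitigated
    elif [ "$value" -ge "$HARDENED_MIN" ]; then
        echo hardened
    else
        echo raised
    fi
}

# check_host: classify the running kernel's setting, or report "absent" when the
# knob does not exist (non-Linux, or a kernel without the challenge-ACK code).
check_host() {
    if [ -r "$LIMIT_FILE" ]; then
        classify_limit "$(cat "$LIMIT_FILE")"
    else
        echo absent
    fi
}

# A hardened value is applied (as root) with
#   sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
# and persisted through a drop-in file under /etc/sysctl.d/.
check_host
```

Run on a fleet, the one-word result is easy to collect into an inventory; "absent" on a Linux host is itself worth investigating, since it means the kernel predates the RFC 5961 code and has a different set of TCP weaknesses.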

mountain_goat

Usage and download from git:

git clone https://github.com/Gnoxter/mountain_goat && cd mountain_goat
make
gcc -g -o mountain_goat mountain_goat.c layers.c -l pcap -std=gnu99
./mountain_goat

Source: https://github.com/Gnoxter

THE SOFTWARE IS FOR EDUCATIONAL AND RESEARCH PURPOSES. IT MAY CAUSE UNEXPECTED AND UNDESIRABLE BEHAVIOUR TO OCCUR AND MAY DISRUPT NORMAL OPERATION OF MACHINES AND NETWORK EQUIPMENT. IT IS THE USER'S RESPONSIBILITY TO ENSURE AN ADEQUATE ENVIRONMENT THAT DOES NOT AFFECT ANY THIRD PARTY.

WiFi-Pumpkin v0.8.1 – Framework for Rogue Wi-Fi Access Point Attack.


Changelog Wifi-Pumpkin v0.8.1:
——————————————–
– re-design all GUI Menu->view
– added new report logger GUI
– added new sessions for Rogue AP loggers
– added new plugin BDFProxy-ng
– added new theme Orange and set as default
– fixed error when launch airodump-ng scan the wireless networks #75
– fixed IndexError: list index out of range on BDFProxy get_output #77
– added new re-design module Deauth Wireless Attack
– added some improvements in module Probe Wireless Request #78
– added option: exclude USB Wi-Fi Adapter in NetworkManager persistently #69

wifi-pumpkin v0.8.1

Wifi-Pumpkin Updater Click Help Menu then Update

WiFi-Pumpkin is a security tool that provides a rogue access point for man-in-the-middle and network attacks: it purports to provide wireless Internet service while snooping on the traffic. It can be used to capture the credentials of unsuspecting users, either by snooping on the communication or by phishing.
Features
+ Rogue Wi-Fi Access Point
+ Deauth Clients AP
+ Probe Request Monitor
+ DHCP Starvation Attack
+ Credentials Monitor
+ Windows Update Attack
+ Templates phishing
+ Partial bypass HSTS
+ Dump credentials phishing
+ Support airodump scan
+ Support mdk3 deauth
+ beef hook support
+ Report Logs html
+ Mac Changer
+ ARP Poison
+ DNS Spoof

Ubuntu/Kali 2.0/WifiSlax 4.11.1/Parrot 2.0.5:

git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
chmod +x installer.sh
./installer.sh --install


Update
cd WiFi-Pumpkin
git pull origin master

then run
wifipumpkin (ubuntu)
wifi-pumpkin (kali 2.0)

Source : https://github.com/P0cL4bs | Download: 0.8.1.zip | 0.8.1.tar.gz | Our post before

Responder & MultiRelay For Windows v1.2 – an LLMNR, NBT-NS and MDNS poisoner.


This tool is first an LLMNR, NBT-NS and MDNS responder: it will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer File Server Service requests, which is for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want this tool to answer the Workstation Service request name suffix.
MultiRelay has also been ported to this Windows version, allowing a pentester to pivot across compromises.

Features:
* Experimental Windows Version.
* Goal of this version is to be able to propagate compromises across subnets and domains from any compromised Windows machine. This tool can also be used to compromise a domain from an external penetration test.
* This version will disable NetBIOS on all interfaces and the current firewall profile on the target host.
* Default values will be turned back on when killing Responder (CTRL-C).
* LLMNR and NetBIOS work out of the box on any Windows XP-2003 and apparently on Windows 2012/2016.
* Netbios support works on all versions.
* Best way to collect hashes with this Windows version: Responder.exe -i IP_Addr -rPv

Latest change Responder v1.2 10/11/2016:
* Added: use wmic instead of .bat files and %COMSPEC%

Usage and download from source:

git clone https://github.com/lgandx/Responder-Windows && cd Responder-Windows
cd binaries/Responder
Responder -h
MultiRelay -h

update:
git pull

Download stable: v1.2.zip  | v1.2.tar.gz
Source: https://github.com/lgandx

JudasDNS – Nameserver DNS poisoning attacks.


LEGAL DISCLAIMER
The author does not hold any responsibility for the bad use of this script. Remember that attacking targets without prior consent is illegal and punishable by law; this script was built to show how resource files can automate tasks.

JudasDNS is a DNS proxy server built to be deployed in place of a taken-over nameserver to perform targeted exploitation. Judas works by proxying all DNS queries to the legitimate nameservers for a domain. The magic comes with Judas’s rule configurations, which allow you to change DNS responses depending on source IP or DNS query type. This allows an attacker to configure a malicious nameserver to do things like selectively re-route inbound email coming from specified source IP ranges (via modified MX records), set extremely long TTLs to keep poisoned records cached, and more.

JudasDNS

The configuration values in the example below have the following purposes:
+ version: The configuration file format version (for now always 1.0.0).
+ port: The port Judas should run on.
+ dns_query_timeout: How long to wait in milliseconds before giving up on a reply from the upstream target nameserver.
+ target_nameservers: The legitimate nameservers for your target domain; all DNS queries will be sent here from Judas on behalf of all requesting clients.
+ rules: A list of rules with modifications to the DNS response to apply if matched.
+-+ name: Name of a given rule.
+-+ query_type_matches: List of query types to match on such as CNAME, A, etc. A wildcard (*) can also be specified to match any query type.
+-+ ip_range_matches: List of IP ranges to match on. For selectively spoofing responses to a specific range of IPs.
+-+ modifications: See the “Modifications” section of this README.

Example:

{
    "version": "1.0.0",
    "port": 2248,
    "dns_query_timeout": 10000,
    "target_nameservers": [ "17.254.0.59", "17.254.0.50", "17.112.144.50", "17.112.144.59", "17.171.63.30", "17.171.63.40", "17.151.0.151", "17.151.0.152" ],
    "rules": [
        {
            "name": "Secretly redirect all emails coming from 127.0.0.1!",
            "query_type_matches": [ "MX" ],
            "ip_range_matches": [ "127.0.0.1/32" ],
            "modifications": [
                {
                    "answer": [
                        {
                            "name": "apple.com",
                            "type": 15,
                            "class": 1,
                            "ttl": 10,
                            "priority": 10,
                            "exchange": "hacktheplace.localhost"
                        }
                    ]
                }
            ]
        },
        {
            "name": "Make all responses NOERROR even if they've failed.",
            "query_type_matches": [ "*" ],
            "modifications": [
                {
                    "header": {
                        "rcode": 0
                    }
                }
            ]
        }
    ]
}

usage:

git clone https://github.com/mandatoryprogrammer/JudasDNS && cd JudasDNS
npm install
node judasdns.js

Source: https://github.com/mandatoryprogrammer

WMDFrame – Weapon of Mass Destruction.


LEGAL DISCLAIMER
The author does not hold any responsibility for the bad use of this script. Remember that attacking targets without prior consent is illegal and punishable by law; this script was built to show how resource files can automate tasks.

WMDFrame is a Python tool with a collection of IT security software. The software is encapsulated in “modules”. The modules consist of pure Python code and/or external third-party programs.
Main functions:
1) To use a module, run the command “use [module_call]”, e.g. “use apsniff”, to activate the module.
2) The modules options can be changed with “set [parameter] [value]”.
3) Inside the modules, you always have the possibility to view the options with the command “so”.
4) Your environment settings are in core/config.ini. Please adjust them before running.

WMD – Weapon of Mass Destruction

Requirements:
+ Python3
+ Python libraries requirements in requirements.txt

Modules:
* monitor network auto
* xsser
* target attack website or ip
* system information
* dns fake
* grep, sed, awk
* scapy on all network activity

Usage:

git clone https://github.com/ThomasTJdev/WMD
pip3 install -r requirements.txt
Before your first run, please adjust your environment settings in core/config.ini

Start the console with: python3 wmd.py
Start a single module: python3 wmd.py -m [CALL]
Start webserver: python3 wmd.py -w
Start without checking requirements: python3 wmd.py -nc

Source: https://github.com/ThomasTJdev

RogueSploit – a powerful social engineering Wi-Fi trap!


::DISCLAIMER::
RogueSploit is intended to be used for legal security purposes only, and you should only use it to protect networks/hosts you own or have permission to test. Any other use is not the responsibility of the developer. Be sure that you understand and are complying with the RogueSploit licenses and laws in your area. In other words, don’t be stupid, don’t be an asshole, and use this tool responsibly and legally.

RogueSploit is an open source automated script made to create a Fake Access Point, with dhcpd server, DNS spoofing, host redirection, browser_autopwn1 or autopwn2 or beef+mitmf.

RogueSploit – A WiFi Social Trap

TO DO LIST:
+ Add BeEF;
+ Add MITMF;
+ Add BDFProxy;
+ Add some features;

What you need:
– Aircrack-ng Suite [https://github.com/aircrack-ng/aircrack-ng]
– Dhcpd server
– Metasploit Framework [https://github.com/rapid7/metasploit-framework]
– Browser Exploitation Framework [https://github.com/beefproject/beef]
– dnsmasq
– GNU / Linux based Operating System [https://kali.org]
– External Wireless Interface like TP-Link TL-WN722N
– Zenity
– MITMF [https://github.com/byt3bl33d3r/MITMf]

Usage:

git clone https://github.com/B4ckP0r7/RogueSploit && cd RogueSploit
bash RogueSploit

Source: https://b4ckp0r7.github.io/RogueSploit/

outis is a custom Remote Administration Tool (RAT).


Disclaimer:
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

outis is a custom Remote Administration Tool (RAT) or something like that. Think Meterpreter or Empire-Agent. However, the focus of this tool is neither an exploit toolkit (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms.

outis

Dependencies & following packages:
+ python3 # includes cmd, tempfile, …
+ python-progressbar2
+ python-dnspython
+ python-crypto
+ python-pyopenssl
+ and maybe more…
In other distributions the names may differ, for instance, there is a module named crypto and a module named pycrypto. We need the latter.

Terms
* agent: software, that runs on the victim system
* handler: software, that parses your commands and leads the agents (usually it runs on your server)
* stager: short script that downloads the agent (using the transport module) and runs it
* transport: communication channel between stager/agent and handler, e.g. ReverseTCP
* platform: victim architecture to use for stager/agent scripts, e.g. PowerShell

Currently Supported Platforms
* PowerShell (partial)

Currently Supported Transports
* Reverse TCP
* DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection)

Currently Supported Cryptography
* Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR
* Agent stages can be authenticated using RSA signatures and pinned certificates
* Transport connections can be encrypted / authenticated using TLS and pinned certificates
Usage and install:

$ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)'
$ virtualenv -p python3 outis-venv
$ source ./outis-venv/bin/activate
(outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl
$ pip3 freeze

git clone --recursive https://github.com/SySS-Research/outis && cd outis
./outis.py

Source: https://github.com/SySS-Research


subjack is a Hostile Subdomain Takeover tool.


subjack is a Hostile Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked. With Go’s speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule out false positives.

subjack

Currently checks for:
+ Amazon S3 Bucket
+ Amazon Cloudfront
+ Cargo
+ Fastly
+ FeedPress
+ Ghost
+ Github
+ Helpjuice
+ Help Scout
+ Heroku
+ Pantheon.io
+ Shopify
+ Surge
+ Tumblr
+ UserVoice
+ WordPress
+ WPEngine

Dependencies:
+ Golang Language https://golang.org/doc/install

Practical Use:
I’ve included scanio.sh which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7’s Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they’re vulnerable to Hostile Subdomain Takeover. Of course this isn’t the only method to get a large amount of data to test. Please use this responsibly 😉

Usage:

git clone https://github.com/haccer/subjack && cd subjack
go build
./subjack -w (your_file.txt) -t 100 -https

Source: https://github.com/haccer
