INURLBR – Advanced Search Engine Tool - Hacking

INURLBR is a PHP-based advanced search engine tool for security professionals. It supports 24 search engines and 6 deep web or special options, and is very useful for the information gathering phase of a penetration test or vulnerability assessment.
This tool functions in many ways enabling you to harness the power of what’s already indexed by the search engines and analyse your target for potential exploits, capture E-mails and URLs with internal custom validation for each target/URL found.
It also supports external commands for exploitation, so if your scan/search finds a potential validated SQL Injection vulnerability, you could have INURLBR directly launch sqlmap or your tool of choice.

Features

  • Generate IP ranges or random_ip and analyse the targets.
  • Customization of HTTP-HEADER, USER-AGENT, URL-REFERENCE.
  • Execute external commands to exploit certain targets.
  • Generate random dorks or set dorks file.
  • Option to set proxy manually or from a file list.
  • Supports both SOCKS and HTTP proxies.
  • Set time for proxy change when using random.
  • Supports TOR to randomise IP.
  • Debug processed URLs & HTTP requests.
  • Can send vulnerable URLs to an IRC chat room.
  • Support for GET / POST => SQLI, LFI, LFD injection exploits.
  • Filter and validate based on regexp.
  • Extraction of e-mail addresses and URLs.
  • Validation using HTTP response codes.
  • Search pages based on strings file.
  • Exploits commands manager.
  • Paging limiter on search engines.
  • Beep sound when a vulnerability is found.
  • Use text file as a data source for URLs to test.
  • Find personalized strings in return values of the tests.
  • Checks and validates for Shellshock.
  • File validation for the WordPress config file – wp-config.php.
  • Can execute a sub-process for validation.
  • Validate syntax errors for databases and programming.
  • Data encryption as native parameter.
  • Random Google host.
  • Scan port.

Search Engines/Methods Supported

  • Google / (CSE) generic random / API
  • Bing
  • Yahoo! BR
  • Ask
  • HAO123 Br
  • Google (API)
  • Lycos
  • UOL Br
  • Yahoo! US
  • Sapo
  • Dmoz
  • Gigablast
  • Never
  • Baidu BR
  • Yandex
  • Zoo
  • Hotbot
  • Zhongsou
  • Hksearch
  • Ezilion
  • Sogou
  • DuckDuckGo
  • Boorow
  • Google (CSE) generic random

Special

  • Tor Find
  • Elephant
  • Torsearch
  • Wikileaks
  • OTN
  • Shodan

Errors Checked For

  • Java Infinitydb
  • LFI
  • Zimbra mail
  • Zend framework
  • MariaDB
  • MySQL
  • Jbossweb
  • Microsoft
  • ODBC
  • PostgreSQL
  • PHP
  • WordPress
  • Web Shell
  • JDBC
  • ASP
  • Oracle
  • DB2
  • CFM
  • LUA

You can download INURLBR by cloning the GitHub repo:
Or read more here.


DNSRecon – DNS Enumeration Script


DNSRecon is a Python-based DNS enumeration script designed to help you audit your DNS security and configuration as part of the information gathering stage of a pen-test. DNS reconnaissance is an important step when mapping out domain resources, sub-domains, e-mail servers and so on, and can often lead to you finding an old DNS entry pointing to an unmaintained, insecure server.
It’s also considered passive information gathering, as it’s a way to gather a map of company/target resources without alerting IDS/IPS systems by doing active probes/scans.

Features

DNSRecon provides the ability to perform:
  • Check all NS Records for Zone Transfers
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  • Perform common SRV Record Enumeration
  • Top Level Domain (TLD) Expansion
  • Check for Wildcard Resolution
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist
  • Perform a PTR Record lookup for a given IP Range or CIDR
  • Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check
  • Enumerate Common mDNS records in the Local Network
  • Enumerate Hosts and Subdomains using Google

Usage

You can download DNSRecon here:
Or read more here.


The Panama Papers Leak – What You Need To Know


The HUGE news this week is the Panama Papers leak, a massive cache of 11.5 million documents leaked to a German newspaper (Süddeutsche Zeitung) in August 2015. It’s one of the most significant data leaks of all time and Edward Snowden has labelled it as “the biggest leak in the history of data journalism”. It’s also pretty huge at about 2.6TB of data, was leaked anonymously without any payment and goes all the way back to the 1970s.
The Panama Papers are a leaked set of 11.5 million confidential documents that provide detailed information about more than 214,000 offshore companies listed by the Panamanian corporate service provider Mossack Fonseca, including the identities of shareholders and directors of the companies.
The documents show how wealthy public officials hide their money and identify current government leaders from five countries – Argentina, Iceland, Saudi Arabia, Ukraine, and the United Arab Emirates – as well as government officials, close relatives, and close associates of various heads of government of more than forty other countries, including Brazil, the People’s Republic of China, Peru, France, India, Malaysia, Mexico, Pakistan, Romania, Russia, South Africa, Spain, Syria, and the United Kingdom.
Source: Wikipedia
The firm involved, Mossack Fonseca, is obviously back-pedalling hard and has registered a domain and designed a website just for their press statement: http://mossfonmedia.com/
But the ripples are already kicking in, with the PM of Iceland resigning and a lot of other countries, organisations (including FIFA) and political families finding themselves in hot water.
Iceland’s prime minister has stepped down – the first major casualty of the leaked Panama Papers that have shone a spotlight on offshore finance.
The leaks, from Panama-based law firm Mossack Fonseca, showed Sigmundur Gunnlaugsson owned an offshore company with his wife but had not declared it when he entered parliament.
He is accused of concealing millions of dollars’ worth of family assets. Mr Gunnlaugsson says he sold his shares to his wife and denies any wrongdoing.
Source: BBC
Yah sold to his wife for $1, convenient right?
There are all kinds of other reactions too, with France adding Panama back to the list of countries that don’t comply with tax, China completely censoring all mentions of the Panama Papers country-wide and the head of the anti-corruption watchdog in Chile also stepping down after being implicated (ironic much?).
Plenty of other scandals are dropping out of the docs too as they get investigated further and linked together, tracing links between complex multi-layer, multi-country financial transactions.
Thirty three of its clients have been blacklisted by the US government for allegedly doing business with Mexican drug lords, terrorist organisations and “rogue nations” like North Korea and Iran. Its files have unearthed a secret, shady $2 billion (£1.3 billion) trail of money that leads to Vladimir Putin. One of its clients played a crucial role in the Watergate scandal. Another was convicted for the torture and murder of a US drug enforcement agent.
Source: Vice
Mossack Fonseca appears to have claimed that the hack happened on their e-mail server, which makes me wonder – what kind of e-mail server do they have that stores 11.5 million documents? And documents going all the way back to the 1970s?
That’s one hell of an e-mail server.
There’s definitely going to be a lot of articles written about this, a lot of discussions on this and much more to come as the ICIJ haven’t even gone through ALL the documents yet. There may be further implications coming soon.
For now, it’s an interesting drama to watch unfold.
The official site for the whole thing is here: https://panamapapers.icij.org/


Phishing Frenzy – E-mail Phishing Framework


Phishing Frenzy is an Open Source Ruby on Rails e-mail phishing framework designed to help penetration testers manage multiple, complex phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.
Leveraging the Twitter Bootstrap CSS library, Phishing Frenzy is presented with an elegant front end that feels comfortable. Manage your phishing campaign with ease while looking good.
There are of course other frameworks and tools available too such as:

How It Works

Email phishing in its simplest form consists of three (3) primary components.
  • Sending Emails
  • Hosting Websites
  • Tracking Analytics
There obviously are more complex forms of email phishing that include additional components, but for the sake of our conversation we are going to break it up to this simple structure.

Features

  • Website Cloning
  • E-mail Harvesting
  • Credential Harvesting
  • UID tracking for users
  • Reporting and Analytics
  • Action Mailer
  • Dynamic E-mails
  • Preview E-mails
  • Sharing Templates
  • DataTables
  • Export XML
  • PDF Reports

You can download Phishing Frenzy by cloning the GitHub repo:
Or read more here.
