icmpsh is a simple ICMP reverse shell with a win32 slave and a POSIX-compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run onto the target machine.
The tool is clean, easy and portable. The slave (client) runs on the target Windows machine, it is written in C and works on Windows only whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl by and this port is in Python.
- Open source software.
- Client/server architecture.
- The master is portable across any platform that can run either C, Perl or Python code.
- The target system has to be Windows because the slave runs on that platform only for now.
- The user running the slave on the target system does not require administrative privileges.
Running the master
The master is straight forward to use. There are no extra libraries required for the C and Python versions. The Perl master however, has the following dependencies:
When running the master, don’t forget to disable ICMP replies by the OS. For example:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands send from the master.
Running the slave
The slave comes with a few command line options as outlined below:
-t host host ip address to send ping requests to. This option is mandatory!
-r send a single test icmp request containing the string "Test1234" and then quit.
This is for testing the connection.
-d milliseconds delay between requests in milliseconds
-o milliseconds timeout of responses in milliseconds. If a response has not received in time,
the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
The counter is set back to 0 if a response was received.
-b num limit of blanks (unanswered icmp requests before quitting
-s bytes maximal data buffer size in bytes
In order to improve the speed, lower the delay (-d) between requests or increase the size (-s) of the data buffer.
You can download icmpsh here:
Or read more here.
Not long after releasing v11 of their scanner, Acunetix has decided to deliver free manual pen-testing tools. Previously these tools were only available to paying Acunetix customers, now anyone can use them to make their manual web application testing easier.
Penetration testers can make use of an HTTP Editor to modify or craft HTTP requests and analyse responses; intercept and modify HTTP traffic on the fly using the integrated HTTP Sniffer; fuzz test HTTP requests using the HTTP Fuzzer and test Blind SQL Injection vulnerabilities further using the Blind SQL Injector, among others.
- HTTP Editor: Allows you to create, analyze and edit client HTTP requests; as well as inspect server responses. It also includes an encoding and decoding tool to encode/decode text and URL’s to MD5 hashes, UTF-7 and other formats.
- HTTP Sniffer: A proxy that allows you to analyse HTTP requests and responses, and edit these while they are in transit. The HTTP sniffer can also be used to manually crawl a site, and use the manual crawl to seed an Acunetix scan.
- HTTP Fuzzer: A tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and handling of invalid data by the web application.
- Blind SQL Injector: An automated database data exfiltration tool. By using Blind SQL injection vulnerabilities discovered when scanning a website, it is possible to demonstrate the serious impact a Blind SQL injection vulnerability can have on the website. Used to enumerate databases, tables, fields and dump data from the vulnerable web application.
- Subdomain Scanner: Scans a top-level domain to discover subdomains configured in its hierarchy, by using the target domain’s DNS server, or any other DNS server specified by the user. While scanning, this tool will also automatically identify and inform the user if the domain being scanned is using some kind of wildcard characters, such as *.domain.com.
- Target Finder: An IP range / port scanner which can be used to discover running web servers on a given IP or within a specified range of IPs. The list of ports on which the web servers are listening can also be configured. The default ports the scanner will scan are port 80 for HTTP and port 443 for SSL.
- Authentication Tester: Used to test the strength of both usernames and passwords within HTTP and web forms authentication environments via a dictionary attack.
There are also detailed documents with examples for:
You can download the tools here:
You can read more here:
ZGrab is a Go-based application layer scanner that operates with ZMap and supports multiple protocols and services including TLS, IMAP, SMTP, POP3 etc.
It also stores TLS version and can detect Heartbleed.
You will need to have a valid
$GOPATH set up, for more information about
$GOPATH, see https://golang.org/doc/code.html.
Once you have a working
go get github.com/zmap/zgrab
This will install zgrab under
$ cd $GOPATH/src/github.com/zmap/zgrab
$ go build
zgrab [-banners] [-ca-file file ] [-cbc-only] [-data message ] [-ehlo]
domain ] [-encoding encoding ] [-heartbleed] [-imap] [-input-file file
] [-interface interface ] [-log-file file ] [-metadata-file file ]
[-modbus] [-output-file file ] [-pop3] [-port port ] [-senders senders
] [-smtp] [-smtp-help] [-starttls] [-timeout timeout ] [-tls] [-tls-
version version ] [-udp]
# zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json
You can download ZGrab here:
Or read more here.
p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell run space environment (.NET). It has a lot of offensive PowerShell modules and binaries included making the process of Post Exploitation easier.
What the author tried was to build an “all in one” Post Exploitation tool which could be used to bypass all mitigations solutions (or at least some of), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defence strategies.
The following PowerShell tools/functions are included:
- PowerSploit Invoke-Shellcode
- PowerSploit Invoke-ReflectivePEInjection
- PowerSploit Invoke-Mimikatz
- PowerSploit Invoke-TokenManipulation
- PowerSploit PowerUp
- PowerSploit PowerView
- HarmJ0y’s Invoke-Psexec
- Besimorhino’s PowerCat
- Nishang Invoke-PsUACme
- Nishang Invoke-Encode
- Nishang Get-PassHashes
- Nishang Invoke-CredentialsPhish
- Nishang Port-Scan
- Nishang Copy-VSS
- Kevin Robertson Invoke-Inveigh
- Kevin Robertson Tater
- FuzzySecurity Invoke-MS16-032
Powershell functions within the Runspace are loaded in memory from Base64 encode strings.
The following Binaries/tools are included:
- Benjamin DELPY’s Mimikatz
- Benjamin DELPY’s MS14-068 kekeo Exploit
- Didier Stevens modification of ReactOS Command Prompt
- MS14-058 Local SYSTEM Exploit
- hfiref0x MS15-051 Local SYSTEM Exploit
To compile p0wnedShell you need to import this project into Microsoft Visual Studio or if you don’t have access to a Visual Studio installation, you can compile it as follows:
To Compile as x86 binary:
csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx86.exe /platform:x86 "C:\p0wnedShell\*.cs"
To Compile as x64 binary:
csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx64.exe /platform:x64 "C:\p0wnedShell\*.cs"
p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.
You can download p0wnedShell here:
Or read more here.
Tags: p0wnedshell, powershell, powershell hacking, powershell hacking tool, powershell invoke shellcode, powershell offensive host application, powershell post-exploitation, windows privilege escalation, windows-securityPosted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking | Add a Comment
Ah our favourite database in the news again, being hailed as the MongoDB Ransack a whole bunch of people have turned the insecure MongoDB default configuration into a ransom opportunity. They are deleting/stealing databases and soliciting bitcoin payments to return the data. With multiple actors doing the same stuff though it’s hard to know who […]
Fluxion is an automated EvilAP attack tool for carrying out MiTM attacks on WPA Wireless networks written in a mix of Bash and Python. Fluxion is heavily based off Linset the Evil Twin Attack Bash Script, with some improvements and bug-fixes. How it Works Scan the networks. Capture a handshake (can’t be used without a […]
Exitmap is a fast and modular Python-based Tor exit relay scanner. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, […]
DAVScan is a quick and lightweight WebDAV security scanner designed to discover hidden files and folders on DAV enabled web servers. The scanner works by taking advantage of overly privileged/misconfigured WebDAV servers or servers vulnerable to various disclosure or authentication bypass vulnerabilities. The scanner attempts to fingerprint the target server and then spider the server […]
Project Wycheproof is a tool to test crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but it is not an official Google product. At Google, they rely on many third party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and they found that […]
It seems that 2016 has been the year of immense DDoS attacks, many coming from Mirai. This seems to be a newcomer though ending the year with a 650Gbps DDoS attack. The Dyn DNS DDoS attack that some speculated reached over 1Tbps was probably the biggest, but this isn’t that far behind and it’s bigger […]