Termux ID: Discover -->

    Social Items

Home / Discover

InSpy is a python based LinkedIn enumeration tool. Inspy has two functionalities: TechSpy and EmpSpy.
  • TechSpy - Crawls LinkedIn job listings for technlogoies used by the provided company. InSpy attempts to identify technologies by matching job descriptions to keywords from a new line delimited file.
  • EmpSpy - Crawls LinkedIn for employees working at the provided company. InSpy searches for employees by title and/or departments from a new line delimited file. InSpy may also create emails for the identified employees if the user specifies an email format.

Installation
Run 
pip install -r requirements.txt
within the cloned InSpy directory.

Help
InSpy - A LinkedIn enumeration tool by Jonathan Broche (@jonathanbroche)

positional arguments:
  company               Company name to use for tasks.

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit

Technology Search:
  --techspy [file]      Crawl LinkedIn job listings for technologies used by
                        the company. Technologies imported from a new line
                        delimited file. [Default: tech-list-small.txt]
  --limit int           Limit the number of job listings to crawl. [Default:
                        50]

Employee Harvesting:
  --empspy [file]       Discover employees by title and/or department. Titles
                        and departments are imported from a new line delimited
                        file. [Default: title-list-small.txt]
  --emailformat string  Create email addresses for discovered employees using
                        a known format. [Accepted Formats: first.last@xyz.com,
                        last.first@xyz.com, first_last@xyz.com, last_first@xyz.com, 
                        firstl@xyz.com, lfirst@xyz.com,
                        flast@xyz.com, lastf@xyz.com, first@xyz.com,
                        last@xyz.com]

Output Options:
  --html file           Print results in HTML file.
  --csv file            Print results in CSV format.
  --json file           Print results in JSON.


InSpy - A Linkedin Enumeration Tool


WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade off between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called ‘stealthy’, is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.

Most WhatWeb plugins are thorough and recognise a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta HTML tag, e.g. ”, but a minority of WordPress websites remove this identifying tag but this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for “/wp-content/” within relative links.


 Features:
  • Over 1700 plugins
  • Control the trade off between speed/stealth and reliability
  • Plugins include example URLs
  • Performance tuning. Control how many websites to scan concurrently.
  • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree, RubyObject, MongoDB, SQL, and ElasticSearch.
  • Proxy support including TOR
  • Custom HTTP headers
  • Basic HTTP authentication
  • Control over webpage redirection
  • Nmap-style IP ranges
  • Fuzzy matching
  • Result certainty awareness
  • Custom plugins defined on the command line


Example Usage

Using WhatWeb on a couple of websites:

Using a higher aggression level to identify the version of Joomla in use.

Help

.$$$     $.                                   .$$$     $.
$$$$     $$. .$$$  $$$ .$$$$$$.  .$$$$$$$$$$. $$$$     $$. .$$$$$$$. .$$$$$$.
$ $$     $$$ $ $$  $$$ $ $$$$$$. $$$$$ $$$$$$ $ $$     $$$ $ $$   $$ $ $$$$$$.
$ `$     $$$ $ `$  $$$ $ `$  $$$ $$' $ `$ `$$ $ `$     $$$ $ `$      $ `$  $$$'
$. $     $$$ $. $$$$$$ $. $$$$$$ `$  $. $  :' $. $     $$$ $. $$$$   $. $$$$$.
$::$  .  $$$ $::$  $$$ $::$  $$$     $::$     $::$  .  $$$ $::$      $::$  $$$$
$;;$ $$$ $$$ $;;$  $$$ $;;$  $$$     $;;$     $;;$ $$$ $$$ $;;$      $;;$  $$$$
$$$$$$ $$$$$ $$$$  $$$ $$$$  $$$     $$$$     $$$$$$ $$$$$ $$$$$$$$$ $$$$$$$$$'

WhatWeb - Next generation web scanner.
Version 0.4.7 by Andrew Horton aka urbanadventurer from Security-Assessment.com
Homepage: http://www.morningstarsecurity.com/research/whatweb

Usage: whatweb [options] 

TARGET SELECTION:
                  Enter URLs, filenames or nmap-format IP ranges.
                        Use /dev/stdin to pipe HTML directly
  --input-file=FILE, -i Identify URLs found in FILE, eg. -i /dev/stdin
  --url-prefix          Add a prefix to target URLs
  --url-suffix          Add a suffix to target URLs
  --url-pattern         Insert the targets into a URL. Requires --input-file,
                        eg. www.example.com/%insert%/robots.txt
  --example-urls, -e    Add example URLs for each selected plugin to the target
                        list. By default will add example URLs for all plugins.

AGGRESSION LEVELS:
  --aggression, -a=LEVEL The aggression level controls the trade-off between
                        speed/stealth and reliability. Default: 1
                        Aggression levels are:
        1 (Passive)     Make one HTTP request per target. Except for redirects.
        2 (Polite)      Reserved for future use
        3 (Aggressive)  Triggers aggressive plugin functions only when a
                        plugin matches passively.
        4 (Heavy)       Trigger aggressive functions for all plugins. Guess a
                        lot of URLs like Nikto.

HTTP OPTIONS:
  --user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.4.7.
  --user, -u= HTTP basic authentication
  --header, -H          Add an HTTP header. eg "Foo:Bar". Specifying a default
                        header will replace it. Specifying an empty value, eg.
                        "User-Agent:" will remove the header.
  --follow-redirect=WHEN Control when to follow redirects. WHEN may be `never',
                        `http-only', `meta-only', `same-site', `same-domain'
                        or `always'. Default: always
  --max-redirects=NUM   Maximum number of contiguous redirects. Default: 10

SPIDERING:
  --recursion, -r       Follow links recursively. Only follow links under the
                        path Default: off
  --depth, -d           Maximum recursion depth. Default: 10
  --max-links, -m       Maximum number of links to follow on one page
                        Default: 250
  --spider-skip-extensions Redefine extensions to skip.
                        Default: zip,gz,tar,jpg,exe,png,pdf

PROXY:
  --proxy               <hostname[:port]> Set proxy hostname and port
                        Default: 8080
  --proxy-user           Set proxy user and password

PLUGINS:
  --plugins, -p         Comma delimited set of selected plugins. Default is all.
                        Each element can be a directory, file or plugin name and
                        can optionally have a modifier, eg. + or -
                        Examples: +/tmp/moo.rb,+/tmp/foo.rb
                        title,md5,+./plugins-disabled/
                        ./plugins-disabled,-md5
   -p + is a shortcut for -p +plugins-disabled
  --list-plugins, -l    List the plugins
  --info-plugins, -I    Display information for all plugins. Optionally search
                        with keywords in a comma delimited list.
  --custom-plugin       Define a custom plugin called Custom-Plugin,
                        Examples: ":text=>'powered by abc'"
                        ":regexp=>/powered[ ]?by ab[0-9]/"
                        ":ghdb=>'intitle:abc \"powered by abc\"'"
                        ":md5=>'8666257030b94d3bdb46e05945f60b42'"
                        "{:text=>'powered by abc'},{:regexp=>/abc [ ]?1/i}"

LOGGING & OUTPUT:
  --verbose, -v         Increase verbosity, use twice for plugin development.
  --colour,--color=WHEN control whether colour is used. WHEN may be `never',
                        `always', or `auto'
  --quiet, -q  Do not display brief logging to STDOUT
  --log-brief=FILE      Log brief, one-line output
  --log-verbose=FILE    Log verbose output
  --log-xml=FILE        Log XML format
  --log-json=FILE       Log JSON format
  --log-json-verbose=FILE Log JSON Verbose format
  --log-magictree=FILE  Log MagicTree XML format
  --log-object=FILE     Log Ruby object inspection format
  --log-mongo-database  Name of the MongoDB database
  --log-mongo-collection Name of the MongoDB collection. Default: whatweb
  --log-mongo-host      MongoDB hostname or IP address. Default: 0.0.0.0
  --log-mongo-username  MongoDB username. Default: nil
  --log-mongo-password  MongoDB password. Default: nil
  --log-errors=FILE     Log errors

PERFORMANCE & STABILITY:
  --max-threads, -t     Number of simultaneous threads. Default: 25.
  --open-timeout        Time in seconds. Default: 15
  --read-timeout        Time in seconds. Default: 30
  --wait=SECONDS        Wait SECONDS between connections
                        This is useful when using a single thread.

HELP & MISCELLANEOUS:
  --help, -h            This help
  --debug               Raise errors in plugins
  --version             Display version information. (WhatWeb 0.4.7)

EXAMPLE USAGE:
  whatweb example.com
  whatweb -v example.com
  whatweb -a 3 example.com
  whatweb 192.168.1.0/24

Changelog
  • Added unit testing with rake @bcoles
  • Added Elastic Search output @SlivTaMere
  • Source code formatting cleanup @Code0x58
  • Thread reuse and logging through a single thread @Code0x58
  • Fixed max-redirection bug @Code0x58
  • Fixed bug when using a proxy and HTTPS (unknown user)
  • Fixed timeout deprecation warning @iGeek098
  • New plugins and plugin updates @guikcd @bcoles @andreas-becker
  • Added proxy and user-agent to logging @rdubourguais
  • Updated Alexa top websites lists
  • Updated update-alexa script
  • Updated IP to Country database
  • Updated man page
  • Updated Mongo DB output for Mongo 2.x

WhatWeb v0.4.9 - Next Generation Web Scanner


This tool can be used to brute discover GET and POST parameters.

Often when you are busting a directory for common files, you can identify scripts (for example test.php) that look like they need to be passed an unknown parameter. This hopefully can help find them.

The -off flag allows you to specify an offset (helps with dynamic pages) so for example, if you were getting alternating response sizes of 4444 and 4448, set the offset to 5 and it will only show the stuff outside the norm

Usage
usage: parameth.py [-h] [-v] [-u URL] [-p PARAMS] [-H HEADER] [-a AGENT]
              [-t THREADS] [-off VARIANCE] [-o OUT] [-P PROXY]
              [-x IGNORE] [-s SIZEIGNORE] [-d DATA] [-i IGMETH]
              [-c COOKIE]***
optional arguments:
-h, --help show this help message and exit
-v, --version Version Information
-u URL, --url URL Target URL
-p PARAMS, --params PARAMS Provide a list of parameters to scan for
-H HEADER, --header HEADER Add a custom header to the requests
-a AGENT, --agent AGENT Specify a user agent
-t THREADS, --threads THREADS Specify the number of threads.
-off VARIANCE, --variance VARIANCE The offset in difference to ignore (if dynamic pages)
-diff DIFFERENCE, --difference DIFFERENCE Percentage difference in response (recommended 95)
-o OUT, --out OUT Specify output file
-P PROXY, --proxy PROXY Specify a proxy in the form http|s://[IP]:[PORT]
-x IGNORE, --ignore IGNORE Specify a status to ignore eg. 404,302...
-s SIZEIGNORE, --sizeignore SIZEIGNORE Ignore responses of specified size
-d DATA, --data DATA Provide default post data (also taken from provided url after ?)
-i IGMETH, --igmeth IGMETH Ignore GET or POST method. Specify g or p
-c COOKIE, --cookie COOKIE Specify Cookies
-T TIMEOUT, --timeout TIMEOUT Specify a timeout in seconds to wait between each request

Adding new params from source:
The following regexes might be useful to parse $_GET or $_POST parameters from source:
$> grep -rioP '$_POST[\s*["']\s*\w+\s*["']\s*]' PHPSOURCE  | grep -oP '$_POST[\s*["']\s*\w+\s*["']\s*]' | sed -e "s/$_POST[\s*["']//g"  -e "s/\s*['"]\s*]//g" | sort -u > /tmp/outfile.txt
$> grep -rioP '$_GET[\s*["']\s*\w+\s*["']\s*]' PHPSOURCE  | grep -oP '$_GET[\s*["']\s*\w+\s*["']\s*]' | sed -e "s/$_GET[\s*["']//g"  -e "s/\s*['"]\s*]//g" | sort -u > /tmp/outfile.txt


parameth - Tool to brute discover GET and POST parameters


Habu is to teach (and learn) some concepts about Python and Network Hacking.
These are basic functions that help with some tasks for Ethical Hacking and Penetration Testing.
Most of them are related with networking, and the implementations are intended to be understandable for who wants to read the source code and learn from that.

Some techniques implemented in the current version are:
  • ARP Poisoning
  • ARP Sniffing
  • DHCP Discover
  • DHCP Starvation
  • LAND Attack
  • SNMP Cracking
  • SYN Flooding
  • TCP Flags Analysis
  • TCP ISN Analysis
  • TCP Port Scan


Installation
To install Habu, simply:
$ pip3 install habu


Dependencies
Habu requires:
  • Click
  • Python (3.x),
  • Scapy-Python3
  • Matplotlib (Optional, only needed if you want to make some graphs)


Get Help
All the commands implement the option '--help', that shows the help, arguments, options, and default values.


Verbose Mode
Almost all commands implement the verbose mode with the '-v' option. This can give you some extra info about what habu is doing.


habu.arpoison: ARP Poisoning
This command sends ARP 'is-at' packets to each victim, poisoning their ARP tables for send the traffic to your system.
$ sudo habu.arpoison 192.168.1.5 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
...
Note: If you want a full working Man In The Middle attack, you need to enable the packet forwarding on your operating system to act like a router. You can do that using:
echo 1 > /proc/sys/net/ipv4/ip_forward


habu.arpsniff: Discover devices on your LAN capturing ARP packets
This command listen for ARP packets and shows information each device.
Columns: Seconds from last packet | IP | MAC | Vendor
1   192.168.0.1         a4:08:f5:19:17:a4   Sagemcom Broadband SAS
7   192.168.0.2         64:bc:0c:33:e5:57   LG Electronics (Mobile Communications)
2   192.168.0.5         00:c2:c6:30:2c:58   Intel Corporate
6   192.168.0.7         54:f2:01:db:35:58   Samsung Electronics Co.,Ltd


habu.contest: Check your connection capabilities
This command tries to connect to various services and check if you can reach them using your internet connection.
$ habu.contest
IP:    True
DNS:   True
FTP:   True
SSH:   True
HTTP:  True
HTTPS: True


habu.dhcp_discover: Discover DHCP servers
This command send a DHCP request and shows what devices has replied. Using the '-v' parameter (verbose) you can see all the options (like DNS servers) included on the responses.
$ sudo habu.dhcp_discover
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.5:bootpc / BOOTP / DHCP


habu.dhcp_starvation: Fill the DHCP leases
This command send multiple DHCP requests from forged MAC addresses to fill the DHCP server leases. When all the available network addresses are assigned, the DHCP server don't send responses. So, some attacks, like DHCP spoofing can be made.
$ sudo habu.dhcp_starvation
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.6:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.7:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.8:bootpc / BOOTP / DHCP


habu.eicar: Prints the EICAR test string
This command prints the EICAR test string that can be used to test antimalware engines. More info: http://www.eicar.org/86-0-Intended-use.html
$ habu.eicar
X5O!P%@AP[4\XZP54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Note: The below string is incorrect because is not a good idea write the complete in this text file. Some antivirus program can be detect it like a virus. :)


habu.hasher: Computes various hashes with the input data
This command computes various hashes for the input data, that can be a file or a stream.
If the filename is '-', the data is taken from the standard input (stdin) so, three different variants exists to call this command:
$ habu.hasher README.rst
md5  : 375375d9cfb2aacab7c8d1a9afd3d9b7
sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

$ cat README.rst | habu.hasher -
md5  : 375375d9cfb2aacab7c8d1a9afd3d9b7
sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

$ habu.hasher - < README.rst
md5  : 375375d9cfb2aacab7c8d1a9afd3d9b7
sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e
Note: The output above shows only MD5 and SHA1 to make it short, but the real output includes more algorithms.
You can also specify which algorithm to use. In such case, the output is only the value of the calculated hash:
$ habu.hasher -a md5 README.rst
375375d9cfb2aacab7c8d1a9afd3d9b7


habu.ip: Prints your current public IP
This command prints your current public IP based on the response from https://api.ipify.org.
$ habu.ip
182.26.32.246


habu.isn: Prints the TCP sequence numbers for an IP
This command creates TCP connections and prints the TCP initial sequence numbers for each connections.
$ sudo habu.isn www.portantier.com
1962287220
1800895007
589617930
3393793979
469428558
You can get a graphical representation (needs the matplotlib package) using the '-g' option:
$ sudo habu.isn -g -c 10 www.portantier.com
Note: The above command uses '-c' option to define that 10 connections must be created.


habu.land: Implements the LAND attack
This command implements the LAND attack, that sends packets forging the source IP address to be the same that the destination IP. Also uses the same source and destination port.
The attack is very old, and can be used to make a Denial of Service on old systems, like Windows NT 4.0. More information here: https://en.wikipedia.org/wiki/LAND
sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many packets send with the '-c' option. The default is never stop. Also, you can specify the destination port, with the '-p' option.


habu.ping: ICMP echo requests
This command implements the classic 'ping' with ICMP echo requests.
$ sudo habu.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding


habu.snmp_crack: SNMP Community Cracker
This command launches snmp-get queries against an IP, and tells you when finds a valid community string (is a simple SNMP cracker).
The dictionary used is the distributed with the onesixtyone tool (https://github.com/trailofbits/onesixtyone)
$ sudo habu.snmp_crack 179.125.234.210
Community found: private
Community found: public
Note: You can also receive messages like <UNIVERSAL> <class 'scapy.asn1.asn1.ASN1_Class_metaclass'>, I don't know how to supress them for now.


habu.synflood: SYN Flood Attack Implementation
This command launches a lot of TCP connections and keeps them opened. Some very old systems can suffer a Denial of Service with this. More info: https://en.wikipedia.org/wiki/SYN_flood
$ sudo habu.synflood 172.16.0.10
.................
Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses. If you use them, each connection will be sent from a random layer2 (MAC) and/or layer3 (IP) address.
You can choose the number of connections to create with the option '-c'. The default is never stop creating connections.
Note: If you send the packets from your real IP address and you want to keep the connections half-open, you need to setup for firewall to don't send the RST packets. With habu, you can do this with the following command (only works with Linux+IPTables):
$ sudo habu.firewall --no-rst
You can check the results with "iptables -L -n", and you will see something like this:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04


habu.tcpflags: TCP Flag Fuzzer
This command send TCP packets with different flags and tell you what responses receives.
It can be used to analyze how the different TCP/IP stack implementations and configurations responds to packet with various flag combinations.
$ sudo habu.tcpflags www.portantier.com
S  -> SA
FS -> SA
FA -> R
SA -> R
By default, the command sends all possible flag combinations. You can specify with flags must ever be present (reducing the quantity of possible combinations), with the option '-f'.
Also, you can specify which flags you want to be present on the response packets to show, with the option '-r'.
With the next command, you see all the possible combinations that have the FIN (F) flag set and generates a response that contains the RST (R) flag.
$ sudo habu.tcpflags -f F -r R www.portantier.com
FPA  -> R
FSPA -> R
FAU  -> R


habu - Network Hacking Toolkit

Subscribe to: Posts (Atom)