Wednesday, 3 February 2016

PyKeylogger A Pure-Python Keylogger For Linux

Definition: PyKeylogger is a pure-python keylogger for Linux that uses Xlib by which it can monitor the state of the keyboard. The main purpose is backup process and stealth keylogger too. It is available under the GNU General Public License. 

  • It can easily log all keystrokes to disk
  • It automatically archives log files according to its dated zips
  • It also provides automatic log rotation
  • Zipped log archives are sent out automatically to the specified email address[es] 
  • It works with any SMTP server, including Gmail and Yahoo Mail secure SMTP servers
  • Upload zipped log archives to a specified FTP server automatically
  • At centered location of every mouse click, it takes a partial screenshot
  • If the computer is running it takes screenshots at fixed time interval
  • To ensure the minimization of data loss during crash, it automatically flush write buffer to disk 
  • It provides the features of customization, through configuration with a .ini text file
  • It also provides some features of GUI (graphical) control panel for settings and actions 
  • It also provides features of password protection of control panel
  • To prevent casual snooping passwords are obfuscated in the configuration file
  • If the log files become older than specified age then it automatically deletes it.

Here is the example of its usage:

import keylogger
import time

now = time.time()

done = lambda: time.time() > now + 60

def print_keys(t, modifiers, keys): 
  print "%.2f   %r   %r" % (t, keys, modifiers)
  keylogger.log(done, print_keys)

This will print key events to stdout for 60 seconds. If you wanted to be evil, instead of passing in a print callback, you could pass in a remote logging procedure.

Sample output:

1314238675.42   'o'   {'left shift': False, 'right alt': False, 'right shift': False, 'left 
alt': False, 'left ctrl': False, 'right ctrl': False}
1314238675.51   'm'   {'left shift': False, 'right alt': False, 'right shift': False, 'left 
alt': False, 'left ctrl': False, 'right ctrl': False}
1314238675.65   'g'   {'left shift': False, 'right alt': False, 'right shift': False, 'left 
alt': False, 'left ctrl': False

Tuesday, 2 February 2016

Raptor WAF - Web Applicaiton to Train Attacks to Bypass

Raptor is an Open Source Tool, your focus is study of attacks and find intelligent ways to block attacks.

Raptor is made in pure C, don’t use regex or other common ways to block attacks, yes is different and fast like a raptor dinosaur, Raptor follow principle KISS (Keep It Simple), you can use Raptor to simulate attacks and bypasses at wafs.

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and XSS...

  • You can block XSS, SQL injection attacks and path traversal with Raptor
  • You can use blacklist of IPs to block some users at config/blacklist ip.txt
  • You can use IPv6 and IPv4 at communications
  • At the future DoS protector, request limit, rule interpreter and Malware detector at uploads.
  • At the future SSL/TLS...

to run:
$ git clone
$ cd raptor_waf; make; bin/raptor

Up some HTTPd server at port 80 
$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt
you can test at http://localhost:8883/test.php

Look the docs

509 of attacks, detect and block 349, 68% of attacks blocked

Saturday, 30 January 2016

Viper - Cracking Unix Passwords Brute Force

Viper is a brute force UNIX-style password cracker for passwords encrypt with crypt. It has been developed from Hale's viper 1.4 Perl program. While there are other more powerful crack programs out, this one is about studying the safety of passwords while hardware speed is increasing drastically. If I remember right, I read that on a PDP-11 the password generation took 30 seconds. Now we can do more then 230.000 generations per second on a single CPU core of a single system, increasing speed by a factor of several million. Still, there is some time to go for a 8-character password on full keyspace, see keyspace.txt

Originally, the ufc-crypt implementation seemed to be the fastest crypt function around, using it made porting the program to different platforms easy. 

Viper runs under Linux, Solaris, HPUX and DOS/Windows.


The original, Hale's on Linux: 16329 CPS 
Hale's on Solaris: 659 CPS 

SystemCPUOSVersionCompilerCPS rate
Desktop PCPentium III 650MhzLinux2.2.13gcc39062
Desktop PCPentium III 650MhzWindowsWin98gcc51282
Desktop PCPentium III 650MhzDOS7.0djgpp51282
SparcStationSUN U-Sparc 400MhzSolaris2.6gcc24691
HP 9000-B180LPA-7300LC 180MhzHPUX10.20gcc6993
HP Laptop1x 1.7 GHz AMD64WindowsWinXPgcc121,212
Cloud Server1x CPU sharedLinux2.6.31gcc150,000


Viper v1.6 (Hale 05/12/2000) - C version by Frank4DD (05/05/2014)
Wiltered Fire -, incl. bugfixes by David C. Rankin

        -f     File to load password from (required unless using lsf)
        -u     Username to load from file (required unless using lsf)
        -lsf   Load saved file from previous session
        -pf    Save progress to file at update interval
        -rf #        Amount of time in hours to run for (default infinite)
        -c #         Character set from charset.ini to use (default 1)
        -pws #       Minimum password length (starting value, default 1)
        -pwl #       Maximum password length (default 8 - maximum 16)
        -ui #        Console update interval (in minutes - default 10)
        -v           Verbose output

Usage Example   

susie112:/home/me/viper-1.6/src # ./viper -f passwd -u root -ui 1 -v
Viper v1.6 (Hale 05/12/2000) - C version by Frank4DD (05/05/2014)
Wiltered Fire -, incl. bugfixes by David C. Rankin
Found: user root pw:reUJbHrFWYCQk
Found: Charset 0 in charset.ini
...command line parameters loaded.
Character set is 93 chars long
Starting crack on: Sun Oct  3 23:04:44 2009
Cracking for pass length 1 (93 possibilities)
Cracking for pass length 2 (8649 possibilities)
Cracking for pass length 3 (804357 possibilities)
Cracking for pass length 4 (7.48052e+07 possibilities)
[ Length: | Last:    | CPS:    | Time Spent:      | Time Remaining:  | Done:  ]
[    4    |     kq2r |  150000 | 000d:00h:01m:00s | 000d:00h:07m:18s | 12.03% ]
 The password has been located.
 Username : root
 Password : test
 Started  : Sun Oct  3 23:04:44 2009
 Finished : Sun Oct  3 23:06:30 2009
 Duration : 000d:00h:01m:00s
Viper exiting...

Latest Updates   

Viper Version 1.5 has been updated to use the OpenSSL DES routines for encrypting. The UFC library has been dropped as outdated and even generating segfaults on some systems. There is a performance gain of approx. 25% coming from the OpenSSL libraries. In addition to the libraries, the OpenSSL headers (dev package) need to be installed in order to be able to compile Viper. 
Viper Version 1.6 received bugfixes thanks to David C. Rankin. 

Wednesday, 27 January 2016

Metabrik - Perl Brik Platform

Smartphones have their apps, Web browsers have their apps, shells don’t. With Metabrik, we tried to merge the power of shells with the power of the Perl language by creating a platform allowing to quickly write reusable Briks.

Metabrik goals:
  • Glue the Perl language with a shell
  • Give a standardised API to write reusable Briks
  • Self-documented Briks to make them easy to use
  • Only 4 main shell commands to remember: use, set, get, run

Metabrik features:
  • Completion on Brik names, Commands and Attributes
  • Completion on file manipulation
  • Completion on Perl variable names
  • Command history and recalling
  • Customization support with a .rc file
  • Scripting support
  • Multiple Brik repositories support

Metabrik helps you to concentrate on scenarios instead of wasting your time searching how to use a program. You just have to reuse available Briks to perform your everyday job.

The two main ideas behind Metabrik are:
  • You have the brain, code has the details
  • Do it once

V3n0M-Scanner - Popular SQLi and Pentesting Scanner

V3n0M runs on Python3 [Live Project - Readding old features back in and improved for Python3] 

v3n0m is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve fuctionality and usability. It is mostly  experimental software. 

This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds.

You can now install the software via pip install V3n0m
Always verify the PGP signature of the package:

gpg: Signature made Fri 18 Jul 2014 02:59:48 AM UTC
gpg: using RSA key 0x8F2B5CBD711F1326
gpg: Good signature from "Grand Architect <>"

Use at your own risk.  

Very useful for executing:   
  • Metasploit Modules Scans 
  • SQL Injection Vuln Scanner[SQLi] 
  • Extremely Large D0rk Target Lists 
  • FTP Crawler 
  • DNS BruteForcer 

What You Hold:   

A modified smartd0rk3r  
  • Brand new, just outta the box! 
  • Largest and most powerful d0rker online, 18k+d0rks searched over ~ Engines at once. 
  • Free and Open /src/ 
  • CrossPlatform Python based toolkit 
  • Version 4.0.1 Released on 7th Jan 2016 
  • Licensed under GPLv2 
  • Tested on: Linux 4.3.1 Ubuntu/Debian, CentOS 6 (with some errors), Win7 (with some errors) 


root@bt:~# python3

Now you may follow the simple prompts.
[0x100] Choose your target (domain) :
        Example : .com
        it is necessary to add you can also use a specific website (
[0x200] Choose the number of random dorks (0 for all.. may take awhile!) :
        Example : 0 = This will choose all of the XSS, File Inclusion, RCE and SQLi dorks
[0x300] Choose the number of threads :
        Example : 50
[0x400] Enter the number of pages to search through :
        Example : 50
    The program will print out your desired settings and start searching.
    It then creates files for the collected and valid URLs for later.
    It takes a while to scan because it utilizes either TOR, which you can specify
    if you wish to do so, or regular HTTP requests over a long period of time.
    After a while, it will feed you the percentage of the scan until completion.
    At this point, it will have saved the valid URLs in the files it created earlier.
    The program utilizes over 10k dorks now, be careful how you use them!
    Enjoy. :]
                                                            ~/ Dev Team

 Contact Information:   

    [ baltazar  ] - <>       
    [ NovaCygni ] - <>
    [ Architect ] -        R.I.P.

 Original Header:   

- This was written for educational purpose and pentest only. Use it at your own risk.
- Author will be not responsible for any damage!
- !!! Special greetz for my friend sinner_01 !!!
- Toolname        :
- Coder           : baltazar a.k.a b4ltazar <>
- Version         : 1.0
- greetz for all members of ex,

 New To This Addition:   

---To be Done --Partially implemented -Done
- Upgrade to Python3 from Python2
--- Redo LFI/RFI attack method
--- Automate scanning sites with findable admin pages and add to seperate list
--- Redo Metasploit Scans
--- Add default attack option for DB types, automate injection and upload shell or enable RDP.
-- Perfect SQLi Vuln detection and add options for saving/searching specific DB types
-- Starting upgrade for Search engines
--- Implement SQLi D0rk Seed Generation option
--- Implement Metasploit Exploits scan / Nmap style option + Dork option

Monday, 25 January 2016

Windows-Exploit-Suggester - Tool To Compares A Targets Patch Levels Against The Microsoft Vulnerability Database

This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. 

It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host. 

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet. 

When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host. 

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value. 

It was heavily inspired by Linux_Exploit_Suggester by Pentura. 


update the database

$ ./ --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2014-06-06-mssb.xlsx
[*] done

install dependencies
(install python-xlrd, $ pip install xlrd --upgrade)
feed it "systeminfo" input, and point it to the microsoft database

$ ./ --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[*] done

possible exploits for an operating system can be used without hotfix data

$ ./ --database 2014-06-06-mssb.xlsx --ostext 'windows server 2008 r2' 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical


Currently, if the 'systeminfo' command reveals 'File 1' as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the --hotfixes flag 

It currently does not seperate 'editions' of the Windows OS such as 'Tablet' or 'Media Center' for example, or different architectures, such as Itanium-based only 

False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the 'File 1' output, try executing 'wmic qfe list full' and feed that as input with the --hotfixes flag, along with the 'systeminfo

Sunday, 24 January 2016

Python Tools : Penetration Testers Arsenal

If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest to try out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them.

Most of the listed tools are written in Python, others are just Python bindings for existing C libraries, i.e. they make those libraries easily usable from Python programs.


Scapy, Scapy3k: Send, sniff and dissect and forge network packets. Usable interactively or as a library

pypcap, Pcapy and pylibpcap: Several different Python bindings for libpcap

libdnet: Low-level networking routines, including interface lookup and Ethernet frame transmission

dpkt: Fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols

Impacket: Craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB

pynids: Libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection

Dirtbags py-pcap: Read pcap files without libpcap

flowgrep: Grep through packet payloads using regular expressions

Knock Subdomain Scan: Enumerate subdomains on a target domain through a wordlist

SubBrute: Fast subdomain enumeration tool

Mallory: Extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly

Pytbull: Flexible IDS/IPS testing framework (shipped with more than 300 tests)

Debugging and Reverse Engineering

Paimei: Reverse engineering framework, includes PyDBG, PIDA, pGRAPH

Immunity Debugger: Scriptable GUI and command line debugger PyCommand for Immunity Debugger that replaces and improves on pvefindaddr

IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro

PyEMU: Fully scriptable IA-32 emulator, useful for malware analysis

pefile: Read and work with Portable Executable (aka PE) files

pydasm: Python interface to the libdasm x86 disassembling library

PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine

uhooker: Intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory

diStorm: Disassembler library for AMD64, licensed under the BSD license

python-ptrace: Debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python

vdb / vtrace: Vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it

Androguard: Reverse engineering and analysis of Android applications

Capstone: Lightweight multi-platform, multi-architecture disassembly framework with Python bindings

PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library


Sulley: Fuzzer development and fuzz testing framework consisting of multiple extensible components

Peach Fuzzing Platform: Extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)

antiparser: Fuzz testing and fault injection API

TAOF: The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer

untidy: General purpose XML fuzzer

Powerfuzzer: Highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)

SMUDGE : Pure Python network protocol fuzzer

Mistress: Probe file formats on the fly and protocols with malformed data, based on pre-defined patterns

Fuzzbox: Multi-codec media fuzzer

Forensic Fuzzing Tools: Generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems

Windows IPC Fuzzing Tools: Tools used to fuzz applications that use Windows Interprocess Communication mechanisms

WSBang: Perform automated security testing of SOAP based web services

Construct: Library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner (feliam): Simple fuzzer by Felipe Andres Manzano

Fusil: Python library used to write fuzzing programs


Requests: Elegant and simple HTTP library, built for human beings

HTTPie: Human-friendly cURL-like command line HTTP client

ProxMon: Processes proxy logs and reports discovered issues

WSMap: Find web service endpoints and discovery files

Twill: Browse the Web from a command-line interface. Supports automated Web testing Webkit web client written in Python

Windmill: Web testing tool designed to let you painlessly automate and debug your web application

FunkLoad: Functional and load web tester

spynner: Programmatic web browsing module for Python with Javascript/AJAX support

python-spidermonkey: Bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions

mitmproxy: SSL-Capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly

pathod / pathoc: Pathological daemon/client for tormenting HTTP clients and servers


Volatility: Extract digital artifacts from volatile memory (RAM) samples

Rekall: Memory analysis framework developed by Google

LibForensics: Library for developing digital forensics applications

TrIDLib: Identify file types from their binary signatures. Now includes Python binding

aft: Android forensic toolkit

Malware Analysis

pyew: Command line hexadecimal editor and disassembler, mainly to analyze malware

Exefilter: Filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content

pyClamAV: Add virus detection capabilities to your Python software

jsunpack-n: Generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities

yara-python: Identify and classify malware samples

phoneyc: Pure Python honeyclient implementation

CapTipper: Aanalyse, explore and revive HTTP malicious traffic from PCAP file


peepdf: Python tool to analyse and explore PDF files to find out if they can be harmful

Didier Stevens' PDF tools: Analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF)

Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.

Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files

pyPDF2: Pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt...

PDFMiner: Extract text from PDF files

python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support


InlineEgg: Toolbox of classes for writing small assembly programs in Python

Exomind: Framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging

RevHosts: Enumerate virtual hosts for a given IP address

simplejson: JSON encoder/decoder, e.g. to use Google's AJAX API

PyMangle: Command line tool and a python library used to create word lists for use with other penetration testing tools

Hachoir: View and edit a binary stream field by field

py-mangle: Command line tool and a python library used to create word lists for use with other penetration testing tools

Other Useful Libraries And Tools

IPython: Enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system

Beautiful Soup: HTML parser optimized for screen-scraping

matplotlib: Make 2D plots of arrays

Mayavi: 3D Scientific data visualization and plotting

RTGraph3D: Create dynamic graphs in 3D

Twisted: Event-driven networking engine

Suds: Lightweight SOAP client for consuming Web Services

M2Crypto: Most complete OpenSSL wrapper

NetworkX: Graph library (edges, nodes)

Pandas: Library providing high-performance, easy-to-use data structures and data analysis tools

pyparsing: General parsing module

lxml: Most feature-rich and easy-to-use library for working with XML and HTML in the Python language

Whoosh: Fast, featureful full-text indexing and searching library implemented in pure Python

Pexpect: Control and automate other programs, similar to Don Libes `Expect` system

Sikuli: Visual technology to search and automate GUIs using screenshots. Scriptable in Jython

PyQt and PySide: Python bindings for the Qt application framework and GUI library


Violent Python by TJ O'Connor. A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

Grey Hat Python by Justin Seitz: Python Programming for Hackers and Reverse Engineers.

Black Hat Python by Justin Seitz: Python Programming for Hackers and Pentesters

Python Penetration Testing Essentials by Mohit: Employ the power of Python to get the best out of pentesting

Python for Secret Agents by Steven F. Lott. Analyze, encrypt, and uncover intelligence data using Python

More Stuff

SecurityTube Python Scripting Expert (SPSE) is an online course and certification offered by Vivek Ramachandran.

The Python Arsenal for Reverse Engineering is a large collection of tools related to reverse engineering.

There is a SANS paper about Python libraries helpful for forensic analysis (PDF).

For more Python libaries, please have a look at PyPI, the Python Package Index.

Source: GitHub