Cyberprobe open source real time monitoring SIEM

The Cyberprobe project is an open-source distributed architecture for real-time monitoring of networks against attack. The software consists of two components:

a probe, which collects data packets and forwards it over a network in standard streaming protocols.
a monitor, which receives the streamed packets, decodes the protocols, and interprets the information.
These components can be used together or separately. For a simple configuration, they can be run on the same host, for more complex environments, a number of probes can feed a single monitor.

The probe, cyberprobe has the following features:

The probe can be tasked to collect packets from an interface and forward any which match a configurable address list.
The probe can be configured to receive Snort alerts. In this configuration, when an alert is received from Snort, the IP source address associated with the alert is dynamically targeted for a period of time. In such a configuration, the system will collect data from any network actor who triggers a snort rule and is thus identified as a potential attacker.
The probe can optionally run a management interface which allows remote interrogation of the state, and alteration of the configuration. This allows dynamic alteration of the targeting map, and integration with other systems.
The probe can be configured to deliver on one of two standard stream protocols.

The monitor tool, cybermon has the following features:

Collects packets delivered in stream protocols.
Decodes packet protocols in and raises events in near-real-time.
Decoded information is made available to user-configurable logic to define how the decoded data is handled. A simple configuration language is used (LUA) and example configurations are provided to monitor data volumes, display data hexdumps, or stash the data in files.
Packet forgery techniques are included, which allow resetting TCP connections, and forging DNS responses. This can be invoked from your LUA in order to fight back against attacks on your network.
Has a pub/sub delivery mechanism with subscribers for ElasticSearch, Google BigQuery and Gaffer graph store.
Supports IP, TCP, UDP, ICMP, HTTP and DNS protocols, currently.

The cybermon software includes some support for STIX as a threat indicator specification, and can create alerts on the presence of threats on the network.

The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms.

Project Homepage

ThreatPinchLookup, threat intelligence extension for Chrome

ThreatPinchLookup supplies threat intelligence information on hover tool tips.

Creates on hover tooltips for every website for IPv4, MD5, SHA2, CVE or any custom IOC you define. Designed to work with any API, customization encouraged. Its the infosec threat and OSINT swiss army knife for your browser. Investigate less by taking your context with you.

Documentation here:

– Add your own IOC’s by setting your own Look up type via regex
– Create your own data connections, maybe add a data connection for your asset portal
– Sync your data requests with a CouchDB
– Filter look up requests so that you aren’t looking up your own assets in online tools.
– Supports defanged IOCs

Out of the box integrations with:
– ThreatMiner for IPv4, FQDN, MD5 and SHA2 lookups.
– Alienvault OTX for IPv4, MD5 and SHA2 lookups.
– IBM X-Force Exchange for IPv4, FQDN lookups.
– VirusTotal for MD5, SHA2, FQDN lookups.
– for IPv4 lookups.
– Computer Incident Response Center Luxembourg (CIRCL) for CVE Lookups.
– PassiveTotal for FQDN whois Lookups
– MISP for MD5 and SHA2

Chrome Web Store Link privilege escalation utility

The Inspector is a handy privilege escalation utility.

-can find processes with root privilege
-find exploits for your kernel version with builtin exploit database.
-The Inspector also analyses history files to find login information.



i think inspector is a handy utility which all pentesters like to store in their vault.

torcrack: ssh brute force over TOR

torcrack is a penetration testing utility which tries to crack SSH passwords multi-threaded and over TOR network.

argparse, PyFiglet, PySocks, Paramiko, tor installation

git clone

pip3 install pyfiglet pysocks paramiko argparse

apt-get install -y tor


Make sure the tor service is running:

service tor restart

python3 -h for commands


rapid7/ metasploitable3 – a VM for metasploit.


Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with metasploit.

Metasploitable3 is released under a BSD-style license. See COPYING for more details.
Building Metasploitable 3

System Requirements:

OS capable of running all of the required applications listed below
VT-x/AMD-V Supported Processor recommended
65 GB Available space on drive
4.5 GB RAM


Vagrant Reload Plugin
Internet connection

NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here.

NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here.

To build automatically:

Run the script if using bash, or build_win2008.ps1 if using Windows.
If the command completes successfully, run ‘vagrant up’.
When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

To build manually:

Clone this repo and navigate to the main directory.
Build the base VM image by running packer build windows_2008_r2.json. This will take a while the first time you run it since it has to download the OS installation ISO.
After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add –name=metasploitable3.
Use vagrant plugin install vagrant-reload to install the reload vagrant provisioner if you haven’t already.
To start the VM, run the command vagrant up. This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.
Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.


MitmAP is a python program which creates a fake (Rogue AP) Access Point and sniff data


MitmAP is a python program which creates a fake (Rogue AP) Access Point and sniff data.


SSLstrip2 for HSTS bypass
Image capture with Driftnet
TShark for command line .pcap capture
Full featured access point, with configurable speed limit
DNS Spoofing
Saving results to file


Kali Linux / Raspbian with root privileges
A wireless card and an ethernet adapter / 2 wireless card
Python3 (mitmAP will install the dependenices, you don’t have to do it)

“git clone”


Kali Linux -> "sudo python3"
Raspberry PI -> "sudo python3"

Important: At the first run, choose ‘y’ on installing dependencies and on creating the config files!

PenQ Pentesting Browser Bundle


PenQ is an open source, Linux-based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.

PenQ is configured to run on Debian based distributions including Ubuntu and its derivative distros, and penetration testing operating systems such as BackTrack and Kali.

Steps to install and run PenQ

Download the PenQ package.
Open the command-line interface (CLI) and navigate to the location of the downloaded file.
cd [path to PenQ file]
Assign executable permission to this file.
chmod +x PenQ-installer-1.0
Run PenQ installer file from CLI.
Provide sudo password and wait for installation to complete.
Once installed, double-click the PenQ icon on desktop or run ‘penq’ from CLI to open and use the tool.

To uninstall PenQ, navigate to the PenQ folder at ‘/usr/share/PenQ’ and run the uninstaller.


OWASP ZAP Wfuzz Web Application Fuzzer PenTesting Report Generator OWASP WebScarab Mozilla Add-ons Collection Vulnerability Databases Search OWASP WebSlayer Integrated Tor Access to Shell and System Utilities Nikto Web Server Scanner OWASP Penetration Testing Checklist Collection of Useful Links

PenQ Website

Using Vuls Vulnerability Scanner For Linux

Vuls is a vulnerability scanner for Linux, agentless and written in golang.

Vuls downloads NVD(National Vulnerability Database) and inserts into a sqlite database. Vuls has built in CVE dictionary for this sqlite file.

Second step you should prepare ssh key based authorization between server and scan target. Because vuls is an insider scanner. Logic behind the vuls system is searching for unattended upgrades thus getting unsecure packages by this way.

Imho this could be problematic at some distros. Likewise debian team likes to patch some vulnerabilities in prior versions of packages. I think there could be many false positives.


Libgcrypt 1.7.0 released

Libgcrypt is a general purpose cryptographic library based on the code from GnuPG. It provides functions for all cryptographic building blocks: symmetric ciphers, hash algorithms, MACs, public key algorithms, large integer functions, random numbers and a lot of supporting functions.

Version 1.7. has new algorithms and modes listed below:

– SHA3-224, SHA3-256, SHA3-384, SHA3-512, and MD2 hash algorithms.

– SHAKE128 and SHAKE256 extendable-output hash algorithms.

– ChaCha20 stream cipher.

– Poly1305 message authentication algorithm

– ChaCha20-Poly1305 Authenticated Encryption with Associated Data

– OCB mode.

– HMAC-MD2 for use by legacy applications.

* New curves for ECC:

– Curve25519.

– sec256k1.

– GOST R 34.10-2001 and GOST R 34.10-2012.


Debian Jessie compiling PHP with OCI8 & PDO OCI

First we need to grab instant client from oracle..
Basic and Devel RPM packages is enough.

Before we install PHP we need to install prerequisites.

sudo apt-get install gcc libbz2-dev libpng12-dev libc-client2007e-dev libmcrypt-dev libxml2-dev libcurl4-openssl-dev libxslt1-dev libaio1 apache2-dev alien

Turn rpm packages to debian packages with alien.

sudo alien -d oracle-instantclient12.1-basic-
sudo alien -d oracle-instantclient12.1-devel-

Install instant client packages we freshly converted.

sudo dpkg -i oracle-instantclient12.1-basic_12.
sudo dpkg -i oracle-instantclient12.1-devel_12.

Download latest php source from; for example;


tar -jxvf php-5.6.19.tar.bz2

cd php-5.6.19

export paths to system;

export PATH=/usr/lib/oracle/12.1/client64/bin:$PATH
export ORACLE_HOME=/usr/lib/oracle/12.1/client64/
export C_INCLUDE_PATH=/usr/include/oracle/12.1/client64/

now we configure to generate make files;

./configure --with-pdo-oci --with-oci8 --with-pdo-oci --with-apxs2=/usr/bin/apxs2 --with-kerberos --with-mysql --with-pdo-mysql --with-bz2 --with-curl --with-gd --with-imap --with-imap-ssl --enable-mbstring --with-mcrypt --with-openssl --enable-zip --with-zlib --disable-phar

(if you need phar, delete last option).

make & install

sudo make install