Hardcoded credentials

The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services...

The Offensive Web Application Penetration Testing Framework: TIDoS

TIDoS Framework is a comprehensive web-app audit framework. TIDoS is made to be comprehensive and versatile. It is a highly flexible framework where you just have to select and use modules. But before that, you need to set your own API KEYS for various OSINT purposes. To do so, open up APIKEYS.py...

CertCrunchy - Just A Silly Recon Tool That Uses Data From SSL Certificates To Find Potential Host Names

It just a silly python script that either retrieves SSL Certificate based data from online sources, currently https://crt.sh/, https://certdb.com/, https://sslmate.com/certspotter/ and https://censys.io or given a IP range it will attempt to extract host information from SSL Certificates. If you...

Reddit Breach Stems from SMS Two-Factor Authentication Breakdown

Reddit confirmed Wednesday that a hacker broke into its systems and has accessed user data – including email addresses and passwords for accounts. The company said in a post today that the compromise occurred between June 14 and June 18, and it detected the incident on June 19. “We learned that a...

Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nagios XI Chained Remote Code Execution', 'Description' = %q This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to ga...

Nagios XI Chained Remote Code Execution Exploit

This Metasploit module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API key...

Nagios XI Chained Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nagios XI Chained Remote Code Execution', 'Description' = %q This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to ga...

Subdomain Discovery Tool: SubFinder

SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It has been aimed as a successor to the sublist3r project . SubFinder uses Passive Sources, Search Engines, Pastebins, Internet Archives, etc to find subdomains and then ...

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

Code injection

A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

CVE-2016-9061

CVE-2016-9061 affects Firefox for Android, where a previously installed malicious Android app can exploit a signature-level permission to access API keys meant for Firefox. The issue is limited to Firefox for Android; other platforms are unaffected and Firefox versions prior to 50 are affected. T...

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

Omnibus - Open Source Intelligence Collection, Research, And Artifact Management

An Omnibus is defined as a volume containing several novels or other items previously published separately and that is exactly what the InQuest Omnibus project intends to be for Open Source Intelligence collection, research, and artifact management. By providing an easy to use interactive command...

Hijacking Philips Hue

We were filming a smart home hacking piece on the 5th May this year. Like most home users, the Wi-Fi PSK wasn’t strong enough, so we cracked it and joined the network. The user had a Philips Hue lighting system. None of us here had looked at Hue before - we made an assumption after the previous...

Nagios XI Chained Remote Code Execution

This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The...

ODIN - Tool For Automating Penetration Testing Tasks

ODIN is made possible through the help, input, and work provided by others. Therefore, this project is entirely open source and available to all to use/modify. All this developer did was assemble the tools, convert some of them to Python 3, and stitch them together into an all-in-one toolkit. Wha...

StaCoAn - Crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications. This tool will look for interesting lines in the code which can contain: Hardcoded credentials API keys URL's of API's Decryption keys Major coding...

Automating Penetration Testing Tasks: ODIN

ODIN Observe, Detect, and Investigate Networks is a Python tool for automating intelligence gathering, testing and reporting. ODIN is still in active development. ODIN is designed to be run on Linux. About 90% of it will absolutely work on Windows or MacOS with Python 3 and a copy of urlcrazy, bu...