## https://sploitus.com/exploit?id=AE0432BA-D73F-569F-98F1-601E585608FC
# Offensive Security Toolkit
*Penetration Testing Utility Scripts Collection*
> **WARNING: FOR AUTHORIZED PENETRATION TESTING ONLY**
>
> These tools are designed for use by security professionals during authorized
> penetration tests and security assessments. Unauthorized use of these tools
> against systems you do not own or have explicit written permission to test
> is **ILLEGAL**. The author assumes no liability and is not responsible for
> any misuse or damage caused by these tools.
---
## Table of Contents
### Web Application Testing
| Script | Description | Location |
|--------|-------------|----------|
| SQL Injection Scanner | Error/Boolean/Time-based SQLi detection | [web/sqli_scanner.py](web/sqli_scanner.py) |
| XSS Hunter | Reflected & DOM-based XSS detection | [web/xss_hunter.py](web/xss_hunter.py) |
| Directory Traversal Tester | Path traversal with encoding bypasses | [web/dir_traversal.py](web/dir_traversal.py) |
| Authentication Bruter | HTTP Basic & form brute forcer | [web/auth_bruter.py](web/auth_bruter.py) |
### Network Reconnaissance
| Script | Description | Location |
|--------|-------------|----------|
| Port Scanner | TCP/SYN/UDP scan with service detection | [network/port_scan.py](network/port_scan.py) |
| Subdomain Enumerator | CT logs, DNS, brute force enumeration | [network/subdomain_enum.py](network/subdomain_enum.py) |
| SSH Auditor | SSH config & algorithm security audit | [network/ssh_audit.py](network/ssh_audit.py) |
### Post-Exploitation
| Script | Description | Location |
|--------|-------------|----------|
| Reverse Shell Generator | Multi-language shell payload generator | [post_exploitation/shell_generator.py](post_exploitation/shell_generator.py) |
| Privilege Escalation Checker | Linux privesc vector enumeration | [post_exploitation/priv_check.sh](post_exploitation/priv_check.sh) |
### Utilities
| Script | Description | Location |
|--------|-------------|----------|
| HTTP Fuzzer | Param/header/body fuzzing with anomaly detection | [utils/http_fuzzer.py](utils/http_fuzzer.py) |
| Report Helper | PT report templates, CVSS calc, MD→HTML | [utils/report_helper.py](utils/report_helper.py) |
---
## Requirements
### Python Dependencies
```bash
pip install -r requirements.txt
```
Core dependencies:
- `requests` - HTTP library for web testing
- `colorama` - Cross-platform colored output
- `beautifulsoup4` - HTML parsing for web scanners
- `cryptography` - SSH key exchange analysis
- `markdown` - Report generation
### System Requirements
- Python 3.8+
- Bash 4.0+ (for `priv_check.sh`)
- Network access to target (with authorization)
---
## Usage
### SQL Injection Scanner
```bash
# Scan a URL with GET parameters
python web/sqli_scanner.py -u "http://target.com/page?id=1" --method GET
# Scan with POST data
python web/sqli_scanner.py -u "http://target.com/login" --method POST -d "user=admin&pass=test"
# Scan with cookies
python web/sqli_scanner.py -u "http://target.com/search?q=test" --cookies "session=abc123"
# Specific SQLi type
python web/sqli_scanner.py -u "http://target.com/page?id=1" --type time-based
```
### XSS Hunter
```bash
# Scan URL parameters for reflected XSS
python web/xss_hunter.py -u "http://target.com/search?q=test"
# Include DOM-based XSS checks
python web/xss_hunter.py -u "http://target.com/page" --dom-check
# Custom payload list
python web/xss_hunter.py -u "http://target.com/search?q=test" --payloads custom_xss.txt
# Test cookies for XSS
python web/xss_hunter.py -u "http://target.com/page" --cookie-inject
```
### Directory Traversal Tester
```bash
# Test a parameter for path traversal
python web/dir_traversal.py -u "http://target.com/download?file=report.pdf"
# Test with specific OS target
python web/dir_traversal.py -u "http://target.com/download?file=report.pdf" --os windows
# Use encoding bypasses
python web/dir_traversal.py -u "http://target.com/download?file=report.pdf" --encode double
```
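The traversal tester above sends `../` sequences in plain, URL-encoded and double-encoded form to see whether a download handler resolves them. As an added example that is not part of this toolkit, here is the server-side check such a handler needs in order to pass that test: it percent-decodes until the value is stable (so a double-encoded `%252e` cannot slip past a single decode), rejects NUL bytes and absolute paths, normalises the result and requires it to stay strictly below an assumed document root of `/srv/files` (`BASE_DIR`, `fully_decode` and `resolve_download_path` are names chosen here).

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/files"  # assumed document root for this example


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so '%252e' (double-encoded
    '.') unwraps to '.' instead of slipping past a single-decode check. More than
    max_rounds layers of encoding is treated as hostile and rejected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_download_path(user_path, base_dir=BASE_DIR):
    """Map a client-supplied file name to an absolute path inside base_dir.
    Returns None when the request must be rejected."""
    try:
        decoded = fully_decode(user_path)
    except ValueError:
        return None
    if "\x00" in decoded:
        return None  # a NUL byte truncates the path in C-level file APIs
    decoded = decoded.replace("\\", "/")  # treat Windows separators as separators
    if decoded.startswith("/"):
        return None  # an absolute path is never a legitimate download request
    base = base_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # After normalisation the result must still be strictly below base_dir;
    # comparing against base + "/" also rules out siblings such as /srv/files2.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are the
    # encodings a traversal tester sends.
    for name in ("report.pdf", "reports/2024/q1.pdf", "../../etc/passwd",
                 "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e%252fetc%252fpasswd",
                 "..%5c..%5cwindows%5cwin.ini", "report.pdf%00.txt"):
        print(f"{name!r:40} -> {resolve_download_path(name)}")
```

Decoding to a fixed point is what defeats the `--encode double` case: a check that decodes once sees `%2e%2e/`, which looks harmless, while a framework layer further down decodes it again. The stronger design is to never accept a file name at all and map an opaque identifier to a path on the server side, with this check kept as defence in depth.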
### Authentication Brute Force
```bash
# HTTP Basic Auth
python web/auth_bruter.py -u "http://target.com/admin" --mode basic -U users.txt -P passwords.txt
# Login form brute force
python web/auth_bruter.py -u "http://target.com/login" --mode form \
    --form-user "username" --form-pass "password" \
    --fail-string "Invalid credentials" \
    -U users.txt -P passwords.txt
# With rate limiting (1 req/sec)
python web/auth_bruter.py -u "http://target.com/login" --mode basic \
    -U users.txt -P passwords.txt --rate 1
```
### Port Scanner
```bash
# Quick scan of common ports
python network/port_scan.py -t 192.168.1.1 --scan-type connect
# Full scan with service detection
python network/port_scan.py -t 192.168.1.1 --scan-type connect --service-detect --ports 1-65535
# UDP scan of top ports
python network/port_scan.py -t 192.168.1.1 --scan-type udp --top-ports 100
# Output to JSON
python network/port_scan.py -t 192.168.1.1 -o results.json --format json
```
### Subdomain Enumerator
```bash
# Certificate Transparency lookup
python network/subdomain_enum.py -d example.com --method crt
# Full enumeration (all methods)
python network/subdomain_enum.py -d example.com --method all
# Brute force with custom wordlist
python network/subdomain_enum.py -d example.com --method brute --wordlist subdomains.txt
# DNS zone transfer attempt
python network/subdomain_enum.py -d example.com --method axfr
```
### SSH Auditor
```bash
# Audit SSH server
python network/ssh_audit.py -t 192.168.1.1
# Specify port and check default credentials
python network/ssh_audit.py -t 192.168.1.1 -p 2222 --check-creds
# Output to file
python network/ssh_audit.py -t 192.168.1.1 -o audit_report.txt
```
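The auditor above reports weak key-exchange, cipher and MAC settings and risky options on a live server. As an added example that is not the toolkit's `ssh_audit.py`, here is the same kind of check applied to an `sshd_config` file, which is how a defender verifies a hardening baseline before the host is exposed. It honours sshd's first-occurrence rule, its `+`/`^`/`-` list prefixes, and stops at the first `Match` block; the weak-algorithm lists, the `RISKY_OPTIONS` table and the two sample configurations are constructed for this example.

```python
import re

# Weak algorithms in the spirit of what SSH audit tools flag: SHA-1 or small-group
# key exchange, CBC/RC4/3DES/Blowfish ciphers, MD5-based or truncated MACs.
# Lists constructed for this example; tune them to your own baseline.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
WEAK_CIPHER_RE = re.compile(r"(^arcfour|^3des|^blowfish|-cbc$)")
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "umac-64@openssh.com"}

# option -> (value that counts as a finding, reason).
RISKY_OPTIONS = {
    "permitrootlogin": ("yes", "root may log in directly; prefer 'no' or 'prohibit-password'"),
    "passwordauthentication": ("yes", "password logins accepted; prefer key-based authentication"),
    "permitemptypasswords": ("yes", "accounts with empty passwords may log in"),
}
# sshd defaults PasswordAuthentication to 'yes', so its absence is the risky value too.
DEFAULTS = {"passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # Match blocks are conditional; only the global defaults are audited
        settings.setdefault(key, value)  # sshd uses the first occurrence of a keyword
    return settings


def offered_algorithms(value):
    """Expand an algorithm list, honouring OpenSSH's '+' (append), '^' (prepend)
    and '-' (remove) prefixes: a '-' list names algorithms that are NOT offered."""
    if not value or value.startswith("-"):
        return []
    return [a for a in value.lstrip("+^").split(",") if a]


def audit_sshd_config(text):
    """Return a list of (option, offending_value, reason) findings."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (bad_value, reason) in RISKY_OPTIONS.items():
        value = settings.get(key, DEFAULTS.get(key, "")).lower()
        if value == bad_value:
            findings.append((key, value, reason))
    for algo in offered_algorithms(settings.get("kexalgorithms", "")):
        if algo in WEAK_KEX:
            findings.append(("kexalgorithms", algo, "SHA-1 or small-group key exchange"))
    for algo in offered_algorithms(settings.get("ciphers", "")):
        if WEAK_CIPHER_RE.search(algo):
            findings.append(("ciphers", algo, "CBC-mode, RC4, 3DES or Blowfish cipher"))
    for algo in offered_algorithms(settings.get("macs", "")):
        if algo in WEAK_MACS:
            findings.append(("macs", algo, "MD5-based, SHA-1 or truncated MAC"))
    return findings


# Constructed sample configurations (not taken from any real host).
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
Ciphers aes256-gcm@openssh.com,aes128-cbc
MACs hmac-sha2-256,hmac-md5
"""
SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication no   # keys only
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}]")
        for option, value, reason in audit_sshd_config(cfg):
            print(f"  {option}: {value}: {reason}")
```

The file-based check complements rather than replaces a network audit: the algorithms a server actually offers also depend on the OpenSSH version's built-in defaults, which an absent `Ciphers` or `KexAlgorithms` line silently inherits.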
### Reverse Shell Generator
```bash
# Generate a Python reverse shell
python post_exploitation/shell_generator.py --lang python --ip 10.0.0.1 --port 4444
# Generate all shell types
python post_exploitation/shell_generator.py --lang all --ip 10.0.0.1 --port 4444
# Base64 encoded shell
python post_exploitation/shell_generator.py --lang bash --ip 10.0.0.1 --port 4444 --encode base64
# Generate MSFVenom command
python post_exploitation/shell_generator.py --lang msfvenom --ip 10.0.0.1 --port 4444
```
### Linux Privilege Escalation Checker
```bash
# Run full privilege escalation check
bash post_exploitation/priv_check.sh
# Run specific checks only
bash post_exploitation/priv_check.sh --check suid
bash post_exploitation/priv_check.sh --check kernel
```
### HTTP Fuzzer
```bash
# Fuzz URL parameters
python utils/http_fuzzer.py -u "http://target.com/page?id=FUZZ" -w payloads.txt
# Fuzz HTTP headers
python utils/http_fuzzer.py -u "http://target.com/page" --header "X-Forwarded-For: FUZZ" -w payloads.txt
# Fuzz POST body with anomaly detection
python utils/http_fuzzer.py -u "http://target.com/api" --method POST \
    --body '{"key":"FUZZ"}' -w payloads.txt --anomaly-detect
```
### Report Helper
```bash
# Generate report from findings
python utils/report_helper.py --findings findings.json --output report.html
# Calculate CVSS score
python utils/report_helper.py --cvss AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Classify severity
python utils/report_helper.py --classify "SQL injection in login form allowing authentication bypass"
```
---
## Project Structure
```
exploit-scripts/
├── README.md
├── requirements.txt
├── web/
│   ├── sqli_scanner.py
│   ├── xss_hunter.py
│   ├── dir_traversal.py
│   └── auth_bruter.py
├── network/
│   ├── port_scan.py
│   ├── subdomain_enum.py
│   └── ssh_audit.py
├── post_exploitation/
│   ├── shell_generator.py
│   └── priv_check.sh
└── utils/
    ├── http_fuzzer.py
    └── report_helper.py
```
---
## Disclaimer
**This toolkit is provided for educational and authorized testing purposes only.**
- You MUST have explicit, written authorization before testing any system.
- These tools should only be used during legitimate penetration testing engagements.
- The author is not responsible for any damage caused by the misuse of these tools.
- Using these tools against systems without authorization is a criminal offense.
- Always follow your organization's rules of engagement and scope limitations.
- Report all findings responsibly through proper channels.
If you are unsure whether you have authorization to test a system, **do not test it**.
---
## License
This project is licensed under the MIT License - see below:
```
MIT License
Copyright (c) 2024
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
```