Sqli Dorking Script In Perl

USE: sqliDorking.pl [-d/-bd ] -p [-l Links.txt]  [-f Logs.txt]

  -gd : Google Dork
  -bd : Bing Dork
  -l : File with links to analyze
  -p : Number of pages to search
  -f : File where the logs will be saved

Example of use:
sqliDorking.pl -gd inurl:product.php?id= -p 3 -f VulneSQL.txt
sqliDorking.pl -l links.txt -f VulneSQL.txt
sqliDorking.pl -bd inurl:product.php?id= -p 3
sqliDorking.pl -l links.txt


CrowdInspect is a free professional grade tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of malware that communicates over the network that may exist on your computer. It is a host-based real-time monitoring and recording tool utilizing multiple sources of information to detect untrusted or malicious network-active processes.

The tool runs on both 32 bit and 64 bit versions of Windows from XP and above.

Beyond simple network connections, CrowdInspect associates the connection entry with the process that is responsible for that activity. It can display the process name as a simple file name or as an optional full file path.

In addition to the process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and reverse resolved DNS name of the remote IP address are shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of these entries. The list is accessed by clicking the "Live/History" toolbar button, which switches between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the use of the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the “Inject” column.

--  (gray icon)
Not applicable/not available. The process is not able to be tested.

??  (gray icon)
The process did not allow us to test for code injection.

OK  (green icon)
The process did not appear to have any evidence of thread injection.

!!  (red icon)
The entry appeared to have had a thread injected into its process. This is generally not a good thing or something usually encountered. Note though that there may be some classes of specialized software that do exhibit this behavior. The process/application should be investigated further.


VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash


Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it. The value here can be one of the following:

--  (gray icon)
Not applicable/not available. No connection to the VirusTotal database was made or the process is not associated with a file.

??  (gray icon)
The entry does not exist in the VirusTotal database. This is probably good!

0% ... 100%  (green ... red icons)
The file is known to the VirusTotal database. This is the virus score. 0% means no antivirus vendor reported an issue with the process (very good). 100% means every antivirus vendor reported the process as problematic (very bad!).

More extensive details for the particular selected entry in the list can be seen by either clicking the "AV Results" toolbar button or selecting "View AV Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before the results appear for each entry in the list due to rate throttling of connections to the service.

Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash


Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case we are simply querying for a yes/no answer so the results can be one of the following:

--  (gray icon)
Not applicable/not available. No response was received from the Team Cymru service or the process is not associated with a file.

??  (gray icon)
The entry does not exist in the MHR database. This is probably good, although the absence of a positive response doesn't necessarily mean the process is not malware.

!!  (red icon)
The entry DOES exist in the MHR database. The process is known to be malware. This is bad!

Web of Trust

Crowd-sourced domain name reputation system


Shown in the "WOT" column of the tool are the basic summary results of querying the Web of Trust service against the reverse resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:

--  (gray icon)
Not applicable/not available. No connection to the WoT database was made or the entry's remote IP address does not have a usable valid domain name associated with it.

??  (gray icon)
The entry does not exist in the WoT database.

0% ... 100%  (red ... green icons)
The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy. 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.

To avoid unnecessary querying of the above services, all results are cached so that no unique process or domain is ever queried more than once while the tool is running.
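The hash-keyed lookup and caching described above can be sketched as follows. This is an added example, not CrowdInspect's code: `ReputationCache`, the `lookup` backend interface and the sample database are hypothetical, and the choice not to cache a failed query is an assumption.

```python
import hashlib

def file_hashes(data: bytes) -> dict:
    """SHA256 keys the VT-style lookup, MD5 keys the MHR-style lookup."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}

class ReputationCache:
    """Query each unique hash at most once while the tool is running."""

    def __init__(self, lookup):
        # Hypothetical backend: lookup(hash) returns (flagged, total),
        # None when the hash is unknown, or raises OSError when unreachable.
        self.lookup = lookup
        self.cache = {}
        self.queries = 0

    def column(self, digest):
        """Return the column text: '--', '??' or a percentage score."""
        if digest is None:
            return "--"                  # process is not associated with a file
        if digest not in self.cache:
            self.queries += 1
            try:
                result = self.lookup(digest)
            except OSError:
                return "--"              # no answer; assumption: retry later, do not cache
            if result is None or result[1] == 0:
                self.cache[digest] = "??"    # not in the database
            else:
                flagged, total = result
                self.cache[digest] = f"{round(100 * flagged / total)}%"
        return self.cache[digest]

# Constructed sample: one file known to the backend, flagged by 15 of 60 engines.
SAMPLE = file_hashes(b"constructed sample file contents")
SAMPLE_DB = {SAMPLE["sha256"]: (15, 60)}

if __name__ == "__main__":
    cache = ReputationCache(SAMPLE_DB.get)
    for digest in (SAMPLE["sha256"], SAMPLE["sha256"], "0" * 64, None):
        print(cache.column(digest), "queries so far:", cache.queries)
```

Keeping "--" (no answer) distinct from "??" (answered, not found) matters during triage, because only the second says anything about the file.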


Scout uses the Pinpoint engine to download and analyze webpage components to identify infected files. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.


Fakenet Windows Network Simulation Tool

FakeNet is a tool that aids in the dynamic analysis of malicious software.  The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware’s network activity from within a safe environment.  The goal of the project is to:
  1. Be easy to install and use; the tool runs on Windows and requires no 3rd party libraries
  2. Support the most common protocols used by malware
  3. Perform all activity on the local machine to avoid the need for a second virtual machine
  4. Provide python extensions for adding new or custom protocols
  5. Keep the malware running so that you can observe as much of its functionality as possible
  6. Have a flexible configuration, but no required configuration

The tool is in its infancy of development. We started working on the tool in January 2012 and we intend to maintain the tool and add new and useful features. If you find a bug or have a cool feature you think would improve the tool, please contact us.

  • Supports DNS, HTTP, and SSL
  • HTTP server always serves a file and tries to serve a meaningful file; if the malware requests a .jpg then a properly formatted .jpg is served, etc. The files being served are user configurable.
  • Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
  • Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
  • Built in ability to create a capture file (.pcap) for packets on localhost.
  • Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.

How it works
FakeNet uses a variety of Windows and third-party libraries. It uses a custom HTTP and DNS server to respond to those requests. It uses OpenSSL to wrap any connection with SSL. It uses a Winsock Layered Service Provider (LSP) to redirect traffic to the localhost and to listen for traffic on new ports. It uses Python 2.7 for the Python extensions. Finally, it creates the .pcap file by reconstructing a packet header based on the traffic from send/recv calls.
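The last point, rebuilding packet headers around data seen only at the send/recv level, can be illustrated as follows. This is an added example, not FakeNet's code: the function names, the loopback addresses, ports 1025/80, the raw-IP link type and the omission of the TCP handshake are all assumptions.

```python
import struct

# pcap global header: magic, version 2.4, tz, sigfigs, snaplen, linktype 101 (raw IP)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)

def checksum(data: bytes) -> int:
    """Internet checksum (one's complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_packet(src, sport, dst, dport, seq, ack, payload):
    """Synthesize IPv4 + TCP headers (PSH|ACK) around one send/recv buffer."""
    s = bytes(int(p) for p in src.split("."))
    d = bytes(int(p) for p in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def build_pcap(events, client=("127.0.0.1", 1025), server=("127.0.0.1", 80)):
    """events: (timestamp, 'send' | 'recv', payload) as seen by the client process."""
    out = [PCAP_GLOBAL]
    seq = {"send": 1, "recv": 1}     # next sequence number per direction
    for ts, direction, payload in events:
        other = "recv" if direction == "send" else "send"
        (src, sport), (dst, dport) = (client, server) if direction == "send" else (server, client)
        pkt = tcp_packet(src, sport, dst, dport, seq[direction], seq[other], payload)
        seq[direction] += len(payload)
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

# Constructed sample: one request sent and one response received.
SAMPLE_EVENTS = [(1.0, "send", b"GET / HTTP/1.1\r\n\r\n"),
                 (1.5, "recv", b"HTTP/1.1 200 OK\r\n\r\n")]

if __name__ == "__main__":
    print(len(build_pcap(SAMPLE_EVENTS)), "bytes of pcap data")
```

Writing the returned bytes to a file gives a capture that standard pcap readers can open, with sequence and acknowledgement numbers that advance with each buffer.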
