• Ubuntu 14+
• CentOS 7+

• Take advantage of built-in tools and functionality in Linux (tools like dd, awk, grep, cat, netstat, etc)
• Reduce the amount of commands incident responder needs to remember/use in response scenario.
• Automation

• LiME
• Exif
• Chckrootkit
• Yara + Linux scanning rules (needs network to fetch the repo)

INSTALL LiME
function init_lime(){

  if [ -f /usr/bin/yum ]; then
    yum -y install make kernel-headers kernel-devel gcc
  elif [ -f /usr/bin/apt-get ]; then
    apt-add-repository universe
    apt-get -y install make linux-headers-$(uname -r) gcc
  fi

  rm -f /tmp/v1.8.1.zip
  wget -P/tmp https://github.com/504ensicsLabs/LiME/archive/v1.8.1.zip
  unzip /tmp/v1.8.1.zip
  rm -f /tmp/v1.8.1.zip

  pushd LiME-1.8.1/src
    make
    mv lime-*.ko /tmp/lime.ko
  popd
  rm -rf LiME-1.8.1
}

   1)System info, IP, Date, Time, local TZ, last boot - 'hostnamectl; who -b; uname -a; uptime; ifconfig; date; last reboot'

    1)Check mounted filesystems -'df -h'
    2)Hash executables (MD5) - 'find /usr/bin -type f -exec file "{}" \; | grep -i "elf" | cut -f1 -d: | xargs -I "{}" -n 1 md5sum {}'
    3)Modified files - 'modified_files_period_select' (calling a function in tuxresponse.sh)
    4)List all hidden directories - 'find / -type d -name "\.*"'
    5)Files/dirs with no user/group name - 'find / \( -nouser -o -nogroup \) -exec ls -l {} \; 2>/dev/null'
    6)Changed files from packages -'packaged_files_changed' (calling a function in tuxresponse.sh)

      1) Check for rootkits - runs 'chkrootkit'
      2) Yara scan - calling a function tuxresponse.sh 'yara_select' (scans system with all YARA linux rules available in master repo)
      3) EXIFTool - calling a function tuxresponse.sh 'exiftool_select' (installs EXIFTool)

      1) List running processes - 'ps -axu'
      2) Deleted binaries still running - 'ls -alR /proc/*/exe 2> /dev/null | grep deleted'
      3) Active Network Connections (TCP, UDP) - 'ss -tunap | sed "s/[ \t]\+/|/g"'
      4) Dump process based on PID - 'dump_process_select' (calling a function in tuxresponse.sh)
          1) Enter PID to dump: **(this is the command executed - gcore -a -o "${DUMP_FILE}" ${DUMP_PID} )**
      5) Process running from /tmp, /dev - 'ls -alR /proc/*/cwd 2> /dev/null | grep -E "tmp|dev"'

      1) List all active network connections/raw sockets - 'netstat -nalp; netstat -plant'

      1) List all users connected to the system - 'w' 
      2) Get users with passwords - 'getent passwd'

      1) Check bash history file - 'cat ~/.bash_history | nl'

      1) List All Cron Jobs - 'list_all_crontab' (calling a function in tuxresponse.sh)
      2) List All on-startup/boot programs - 'list_all_onstartup' (calling a function in tuxresponse.sh)

      1) Dump Users .bash_history - 'cat_all_bash_history' (calling a function in tuxresponse.sh)
      2) Find logs with binary inside -  'grep [[:cntrl:]] /var/log/*.log'

      That option enables you to connect to a remote system, copy over all scripts and tools and analyze the system.

      That option enables you to compile LiME from source and dump the RAM memory off the system. This is the easiest way to do it as the other way around would be to compile from source for all major kernel versions and insert the LKM.

That option enables you to do a full disk image of the target system using well-known tool - dd. The function is taking source and destination as parameters and inserts them in the following command 'dd if=${IMAGE_IN} | pv | dd of='${IMAGE_OUT}' bs=4K conv=noerror,sync'. If you're investigating remote system, the script is going to copy itself there. Then if the parameter ${TARGET_HOST} is set, then the script is going to download the image to analyst system using this command >> "ssh -p${TARGET_PORT} ${TARGET_USER}@${TARGET_HOST} 'dd if=${IMAGE_IN} bs=4K conv=noerror,sync' | pv | dd of='${IMAGE_OUT}'" (im heavily using pv to make sure progress is tracked)

      Install binaries that are required by the script to function correctly.
      1) Dependancies
      2) Yara and rules
      3) ExifTool
      4) Init check
      5) chckrootkit
      6) LiME

• Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
• If that is not successful, wafw00f sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
• If that is also not successful, wafw00f analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to wafw00f's attacks.

• Documentation/Wiki
• Pypi Package Repository

• Sandro Gauci (@SandroGauci)
• Pinaki Mondal (@0xInfection)

• Network security, keep an eye on all devices in your company or at home that are confronted with internet.
• Vulnerabilities. And so much more.

• Shodan Eye goes from Python 2 to Python 3
• Save the output of the Shodan Eye results
• The entry of the Shodan password is no longer visible.

• This was written for educational purpose and pentest only.
• The author will not be responsible for any damage ..!
• The author of this tool is not responsible for any misuse of the information.
• You will not misuse the information to gain unauthorized access.
• This information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
• Performing any hacks without written permission is illegal..!

• Download and run Python 3.7.x setup file from Python.org. On Install Python 3.7, enable Add Python 3.7 to PATH.
• Download shodan-eye-master.zip file.>
• Then unzip it.
• Open CMD or PowerShell window at the Osueta folder you have just unzipped and enter these commands:
  pip install shodan
python shodan-eye.py

• First, you must download and run Ruby-lang setup file from RubyInstaller.org, choose Add Ruby executables to your PATH and Use UTF-8 as default external encoding.
• Then, download and install curl (32-bit or 64-bit) from Curl.haxx.se/windows. After that, go to Nmap.org/download.html to download and install the lastest Nmap version.
• Download killshot-master.zip and unzip it.
• Open CMD or PowerShell window at the KillShot folder you've just unzipped and enter these commands:
  ruby setup.rb
ruby killshot.rb

• an interoperable environment that supports the digital investigator during the four phases of the digital investigation
• a user-friendly graphical interface
• user-friendly tools

•  All devices are blocked in Read-Only mode, by default.
•  New tools, new OSINT, Autopsy 4.13 onboard, APFS ready,BTRFS forensic tool, NVME SSD drivers ready!
•  SSH server disabled by default (see Manual page for enabling it).
•  SCRCPY - screen your android device
• Autopsy 4.13 + additional plugins by McKinnon.
•  X11VNC Server - to control CAINE remotely.
•  hashcat
• NEW SCRIPTS (Forensics Tools - Analysis menu)
•  AutoMacTc - a forensics tool for Mac.
•  Bitlocker - volatility plugin
•  Autotimeliner - Automagically extract forensic timeline from volatile memory dumps.
•  Firmwalker - firmware analyzer.
•  CDQR - Cold Disk Quick Response tool
•  many others fixing and software updating.

• Windows --> test.exe (payload and listener)
• Android --> test.apk (payload and listener)
• Linux --> test.py (payload and listener)
• MacOS --> test.jar (payload and listener)
• Web --> test.php (payload and listener)
• Scan if a target is vulnerable to ms17_010 (EnternalBlue)
• Exploit Windows 7/2008 x64 ONLY by IP (ms17_010_eternalblue)
• Exploit Windows Vista/XP/2000/2003 ONLY by IP (ms17_010_psexec)
• Exploit Windows with a link (HTA Server)
• Contact with me - My accounts

• For Debian-based distro users: sudo apt install sox ffmpeg
• For Arch Linux-based user: sudo pacman -S sox ffmpeg

• eXpliot - Internet Of Things Exploitation Framework
• RouterSploit: Exploitation Framework for Embedded Devices