Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check for email and social media username usage on online platforms. Given an email address or username, socialscan returns whether it is available, taken or invalid on each platform.
Other similar tools check username availability by requesting the profile page of the username in question and based on information like the HTTP status code or error text on the requested page, determine whether a username is already taken. This is a naive approach that fails in the following cases:
- Reserved keywords: Most platforms have a set of keywords that they don’t allow to be used in usernames (A simple test: try checking reserved words like ‘admin’ or ‘home’ or ‘root’ and see if other services mark them as available)
- Deleted/banned accounts: Deleted/banned account usernames tend to be unavailable even though the profile pages might not exist
Therefore, these tools tend to come up with false positives and negatives. This method of checking is also dependent on platforms having web-based profile pages and cannot be extended to email addresses. socialscan aims to plug these gaps by directly querying the registration servers of the platforms instead, retrieving the appropriate CSRF tokens, headers, and cookies.
Socialscan Command-Line Tool To Check For Email And Social Media Username Usage Features
Features that differentiate socialscan from similar tools (e.g. knowem.com, Namechk, and Sherlock):
- 100% accuracy: socialscan’s query method eliminates the false positives and negatives that often occur in similar tools, ensuring that results are always accurate.
- Speed: socialscan uses asyncio along with aiohttp to conduct all queries concurrently, providing fast searches even with bulk queries involving hundreds of usernames and email addresses. On a test computer with average specs and Internet speed, 100 queries were executed in ~4 seconds.
- Library / CLI: socialscan can be executed through a CLI, or imported as a Python library to be used with existing code.
- Email support: socialscan supports queries for both email addresses and usernames.
Install Socialscan Command-Line Tool To Check For Email And Social Media Username Usage
pip:

    pip install socialscan
Install from source:

    git clone https://github.com/iojw/socialscan.git
    cd socialscan
    pip install .
Usage of Socialscan Command-Line Tool To Check For Email And Social Media Username Usage

    usage: socialscan [list of usernames/email addresses to check]

    optional arguments:
      -h, --help            show this help message and exit
      --platforms [platform [platform ...]], -p [platform [platform ...]]
                            list of platforms to query (default: all platforms)
      --view-by {platform,query}
                            view results sorted by platform or by query (default: query)
      --available-only, -a  only print usernames/email addresses that are available and not in use
      --cache-tokens, -c    cache tokens for platforms requiring more than one HTTP request (Snapchat, GitHub, Instagram. Lastfm & Tumblr), reducing total number of requests sent
      --input input.txt, -i input.txt
                            file containg list of queries to execute
      --proxy-list proxy_list.txt
                            file containing list of HTTP proxy servers to execute queries with
      --verbose, -v         show query responses as they are received
      --show-urls           display profile URLs for usernames on supported platforms (profiles may not exist if usernames are reserved or belong to deleted/banned accounts)
      --json json.txt       output results in JSON format to the specified file
      --version             show program's version number and exit
You can download Socialscan here:
Or read more here.
CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based library and CLI security analyzer for AWS CloudFormation templates, functioning as a CloudFormation security scanning and audit tool. It aims to prevent vulnerabilities from reaching production infrastructure through insecure CloudFormation scripts.
You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.
CFRipper should be part of your CI/CD pipeline. It runs just before a CloudFormation stack is deployed or updated; if the CloudFormation script fails the security check, it fails the deployment and notifies the team that owns the stack. Rules are the heart of CFRipper: when CFRipper runs, the CloudFormation stack is checked against each rule and the results are combined.
Usage of CFRipper for CloudFormation Security Scanning
    Usage: [OPTIONS] [TEMPLATES]...

      Analyse AWS Cloudformation templates passed by parameter.

      Exit codes:
        - 0 = all templates valid and scanned successfully
        - 1 = error / issue in scanning at least one template
        - 2 = at least one template is not valid according to CFRipper (template scanned successfully)
        - 3 = unknown / unhandled exception in scanning the templates

    Options:
      --version                       Show the version and exit.
      --resolve / --no-resolve        Resolves cloudformation variables and intrinsic functions  [default: False]
      --resolve-parameters FILENAME   JSON/YML file containing key-value pairs used for resolving CloudFormation files with templated parameters. For example, {"abc": "ABC"} will change all occurrences of {"Ref": "abc"} in the CloudFormation file to "ABC".
      --format [json|txt]             Output format  [default: txt]
      --output-folder DIRECTORY       If not present, result will be sent to stdout
      --logging [ERROR|WARNING|INFO|DEBUG]
                                      Logging level  [default: INFO]
      --rules-config-file FILENAME    Loads rules configuration file (type: [.py, .pyc])
      --rules-filters-folder DIRECTORY
                                      All files in the folder must be of type: [.py, .pyc]
      --aws-account-id TEXT           A 12-digit AWS account number eg. 123456789012
      --aws-principals TEXT           A comma-separated list of AWS principals eg. arn:aws:iam::123456789012:root,234567890123, arn:aws:iam::111222333444:user/user-name
      --help                          Show this message and exit.
You can download CFRipper here:
Or read more here.
CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
At the core of it, you provide it with a list of credentials you have dumped (or hashes, since it can pass-the-hash) and a list of systems on the domain (the author suggests scanning for port 445 first, or you can use --scan). It will tell you if the credentials you dumped are valid on the domain, and if you have local administrator access to a host.
Usage of CredNinja to Test Credential Validity of Dumped Credentials or Hashes
    [CredNinja ASCII-art banner]
    v2.3 (Built 1/26/2018) - Chris King (@raikiasec)
    For help: ./CredNinja.py -h

    usage: CredNinja.py -a accounts_to_test.txt -s systems_to_test.txt [-t THREADS] [--ntlm] [--valid] [--invalid] [-o OUTPUT] [-p PASSDELIMITER] [--delay SECONDS %JITTER] [--timeout TIMEOUT] [--stripe] [--scan] [--scan-timeout SCAN_TIMEOUT] [-h] [--no-color] [--os] [--domain] [--users] [--users-time USERS_TIME]

    Quickly check the validity of multiple user credentials across multiple servers and be notified if that user has local administrator rights on each server.

    Required Arguments:
      -a accounts_to_test.txt, --accounts accounts_to_test.txt
                            A word or file of user credentials to test. Usernames are accepted in the form of "DOMAIN\USERNAME:PASSWORD"
      -s systems_to_test.txt, --servers systems_to_test.txt
                            A word or file of servers to test against. This can be a single system, a filename containing a list of systems, a gnmap file, or IP addresses in cidr notation. Each credential will be tested against each of these servers by attempting to browse C$ via SMB

    Optional Arguments:
      -t THREADS, --threads THREADS
                            Number of threads to use. Defaults to 10
      --ntlm                Treat the passwords as NTLM hashes and attempt to pass-the-hash!
      --valid               Only print valid/local admin credentials
      --invalid             Only print invalid credentials
      -o OUTPUT, --output OUTPUT
                            Print results to a file
      -p PASSDELIMITER, --passdelimiter PASSDELIMITER
                            Change the delimiter between the account username and password. Defaults to ":"
      --delay SECONDS %JITTER
                            Delay each request per thread by specified seconds with jitter (example: --delay 20 10, 20 second delay with 10% jitter)
      --timeout TIMEOUT     Amount of seconds wait for data before timing out. Default is 15 seconds
      --stripe              Only test one credential on one host to avoid spamming a single system with multiple login attempts (used to check validity of credentials). This will randomly select hosts from the provided host file.
      --scan                Perform a quick check to see port 445 is available on the host before queueing it up to be processed
      --scan-timeout SCAN_TIMEOUT
                            Sets the timeout for the scan specified by --scan argument. Default of 2 seconds
      -h, --help            Get help about this script's usage
      --no-color            Turns off output color. Written file is always colorless

    Additional Information Retrieval:
      --os                  Display the OS of the system if available (no extra request is being sent)
      --domain              Display the primary domain of the system if available (no extra request is being sent)
      --users               List the users that have logged in to the system in the last 6 months (requires LOCAL ADMIN). Returns usernames with the number of days since their home directory was changed. This sends one extra request to each host
      --users-time USERS_TIME
                            Modifies --users to search for users that have logged in within the last supplied amount of days (default 100 days)
The tool really shines on large networks where it can parse a large amount of hosts quite quickly.
It is intended to be run on Kali Linux.
You can download CredNinja here:
Or read more here.
assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are potentially related to a given domain from a variety of sources including Facebook, ThreatCrowd, Virustotal and more.
assetfinder uses a variety of sources including those in the infosec space and social networks which can give relevant info:
- crt.sh
- certspotter
- hackertarget
- threatcrowd
- wayback machine
- dns.bufferover.run
- facebook – Needs FB_APP_ID and FB_APP_SECRET environment variables set (https://developers.facebook.com/) and you need to be careful with your app’s rate limits
- virustotal – Needs VT_API_KEY environment variable set (https://developers.virustotal.com/reference)
- findsubdomains – Needs SPYSE_API_TOKEN environment variable set (the free version always gives the first response page, and you also get “25 unlimited requests”) — (https://spyse.com/apidocs)
Sources to be implemented:
- http://api.passivetotal.org/api/docs/
- https://community.riskiq.com/ (?)
- https://riddler.io/
- http://www.dnsdb.org/
- https://certdb.com/api-documentation
Usage of assetfinder to Find Related Domains and Subdomains
The usage is very simple, with basically only one option, --subs-only, which limits the search to subdomains; by default it will scan for all associated domains and subdomains.
    assetfinder [--subs-only] <domain>
Installing assetfinder to Find Related Domains and Subdomains
If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):

    go get -u github.com/tomnomnom/assetfinder
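As an added illustration (not assetfinder's own code) of what the --subs-only switch does with the data a certificate-transparency source returns: this Go snippet parses a constructed crt.sh-style JSON response, normalises the names, de-duplicates them, and keeps only those under the target domain. That crt.sh returns a name_value field carrying newline-separated certificate names is an assumption about its format.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// One record of crt.sh's JSON output; name_value may carry several
// certificate names separated by newlines (assumption about the format).
type crtshEntry struct {
	NameValue string `json:"name_value"`
}

// Constructed sample response standing in for a live crt.sh query.
const sampleCrtsh = `[
  {"name_value": "www.example.com\nexample.com"},
  {"name_value": "*.Dev.Example.com"},
  {"name_value": "example.com.evil-lookalike.net"},
  {"name_value": "cdn.example-partner.org"}
]`

// isSubdomainOf is true for target itself and for any name under it;
// a plain suffix test would wrongly accept names like "notexample.com".
func isSubdomainOf(name, target string) bool {
	return name == target || strings.HasSuffix(name, "."+target)
}

// extractNames parses a crt.sh body, lowercases each name and drops any
// wildcard prefix, de-duplicates, and with subsOnly set keeps only names
// under target, mirroring assetfinder's --subs-only switch.
func extractNames(body []byte, target string, subsOnly bool) ([]string, error) {
	var entries []crtshEntry
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, e := range entries {
		for _, raw := range strings.Split(e.NameValue, "\n") {
			name := strings.TrimPrefix(strings.ToLower(strings.TrimSpace(raw)), "*.")
			if name == "" || seen[name] || (subsOnly && !isSubdomainOf(name, target)) {
				continue
			}
			seen[name] = true
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out, nil
}
```

Without --subs-only the lookalike and partner domains stay in the output, which is exactly the "related domains" behaviour described above; with it only example.com and its subdomains remain.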
Another similar and recent tool that uses many of these sources and more, and is also worth checking out, is the OWASP Amass Project (DNS Enumeration, Attack Surface Mapping & External Asset Discovery).
You can download assetfinder here:
Source: assetfinder-master.zip
Linux: assetfinder-linux-386-0.1.1.tgz
Windows: assetfinder-windows-386-0.1.1.zip
Or read more here.