Bash script for checking HTTP headers for security

For checking http header for security perspective you can visit Security Headers . It will check for following header.

Access Control Allow Origin
Content Security Policy
Cross Domain Meta Policy
NoSniff
Server Information
Strict Transport Security
UTF-8 Character Encoding
X-Frame-Options
X-Powered-By
X-XSS-Protection

I wrote bash script which check HTTP header of website against securityheaders.com & give output.

git clone https://github.com/niravkdesai/securityheaders.git

chmod +x header.sh

./header.sh

HTTP-header-for-security

HTTP-Header

Bash script for checking an account that has been compromised in a data breach.

Troyhunt start great website  for checking your email address has been compromised in data breach or not.Right now Adobe,Stratfor,Gawker,Pixel Federation,Yahoo!,Sony,Vodafone `s breach email address is listed. You can check it manually on their site.

I wrote simple bash script for checking against their site that email address has been compromised or not.You can also write in python using simple requests module.

python-havebeenpwned

python-havebeenpwned

 

have-i-been-pwned bash script

have-i-been-pwned bash script

Usage:-
git clone https://github.com/niravkdesai/haveibeenpwned.git

cd haveibeenpwned

chmod +x haveibeenpwned.sh

./haveibeenpwned.sh

Please enter email address to check against http://haveibeenpwned.com

troyhunt%40hotmail.com

You have been pwned in [“Adobe”] breach

Python script for auditing robots.txt

Before one year i wrote different  methods to exploit robots.txt file; you can find it here. Sometimes, due to weak directory permission you can get into dis-allowed directory from robots.txt.This python script  check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.For Original article click here.

It require python3 and urlib3 module.

git clone https://github.com/behindthefirewalls/Parsero.git
cd Parsero
python3 parsero.py -h
python3 parsero.py -u localhost/mutillidae

Exploit Robots.txt

Auditing Robots.txt

Now you can see that which dis-allowed directory is allowed , it means for which we got HTTP-status code 200.

Truecaller Name Retriever python script

Truecaller is a global phone directory application for smartphones and feature phones, and accessible via a Web site. If you have any unknown mobile number you can search in truecaller website or using truecaller application.This python script is written by A’mmer Almadani. Script is still in developing phase.More functions will be added soon.

git clone https://github.com/Logic-gate/callerpy.git

cd callerpy

Now open caller.py file & enter your twitter credential in line 39,40. it will use for authentication.

python caller.py -h

usage: callerpy.py [-h] -n number [-c country] [-cc country code] -l login

TrueCaller Name Retriever

optional arguments:
-h, –help            show this help message and exit
-n number, –number number
Phone Number Without Country Code (default: None)
-c country, –country country
Country | String (default: None)
-cc country code, –countrycode country code
Country | Int (default: None)
-l login, –login login
Login Method | twitter, g+, fb (default: twitter)

python callerpy.py -n 9016986989 -c india-other -l twitter

Truecaller Name Retriever

Truecaller Name Retriever Python Script

Python script to search email addresses against the Gravatar database.

Gravatar is a service for providing globally unique avatars.When the user posts a comment on such a blog that requires an e-mail address, the blogging software checks whether that e-mail address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment.Script is made by averagesecurityguy . Our script take email address & check against gravatar database , if email address is exist , then extract username , location, account detail.First we will understand how it`s work , for developer resources click here.

To view details of email address ; we need  to create email hash of address. For example , if you want to check email address nirav.desai1991@gmail.com. We have to create md5 hash of email address.

root@bt:~#echo -n nirav.desai1991@gmail.com| md5sum
dfd36ad92895ea6b7829d2918ad07fcf

To extract details about email address we have to make following request
http://en.gravatar.com/dfd36ad92895ea6b7829d2918ad07fcf.json

And there we can get details about my gravatar profile.

It`s just simple details how it`s work. Now we will go to script, Gravatar.py takes a file with a list of email address, one on each line, and searches Gravatar for information about the email address. If address is  registered with Gravatar, then selected data points are extracted from the  Gravatar profile.

wget https://raw.github.com/averagesecurityguy/scripts/master/gravatar.py

Now you need email address list file .

python gravatar.py email

gravatar email address

gravatar email address search

Cloudflare Resolver Bash script

CloudFlare is a content delivery network and distributed domain name server service marketed as improving website performance and speed and providing security. Before one year i posted different methods to find out real I.P. behind cloudflare.

All those methods are only working , if there is admin misconfiguration.

(1)DNS bruteforce

(2)NMAP

(3)Netcraft toolbar

I made simple bash script which do all things for you, you just have to provide name of website which is behind cloudflare.

git clone https://github.com/niravkdesai/cloudflare-ip.git

cd cloudflare-ip

chmod +x cloudflare-ip.sh

./cloudflare-ip.sh

In script you have to change I.P. in line 45 . i used dns variable , because for unknown DNS my isp redirect to  its address ,so we can know that response is valid or not.Change that I.P. according to your setting.

cloudflare-resolver

cloudflare-resolver