Collect emails using kali linux

> Run your Kali Linux
> Open a terminal
> Type:

theharvester -d -b all

> Hit enter and wait for results.

How to generate shellcode from custom exe in metasploit

To use a custom exe as a payload or to use your custom exe in a document or excel file, you have to “convert” your exe to shellcode. To accomplish this:

1> Run Kali Linux

2> Open a terminal window

3> Type


and hit enter

4> Type

use payload/generic/custom

and hit enter

5> Choose your custom exe:

set PAYLOADFILE /root/Desktop/mycustomexe.exe

6> Choose optionally a name-title:

set PAYLOADSTR mycustomexe

7> Type


and hit enter


OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.


  • Manual Mode Scanner
  • Auto Mode Scanner
  • DOM Scanner
  • Multiple Parameter Scanner
  • POST Request Scanner
  • Header Scanner
  • Fuzzer
  • Hidden Parameter Detector


  • WAF Fingerprinting
  • Victim Fingerprinting
  • Browser Fingerprinting
  • Browser Features Detector
  • Ping Scan
  • Port Scan
  • Internal Network Scan


  • Send Message
  • Cookie Thief
  • Phisher
  • Tabnabbing
  • Keylogger
  • HTML5 DDoSer
  • Load File
  • Executable Drive By
  • JavaScript Shell
  • Reverse HTTP WebShell
  • Drive-By Reverse Shell
  • Metasploit Browser Exploit
  • Firefox Reverse Shell Addon (Persistent)
  • Firefox Session Stealer Addon (Persistent)
  • Firefox Keylogger Addon (Persistent)
  • Firefox DDoSer Addon (Persistent)
  • Firefox Linux Credential File Stealer Addon (Persistent)
  • Firefox Download and Execute Addon (Persistent)


  • WebKit Developer Tools
  • Payload Encoder
  • JavaScript Beautify
  • Hash Calculator
  • Hash Detector




Defeat web trackers

Ghostery sees the “invisible” web, detecting trackers, web bugs, pixels, and beacons placed on web pages by Facebook, Google Analytics, and over 1,000 other ad networks, behavioral data providers, web publishers – all companies interested in your activity. After showing you who operates behind the scenes, Ghostery also gives you the opportunity to learn more about each company it identifies, including links to their privacy policy and opt-out options. Ghostery allows you to block scripts from companies that you don’t trust, delete local shared objects, and even block images and iframes.

Download for Firefox


Firefox Anti-phishing addon

WorldIP is a Firefox Geo Add-on with security features and advanced network tools, anti-phishing mechanisms and protects against DNS spoofing and fake sites. It provides also all DNS records for a domain, the real location of the web server, the country and extended information about the datacenter.

WorldIP provides the following information:
- all IP addresses of the server (IPv4 and IPv6), Reverse DNS, web-server
- all DNS entries for domains (A,AAAA,MX,NS,SPF,TXT,SOA,CNAME,PTR), their TTL
- real country, flag
- data center, provider, autonomous system (AS)
- your external IP address, ISP and change log (by time or when changing proxy)

- ping and traceroute from all continents (around 40 servers worldwide). Advanced traceroutes with three protocols simultaneously (TCP/UDP/ICMP)
- ping and traceroute from your computer
- links to Looking Glasses of 43 global providers (by provider name or by country/city)
- whois, BGP connections on

- verification of compliance of the website with the IP address, protection against DNS spoofing/DNS hijacking. These attacks are used by different viruses and trojans, some unscrupulous providers, governments and security agencies.

DNS attacks redirect legitimate traffic to a fake website, or when proxying traffic in the Man-in-the-Middle (MitM) attacks for different purposes such as
- stealing passwords
- listening to internet traffic
- providing falsified information
- intercepting online banking transactions
- for censorship

For more, visit the plugin’s home page:

To download add-on for firefox:


Anti-Forensics – Delete UserAssist History

Windows Explorer maintains a list of frequently programs executed and shortcuts opened on a Windows machine in the UserAssist registry entries. This is achieved by maintaining a count of application use and last execution date and time in each users NTUSER.DAT registry file.

UserAssist registry key :


Under UserAssist key there are two subkeys named,

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}

if you use Windows 7.

To delete UserAssist history, you have to delete the two subkeys Count that you will find under {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} respectively.


Memory Protection Feature

Data Execution Prevention (DEP) is a memory protection feature available in modern operating systems, Linux, Mac OS X, iOS, Microsoft Windows and Android. DEP allows memory pages to be designated as non-executable. Its duty is to prevent the content of a region of memory to be executed as instructions by a program, service, device driver, etc. With DEP enabled, pages belonging to stack, data segments and heep are protected against exploits. An application receives an exception with the status code STATUS_ACCESS_VIOLATION if it tries to execute code from a page that is marked as non-executable.

DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with limited protection for CPUs that do not have hardware support. Software-enforced DEP does not protect against execution of code in data pages, but counters SEH overwrite, another type of attack.

DEP was introduced on Linux in 2004 (kernel 2.6.8), on Windows in 2004 with Windows XP Service Pack 2, while Apple introduced DEP when they moved to x86 in 2006.

Hardware-enforced DEP enables the NX bit on compatible CPUs, through the automatic use of PAE kernel in 32-bit Windows and the native support on 64-bit kernels. Windows Vista DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands as non-executable. This helps prevent buffer overflow attacks from succeeding. In Windows, from version Vista, whether DEP is enabled or disabled for a particular process can be viewed on the Processes tab in the Windows Task Manager.

Software DEP (with no NX bit) is what Microsoft calls their enforcement of “Safe Structured Exception Handling”. Software DEP/SafeSEH simply checks when an exception is raised to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. However, even though it creates an impression that software DEP is related to the prevention of executing code in data pages, it is a different form of protection.

In Microsoft Windows if an x86 processor supports DEP, and the system’s BIOS supports it and it has been enabled, either by the manufacturer or the user,[5] then the NX features are turned on in Windows, on a limited “OptIn” basis. (PAE must also be enabled in 32-bit Windows.) This setting provides protection only for a limited set of Windows system and binary files. To achieve full protection, the user must choose either “OptOut” (“turn on DEP for all program services except those I select”), covering all programs and processes not specifically exempted, or “AlwaysOn”, covering all. These are configurable through the System Properties interface. If DEP is not supported by the particular x86 processor used, no protection is given. Intel’s IA-64 architecture also has a form of NX, supported by Windows.

OptIn: DEP is enabled for system modules only (user application must explicitly opt in)

OptOut: DEP is enabled for all modules (user application must explicitly opt out)

AlwaysOn: enables DEP for all applications

AlwaysOff: disables DEP for all applications

How to view current system policy

Open command line, change directory to %systemroot%\system32 and execute:

bcdedit.exe /enum all | findstr "nx"

How to set DEP policy

bcdedit.exe /set nx AlwaysOn

How to examine DEP status for an application
1. Download Process Explorer
2. Run it
3. Edit displayed columns to add DEP status column. (Menu->View->Select Columns..)

Retrieve MX records

nslookup is a command-line administrative tool for testing and troubleshooting DNS servers.

The syntax for noninteractive mode is:

nslookup [-option] [hostname] [server]

Commands:   (identifiers are shown in uppercase, [] means optional)

 NAME            – print info about the host/domain NAME using default
 NAME1 NAME2     – as above, but use NAME2 as server
 help or ?       – print info on common commands
 set OPTION      – set an option

    all                 – print options, current server and host
    [no]debug           – print debugging information
    [no]d2              – print exhaustive debugging information
    [no]defname         – append domain name to each query
    [no]recurse         – ask for recursive answer to query
    [no]search          – use domain search list
    [no]vc              – always use a virtual circuit
    domain=NAME         – set default domain name to NAME
    srchlist=N1[/N2/.../N6] – set domain to N1 and search list to N1, N2,
                          and so on
    root=NAME           – set root server to NAME
    retry=X             – set number of retries to X
    timeout=X           – set initial time-out interval to X seconds
    type=X              – set query type (for example, A, ANY, CNAME, MX,
                          NS, PTR, SOA, SRV)
    querytype=X         – same as type
                – set query class (for example, IN (Internet), ANY)
    [no]msxfr           – use MS fast zone transfer
    ixfrver=X           – current version to use in IXFR transfer request

 server NAME     – set default server to NAME, using current default server
 lserver NAME    – set default server to NAME, using initial server
 finger [USER]   – finger the optional NAME at the current default host
 root            – set current default server to the root
 ls [opt] DOMAIN [> FILE] – list addresses in DOMAIN (optional: output to

    -a          -  list canonical names and aliases
    -d          -  list all records
    -t TYPE     -  list records of the given type (for example, A, CNAME,
                   MX, NS, PTR, and so on)

 view FILE       – sort an ‘ls’ output file and view it with pg
 exit            – exit the program

Query MX Records

nslookup -type=mx


Resolve hostname to ip without using ping

To resolve a hostname to its IP address without using Ping (ICMP echo request), you can use dig or nslookup. You should avoid using ping because ICMP requests may alert administrators when an IDS/IPS system is installed at the target system or even worse ICMP echo requests are blocked from a firewall.

dig hostname


nslookup hostname


Enumerate domain for DNS entries

DNSDICT6 can be used to enumerate a domain for DNS entries. It uses a dictionary file if supplied or a built-in list otherwise. This tool is based on dnsmap by

> Open Backtrack 5 R3

> Open BackTrack > Information Gathering > Network Analysis > DNS Analysis and click dnsdict6

> Type:

dnsdict6 -4 -x -t 16 [domain]

-4 dump IPv4 addresses
-x choose the dictionary size (xtreme=3211)
-t NO specify the number of threads to use (default: 8, max: 32).