gabemarshall / brosec Goto Github PK

Using latest debian testing, brosec does not copy the output in clipboard, so i have to select it myself and copy it each time. Thats how it goes :

`4. Obtain a TTY via Python

 => python -c 'import pty;pty.spawn("/bin/bash")'



Choose a payload: (1-4) or enter "back" to return to the main menu: 4
python -c 'import pty;pty.spawn("/bin/bash")'`

So it just write it in terminal after i choose it, instead of copying it.

Template Literal is fastest, smallest and simplest template engine, because it use JS's literal template feature.

It's 55 times faster than EJS, and it also use less CPU and RAM ressources, so it may be a good idea to use it instead of EJS 😀

Hi,
Is there a way to 'back' to main menu for Mac OS X(El capitan)? Delete or FN + Delete is not working.

Wonderful utility! 10/10!

If you are up to it, maybe consider adding metasploit payloads as well? http://netsec.ws/?p=331

If not, close this issue as you like

Cheers!

I see that many of the payloads have been inspired by resources in SecLists.

What if we can seed a local MongoDB or SQLite with all the payloads from SecLists upon initialization of brosec; that way the user would have a comprehensive list of payloads, rather than just a select few?

When prompted to open a netcat listener with text "(Y/n)" hitting enter doesn't seem to default to yes, despite prompt saying so with the capital Y convention.

Choose a payload: (1-5) or enter "back" to return to the main menu:  1
Enter the type of shell to use (/bin/sh, cmd.exe, etc: ::  /bin/sh/
Should I start a netcat listener for you? (Y/n) :: ::

How do you feel about using Standard?
Advantages:

• Catches unused variables (aka keeps code base clean and prevents the root cause of so many hard-to-detect bugs)
• Forces JS best practices

/Users/jumpman/Desktop/Dev/Security/Brosec/payloads/injection.js:52
returnToPrepare(result.)
^
TypeError: Cannot read property '' of undefined
at /Users/jumpman/Desktop/Dev/Security/Brosec/payloads/injection.js:52:26

The amount of blank lines between the payloads and their titles seems to be excessive and does not handle resizing of the window well.

This app needs a flag finding regex. Would use, A+++++.

...maybe even a section of useful regex for pentesting, you know?

Bros encode (which uses the blessed library) technically works, but doesn't display properly.

I notice that HTTP is occasionally the only (easy) outgoing method that I have on some engagements. It would be nice if the bros http server supported a very basic multipart/form-data with file picking functionality for exfiltration purposes.

While this isn't supported out of the box by SimpleHTTPServer by default, here is an example - https://gist.github.com/3346170

Node specific references:
https://howtonode.org/really-simple-file-uploads
https://github.com/expressjs/multer

Colors such as gray don't show up on particular configurations. I use http://ethanschoonover.com/solarized for example and can't see certain text.

Default view:

Highlighted:

Note that 'help' and '(1-5):' don't appear unless highlighted.

After it emits -"Output copied to clipboard", what is the the next step? I have set RHOST, RPORT, LHOST, LPORT, USER and PATH but failed to understand how these can be useful to attack the remote IP?

The text given is not exactly clear in what it is asking and what it expects as input.

Enter the type of shell to use (/bin/sh, cmd.exe, etc: ::  

Additionally, there is no closing parenthesis.