.,:: .: .,,. ... :::::::.. .,-:::::; ,;;, `;;;, .,;;,;;'`';, ,;;, .;;;;;;;. ;;;;``;;;; ,;;-'````' ,[' [n '[[,,[[' [[, _,[[,[' [n ,[[ \[[,[[[,/[[[' [[[ [[[[[[[| $$ $$ Y$$$P Y$$P"$$$$ $$ $$$, $$$$$$$$$c "$$c. "$$ Y8, ,8" oP"``"Yo, ,,_,d8"Y8, ,8" "888,_ _,88P888b "88bo,`Y8bo,,,o88o "YmmP,m" "Mm, "MP" "YmmP (O) "YMMMMMP" MMMM "W/ `'YMUP"YMM ========================================================================= ------------------------------------------------------------------------- The Leatherman Web-based Intrusion Toolset by nummish ------------------------------------------------------------------------- ========================================================================= Leatherman is a general-purpose set of tools/commands/scripts that can be helpful while enumerating and penetrating a system. It's not an auto-rooter, or some other be-all end-all security tool. It was something I wrote to make my life easier. This package should contain the following files: o This READ.ME file o leatherman.php o leatherman.pl o bootstrap.php o bootstrap.pl leatherman.*: These are the actual tools in question. One is a php script, the other is the perl CGI version. Upload them to the appropriate directory on the web server and connect. Everything you need is all contained in the single file. That's right, you'll only need to upload one of the files, and YOU get to choose. If you want to compromise someone's half assed CGI shopping cart, turn to page 34. If you want to take advantage of an awkwardly written php blog turn to page 73. Once you've loaded the page, everything should be obvious. If not, you should delete this and turn off your computer. bootstrap.*: Sometimes uploading a file on a server is a huge pain in the ass. I've been there, you've been there, your cousin's roomate's boyfriend's younger sister has been there (but hey, she's been around anyways). So when you're stuck piping a shell script line by line through a modified querystring, you can pull out your trusty copy of the leatherman bootstrap code in fun bite sized chunks. From there, uploading the full leatherman code is easy. A time saver if I say so myself! Known Deficiencies: o Under BSD, it claims netcat is not available, because of my lame coding quality. I'll fix it at the next point release. Just man for netcat on the CLI box if you're on a BSD. o It will PLASTER crap in the logs. You were warned. o This obviously doesn't help if you are attacking an IIS server. An ASP one is in the works, but I've been using Linux for so long that I'm now a windows cripple. If you have suggestions for the ASP version PLEASE email me. (My PGP key should be on 0x90.org) o Most of the find and directory listings time out. That's just how things are, get over it. Hopefully you find this useful. - nummish