Category Archives: Information Security


Foremost is a forensic data recovery program for Linux that recovers files by their headers, footers and internal data structures, a process known as file carving.

[1] Install Foremost

yum install foremost -y
Or download the foremost source package and unpack it:

tar -xvzf foremost-1.5.7.tar.gz
cd foremost-1.5.7

[2] Foremost commands and options

man foremost

[3] Foremost's configuration lives in /etc/foremost.conf: # vi /etc/foremost.conf

[4] Example command for running foremost

First, find out which device holds the files to be recovered:

# df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos00-root 50G 4,4G 46G 9% /
devtmpfs 905M 0 905M 0% /dev
tmpfs 915M 0 915M 0% /dev/shm
tmpfs 915M 8,5M 907M 1% /run
tmpfs 915M 0 915M 0% /sys/fs/cgroup
/dev/mapper/centos00-home 469G 241G 229G 52% /home
/dev/sda1 497M 171M 327M 35% /boot
tmpfs 183M 0 183M 0% /run/user/0

The data I am going to recover is on home: /dev/mapper/centos00-root

foremost -t pdf,jpg -T -v -Q -o /home/output /dev/mapper/centos00-root
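The header/footer matching described above, carried out as an added example over a constructed in-memory image (this is not foremost's own code): each type is searched for like a /etc/foremost.conf entry, everything up to the matching footer is carved, and a header whose footer never appears within the size limit is skipped.

```python
"""Minimal header/footer file carver: an added example of the technique
foremost implements, not foremost's own code."""
from typing import Dict, List, Tuple

# Signatures in the spirit of /etc/foremost.conf entries:
# type -> (header magic, footer magic, maximum bytes to carve)
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    "pdf": (b"%PDF", b"%%EOF", 20_000_000),
}


def carve(image: bytes) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header..footer span found.

    A header with no footer inside its size limit is skipped, which is the
    truncated-file case every carver has to decide how to handle."""
    found = []
    for kind, (header, footer, max_size) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            if end == -1:                      # truncated: no footer in range
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)      # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample "disk image": zero filler with one JPEG-like and one
# PDF-like file embedded, plus a dangling JPEG header with no footer.
# Only the magic bytes matter; the bodies are not valid files.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIF-body\xff\xd9"          # complete JPEG-like file
    + b"\x00" * 8
    + b"%PDF-1.4\n1 0 obj <<>> endobj\n%%EOF"       # complete PDF-like file
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe1"                            # header only, skipped
    + b"\x00" * 8
)

if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(f"{kind}: offset {offset}, {len(data)} bytes")
```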

Dumpzilla is a browser forensics tool.

[1] Download dumpzilla from its official website, at

[2] Once the dumpzilla source has been downloaded, run the Python script:

Version: 15/03/2013

Usage: python browser_profile_directory [Options]


--All (Shows everything but the DOM data. Doesn't extract thumbnails or HTML 5 offline)
 --Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access <date> -create <date> -secure <0/1> -httponly <0/1> -range_last -range_create <start> <end>]
 --Permissions [-host <string>]
 --Downloads [-range <start> <end>]
 --Forms [-value <string> -range_forms <start> <end>]
 --History [-url <string> -title <string> -date <date> -range_history <start> <end> -frequency]
 --Bookmarks [-range_bookmarks <start> <end>]
 --Cacheoffline [-range_cacheoff <start> <end> -extract <directory>]
 --Thumbnails [-extract_thumb <directory>]
 --Range <start date> <end date>
 --Passwords (Decode only in Unix)
 --Watch [-text <string>] (Shows in daemon mode the URLs and text form in real time. -text' Option allow filter, support all grep Wildcards. Exit: Ctrl + C. only Unix).

Wildcards: '%' Any string of any length (Including zero length)
 '_' Single character
 '\' Escape character

Date syntax: YYYY-MM-DD HH:MM:SS

Win profile: 'C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\xxxx.default'
Unix profile: '/home/xx/.mozilla/seamonkey/xxxx.default/'

[3] Example: listing the browsing history

$ python /home/space/.mozilla/firefox/g8gha5kg.default/ --History

Last visit: 2017-08-25 16:32:51
Title: Add New Post ‹ — WordPress
Frequency: 10

Total information

Total urls in History: 1861
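What the --History option reads, as an added example that is not dumpzilla's code: Firefox keeps browsing history in places.sqlite inside the profile directory shown above, and the script below queries a constructed in-memory copy of its moz_places table, turning the PRTime timestamps into the Last visit / Title / Frequency fields seen in the output (the sample row is built to decode to the 2017-08-25 16:32:51 time above, in UTC).

```python
"""Firefox history reader in the style of dumpzilla --History (added example,
not dumpzilla's code). Firefox keeps history in places.sqlite in the profile
directory; moz_places stores url, title, visit_count and last_visit_date, the
latter in PRTime (microseconds since the Unix epoch)."""
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Optional


def prtime_to_str(prtime: Optional[int]) -> str:
    """PRTime microseconds -> 'YYYY-MM-DD HH:MM:SS' in UTC ('never' if NULL)."""
    if prtime is None:
        return "never"
    when = datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S")


def history(conn: sqlite3.Connection, url_filter: str = "%") -> List[Dict]:
    """Visited URLs, most recent first. url_filter takes SQL LIKE wildcards,
    the same '%' and '_' syntax dumpzilla documents for its -url option."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_date FROM moz_places "
        "WHERE last_visit_date IS NOT NULL AND url LIKE ? "
        "ORDER BY last_visit_date DESC", (url_filter,))
    return [{"url": url, "title": title or "", "frequency": visits,
             "last_visit": prtime_to_str(last)}
            for url, title, visits, last in rows]


def sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (only the columns used)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, visit_count INTEGER, last_visit_date INTEGER)")
    conn.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) "
        "VALUES (?, ?, ?, ?)",
        [("https://blog.example/wp-admin/post-new.php", "Add New Post - WordPress",
          10, 1503678771000000),                        # 2017-08-25 16:32:51 UTC
         ("https://example.org/", "Example Domain", 3, 1503600000000000),
         ("https://never.example/", None, 0, None)])    # bookmarked, never visited
    return conn


if __name__ == "__main__":
    for entry in history(sample_places()):
        print(f"Last visit: {entry['last_visit']}\nTitle: {entry['title']}\n"
              f"Frequency: {entry['frequency']}\n")
```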

Cheers – Andito Yugo Wicaksono


Operative Framework

Operative Framework is a powerful open-source, Python-based tool that can find the domains registered with the same e-mail address, along with many other investigative functions. This reconnaissance tool gathers information about a target by examining the relationships between the domains it owns.

[1] Installing the Operative Framework

git clone
cd operative-framework
pip install -r requirements.txt

If pip is not installed yet, install python-pip:

# sudo apt install python-pip
or obtain it with git clone:
git clone

[2] Run it

$ python
__ _ 
 ____ ____ ___ _________ _/ /_(_) _____ 
 / __ \/ __ \/ _ \/ ___/ __ `/ __/ / | / / _ \
/ /_/ / /_/ / __/ / / /_/ / /_/ /| |/ / __/
\____/ .___/\___/_/ \__,_/\__/_/ |___/\___/ 
 /_/ Version: 2.0 BETA | Twitter: @graniet75
 If you don't know how run it use :help

$ operative > modules 
 * viadeo_search Viadeo employee search module
 * email_to_domain Get domain with email
 * reverse_ipdomain Reverse ip domain check (Yougetsignal)
 * vhost_IPchecker Reverse IP domain check (BING)
 * https_gathering SSL/TLS information gathering (sslyze)
 * subdomain_search Search subdomain with google dork
 * getform_data Get all form parameters (BETA)
 * defaultPassword Search default password from manufactor
 * domain_search Search enterprise domain name
 * header_retrieval No module description found
 * file_common Read/Search common file
 * waf_gathering WAF information gathering : need wafw00f
 * cms_gathering Check if CMS is used (wordpress,joomla,magento)
 * get_websiteurl Extract url on website domain
 * metatag_look get meta name,content
 * search_db Forensics module for SQL database
 * website_archive Search archive of website domain (
 * linkedin_search Linkedin employee search module
 * sample_module Module sample
 * whois_domain Whois information for domain
 * tools_suggester Check website & show possible tools for CMS exploitation
 * generate_email Generate email with employee list
$ operative >

Example: how to use a module

$ operative > use whois_domain
Loading : core/modules/
$ operative (core/modules/whois_domain) > show options
- website(is_required):No value
$ operative (core/modules/whois_domain) > set 
$ operative (core/modules/whois_domain) > run

quasiBot (complex webshell manager)

QuasiBot is a complex webshell manager written in PHP, which operates on web-based backdoors implemented by the user himself. Using prepared PHP backdoors, quasiBot works as a C&C, trying to communicate with each backdoor. The tool goes beyond average web-shell managers, since it delivers useful functions for scanning, exploiting and so on. It is a quasi-HTTP botnet, hence the name. quasiBot also allows you to perform various bruteforce attacks on services such as FTP, SSH or databases.

All data about bots is stored in an SQL database; at the moment only MySQL is supported. A TOR proxy is also supported: the goal was to create a secure connection between the C&C and the backdoors, and using SOCKS5 it is able to torify all connections between you and the web server. All configuration is stored in the config file. QuasiBot is still under construction, so I am aware of potential bugs.

You will need any web server software; tested on Linux, Apache 2.2 and PHP 5.4.4. Fully written in PHP.

Download QuasiBot

# How it works

  • quasiBot operates on web-shells delivered by the user; each backdoor is verified by an md5 hash which changes every hour
quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)


  • Backdoors come in two types, with and without the DDoS module; the source code is included and displayed on the home page;
  • The connection between the C&C and the server is handled by curl; a TOR proxy is supported, and the User Agent is randomized from an array
quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be removed and added in the ‘Settings’ tab; they are stored in the database
  • The ‘RSS’ tab contains the latest exploit and vulnerability feeds
  • The ‘RCE’ tab allows performing Remote Code Execution on a specific server using the selected PHP function
  • The ‘Scan’ tab resolves an IP or URL and performs a basic scan using nmap, dig and whois – useful in the information-gathering phase
  • The ‘Pwn’ tab stands for a few functions which generally help collect information about the server and try to find exploits for the currently used OS version using the Exploit Suggestor module
  • ‘MySQL Manager’, as the name says, can be used to perform basic operations on a specific database – it can be helpful while looking for config files that include MySQL connections on the remote server; it also displays some information about its environment
  • The ‘Run’ tab allows you to run a specific command on every bot at once
  • The ‘DDoS’ tab allows you to perform UDP DoS attacks using all bots or a single one; the expanded backdoor is required
  • The ‘Shell’ tab allows you to spawn a reverse or bind shell; you may pick between a few languages that will be used for creating the reverse shell
  • You may enable the authorisation module; the user is validated by session, and auth credentials are stored in the config file, not in the DB. Using Cookie Auth, the user won’t be able to use quasiBot until a specific cookie is presented
  • The ‘Bruteforce’ category consists of a few modules which allow you to perform single or massive attacks on FTP, SSH, MySQL, PgSQL, MSSQL and WordPress
  • Cracked credentials are stored in the database; bruteforce on websites can be done via TOR
  • The whole front-end is maintained by a pleasant, functional interface

# Running quasi for the first time

  • Move all files to the prepared directory and change the default settings in the config file (config.php)
  • Visiting quasiBot for the first time will create the needed database and its structure
  • In the ‘Settings’ tab you are able to add and delete shells; then you’re ready to go
  • Using authorisation? To log out, simply add a GET logout parameter to the current URL, like quasi/index.php?logout



  • Windows support in ‘PWN’ module
  • Bruteforce WWW: Joomla
  • Optimization
  • ???


  • 0.3
  • Bruteforce: SSH, FTP, WWW, DBs
  • Details
  • 0.2
  • Added authorization (Sessions / Cookie Auth)
  • Added Shell Module (Reverse / Bind shell)
  • Added Linux Exploit Suggestor module

Reference:

RIPS – PHP Security Analysis

RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the site.

Download the RIPS package –>

Unzip the package to /var/www/html/rips

Open it through the local web server –> http://localhost/rips/index.php

To analyse a PHP script, enter the file or path and click Scan.


Cheers – Andito Yugo Wicaksono

Source Code Analysis Tools

Open Source or Free Tools Of This Type

Bandit – Bandit is a comprehensive source vulnerability scanner for Python

Brakeman – Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications

Codesake Dawn – Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works on non-web applications written in Ruby

FindBugs – Find Bugs (including a few security flaws) in Java programs

FindSecBugs – A security-specific plugin for FindBugs that significantly improves FindBugs’ ability to find security vulnerabilities in Java programs

Flawfinder – Scans C and C++

Google CodeSearchDiggity – Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.

PMD – PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)

PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.

Puma Scan – Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.

RIPS – RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the site.

SonarQube – Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by SonarLint.

VisualCodeGrepper (VCG) – Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

Xanitizer – Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

Source:


What is FoxyProxy?

FoxyProxy sells reliable, fast, secure VPN and proxy servers in 68+ different countries with 5 ways to connect. Our free proxy and VPN management tools set industry standards as far back as 2006, with our award-winning Firefox addons used by millions.

[1] To install it, add the add-on directly through the Mozilla Firefox web browser

[2] Once it is installed, open FoxyProxy and create a new proxy; as an example, we will use localhost

– Select the mode to activate the proxy

Cheers – Andito Yugo Wicaksono