FSociety is an open source penetration testing framework that consists of a variety of hacking tools which range from information gathering to post-exploitation.
If you are passionate about cyber security, you must have heard of the famous Mr Robot series. Fsociety is a framework that has been used in the series to carry out the various hacking attacks. I don’t want to give you any spoilers but for those who have not watched this TV show, I would highly recommend it.
Advantages of Fsociety framework.
1) It comes with a complete tool set for all the penetration testing stages.
2) It can be used in platforms such as Windows, Linux and Android.
3) It is super easy to get started.
4) It is automated, It therefore gets you a moment to sip over a cup of tea.
Getting started with Fsociety
Steps on how to install and get started with Fsociety:
FSOCIETY can be cloned from github https://github.com/Manisso/fsociety.
- To clone from github run
git clone https://github.com/Manisso/fsociety.git
- Navigate to the directory where you have cloned fsociety.
- Provide executable permission on install.sh by running this command on the terminal
chmod +x install.sh
- Finally execute
./install.sh to install
- To run just type :
fsociety
The following screen will appear:
You can now use tools from each category above by typing in the number of the type of attack you want to use. These include:
- Information Gathering
- Password Attacks
- Wireless Testing
- Exploitation Tools
- Sniffing & Spoofing
- Web Hacking
- Private Web Hacking
Let me briefly point out some of the tools Mentioned above.
- Information Gathering
This is the first and most important phase of any penetration testing. The pen tester gathers all the publicly available information about their target and seeks ways in which they can be exploited.
Fsociety covers the following tools for information gathering:
- Nmap
- Setoolkit
- Host To IP
- WPScan
- CMS Scanner
- XSStrike
- Dork — Google Dorks Passive Vulnerability Auditor
- Scan A server’s Users
- Crips
So, what next after getting the user information? I would try to attack the passwords and Fsociety got us covered at number 2.
- Password Attacks
For password attack, Fsociety uses:
- Cupp: (Common User Passwords Profiler), is tool to generate wordlist from common user profiler.
- Ncrack
In case we wish to attack the system from the wireless side, we can test the target’s wireless infrastructure using Tools provided for us in number 3.
- Wireless Testing
For wireless testing, the following tools are available:
- Reaver
- Pixiewps
- Bluetooth Honeypot
After testing the target’s wireless infrastructure, we then move to the fun part, where we attempt to exploit and take advantage of the target’s system. Luckily enough, Fsociety got us covered on that too at number 4.
- Exploitation Tools
These are the tools That will allow you to take advantage of the vulnerabilities You discovered. The following tools are provided to help you with that task:
- ATSCAN
- sqlmap
- Shellnoob
- Commix
- FTP Auto Bypass
- JBoss Autopwn
Once we succeed or even if we don’t, we can try sniffing and spoofing to get what we want using our number 5.
- Sniffing and Spoofing
Just to note: Spoofing and Sniffing are types of cyber-attacks. In simple words, Spoofing means to pretend to be someone else. Sniffing means to illegally listen into another’s conversation.
The tools used for sniffing and spoofing in Fsociety are:
- Setoolkit
- SSLtrip
- pyPISHER
- SMTP Mailer
If our entry point happens to be the web, we have tools to help us with this at number 6 and 7.
- Web Hacking
It consists of tools used for web penetration testing and also CMS (Content Management System).
Tools available include:
- Drupal Hacking
- Inurlbr
- WordPress & Joomla Scanner
- Gravity Form Scanner
- File Upload Checker
- WordPress Exploit Scanner
- WordPress Plugins Scanner
- Shell and Directory Finder
- Joomla! 1.5–3.4.5 remote code execution
- Vbulletin 5.X remote code execution
- BruteX — Automatically brute force all services running on a target
- Arachni — Web Application Security Scanner Framework
- Private Web Hacking
Under private web hacking the following tools are available:
- Get all websites
- Get joomla websites
- Get wordpress websites
- Control Panel Finder
- Zip Files Finder
- Upload File Finder
- Get server users
- SQli Scanner
- Ports Scan (range of ports)
- Ports Scan (common ports)
- Get server Info
- Bypass Cloudflare
We are also provided with some post-exploitation tools as an option at number 8.
- Post Exploitation
The following are tools available for post exploitation:
- Shell Checker
- POET
- Weeman
Thank you for stopping by. The next article will cover the various steps of using the Fsociety tools. We’d be glad to have you on this journey as we explore Fsociety.
DISCLAIMER: This article is for learning purposes only. I am not responsible for any harm caused while referring to it.
Fredwave is a Certified Information Systems Security Professional | Member CSEAN & NA Resource Centre | AHQ Web Admin|Convener #SoldiersLivesMatter | Web&Mobile App Developer.
I do agree with all of the ideas you have presented for your post. Gale Trumaine Hake
I have fun with, cause I discovered just what I was having a look for. Dianna Huberto Berny