

Cross Site Scripting Anonymous Browser (XAB) [ Download ]

Cross Site Scripting Anonymous Browser (XAB) leverages sites vulnerable to XSS and client browsers to build a network of drones. It does not replace the current anonymous browsing proxies, but provides an alternative that does not require willing participants. XAB is released as a proof of concept and as a jumping point for further research in the area of Cross Site Scripting.

The tool and the concept behind it debuted in the XAB Black Hat presentation by Jeff Yestrumskas and Matt Flick and were updated in their XAB DEF CON presentation later that year.

iNERGY v1.0 [ Download ]

iNERGy profiles a person's energy usage by analyzing the energy usage tweets posted to their Twitter account. The tool predicts when the person is home, sleeping, and away from home in order to show how a burglar or stalker could use energy usage information maliciously. iNERGy was released at DEF CON 18 during Tony Flick's 'Getting Social with the Smart Grid' presentation.


Requirements

  1. Apache
  2. Net::Twitter perl module
  3. HTML::Entities perl module
  4. GD::Graph perl module
  5. GD::Graph::bars perl module
  6. GD::Graph::linespoints perl module
  7. Data::ICal perl module
  8. Data::ICal::DateTime perl module
  9. Tie::File perl module
  10. Time::Piece perl module
  11. Data::Dumper perl module
  12. Date::Manip perl module

Installation Instructions

  1. Unzip the tool files into the web server directory
  2. Enable the perl module for Apache
  3. Add the following lines to the httpd.conf file:
    AddHandler cgi-script .cgi .pl
    ScriptAlias /perl/ /var/www/perl/
    * Note the web server IP address

Execution Instructions

  1. Browse to http://IP/index.html


FYRM Associates does not condone or encourage illegal behavior. This tool is being released for educational purposes and to inform people of the dangers of posting too much information to social networking sites.

GuestStealer v1.1 [ Download ]

GuestStealer allows for the stealing of VMware guests from vulnerable hosts based on the Directory Traversal Vulnerability detailed in CVE-2009-3373 and VMSA-2009-0015. GuestStealer was released at ShmooCon 2010 during Tony Flick's 'Stealing Guests...The VMware Way' presentation.


Requirements

  1. Perl interpreter
  2. LWP::Simple perl module
  3. XML::Simple perl module
  4. Data::Dumper perl module
  5. Crypt::SSLeay perl module


Execution Instructions

  1. perl gueststealer-v1.1.pl -h <Host> -p <Web Access UI Port> -s <SSL Web Access UI> -t <Server Type> -o <Output Directory>
    -h = The target host (IP Address or Host Name)
    -p = Port for the Web Access UI (Defaults: ESX/ESXi = 80/443, Server = 8222/8333)
    -s = Is the Web Access UI utilizing SSL (yes/no)
    -t = Target type (server/esx/esxi)
    -o = Output directory
  2. Example Usage:
    perl gueststealer-v1.1.pl -h -p 8333 -s yes -t server -o /tmp

NessusPBE [ Download ]

NessusPBE simplifies the process of understanding Nessus output by transforming the data into an actionable format. Specifically, NessusPBE reads in .nbe formatted Nessus reports and creates spreadsheets that can be opened by most office suites, including Microsoft Excel and OpenOffice Spreadsheet. NessusPBE creates three spreadsheets: a list of services identified by Nessus, a list of open ports whose service was not identified by Nessus, and a list of Nessus’ findings.


Requirements

  1. Perl interpreter
  2. Nessus output in the .nbe format


Execution Instructions

  1. From a command line: ./NessusPBE.pl -i <input .nbe> -o <output prefix>
    Example: ./NessusPBE.pl -i AcmeBank.nbe -o AcmeBankNessus
  2. Open the resulting output files: <output-prefix>-OpenPorts.csv <output-prefix>-UnknownPorts.csv <output-prefix>-VulnList.tsv
    Example: AcmeBank-OpenPorts.csv AcmeBank-UnknownPorts.csv AcmeBank-VulnList.tsv
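
The three-way split described above (identified services, open ports with no identified service, findings), shown as an added Python example that is not NessusPBE's own Perl code. It assumes the pipe-delimited .nbe row layout noted in the comments; the sample report, function name and tuple layout are constructed for illustration.

```python
import re

# Constructed sample in the pipe-delimited .nbe layout (assumed here):
# results|subnet|host|service (port/proto)[|plugin id|type|description]
SAMPLE_NBE = r"""timestamps|||scan_start|Mon Jan  4 10:00:00 2010|
results|10.0.0|10.0.0.5|ssh (22/tcp)
results|10.0.0|10.0.0.5|ssh (22/tcp)|10267|Security Note|SSH version : SSH-2.0-OpenSSH_5.1\n
results|10.0.0|10.0.0.5|unknown (4444/tcp)
results|10.0.0|10.0.0.7|http (80/tcp)
results|10.0.0|10.0.0.7|http (80/tcp)|11213|Security Warning|TRACE and TRACK are enabled.\nDisable these methods.
results|10.0.0|10.0.0.7|general/tcp|19506|Security Note|Scan information
"""

# Matches a service field such as "http (80/tcp)" or "unknown (4444/tcp)"
SERVICE_RE = re.compile(r"^(?P<name>\S+) \((?P<port>\d+)/(?P<proto>\w+)\)$")


def split_nbe(text):
    """Return (services, unknown_ports, findings) parsed from .nbe text."""
    services, unknown, findings = set(), set(), []
    for line in text.splitlines():
        # maxsplit keeps any '|' inside the description in the last field
        fields = line.split("|", 6)
        if fields[0] != "results" or len(fields) < 4:
            continue  # skip timestamps and malformed rows
        host, service = fields[2], fields[3]
        m = SERVICE_RE.match(service)
        if m:
            row = (host, int(m["port"]), m["proto"], m["name"])
            # A port Nessus could not fingerprint is reported as "unknown"
            (unknown if m["name"] == "unknown" else services).add(row)
        if len(fields) == 7:
            plugin_id, severity = fields[4], fields[5]
            # .nbe stores line breaks in descriptions as a literal "\n"
            desc = fields[6].replace("\\n", "\n").strip()
            findings.append((host, service, plugin_id, severity, desc))
    return sorted(services), sorted(unknown), findings


if __name__ == "__main__":
    svc, unk, vulns = split_nbe(SAMPLE_NBE)
    print(len(svc), "services,", len(unk), "unknown ports,", len(vulns), "findings")
```

Rows without a port (here `general/tcp`) appear only in the findings list, and a port that has both a bare row and a finding row is counted once.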
