Cross Site Scripting Anonymous Browser (XAB)

Cross Site Scripting Anonymous Browser (XAB) leverages sites vulnerable to XSS and client browsers to build a network of drones. It does not replace the current anonymous browsing proxies, but provides an alternative that does not require willing participants. XAB is released as a proof of concept and as a jumping point for further research in the area of Cross Site Scripting.

The tool and the concept behind it debuted in the XAB Blackhat presentation by Jeff Yestrumskas and Matt Flick and was updated in their XAB DEF CON presentation later that year.

Download XAB


GuestStealer allows for the stealing of VMware guests from vulnerable hosts based on the Directory Traversal Vulnerability detailed in CVE-2009-3373 and VMSA-2009-0015. GuestStealer was released at ShmooCon during Tony Flick’s ‘Stealing Guests…The VMware Way’ presentation.

  • Perl
  • LWP::Simple Perl module
  • XML::Simple Perl module
  • Data::Dumper Perl module
  • Crypt::SSLeay Perl module
$ perl -h <host> -p <web access UI port> -s <ssl web access UI> -t <server type> -o <output directory>
-h = the target host (IP address or host name)
-p = port for the web access UI (defaults: ESX/ESXi = 80|443, server = 8222|8333)
-s = is the web access UI utilizing SSL (yes|no)
-t = target type (server/esx/esxi)
-o = output directory
Example Usage:

$ perl -h -p 8333 -s yes -t server -o /tmp

Download Gueststealer

Nessus PBE

NessusPBE simplifies the process of understanding Nessus output by transforming the data into an actionable format. Specifically, NessusPBE reads in .nbe formatted Nessus reports and creates spreadsheets that can be opened by most office suites, including Microsoft Excel and OpenOffice Spreadsheet. NessusPBE creates three spreadsheets: a list of services identified by Nessus, a list of open ports whose service was not identified by Nessus, and a list of Nessus’ findings.

Download Nessus PBE


iNERGy profiles a person’s energy usage by analyzing the energy usage tweets posted to their Twitter account. The tool predicts when the person is home, sleeping, and away from home in order to show how a burglar or stalker could use energy usage information maliciously. iNERGy was released at DEF CON 18 during Tony Flick’s Getting Social with the Smart Grid presentation.

Download iNERGY