diff --git a/CHANGELOG.md b/CHANGELOG.md index 28ea800..13fad72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ## CHANGELOG: +* v9.1 - Updated Nuclei sc0pe templates +* v9.1 - Fixed issue with Nuclei sc0pe parsers not working * v9.1 - Fixed issue with GAU installer/commmand not working * v9.1 - Fixed issue with passive URL fetching * v9.1 - Fixed issue with nuclei not being installed diff --git a/README.md b/README.md index 6984550..5edd214 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ [![](https://sn1persecurity.com/wordpress/wp-content/uploads/2022/05/Sn1per-Enterprise-workspace-navigator1-3.png)](https://sn1persecurity.com/) ## The ultimate pentesting toolkit. -See how Sn1per can help your security team +Integrate with the leading commercial and open source vulnerability scanners to scan for the latest CVEs and vulnerabilities. [![](https://sn1persecurity.com/wordpress/wp-content/uploads/2022/05/Sn1per-Enterprise-workspace-report1-3.png)](https://sn1persecurity.com/) @@ -26,7 +26,7 @@ Security tools are expensive and time-consuming, but with Sn1per, you can save t [![](https://sn1persecurity.com/wordpress/wp-content/uploads/2022/05/Sn1per-Enterprise-host-list3-1.png)](https://sn1persecurity.com/) ### Find what you can't see. -Hacking is a problem that's only getting worse. But, with Sn1per, you can find what you can’t see—hidden assets and vulnerabilities in your environment. Integrate with the leading commercial and open source vulnerability scanners to scan for the latest CVEs and vulnerabilities. Find out quickly how hackers can attack your business or organization before it’s too late. +Hacking is a problem that's only getting worse. But, with Sn1per, you can find what you can’t see—hidden assets and vulnerabilities in your environment. [![](https://sn1persecurity.com/wordpress/wp-content/uploads/2022/05/Sn1per-Enterprise-host-list2-1.png)](https://sn1persecurity.com/) diff --git a/modes/webporthttp.sh b/modes/webporthttp.sh index f0934d3..c769f5c 100644 --- a/modes/webporthttp.sh +++ b/modes/webporthttp.sh @@ -347,7 +347,7 @@ if [[ "$MODE" = "webporthttp" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING NUCLEI SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target http://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-http-${TARGET}-port${PORT}.txt + nuclei -silent -t /root/nuclei-templates/ -c $THREADS -target http://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-http-${TARGET}-port${PORT}.txt fi SSL="false" source $INSTALL_DIR/modes/web_autopwn.sh diff --git a/modes/webporthttps.sh b/modes/webporthttps.sh index 9bf48b7..111a8b1 100644 --- a/modes/webporthttps.sh +++ b/modes/webporthttps.sh @@ -356,7 +356,7 @@ if [[ "$MODE" = "webporthttps" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING NUCLEI SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target https://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-https-${TARGET}-port${PORT}.txt + nuclei -silent -t /root/nuclei-templates/ -c $THREADS -target https://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-https-${TARGET}-port${PORT}.txt fi cd $INSTALL_DIR SSL="true" diff --git a/templates/active/Apache_Tomcat_Scanner.sh b/templates/active/Apache_Tomcat_Scanner.sh index 8aaf4e2..a83121c 100644 --- a/templates/active/Apache_Tomcat_Scanner.sh +++ b/templates/active/Apache_Tomcat_Scanner.sh @@ -2,8 +2,8 @@ AUTHOR='@xer0dayz' VULN_NAME='Apache Tomcat Detected' URI='/404_DOES_NOT_EXIST' METHOD='GET' -MATCH="Apache\ Tomcat" +MATCH="Apache\ Tomcat\/[0-9]?[0-9]\.[0-9]?[0-9]\.[0-9]?[0-9]" SEVERITY='P5 - INFO' CURL_OPTS="--user-agent '' -s -L --insecure" SECONDARY_COMMANDS='' -GREP_OPTIONS='-i' \ No newline at end of file +GREP_OPTIONS='-o' \ No newline at end of file diff --git a/templates/active/PHP_Info.sh b/templates/active/PHP_Info.sh index 27c17a9..09dc318 100644 --- a/templates/active/PHP_Info.sh +++ b/templates/active/PHP_Info.sh @@ -2,8 +2,8 @@ AUTHOR='@xer0dayz' VULN_NAME='PHP Info Detected 1' URI='/phpinfo.php' METHOD='GET' -MATCH='PHP Version ' +MATCH='>PHP Version \<' SEVERITY='P4 - LOW' CURL_OPTS="--user-agent '' -s -L --insecure" SECONDARY_COMMANDS='' -GREP_OPTIONS='-i' \ No newline at end of file +GREP_OPTIONS='-e' \ No newline at end of file diff --git a/templates/active/VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh b/templates/active/VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh index 74526f9..81a4fdb 100644 --- a/templates/active/VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh +++ b/templates/active/VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh @@ -2,7 +2,7 @@ AUTHOR='@xer0dayz' VULN_NAME='VMware vCenter Unauthenticated Arbitrary File Read' URI='/eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties' METHOD='GET' -MATCH="dbtype|password\.ecrypted" +MATCH="dbtype\ |password\.ecrypted" SEVERITY='P2 - HIGH' CURL_OPTS="--user-agent '' -s -L --insecure" SECONDARY_COMMANDS='' diff --git a/templates/passive/network/Interesting_Domain_Found.sh b/templates/passive/network/Interesting_Domain_Found.sh index 546a22f..d3514a8 100644 --- a/templates/passive/network/Interesting_Domain_Found.sh +++ b/templates/passive/network/Interesting_Domain_Found.sh @@ -1,7 +1,8 @@ AUTHOR='@xer0dayz' VULN_NAME='Interesting Domain Found' -FILENAME="$LOOT_DIR/domains/domains-all-sorted_NA.txt" -MATCH='admin|dev|portal|stage|prod|tst|test' +echo "$TARGET" > /tmp/target +FILENAME="/tmp/target" +MATCH="admin|dev|portal|stage|prod|tst|test" SEVERITY='P5 - INFO' GREP_OPTIONS='-i' SEARCH='positive' diff --git a/templates/passive/network/Possible_Takeover_Detected.sh b/templates/passive/network/Possible_Takeover_Detected.sh index b363968..40c5809 100644 --- a/templates/passive/network/Possible_Takeover_Detected.sh +++ b/templates/passive/network/Possible_Takeover_Detected.sh @@ -1,7 +1,7 @@ AUTHOR='@xer0dayz' VULN_NAME='Possible Takeover Detected' FILENAME="$LOOT_DIR/nmap/takeovers-$TARGET.txt" -MATCH='netlify|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|modulus|unbounce|uservoice|wpengine|cloudapp' +MATCH='anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp|azure|trafficmanager|netifly|brandpa' SEVERITY='P5 - INFO' GREP_OPTIONS='-i' SEARCH='positive' diff --git a/templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh b/templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh index bd84452..1ec39c8 100644 --- a/templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh +++ b/templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh @@ -1,6 +1,7 @@ AUTHOR='@xer0dayz' VULN_NAME='Component With Known Vulnerabilities - NMap' FILENAME="$LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt" +OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g') MATCH="vulners.com" GREP_OPTIONS='-ih' TYPE="network" diff --git a/templates/passive/network/recursive/Interesting_Ports_Found.sh b/templates/passive/network/recursive/Interesting_Ports_Found.sh index 88c493b..431a637 100644 --- a/templates/passive/network/recursive/Interesting_Ports_Found.sh +++ b/templates/passive/network/recursive/Interesting_Ports_Found.sh @@ -1,7 +1,7 @@ AUTHOR='@xer0dayz' VULN_NAME='Interesting Ports Found' FILENAME="$LOOT_DIR/nmap/ports-$TARGET.txt" -MATCH="21\ |22\ |23\ |137\ |139\ |445\ |8080\ |8443\ |3306\ |5900\ |53\ |8081\ " +MATCH="21\ |22\ |23\ |137\ |139\ |445\ |8080\ |8443\ |3306\ |5900\ |53\ |8081\ |5432\ " SEVERITY='P5 - INFO' GREP_OPTIONS='-i' SECONDARY_COMMANDS='' @@ -9,6 +9,15 @@ OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g') TYPE='network' rm -f /tmp/match.out 2> /dev/null -rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null -cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/match.out && echo "$SEVERITY, $VULN_NAME, $TARGET, $(cat /tmp/match.out | tr '\n' ' ' | sed -r "s/ /dev/null | tee -a "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null && /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out | tr '\n' ' ') (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out | tr '\n' ' ' | sed -r "s/> $LOOT_DIR/scans/notifications.txt || rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null +cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null | head -n 1 2> /dev/null > /tmp/match.out + +CHARS="$(wc -c /tmp/match.out 2> /dev/null | awk '{print $1}' 2> /dev/null)" +if [[ $CHARS > 0 ]]; then + echo "$SEVERITY, $VULN_NAME, $TARGET, $(cat /tmp/match.out 2> /dev/null)" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null + # /bin/bash "$INSTALL_DIR/bin/slack.sh" "[+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out | tr '\n' ' ') (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" + #echo "•?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out) (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt +else + rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null +fi + rm -f /tmp/match.out 2> /dev/null diff --git a/templates/passive/network/recursive/Nessus_Import.sh b/templates/passive/network/recursive/Nessus_Import.sh deleted file mode 100644 index 9bc8fc0..0000000 --- a/templates/passive/network/recursive/Nessus_Import.sh +++ /dev/null @@ -1,14 +0,0 @@ -AUTHOR='@xer0dayz' -VULN_NAME='Nessus Import' -FILENAME="${LOOT_DIR}/output/nessus-report_${TARGET}_*.csv" -OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g') -TYPE="network" - -rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null -grep Critical $FILENAME 2> /dev/null | egrep "tcp|udp" | cut -d, -f4,5,6,7,8,9 | tr \" " " | tr \, " " | sort -u | awk -F ' ' '{print "P1 - CRITICAL, " $5 ", " $2 ":" $4 ", " $6}' | grep -v 'was found to be open' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt -grep High $FILENAME 2> /dev/null | egrep "tcp|udp" | cut -d, -f4,5,6,7,8,9 | tr \" " " | tr \, " " | sort -u | awk -F ' ' '{print "P2 - HIGH, " $5 ", " $2 ":" $4 ", " $6}' | grep -v 'was found to be open' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt -grep Medium $FILENAME 2> /dev/null | egrep "tcp|udp" | cut -d, -f4,5,6,7,8,9 | tr \" " " | tr \, " " | sort -u | awk -F ' ' '{print "P3 - MEDIUM, " $5 ", " $2 ":" $4 ", " $6}' | grep -v 'was found to be open' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt -grep Low $FILENAME 2> /dev/null | egrep "tcp|udp" | cut -d, -f4,5,6,7,8,9 | tr \" " " | tr \, " " | sort -u | awk -F ' ' '{print "P4 - LOW, " $5 ", " $2 ":" $4 ", " $6}' | grep -v 'was found to be open' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt -grep None $FILENAME 2> /dev/null | egrep "tcp|udp" | cut -d, -f4,5,6,7,8,9 | tr \" " " | tr \, " " | sort -u | awk -F ' ' '{print "P5 - INFO, " $5 ", " $2 ":" $4 ", " $6}' | grep -v 'was found to be open' | grep -v "None" 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt - -cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null \ No newline at end of file diff --git a/templates/passive/web/Autocomplete_Enabled.sh b/templates/passive/web/Autocomplete_Enabled.sh index 4ea02ce..935439e 100644 --- a/templates/passive/web/Autocomplete_Enabled.sh +++ b/templates/passive/web/Autocomplete_Enabled.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='Autocomplete Enabled' -FILENAME="$LOOT_DIR/web/websource-$TARGET-*.txt" +FILENAME="$LOOT_DIR/web/websource-htt*-$TARGET-*.txt" MATCH='autocomplete=\"on\"' SEVERITY='P4 - LOW' GREP_OPTIONS='-i' diff --git a/templates/passive/web/CORS_Policy_-_Allow-Credentials_Enabled.sh b/templates/passive/web/CORS_Policy_-_Allow-Credentials_Enabled.sh index c1abf8c..7d0ff8e 100644 --- a/templates/passive/web/CORS_Policy_-_Allow-Credentials_Enabled.sh +++ b/templates/passive/web/CORS_Policy_-_Allow-Credentials_Enabled.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='CORS Policy - Allow-Credentials Enabled' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH='Access-Control-Allow-Credentials: true' SEVERITY='P4 - LOW' GREP_OPTIONS='-i' diff --git a/templates/passive/web/CORS_Policy_-_Allow-Origin_Wildcard.sh b/templates/passive/web/CORS_Policy_-_Allow-Origin_Wildcard.sh index 3be71d7..c82218a 100644 --- a/templates/passive/web/CORS_Policy_-_Allow-Origin_Wildcard.sh +++ b/templates/passive/web/CORS_Policy_-_Allow-Origin_Wildcard.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='CORS Policy - Allow-Origin Wildcard' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH='Access-Control-Allow-Origin: *' SEVERITY='P4 - LOW' GREP_OPTIONS='-i' diff --git a/templates/passive/web/Clear-text_Communications_HTTP.sh b/templates/passive/web/Clear-text_Communications_HTTP.sh index d8b8286..34d260d 100644 --- a/templates/passive/web/Clear-text_Communications_HTTP.sh +++ b/templates/passive/web/Clear-text_Communications_HTTP.sh @@ -1,12 +1,10 @@ if [ "$SSL" = "false" ]; then AUTHOR='@xer0dayz' VULN_NAME='Clear-Text Protocol - HTTP' - FILENAME="$LOOT_DIR/web/headers-http-$TARGET.txt" + FILENAME="$LOOT_DIR/web/headers-http-$TARGET-*.txt" MATCH="200\ OK" SEVERITY='P2 - HIGH' GREP_OPTIONS='-i' SEARCH='positive' SECONDARY_COMMANDS='' -else - break fi \ No newline at end of file diff --git a/templates/passive/web/Drupal_Detected.sh b/templates/passive/web/Drupal_Detected.sh index e27175d..0928236 100644 --- a/templates/passive/web/Drupal_Detected.sh +++ b/templates/passive/web/Drupal_Detected.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='Drupal Detected' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH="X\-Generator\:\ Drupal\ " SEVERITY='P5 - INFO' GREP_OPTIONS='-i' diff --git a/templates/passive/web/Expired_SSL_Certificate.sh b/templates/passive/web/Expired_SSL_Certificate.sh index a1001ba..6dda221 100644 --- a/templates/passive/web/Expired_SSL_Certificate.sh +++ b/templates/passive/web/Expired_SSL_Certificate.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='Expired SSL Certificate' -FILENAME="$LOOT_DIR/web/curldebug-$TARGET.txt" +FILENAME="$LOOT_DIR/web/curldebug-$TARGET-*.txt" MATCH='certificate has expired' SEVERITY='P3 - MEDIUM' GREP_OPTIONS='' diff --git a/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh b/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh index af55836..3ec85dd 100644 --- a/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh +++ b/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='Fortinet FortiGate SSL VPN Panel Passive Detection' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH="Server\:\ xxxxxxxx-xxxxx" SEVERITY='P5 - INFO' GREP_OPTIONS='-i' diff --git a/templates/passive/web/Insecure_Cookie_-_HTTPOnly_Not_Set.sh b/templates/passive/web/Insecure_Cookie_-_HTTPOnly_Not_Set.sh index c7bded7..1ad64d8 100644 --- a/templates/passive/web/Insecure_Cookie_-_HTTPOnly_Not_Set.sh +++ b/templates/passive/web/Insecure_Cookie_-_HTTPOnly_Not_Set.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='Insecure Cookie - HTTPOnly Not Set' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH='Set-Cookie' SEVERITY='P3 - MEDIUM' GREP_OPTIONS='-i' diff --git a/templates/passive/web/Insecure_Cookie_-_Secure_Not_Set.sh b/templates/passive/web/Insecure_Cookie_-_Secure_Not_Set.sh index 6ee7ac8..8fe492d 100644 --- a/templates/passive/web/Insecure_Cookie_-_Secure_Not_Set.sh +++ b/templates/passive/web/Insecure_Cookie_-_Secure_Not_Set.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='Insecure Cookie - Secure Not Set' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH='Set-Cookie' SEVERITY='P3 - MEDIUM' GREP_OPTIONS='-i' diff --git a/templates/passive/web/Insecure_SSL_TLS_Connection.sh b/templates/passive/web/Insecure_SSL_TLS_Connection.sh index fdaa66a..0a5a88e 100644 --- a/templates/passive/web/Insecure_SSL_TLS_Connection.sh +++ b/templates/passive/web/Insecure_SSL_TLS_Connection.sh @@ -1,10 +1,8 @@ -if [ "$SSL" = "true" ]; then - AUTHOR='@xer0dayz' - VULN_NAME='Weak SSL TLS Protocols' - FILENAME="$LOOT_DIR/web/sslscan-$TARGET.txt" - MATCH=' SSLv' - SEVERITY='P2 - HIGH' - GREP_OPTIONS='-i' - SEARCH='positive' - SECONDARY_COMMANDS='' -fi \ No newline at end of file +AUTHOR='@xer0dayz' +VULN_NAME='Weak SSL TLS Protocols' +FILENAME="$LOOT_DIR/web/sslscan-$TARGET.txt $LOOT_DIR/web/sslscan-$TARGET-*.txt" +MATCH="SSLv* enabled" +SEVERITY='P2 - HIGH' +GREP_OPTIONS='-i' +SEARCH='positive' +SECONDARY_COMMANDS='' \ No newline at end of file diff --git a/templates/passive/web/Insecure_SSL_TLS_Connection_CN_Mismatch.sh b/templates/passive/web/Insecure_SSL_TLS_Connection_CN_Mismatch.sh index 9be0b25..88aa039 100644 --- a/templates/passive/web/Insecure_SSL_TLS_Connection_CN_Mismatch.sh +++ b/templates/passive/web/Insecure_SSL_TLS_Connection_CN_Mismatch.sh @@ -1,13 +1,9 @@ -if [ "$SSL" = "true" ]; then - AUTHOR='@xer0dayz' - VULN_NAME='Insecure SSL TLS Connection CN Mismatch' - FILENAME="$LOOT_DIR/web/curldebug-$TARGET.txt" - MATCH='failed to verify the legitimacy of the server' - SEVERITY='P3 - MEDIUM' - GREP_OPTIONS='-i' - SEARCH='positive' - SECONDARY_COMMANDS='' - URI="/" -else - break -fi +AUTHOR='@xer0dayz' +VULN_NAME='Insecure SSL TLS Connection CN Mismatch' +FILENAME="$LOOT_DIR/web/curldebug-$TARGET.txt" +MATCH='failed to verify the legitimacy of the server' +SEVERITY='P3 - MEDIUM' +GREP_OPTIONS='-i' +SEARCH='positive' +SECONDARY_COMMANDS='' +URI="/" diff --git a/templates/passive/web/Interesting_Title_Found.sh b/templates/passive/web/Interesting_Title_Found.sh index 88ce800..814f07c 100644 --- a/templates/passive/web/Interesting_Title_Found.sh +++ b/templates/passive/web/Interesting_Title_Found.sh @@ -1,7 +1,7 @@ AUTHOR='@xer0dayz' VULN_NAME='Interesting Title Found' -FILENAME="$LOOT_DIR/web/title-htt*-$TARGET.txt" -MATCH='admin|dev|portal' +FILENAME="$LOOT_DIR/web/title-htt*-$TARGET-*.txt" +MATCH='admin|dev|portal|login|sign|signup|registration|account' SEVERITY='P5 - INFO' GREP_OPTIONS='-i' SEARCH='positive' diff --git a/templates/passive/web/Server_Header_Disclosure.sh b/templates/passive/web/Server_Header_Disclosure.sh index 7b0d3aa..c58cdec 100644 --- a/templates/passive/web/Server_Header_Disclosure.sh +++ b/templates/passive/web/Server_Header_Disclosure.sh @@ -1,18 +1,18 @@ if [ "$SSL" = "false" ]; then AUTHOR='@xer0dayz' VULN_NAME='Server Header Disclosure - HTTP' - FILENAME="$LOOT_DIR/web/headers-http-$TARGET.txt" + FILENAME="$LOOT_DIR/web/headers-http-$TARGET-*.txt" MATCH="Server\:" - SEVERITY='P4 - LOW' + SEVERITY='P5 - INFO' GREP_OPTIONS='-i' SEARCH='positive' SECONDARY_COMMANDS='' else AUTHOR='@xer0dayz' VULN_NAME='Server Header Disclosure - HTTPS' - FILENAME="$LOOT_DIR/web/headers-https-$TARGET.txt" + FILENAME="$LOOT_DIR/web/headers-https-$TARGET-*.txt" MATCH="Server\:" - SEVERITY='P4 - LOW' + SEVERITY='P5 - INFO' GREP_OPTIONS='-i' SEARCH='positive' SECONDARY_COMMANDS='' diff --git a/templates/passive/web/X-Powered-By_Header_Found.sh b/templates/passive/web/X-Powered-By_Header_Found.sh index 9fde91f..99f46ca 100644 --- a/templates/passive/web/X-Powered-By_Header_Found.sh +++ b/templates/passive/web/X-Powered-By_Header_Found.sh @@ -1,6 +1,6 @@ AUTHOR='@xer0dayz' VULN_NAME='X-Powered-By Header Found' -FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt" +FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt" MATCH='X-Powered-By' SEVERITY='P5 - INFO' GREP_OPTIONS='-i' diff --git a/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh index 2e81258..736bb2d 100644 --- a/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh +++ b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh @@ -6,14 +6,14 @@ GREP_OPTIONS='-ih' rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[critical\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[high\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[medium\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[low\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[info\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null \ No newline at end of file diff --git a/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh index aac3093..85c9873 100644 --- a/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh +++ b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh @@ -6,14 +6,14 @@ GREP_OPTIONS='-ih' rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[critical\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[high\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[medium\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[low\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null MATCH="\[info\]" -egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $3 ", " $6}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null +egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null \ No newline at end of file