Sn1per v1.6b by 1N3 @CrowdShield

This commit is contained in:
root
2016-03-06 16:09:23 -05:00
parent 6a177bfe11
commit 03526fc600
6 changed files with 22 additions and 21 deletions


@@ -24,14 +24,14 @@ echo -e "$OKGREEN + -- --=[This script will install or upgrade your Sn1per insta
read answer
echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
apt-get install unicornscan waffit host whois arachni theHarvester dnsenum dirb dnsrecon curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb python nbtscan sslscan amap
apt-get install cutycapt unicornscan waffit host whois arachni theHarvester dnsenum dirb dnsrecon curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb python nbtscan sslscan amap
echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
gem install rake
gem install ruby-nmap net-http-persistent mechanize text-table
echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
rm -Rf Findsploit/ Brutex/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/
rm -Rf Findsploit/ Brutex/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
git clone https://github.com/1N3/Findsploit.git
@@ -43,6 +43,7 @@ git clone https://github.com/1N3/SuperMicro-Password-Scanner
git clone https://github.com/Dionach/CMSmap.git
git clone https://github.com/0xsauby/yasuo.git
git clone https://github.com/johndekroon/serializekiller.git
git clone https://github.com/aboul3la/Sublist3r.git
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
mkdir loot 2> /dev/null
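Review bot: The added `git clone https://github.com/aboul3la/Sublist3r.git` in the second hunk, like the clones around it, checks out whatever the remote's default branch points to at install time with no commit pin or integrity check, and the tool later executes that code (the sniper script runs `python Sublist3r/sublist3r.py`), so every extension is an unreviewed supply-chain dependency fetched while this installer presumably runs as root for `apt-get`. Pinning each clone to a reviewed revision, e.g. `git clone https://github.com/aboul3la/Sublist3r.git && git -C Sublist3r checkout <PINNED_COMMIT>`, would make the install reproducible; and if Sublist3r has Python dependencies of its own, nothing here installs them, which the `2>/dev/null` on its later invocation would hide. In the first hunk the new `apt-get install` line still has no `-y` and no exit-status check, so an interactive prompt or a failed install goes unnoticed before the clones run, and the package list repeats `arachni`, `theHarvester`/`theharvester`, `dnsenum` and `nbtscan`.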


@@ -25,6 +25,7 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
# ./sniper <target> <report>
# ./sniper <target> stealth <report>
# ./sniper <target> port <portnum>
# ./sniper <target> web
# ./sniper <target> nobrute <report>
# ./sniper <targets.txt> airstrike <report>
# ./sniper <targets.txt> nuke <report>
@@ -34,6 +35,7 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
* REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
* STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
* PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
* WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
* NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.
* AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
* NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
@@ -44,6 +46,10 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc
```
## CHANGELOG:
* v1.6a - Added improvements to recon phase
* v1.6a - Fixed small issue with 3rd party extension
* v1.6a - Various improvements to overall optimization of scans
* v1.6a - Added new "web" mode for full web application scans
* v1.6 - Added 4 new modes including: stealth, port, airstrike and nuke
* v1.6 - Added Java de-serialization scanner
* v1.6 - Added reporting option to output to console and text file for all scans
@@ -84,4 +90,4 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc
## FUTURE:
* Add in OpenVAS integration
* Look into HTML reporting or text based output options to save scan data
* Look into HTML reporting options


@@ -1,6 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.01 scan initiated Sat Feb 20 08:17:59 2016 as: nmap -sS -sV -T4 -A -O -p 1-65535 -&#45;open -oX loot/nmap-192.168.1.1.xml 192.168.1.1 -->
<nmaprun scanner="nmap" args="nmap -sS -sV -T4 -A -O -p 1-65535 -&#45;open -oX loot/nmap-192.168.1.1.xml 192.168.1.1" start="1455974279" startstr="Sat Feb 20 08:17:59 2016" version="7.01" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>


@@ -1,6 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.01 scan initiated Sat Feb 20 08:45:31 2016 as: nmap -sS -sV -T4 -A -O -p 1-65535 -&#45;open -oX loot/nmap-bugcrowd.com.xml bugcrowd.com -->
<nmaprun scanner="nmap" args="nmap -sS -sV -T4 -A -O -p 1-65535 -&#45;open -oX loot/nmap-bugcrowd.com.xml bugcrowd.com" start="1455975931" startstr="Sat Feb 20 08:45:31 2016" version="7.01" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>


@@ -1,6 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.01 scan initiated Sat Feb 20 08:18:44 2016 as: nmap -sS -sV -T4 -A -O -p 1-65535 -&#45;open -oX loot/nmap-crowdshield.com.xml crowdshield.com -->
<nmaprun scanner="nmap" args="nmap -sS -sV -T4 -A -O -p 1-65535 -&#45;open -oX loot/nmap-crowdshield.com.xml crowdshield.com" start="1455974324" startstr="Sat Feb 20 08:18:44 2016" version="7.01" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>

12
sniper

@@ -138,6 +138,7 @@ if [ "$MODE" = "stealth" ]; then
dnsrecon -d $TARGET -t axfr
dnsenum $TARGET -f BruteX/wordlists/namelist.txt
mv -f *_ips.txt loot/ 2>/dev/null
python Sublist3r/sublist3r.py -d $TARGET -b -t 30 2>/dev/null
fi
echo ""
echo -e "$OKGREEN################################### Running passive scans #########################$RESET"
@@ -146,6 +147,7 @@ if [ "$MODE" = "stealth" ]; then
whatweb http://$TARGET
xsstracer $TARGET 80
sslscan --no-failed $TARGET
cutycapt --url=http://$TARGET --out=loot/$TARGET-port80.jpg
exit
fi
@@ -203,6 +205,7 @@ if [ "$MODE" = "airstrike" ]; then
dnsrecon -d $a -t axfr
dnsenum $a -f BruteX/wordlists/namelist.txt
mv -f *_ips.txt loot/ 2>/dev/null
python Sublist3r/sublist3r.py -d $TARGET -b -t 30 2>/dev/null
fi
echo ""
echo -e "$OKGREEN################################### Running passive scans #########################$RESET"
@@ -211,6 +214,7 @@ if [ "$MODE" = "airstrike" ]; then
whatweb http://$a
xsstracer $a 80
sslscan --no-failed $a
cutycapt --url=http://$TARGET --out=loot/$TARGET-port80.jpg
done;
exit
fi
@@ -280,6 +284,7 @@ then
dnsrecon -d $TARGET -t axfr
dnsenum $TARGET -f BruteX/wordlists/namelist.txt
mv -f *_ips.txt loot/ 2>/dev/null
python Sublist3r/sublist3r.py -d $TARGET -b -t 30 2>/dev/null
fi
echo ""
echo -e "$OKGREEN################################### Pinging host ###################################$RESET"
@@ -460,6 +465,7 @@ else
echo -e "$RESET"
nikto -h http://$TARGET
cutycapt --url=http://$TARGET --out=loot/$TARGET-port80.jpg
if [ "$MODE" = "web" ]
then
@@ -601,6 +607,7 @@ else
echo ""
echo -e "$RESET"
nikto -h https://$TARGET
cutycapt --url=https://$TARGET --out=loot/$TARGET-port443.jpg
if [ "$MODE" = "web" ]
then
@@ -761,6 +768,7 @@ else
./massbleed $TARGET port 8000
cd ..
nikto -h http://$TARGET:8000
cutycapt --url=http://$TARGET:8000 --out=loot/$TARGET-port8000.jpg
#arachni http://$TARGET:8000 --output-only-positives
fi
@@ -779,6 +787,7 @@ else
./massbleed $TARGET port 8100
cd ..
nikto -h http://$TARGET:8100
cutycapt --url=http://$TARGET:8100 --out=loot/$TARGET-port8100.jpg
#arachni http://$TARGET:8100 --output-only-positives
fi
@@ -797,6 +806,7 @@ else
./massbleed $TARGET port 8080
cd ..
nikto -h http://$TARGET:8080
cutycapt --url=http://$TARGET:8080 --out=loot/$TARGET-port8080.jpg
nmap -p 8080 --script=*proxy* $TARGET
#arachni http://$TARGET:8080 --output-only-positives
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -817,6 +827,7 @@ else
./massbleed $TARGET port 8180
cd ..
nikto -h http://$TARGET:8180
cutycapt --url=http://$TARGET:8180 --out=loot/$TARGET-port8180.jpg
nmap -p 8180 --script=*proxy* $TARGET
#arachni http://$TARGET:8180 --output-only-positives
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -837,6 +848,7 @@ else
./massbleed $TARGET port 8443
cd ..
nikto -h https://$TARGET:8443
cutycapt --url=https://$TARGET:8443 --out=loot/$TARGET-port8443.jpg
nmap -p 8443 --script=*proxy* $TARGET
#arachni https://$TARGET:8443 --output-only-positives
fi
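Review bot: In the two airstrike hunks (`@@ -203,6 +205,7 @@` and `@@ -211,6 +214,7 @@`) the added lines use `$TARGET` while the surrounding loop body uses `$a` (`dnsrecon -d $a`, `whatweb http://$a`); in airstrike mode `$TARGET` is presumably the targets file path per the README, so Sublist3r is queried for the wrong name and the screenshot is written to the same `loot/<path>-port80.jpg` for every host instead of one per host. Change them to `python Sublist3r/sublist3r.py -d $a -b -t 30 2>/dev/null` and `cutycapt --url=http://$a --out=loot/$a-port80.jpg`. The `2>/dev/null` on every new Sublist3r call also hides a missing interpreter or missing Python dependency, so a broken install looks like "no subdomains found" — redirecting stderr into a log under `loot/` would keep that visible. If `-b` is Sublist3r's brute-force switch, running it with 30 threads inside the stealth branch (`@@ -138,6 +138,7 @@`) contradicts the README's description of that mode as mostly non-intrusive; the enclosing if-blocks and loop all begin before their hunks.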