From eed2af8a0b57215e98795e68e4dda4aed7f434fc Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 4 Jul 2016 17:24:34 -0700
Subject: [PATCH] Sn1per by 1N3 @CrowdShield
---
 README.md | 5 +++++
 install.sh | 2 +-
 sniper | 38 +++++++++++++++++++++++++++-----------
 3 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index a2777d5..46f7ee2 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
 * Automatically launches Google hacking queries against a target domain
 * Automatically enumerates open ports
 * Automatically brute forces sub-domains and DNS info
+* Automatically checks for sub-domain hijacking
 * Automatically runs targeted NMap scripts against open ports
 * Automatically runs targeted Metasploit scan and exploit modules
 * Automatically scans all web applications for common vulnerabilities
@@ -50,6 +51,10 @@
 https://gist.github.com/1N3/8214ec2da2c91691bcbc
 ```
 ## CHANGELOG:
+* v1.8 - Added sub-domain hijack scans for all sub-domains
+* v1.8 - Added auto explort of all sub-domains to /domains directory
+* v1.8 - Added additional stealth and airstrike checks for port 80 and 443
+* v1.8 - Fixed issue with theHarvester not working with google
 * v1.7g - Added email security/spoofing checks
 * v1.7f - Added Zenmap XML auto-imports
 * v1.7f - Added ClamAV RCE Nmap script
diff --git a/install.sh b/install.sh
index 226b90e..9c68c71 100644
--- a/install.sh
+++ b/install.sh
@@ -24,7 +24,7 @@ echo -e "$OKGREEN + -- --=[This script will install or upgrade your Sn1per insta
 read answer
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
-apt-get install zenmap sslyze joomscan uniscan xprobe2 cutycapt unicornscan waffit host whois arachni theharvester dnsenum dirb dnsrecon curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb python nbtscan sslscan amap
+apt-get install dos2unix zenmap sslyze joomscan uniscan xprobe2 cutycapt unicornscan waffit host whois arachni theharvester dnsenum dirb dnsrecon curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb python nbtscan sslscan amap
 pip install dnspython colorama tldextract
 echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
diff --git a/sniper b/sniper
index 46cbe2d..518d454 100644
--- a/sniper
+++ b/sniper
@@ -1,5 +1,5 @@
 #!/bin/bash
-# + -- --=[Sn1per v1.7 by 1N3
+# + -- --=[Sn1per v1.8 by 1N3
 # + -- --=[http://crowdshield.com
 #
 # Sn1per - Automated Pentest Recon Tool
@@ -9,6 +9,7 @@
 # - Automatically collects Google hacking recon info
 # - Automatically run port scans
 # - Automatically brute force sub-domains via DNS
+# - Automatically checks for sub-domain hijacking
 # - Automatically run targeted nmap scripts against open ports
 # - Automatically scans all web applications
 # - Automatically brute forces all open services
@@ -68,7 +69,7 @@ if [ -z $TARGET ]; then
 echo -e "$OKRED /_/ $RESET"
 echo -e ""
 echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
-echo -e "$OKORANGE + -- --=[sn1per v1.7 by 1N3$RESET"
+echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3$RESET"
 echo -e "$OKORANGE + -- --=[Usage: sn1per $RESET"
 echo ""
 exit
@@ -176,7 +177,7 @@ if [ "$MODE" = "stealth" ]; then
 echo -e "$OKRED /_/ $RESET"
 echo -e "$RESET"
 echo -e "$OKORANGE + -- --=[http://crowdshield.com"
-echo -e "$OKORANGE + -- --=[sn1per v1.7 by 1N3"
+echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3"
 echo -e "$OKRED "
 echo -e "$OKRED ./\."
 echo -e "$OKRED ./ '\."
@@ -216,13 +217,16 @@ if [ "$MODE" = "stealth" ]; then
 echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
 whois $TARGET
 echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
-theharvester -d $TARGET -l 100 -b all 2> /dev/null
+theharvester -d $TARGET -l 100 -b bing 2> /dev/null
 echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 dig -x $TARGET
 dnsenum $TARGET
 mv -f *_ips.txt loot/ 2>/dev/null
 echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
-python Sublist3r/sublist3r.py -d $TARGET -vvv 2>/dev/null
+python Sublist3r/sublist3r.py -d $TARGET -vvv -o loot/domains/domains-$TARGET.txt 2>/dev/null
+dos2unix loot/domains/domains-$TARGET.txt 2>/dev/null
+echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
+for a in `cat loot/domains/domains-$TARGET.txt`; do dig $a CNAME | egrep -i "heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr" 2>/dev/null; done;
 echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
 python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
 fi
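Review bot: The sub-domain hijack loop added after the `dos2unix` line greps the provider list against the whole `dig` output, and the QUESTION section of that output echoes the queried name, so a sub-domain whose own label contains `desk`, `github`, `shopify` or another listed word is reported whatever its CNAME is; `dig +short $a CNAME | egrep -i '…'` confines the match to the answer data. Even then a CNAME pointing at one of these providers is only a candidate, not a confirmed takeover, so the banner would be more accurate as `=[Checking for possible Sub-Domain Hijacking (verify manually)]=` and a one-line comment above the loop stating that the output is a candidate list is worth adding. The same loop is copied into the airstrike hunk at `@@ -307,13` and the normal-mode hunk at `@@ -424,13`, with single quotes around the pattern there and double quotes here; a function taking the domain file as `$1` would keep the provider list and its quoting in one place. Nothing in this hunk creates `loot/domains/`; if it is not created earlier in the script (outside this hunk) the Sublist3r `-o` write and the following `cat` both fail silently behind `2>/dev/null`, so `mkdir -p loot/domains` before the Sublist3r line would be safer.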
@@ -233,9 +237,12 @@ if [ "$MODE" = "stealth" ]; then
 nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
 echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 wafw00f http://$TARGET
+wafw00f https://$TARGET
 echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 whatweb http://$TARGET
+whatweb https://$TARGET
 xsstracer $TARGET 80
+xsstracer $TARGET 443
 echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
 sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
 sslscan --no-failed $TARGET
@@ -262,7 +269,7 @@ if [ "$MODE" = "airstrike" ]; then
 echo -e "$OKRED /_/ $RESET"
 echo -e "$RESET"
 echo -e "$OKORANGE + -- --=[http://crowdshield.com"
-echo -e "$OKORANGE + -- --=[sn1per v1.7 by 1N3"
+echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3"
 for a in `cat $TARGET`; do
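Review bot: The new `wafw00f https://$TARGET`, `whatweb https://$TARGET` and `xsstracer $TARGET 443` lines run unconditionally, and the only scan visible in this hunk is the UDP `nmap -p U:…` line, so nothing here establishes that 443 is open; when it is closed each tool presumably waits out its own connect timeout before the SSL/TLS section starts. Gating the three on a TCP check of 443 (or on the result of an earlier TCP scan, if one runs outside this hunk) would keep the stealth run shorter and the report free of connection-refused noise. The airstrike hunk at `@@ -324,9` adds the same three lines for `$a`.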
@@ -307,13 +314,16 @@ if [ "$MODE" = "airstrike" ]; then
 echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
 whois $a
 echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
-theharvester -d $a -l 100 -b all 2> /dev/null
+theharvester -d $a -l 100 -b bing 2> /dev/null
 echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 dig -x $a
 dnsenum $a
 mv -f *_ips.txt loot/ 2>/dev/null
 echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
-python Sublist3r/sublist3r.py -d $a -vvv 2>/dev/null
+python Sublist3r/sublist3r.py -d $a -vvv -o loot/domains/domains-$a.txt 2>/dev/null
+dos2unix loot/domains/domains-$a.txt 2>/dev/null
+echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
+for b in `cat loot/domains/domains-$a.txt`; do dig $b CNAME | egrep -i 'heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr' 2>/dev/null; done;
 echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
 python SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
 fi
@@ -324,9 +334,12 @@ if [ "$MODE" = "airstrike" ]; then
 nmap -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a
 echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 wafw00f http://$a
+wafw00f https://$a
 echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 whatweb http://$a
+whatweb https://$a
 xsstracer $a 80
+xsstracer $a 443
 echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
 sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $a
 sslscan --no-failed $a
@@ -412,7 +425,7 @@ echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
 echo -e "$OKRED /_/ $RESET"
 echo -e "$RESET"
 echo -e "$OKORANGE + -- --=[http://crowdshield.com"
-echo -e "$OKORANGE + -- --=[sn1per v1.7 by 1N3"
+echo -e "$OKORANGE + -- --=[sn1per v1.8 by 1N3"
 echo -e "$RESET"
 echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
 nslookup $TARGET
@@ -424,13 +437,16 @@ then
 echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
 whois $TARGET
 echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
-theharvester -d $TARGET -l 100 -b all 2> /dev/null
+theharvester -d $TARGET -l 100 -b bing 2> /dev/null
 echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 dig -x $TARGET
 dnsenum $TARGET
 mv -f *_ips.txt loot/ 2>/dev/null
 echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
-python Sublist3r/sublist3r.py -d $TARGET -vvv 2>/dev/null
+python Sublist3r/sublist3r.py -d $TARGET -vvv -o loot/domains/domains-$TARGET.txt 2>/dev/null
+dos2unix loot/domains/domains-$TARGET.txt 2>/dev/null
+echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
+for a in `cat loot/domains/domains-$TARGET.txt`; do dig $a CNAME | egrep -i 'heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr' 2>/dev/null; done;
 echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
 python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
 fi