Sn1per by 1N3@CrowdShield

CHANGELOG.md

@@ -1,4 +1,30 @@
 ## CHANGELOG:
+* v3.0 - Improved performance of various sniper modes
+* v3.0 - Added Aquatone domain flyover tool
+* v3.0 - Added slurp S3 public AWS scanner
+* v3.0 - Updated Sub-domain hijacking site list
+* v3.0 - Changed look and feel of console output to help readability
+* v3.0 - Added online/offline check to implement changes to scans when in online vs. offline mode
+* v2.9 - New improved fullportonly scan mode
+* v2.9 - Added online check to see if there's an active internet connection
+* v2.9 - Changed default browser to firefox to clear up errors in loot commmand
+* v2.9 - Created uninstall.sh script to uninstall sniper
+* v2.9 - Removed automatic workspace creation per scan
+* v2.9 - Added curl timeout in update command to fix lag
+* v2.9 - Fixed minor NMap UDP scan flag issue
+* v2.9 - Added Metagoofil
+* v2.9 - Updated theharvester scan options to include more results
+* v2.8 - Improved discovery mode scan performance and output
+* v2.8 - Improved fullportonly scan performance
+* v2.8 - Improved startup performance options
+* v2.8 - Added Cansina web/file brute force tool
+* v2.8 - Added webporthttp and webporthttps modes
+* v2.8 - Added custerd software enumeration tool
+* v2.7 - Fixed issue with sniper update command and install.sh not running
+* v2.7 - Fixed errors with GooHak
+* v2.7 - Fixed syntax errors in sniper conditional statements 
+* v2.7 - Added CloudFail 
+* v2.7 - Fixed issue with [: ==: unary operator expected errors
 * v2.6 - Added Blackarch Linux support 
 * v2.6 - Added $BROWSER variable to set default browser
 * v2.5g - Updated README with update command
@@ -167,10 +193,3 @@
 * v1.4 - Added Breach-Miner for detection of breached accounts
 * v1.4 - Fixed minor errors with nmap
 * v1.4 - Removed debug output from goohak from displaying on console
-
-## FUTURE:
-* Add auto logging and reporting to all scans
-* Add HTML reporting for scans
-* Add automated Wireless attacks to Sn1per
-* Add automated MITM attacks to Sn1per
-* Add web mode port option for customized web scans

LICENSE.md

@@ -0,0 +1,2 @@
+## LICENSE:
+This software is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial use.

README.md

@@ -1,4 +1,4 @@
-![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.jpg)
+![alt tag](https://github.com/1N3/Sn1per/blob/master/sn1per-logo.png)
 
 ## ABOUT:
 Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. 
@@ -7,29 +7,29 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
 [![Sn1per Demo](https://img.youtube.com/vi/nA_V_u3QZA4/0.jpg)](https://www.youtube.com/watch?v=nA_V_u3QZA4)
 
 ## FEATURES:
-* Automatically collects basic recon (ie. whois, ping, DNS, etc.)
+- [x] Automatically collects basic recon (ie. whois, ping, DNS, etc.)
-* Automatically launches Google hacking queries against a target domain
+- [x] Automatically launches Google hacking queries against a target domain
-* Automatically enumerates open ports via NMap port scanning
+- [x] Automatically enumerates open ports via NMap port scanning
-* Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
+- [x] Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
-* Automatically checks for sub-domain hijacking
+- [x] Automatically checks for sub-domain hijacking
-* Automatically runs targeted NMap scripts against open ports
+- [x] Automatically runs targeted NMap scripts against open ports
-* Automatically runs targeted Metasploit scan and exploit modules
+- [x] Automatically runs targeted Metasploit scan and exploit modules
-* Automatically scans all web applications for common vulnerabilities
+- [x] Automatically scans all web applications for common vulnerabilities
-* Automatically brute forces ALL open services
+- [x] Automatically brute forces ALL open services
-* Automatically test for anonymous FTP access
+- [x] Automatically test for anonymous FTP access
-* Automatically runs WPScan, Arachni and Nikto for all web services
+- [x] Automatically runs WPScan, Arachni and Nikto for all web services
-* Automatically enumerates NFS shares
+- [x] Automatically enumerates NFS shares
-* Automatically test for anonymous LDAP access
+- [x] Automatically test for anonymous LDAP access
-* Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
+- [x] Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
-* Automatically enumerate SNMP community strings, services and users
+- [x] Automatically enumerate SNMP community strings, services and users
-* Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
+- [x] Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
-* Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
+- [x] Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
-* Automatically tests for open X11 servers
+- [x] Automatically tests for open X11 servers
-* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
+- [x] Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
-* Performs high level enumeration of multiple hosts and subnets
+- [x] Performs high level enumeration of multiple hosts and subnets
-* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
+- [x] Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
-* Automatically gathers screenshots of all web sites
+- [x] Automatically gathers screenshots of all web sites
-* Create individual workspaces to store all scan output
+- [x] Create individual workspaces to store all scan output
 
 ## KALI LINUX INSTALL:
 ```
@@ -58,6 +58,8 @@ sniper <CIDR> discover
 sniper <target> port <portnum> 
 sniper <target> fullportonly <portnum>
 sniper <target> web <report>
+sniper <target> webporthttp <port>
+sniper <target> webporthttps <port>
 sniper <target> nobrute <report>
 sniper <targets.txt> airstrike <report>
 sniper <targets.txt> nuke <report>
@@ -72,6 +74,8 @@ sniper update
 * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
 * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
 * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.   
+* **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.
+* **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.
 * **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
 * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
 * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. 
@@ -81,3 +85,13 @@ sniper update
 ## SAMPLE REPORT:
 https://gist.github.com/1N3/8214ec2da2c91691bcbc
 
+## LICENSE:
+This software is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial use.
+
+## DONATIONS:
+Donations are welcome. This will help fascilitate improved features, frequent updates and better overall support for sniper.
+- [x] BTC 1Fav36btfmdrYpCAR65XjKHhxuJJwFyKum
+- [x] ETH 0x20bB09273702eaBDFbEE9809473Fd04b969a794d
+- [x] LTC LQ6mPewec3xeLBYMdRP4yzeta6b9urqs2f
+- [x] XMR 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbS3EN24xprAQ1Z5Sy5s
+- [x] ZCASH t1fsizsk2cqqJAjRoUmXJSyoVa9utYucXt7

TODO.md

@@ -1,7 +1,19 @@
 ###TODO:
 
-* Add web port scans for directed web scans
+* Implement a module system for running specific commands/modules
+* Add checks to make sure all commands exist at startup. If not, refer to installer. 
+* Add command line parsing of options/modes
+
+sniper --target crowdshield.com --workspace crowdshield.com --report --bruteforce --web --recon --portscan
+sniper --target crowdshield.com --kalionly --offline --webportonly 443
+
+* Create a sniper-kali release to only use base Kali image toolsets
+* Check if there's an active internet connection, if not, run offline mode
+* Add automatic reporting and workspace creation for all scans by default
 * Add proxy support for all scans
-* Add various modes (airstrike,nuke,web,etc.) for discovery scans
+* Create uninstall.sh script
-* Add automatic reporting for all scans by default
+* Add AWS security checks
-* Add reporting for discover mode
+* Look into adding aquatone
+* Look into adding gobuster
+* Update subdomain list with aquatone list
+* Increase thread count for file/dir brute force

install.sh

@@ -32,20 +32,22 @@ mkdir $LOOT_DIR/screenshots 2> /dev/null
 mkdir $LOOT_DIR/nmap 2> /dev/null
 mkdir $LOOT_DIR/reports 2> /dev/null
 mkdir $LOOT_DIR/output 2> /dev/null
-cp -Rf $PWD/* $INSTALL_DIR 
+mkdir $LOOT_DIR/osint 2> /dev/null
+cp -Rf $PWD/* $INSTALL_DIR 2> /dev/null
 cd $INSTALL_DIR
 
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
-apt-get install ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
+apt-get install xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
-pip install dnspython colorama tldextract urllib3 ipaddress
+pip install dnspython colorama tldextract urllib3 ipaddress requests
 
 echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
+gem install aquatone
 gem install rake
 gem install ruby-nmap net-http-persistent mechanize text-table
 
 echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
 rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
-mkdir $PLUGINS_DIR
+mkdir $PLUGINS_DIR 2> /dev/null
 cd $PLUGINS_DIR
 mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
 
@@ -64,10 +66,18 @@ git clone https://github.com/nccgroup/shocker.git
 git clone --depth 1 https://github.com/drwetter/testssl.sh.git 
 git clone https://github.com/lunarca/SimpleEmailSpoofer 
 git clone https://github.com/arthepsy/ssh-audit 
+git clone https://github.com/m0rtem/CloudFail.git
+git clone https://github.com/deibit/cansina
+wget https://github.com/bbb31/slurp/releases/download/1.3/slurp.zip
+unzip slurp.zip
+rm -f slurp.zip
+wget https://github.com/michenriksen/aquatone/blob/master/subdomains.lst -O /usr/share/sniper/plugins/Sublist3r/subdomains.lst
+wget https://raw.githubusercontent.com/1N3/IntruderPayloads/master/FuzzLists/dirbuster-quick.txt -O /usr/share/sniper/plugins/cansina/dirbuster-quick.txt
 wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
 wget https://raw.githubusercontent.com/xorrbit/nmap/865142904566e416944ebd6870d496c730934965/scripts/http-vuln-INTEL-SA-00075.nse -O /usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse
-cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse
+cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse 2> /dev/null
 echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
+cd $PLUGINS_DIR/CloudFail/ && apt-get install python3-pip && pip3 install -r requirements.txt
 cd $PLUGINS_DIR/Findsploit/ && bash install.sh
 cd $PLUGINS_DIR/BruteX/ && bash install.sh
 cd $INSTALL_DIR 

uninstall.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Uninstall script for sn1per
+#
+# VARS
+OKBLUE='\033[94m'
+OKRED='\033[91m'
+OKGREEN='\033[92m'
+OKORANGE='\033[93m'
+RESET='\e[0m'
+
+echo -e "$OKRED                ____               $RESET"
+echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
+echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
+echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
+echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
+echo -e "$OKRED               /_/                 $RESET"
+echo -e "$RESET"
+echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
+echo ""
+
+INSTALL_DIR=/usr/share/sniper
+
+echo -e "$OKGREEN + -- --=[This script will uninstall sniper and remove ALL files under $INSTALL_DIR. Are you sure you want to continue?$RESET"
+read answer 
+
+rm -Rf /usr/share/sniper/
+rm -f /usr/bin/sniper
+
+echo -e "$OKORANGE + -- --=[Done!$RESET"
+echo -e "$OKORANGE + -- --=[To run, type 'sniper'! $RESET"