def brutespray(self):
    """Run the brutespray plugin against the nmap XML in the vulnscan folder.

    Input is $WORKSPACE/vulnscan/$TARGET-nmap.xml, results go under
    $WORKSPACE/bruteforce/$OUTPUT/, and that directory is then passed to
    utils.check_output.  Every ``$NAME`` token is expanded from
    self.options by utils.replace_argument before the command runs.
    """
    utils.print_good('Starting brutespray')
    template = 'python $PLUGINS_PATH/brutespray/brutespray.py --file $WORKSPACE/vulnscan/$TARGET-nmap.xml --threads 5 --hosts 5 -o $WORKSPACE/bruteforce/$OUTPUT/'
    # NOTE(review): option values are spliced into a command string that
    # execute.run executes; confirm $TARGET/$OUTPUT are sanitised upstream
    # so shell metacharacters in them cannot alter the command.
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/bruteforce/$OUTPUT/')
def subjack(self):
    """Run subjack over the final subdomain list.

    Reads $WORKSPACE/subdomain/final-$TARGET.txt and writes
    $WORKSPACE/subdomain/takeover-$TARGET-subjack.txt.  Unlike most
    siblings this wrapper does not call utils.check_output afterwards;
    it only prints a blank separator line.
    """
    utils.print_good('Starting subjack')
    template = '$GO_PATH/subjack -w $WORKSPACE/subdomain/final-$TARGET.txt -t 100 -timeout 30 -o $WORKSPACE/subdomain/takeover-$TARGET-subjack.txt -ssl'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    print()
def truffleHog(self):
    """Run trufflehog on $TARGET and tee its output into the gitscan folder.

    Output file: $WORKSPACE/gitscan/$TARGET-trufflehog.txt, which is then
    handed to utils.check_output.
    """
    utils.print_good('Starting truffleHog')
    # The pipe into tee means execute.run must be going through a shell;
    # $TARGET is inserted verbatim, so it has to be a trusted/sanitised value.
    template = 'trufflehog --regex --entropy=True $TARGET | tee $WORKSPACE/gitscan/$TARGET-trufflehog.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/gitscan/$TARGET-trufflehog.txt')
def subover(self):
    """Run SubOver over the final subdomain list, teeing results to a file.

    Input: $WORKSPACE/subdomain/final-$TARGET.txt.
    Output: $WORKSPACE/subdomain/takeover-$TARGET-subover.txt.
    No utils.check_output call follows; a blank line is printed instead.
    """
    utils.print_good('Starting SubOver')
    template = '$PLUGINS_PATH/SubOver/SubOver -l $WORKSPACE/subdomain/final-$TARGET.txt -v -t 100 | tee $WORKSPACE/subdomain/takeover-$TARGET-subover.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    print()
def testssl(self):
    """Run testssl.sh against $TARGET and log to the ssl folder.

    The logfile $WORKSPACE/ssl/$TARGET-testssl.txt is passed to
    utils.check_output after the run.  $TARGET is inserted verbatim into
    the command string, so it must already be a clean host value.
    """
    utils.print_good('Starting testssl')
    template = 'bash $PLUGINS_PATH/testssl.sh/testssl.sh --parallel --logfile $WORKSPACE/ssl/$TARGET-testssl.txt $TARGET'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/ssl/$TARGET-testssl.txt')
def create_html(self):
    """Render the nmap XML report to HTML with xsltproc.

    Input:  $WORKSPACE/vulnscan/$OUTPUT-nmap.xml
    Output: $WORKSPACE/vulnscan/$OUTPUT.html
    """
    utils.print_good('Create beautify HTML report')
    template = 'xsltproc -o $WORKSPACE/vulnscan/$OUTPUT.html $PLUGINS_PATH/nmap-bootstrap.xsl $WORKSPACE/vulnscan/$OUTPUT-nmap.xml'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    # NOTE(review): xsltproc writes $OUTPUT.html but the check below looks
    # for $TARGET.html; this only works if $OUTPUT and $TARGET expand to
    # the same value — confirm, or align the two paths.
    utils.check_output(self.options, '$WORKSPACE/vulnscan/$TARGET.html')
def create_ip_result(self):
    """Resolve the discovered hosts via massdns PTR lookups.

    Pipes ptr.py output into massdns (PTR queries, resolvers from the
    plugin's list) and writes $WORKSPACE/subdomain/final-IP-$OUTPUT.txt,
    which is then checked with utils.check_output.  This variant prints
    no "Execute:" line before running.
    """
    utils.print_good('Create IP for list of domain result')
    template = '$PLUGINS_PATH/massdns/scripts/ptr.py | $PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -q -t PTR -w $WORKSPACE/subdomain/final-IP-$OUTPUT.txt'
    execute.run(utils.replace_argument(self.options, template))
    utils.check_output(self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
def nmap_vuln(self):
    """Run the nmap service/vulners scan against $STRIP_TARGET.

    Output is written with --oA to $WORKSPACE/vulnscan/$OUTPUT-nmap (nmap
    produces .nmap/.gnmap/.xml beside that prefix).
    """
    utils.print_good('Starting nmap vulnerable scan')
    template = 'nmap -T4 -Pn -n -sSV -p- $STRIP_TARGET --script vulners --oA $WORKSPACE/vulnscan/$OUTPUT-nmap'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    # NOTE(review): the scan writes under the $OUTPUT prefix but the check
    # reads $TARGET-nmap.xml — only consistent if both expand identically.
    utils.check_output(self.options, '$WORKSPACE/vulnscan/$TARGET-nmap.xml')
def amass(self):
    """Run amass for $TARGET and tee the result into the subdomain folder.

    Output file: $WORKSPACE/subdomain/$OUTPUT-amass.txt (also checked).
    """
    utils.print_good('Starting amass')
    template = '$GO_PATH/amass -active -d $TARGET |tee $WORKSPACE/subdomain/$OUTPUT-amass.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-amass.txt')
def masscan(self):
    """Run masscan (via sudo) over the resolved IP list.

    Input: $WORKSPACE/subdomain/final-IP-$OUTPUT.txt.
    Outputs: $WORKSPACE/portscan/$OUTPUT-masscan.gnmap and .xml.
    The rate and port range are hard-coded; masscan needs root, hence sudo.
    No utils.check_output call follows.
    """
    utils.print_good('Starting masscan')
    template = 'sudo masscan --rate 10000 -p0-65535 -iL $WORKSPACE/subdomain/final-IP-$OUTPUT.txt -oG $WORKSPACE/portscan/$OUTPUT-masscan.gnmap -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    print()
def eyewitness_common(self):
    """Screenshot the web services listed in IP-$TARGET.txt with EyeWitness.

    Input: $WORKSPACE/subdomain/IP-$TARGET.txt; screenshots are written
    under $WORKSPACE/screenshot/.  No utils.check_output call follows.
    """
    utils.print_good('Starting EyeWitness for web')
    template = 'python $PLUGINS_PATH/EyeWitness/EyeWitness.py -f $WORKSPACE/subdomain/IP-$TARGET.txt --web --prepend-https --threads 20 -d $WORKSPACE/screenshot/'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    print()
def subfinder(self):
    """Run subfinder for $TARGET.

    Output file: $WORKSPACE/subdomain/$OUTPUT-subfinder.txt (also checked).
    """
    utils.print_good('Starting subfinder')
    template = '$GO_PATH/subfinder -d $TARGET -b -t 100 -o $WORKSPACE/subdomain/$OUTPUT-subfinder.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-subfinder.txt')
def unique_result(self):
    """Merge all $OUTPUT-*.txt subdomain files into one lower-cased, unique list.

    The shell pipeline appends (``>>``) to
    $WORKSPACE/subdomain/final-$OUTPUT.txt, so running it twice will
    duplicate entries in the final file.
    """
    utils.print_good('Unique result')
    # NOTE(review): '$0' here belongs to awk, not to the option expander —
    # confirm utils.replace_argument leaves it untouched.
    template = "cat $WORKSPACE/subdomain/$OUTPUT-*.txt | sort | awk '{print tolower($0)}' | uniq >> $WORKSPACE/subdomain/final-$OUTPUT.txt"
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt')
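def corstest(self):
    """Run CORStest over the final subdomain list and tee results to a file.

    Input: $WORKSPACE/subdomain/final-$OUTPUT.txt.
    Output: $WORKSPACE/cors/$TARGET-corstest.txt (also checked).

    Fix: the start banner previously said "Starting truffleHog" (copy-paste
    from the truffleHog wrapper); it now names this tool.
    """
    utils.print_good('Starting CORStest')
    cmd = '$PLUGINS_PATH/CORStest/corstest.py -q $WORKSPACE/subdomain/final-$OUTPUT.txt | tee $WORKSPACE/cors/$TARGET-corstest.txt'
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)
    utils.check_output(self.options, '$WORKSPACE/cors/$TARGET-corstest.txt')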
def gobuster(self):
    """Run gobuster in DNS mode for $TARGET with the full wordlist.

    Output file: $WORKSPACE/directory/$OUTPUT-gobuster.txt (also checked).
    """
    utils.print_good('Starting gobuster')
    template = '$GO_PATH/gobuster -m dns -np -t 100 -w $PLUGINS_PATH/wordlists/all.txt -u $TARGET -o $WORKSPACE/directory/$OUTPUT-gobuster.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/directory/$OUTPUT-gobuster.txt')
def massdns(self):
    """Pipe subbrute.py candidates for $TARGET into massdns (A records).

    Output file: $WORKSPACE/subdomain/$OUTPUT-massdns.txt.  No
    utils.check_output call follows; a blank line is printed instead.
    """
    utils.print_good('Starting massdns')
    template = '$PLUGINS_PATH/massdns/scripts/subbrute.py $PLUGINS_PATH/massdns/lists/names.txt $TARGET | $PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/$OUTPUT-massdns.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    print()
def aquaton(self):
    """Feed the final subdomain list to aquatone and produce an HTML report.

    Input: $WORKSPACE/subdomain/final-$TARGET.txt.
    Output: $WORKSPACE/screenshot/$OUTPUT-aquatone.html (also checked).
    The method name is spelled "aquaton"; callers depend on it, so it is
    kept as is.
    """
    utils.print_good('Starting aquatone')
    template = 'cat $WORKSPACE/subdomain/final-$TARGET.txt | $GO_PATH/aquatone -threads 20 -out $WORKSPACE/screenshot/$OUTPUT-aquatone.html'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/screenshot/$OUTPUT-aquatone.html')
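def direct_masscan(self):
    """Resolve STRIP_TARGET and run a full-port nmap SYN scan on that IP.

    Despite the name and banner, this variant runs ``nmap`` (via sudo), not
    masscan.  The resolved IPv4 address is formatted into the command before
    the remaining ``$`` tokens are expanded.  Outputs:
    $WORKSPACE/portscan/$OUTPUT-nmap.gnmap and .xml.

    Fix: an unresolvable target used to escape as socket.gaierror; it is
    now reported with utils.print_bad and the method returns without
    launching the scan.
    """
    utils.print_good('Starting masscan')
    target = self.options['env']['STRIP_TARGET']
    try:
        ip = socket.gethostbyname(target)
    except (OSError, UnicodeError) as err:
        # gaierror is an OSError subclass; UnicodeError covers bad IDNA labels
        utils.print_bad("Cannot resolve {0}: {1}".format(target, err))
        return
    cmd = 'sudo nmap -sS -T4 -Pn -n -p- {0} -oG $WORKSPACE/portscan/$OUTPUT-nmap.gnmap -oX $WORKSPACE/portscan/$OUTPUT-nmap.xml '.format(ip)
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)
    print()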
def ipOinst(self):
    """Run the IPOsint plugin for $TARGET.

    Output file: $WORKSPACE/ipspace/$OUTPUT-ipspace.txt (also checked).
    """
    utils.print_good('Starting IPOinst')
    template = '$PLUGINS_PATH/IPOsint/ip-osint.py -t $TARGET -o $WORKSPACE/ipspace/$OUTPUT-ipspace.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
    utils.check_output(self.options, '$WORKSPACE/ipspace/$OUTPUT-ipspace.txt')
def create_ip_result(self):
    """Resolve the final subdomain list with massdns and extract the IPs.

    Step 1 writes raw A-record output to
    $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt; step 2 keeps only the
    ' A ' lines, takes the text after the first 'A', strips spaces and
    writes $WORKSPACE/subdomain/final-IP-$OUTPUT.txt, which is checked.
    Neither step prints an "Execute:" line.
    """
    utils.print_good('Create IP for list of domain result')
    resolve_template = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt'
    execute.run(utils.replace_argument(self.options, resolve_template))
    # NOTE(review): cutting on the literal character 'A' assumes no record
    # name contains an upper-case 'A' before the type column — verify
    # against real massdns output.
    extract_template = '''cat $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt | grep -e ' A ' | cut -d 'A' -f 2 | tr -d ' ' > $WORKSPACE/subdomain/final-IP-$OUTPUT.txt'''
    execute.run(utils.replace_argument(self.options, extract_template))
    utils.check_output(self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
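def masscan(self):
    """Run masscan (via sudo) in the mode selected by self.options['speed'].

    'slow'  scans every IP in $WORKSPACE/subdomain/final-IP-$OUTPUT.txt.
    'quick' scans only the single $IP target.
    Outputs: $WORKSPACE/portscan/$OUTPUT-masscan.gnmap and .xml; the .xml
    is checked afterwards.

    Fix: any other speed value used to raise UnboundLocalError on ``cmd``;
    it is now reported with utils.print_bad and the method returns.
    """
    utils.print_good('Starting masscan')
    speed = self.options['speed']
    if speed == 'slow':
        cmd = 'sudo masscan --rate 10000 -p0-65535 -iL $WORKSPACE/subdomain/final-IP-$OUTPUT.txt -oG $WORKSPACE/portscan/$OUTPUT-masscan.gnmap -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0'
    elif speed == 'quick':
        utils.print_good("Only scan for single target in quick speed")
        cmd = 'sudo masscan --rate 10000 -p0-65535 $IP -oG $WORKSPACE/portscan/$OUTPUT-masscan.gnmap -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0'
    else:
        utils.print_bad("Unknown speed '{0}' (expected 'slow' or 'quick')".format(speed))
        return
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)
    utils.check_output(self.options, '$WORKSPACE/portscan/$OUTPUT-masscan.xml')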
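def proxy_parsing(options):
    """Prepare and sanity-check proxychains configuration from *options*.

    Behaviour, in order:
      * ``PROXY_FILE`` set (anything but the string "None"): the user
        supplied their own proxychains config; it is reported and the
        function returns without touching it or testing the proxy.
      * otherwise ``PROXY`` set: the bundled ``<CWD>/core/proxychains.conf``
        is used and ``scheme host port`` for the proxy URL is appended to
        its ``[ProxyList]`` section unless an identical entry exists.
      * ``PROXY_CMD`` (a proxychains-style launcher) must then resolve on
        PATH; it is exercised by running ``curl -s ipinfo.io/ip`` with and
        without the launcher and comparing the two answers (identical
        answers mean the proxy is not in effect).

    Exits the process with ``sys.exit(0)`` — kept from the original even
    though a non-zero status would be more conventional — when the launcher
    is missing or the proxy does not change the egress address.

    Fixes over the original: the proxy URL is parsed with urlsplit's
    ``hostname``/``port`` (user:pass@ and bracketed IPv6 no longer corrupt
    the entry, and a missing port is reported instead of raising
    IndexError); a config file without ``[ProxyList]`` is reported instead
    of raising NameError.
    """
    proxy_file = None
    if options['PROXY_FILE'] != "None":
        proxy_file = options['PROXY_FILE']
        utils.print_info("Detected proxychains file: {0}".format(proxy_file))
        # user-supplied config: nothing to add, nothing to test
        return
    elif options['PROXY'] != "None":
        proxy_file = options['CWD'] + '/core/proxychains.conf'
        utils.print_info("Detected proxychains file: {0}".format(proxy_file))

    if options['PROXY'] != "None":
        proxy_parsed = urllib.parse.urlsplit(options['PROXY'])
        scheme = proxy_parsed.scheme
        host = proxy_parsed.hostname
        try:
            port = proxy_parsed.port
        except ValueError:
            # non-numeric port in the URL
            port = None
        if not scheme or not host or port is None:
            utils.print_bad("Proxy must be given as scheme://host:port, got {0}".format(options['PROXY']))
            sys.exit(0)
        proxy_element = "\n" + scheme + " " + host + " " + str(port)

        raw_data = utils.just_read(proxy_file).splitlines()
        section_at = None
        for index, line in enumerate(raw_data):
            if '[ProxyList]' in line:
                section_at = index
        if section_at is None:
            # without the section proxychains cannot use the proxy; the curl
            # test below will then report it as not working
            utils.print_bad("No [ProxyList] section in {0}, proxy not added".format(proxy_file))
        else:
            init_part = raw_data[:section_at]
            proxy_part = raw_data[section_at:]
            # check if this proxy is exist or not
            already_present = any(proxy_element.strip() in item.strip() for item in proxy_part)
            if not already_present:
                proxy_part.append(proxy_element)
            real_proxy_data = "\n".join(init_part + proxy_part)
            utils.just_write(proxy_file, real_proxy_data)

    if options['PROXY'] != "None" or options['PROXY_FILE'] != "None":
        launcher = options['PROXY_CMD'].split(' ')[0]
        if not shutil.which(launcher):
            utils.print_bad("Look like proxy mode doesn't support your OS")
            sys.exit(0)
        # simple check for proxy is good: egress IP must differ through the proxy
        utils.print_info("Testing proxy with simple curl command")
        through_proxy = execute.run(options['PROXY_CMD'] + " curl -s ipinfo.io/ip")
        direct = execute.run("curl -s ipinfo.io/ip")
        if through_proxy == direct:
            utils.print_bad("Look like your proxy not work properly")
            sys.exit(0)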
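def gobuster(self):
    """Run gobuster in DNS mode for $TARGET with a wordlist chosen by speed.

    self.options['speed'] == 'slow' uses wordlists/all.txt, 'quick' uses
    wordlists/shorts.txt.  Output file:
    $WORKSPACE/subdomain/$OUTPUT-gobuster.txt (also checked).

    Fix: any other speed value used to raise UnboundLocalError on ``cmd``;
    it is now reported with utils.print_bad and the method returns.
    """
    utils.print_good('Starting gobuster')
    wordlist_by_speed = {
        'slow': '$PLUGINS_PATH/wordlists/all.txt',
        'quick': '$PLUGINS_PATH/wordlists/shorts.txt',
    }
    speed = self.options['speed']
    wordlist = wordlist_by_speed.get(speed)
    if wordlist is None:
        utils.print_bad("Unknown speed '{0}' (expected 'slow' or 'quick')".format(speed))
        return
    cmd = '$GO_PATH/gobuster -m dns -np -t 100 -w ' + wordlist + ' -u $TARGET -o $WORKSPACE/subdomain/$OUTPUT-gobuster.txt'
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)
    utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-gobuster.txt')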
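def proxy_parsing(options):
    """Prepare and sanity-check proxychains configuration from *options*.

    Behaviour, in order:
      * ``PROXY_FILE`` set (anything but the string "None"): the user
        supplied their own proxychains config; it is reported and the
        function returns without touching it or testing the proxy.
      * otherwise ``PROXY`` set: the bundled ``<CWD>/core/proxychains.conf``
        is used and ``scheme host port`` for the proxy URL is appended to
        its ``[ProxyList]`` section unless an identical entry exists.
      * ``PROXY_CMD`` (a proxychains-style launcher) must then resolve on
        PATH; it is exercised by running ``curl -s ipinfo.io/ip`` with and
        without the launcher and comparing the two answers (identical
        answers mean the proxy is not in effect).

    Exits the process with ``sys.exit(0)`` — kept from the original even
    though a non-zero status would be more conventional — when the launcher
    is missing or the proxy does not change the egress address.

    Fixes over the original: the proxy URL is parsed with urlsplit's
    ``hostname``/``port`` (user:pass@ and bracketed IPv6 no longer corrupt
    the entry, and a missing port is reported instead of raising
    IndexError); a config file without ``[ProxyList]`` is reported instead
    of raising NameError.
    """
    proxy_file = None
    if options['PROXY_FILE'] != "None":
        proxy_file = options['PROXY_FILE']
        utils.print_info("Detected proxychains file: {0}".format(proxy_file))
        # user-supplied config: nothing to add, nothing to test
        return
    elif options['PROXY'] != "None":
        proxy_file = options['CWD'] + '/core/proxychains.conf'
        utils.print_info("Detected proxychains file: {0}".format(proxy_file))

    if options['PROXY'] != "None":
        proxy_parsed = urllib.parse.urlsplit(options['PROXY'])
        scheme = proxy_parsed.scheme
        host = proxy_parsed.hostname
        try:
            port = proxy_parsed.port
        except ValueError:
            # non-numeric port in the URL
            port = None
        if not scheme or not host or port is None:
            utils.print_bad("Proxy must be given as scheme://host:port, got {0}".format(options['PROXY']))
            sys.exit(0)
        proxy_element = "\n" + scheme + " " + host + " " + str(port)

        raw_data = utils.just_read(proxy_file).splitlines()
        section_at = None
        for index, line in enumerate(raw_data):
            if '[ProxyList]' in line:
                section_at = index
        if section_at is None:
            # without the section proxychains cannot use the proxy; the curl
            # test below will then report it as not working
            utils.print_bad("No [ProxyList] section in {0}, proxy not added".format(proxy_file))
        else:
            init_part = raw_data[:section_at]
            proxy_part = raw_data[section_at:]
            # check if this proxy is exist or not
            already_present = any(proxy_element.strip() in item.strip() for item in proxy_part)
            if not already_present:
                proxy_part.append(proxy_element)
            real_proxy_data = "\n".join(init_part + proxy_part)
            utils.just_write(proxy_file, real_proxy_data)

    if options['PROXY'] != "None" or options['PROXY_FILE'] != "None":
        launcher = options['PROXY_CMD'].split(' ')[0]
        if not shutil.which(launcher):
            utils.print_bad("Look like proxy mode doesn't support your OS")
            sys.exit(0)
        # simple check for proxy is good: egress IP must differ through the proxy
        utils.print_info("Testing proxy with simple curl command")
        through_proxy = execute.run(options['PROXY_CMD'] + " curl -s ipinfo.io/ip")
        direct = execute.run("curl -s ipinfo.io/ip")
        if through_proxy == direct:
            utils.print_bad("Look like your proxy not work properly")
            sys.exit(0)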
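def massdns(self):
    """Brute-force subdomains with massdns and normalise its raw output.

    Runs subbrute.py over $DOMAIN_FULL for $TARGET, piped into massdns
    (A records, ``-o S``), writing raw output to
    $WORKSPACE/subdomain/raw-massdns.txt.  Each raw line's first
    space-separated field, minus its trailing character (the final dot of
    a fully-qualified name), is then appended to
    $WORKSPACE/subdomain/$OUTPUT-massdns.txt, which is checked.

    Fixes over the original: the output file is opened once instead of once
    per raw line, the raw file is opened read-only, blank raw lines no
    longer produce blank output lines, and the stale commented-out command
    is dropped.
    """
    utils.print_good('Starting massdns')
    cmd = '$PLUGINS_PATH/massdns/scripts/subbrute.py $DOMAIN_FULL $TARGET | $PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/raw-massdns.txt'
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)

    massdns_raw = utils.replace_argument(self.options, '$WORKSPACE/subdomain/raw-massdns.txt')
    massdns_output = utils.replace_argument(self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt')
    with open(massdns_raw, 'r') as raw_file:
        raw_lines = raw_file.read().splitlines()
    # 'a+' kept so any existing content of the output file is preserved
    with open(massdns_output, 'a+') as out:
        for line in raw_lines:
            if not line.strip():
                continue
            # presumably "name. TYPE value" per line; keep the name without
            # its trailing dot — verify against real massdns -o S output
            hostname = line.split(' ')[0][:-1]
            out.write(hostname + "\n")
    utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt')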
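def create_ip_result(self):
    """Resolve every name in final-$OUTPUT.txt and build the IP list files.

    Each resolvable name's IPv4 address (socket.gethostbyname) is appended
    to $WORKSPACE/subdomain/IP-$OUTPUT.txt; names that do not resolve are
    skipped.  A shell ``sort | uniq`` pipeline then produces
    $WORKSPACE/subdomain/final-IP-$OUTPUT.txt.  No utils.check_output call
    follows.

    Fixes over the original: the bare ``except: pass`` (which also swallowed
    KeyboardInterrupt) is narrowed to resolver errors, the per-name
    ``echo ... >>`` shell invocation is replaced by a direct file append
    with identical content, and the domain file is opened read-only.
    """
    utils.print_good('Create IP for list of domain result')
    domains = utils.replace_argument(self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt')
    ip_list = utils.replace_argument(self.options, '$WORKSPACE/subdomain/IP-$OUTPUT.txt')
    with open(domains, 'r') as d:
        names = d.read().splitlines()
    with open(ip_list, 'a') as out:
        for domain in names:
            domain = domain.strip()
            if not domain:
                continue
            try:
                ip = socket.gethostbyname(domain)
            except (OSError, UnicodeError):
                # gaierror is an OSError; UnicodeError covers bad IDNA labels
                continue
            out.write(ip + "\n")
    cmd = 'cat $WORKSPACE/subdomain/IP-$OUTPUT.txt | sort | uniq > $WORKSPACE/subdomain/final-IP-$OUTPUT.txt'
    cmd = utils.replace_argument(self.options, cmd)
    execute.run(cmd)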
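def linkfinder(self):
    """Run linkfinder over the Burp state file and tee results to a file.

    Input: $BURPSTATE.  Output: $WORKSPACE/burp-$TARGET-linkfinder.txt.
    No utils.check_output call follows.

    Fix: the "Execute:" line was printed after the command had already run;
    it now precedes execution like the other wrappers.
    """
    utils.print_good('Starting linkfinder')
    cmd = '$PLUGINS_PATH/linkfinder.py -i $BURPSTATE -b -o cli | tee $WORKSPACE/burp-$TARGET-linkfinder.txt'
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)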
def direct_brutespray(self):
    """Run brutespray against the masscan XML in the portscan folder.

    Input: $WORKSPACE/portscan/$OUTPUT-masscan.xml.
    Output directory: $WORKSPACE/bruteforce/$OUTPUT/.
    Unlike brutespray(), this prints no start banner and does not call
    utils.check_output.
    """
    template = 'python $PLUGINS_PATH/brutespray/brutespray.py --file $WORKSPACE/portscan/$OUTPUT-masscan.xml --threads 5 --hosts 5 -o $WORKSPACE/bruteforce/$OUTPUT/'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
def dirhunt(self):
    """Run dirhunt on $TARGET, passing $MORE through as extra arguments.

    Output: $WORKSPACE/directory/$STRIP_TARGET-dirhunt.txt via tee.
    No utils.check_output call follows.  $MORE is user-supplied and lands
    unquoted in the command line, so it must only ever come from the
    operator's own configuration.
    """
    utils.print_good('Starting dirhunt')
    template = 'dirhunt $TARGET $MORE --progress-disabled --threads 20 | tee $WORKSPACE/directory/$STRIP_TARGET-dirhunt.txt'
    command = utils.replace_argument(self.options, template)
    utils.print_info("Execute: {0} ".format(command))
    execute.run(command)
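def sleuthql(self):
    """Run sleuthql for $TARGET over the Burp state file $BURPSTATE.

    No output file is checked afterwards.

    Fix: the "Execute:" line was printed after the command had already run;
    it now precedes execution like the other wrappers.
    """
    utils.print_good('Starting sleuthql')
    cmd = 'python3 $PLUGINS_PATH/sleuthql/sleuthql.py -d $TARGET -f $BURPSTATE'
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)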
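def sqlmap(self):
    """Run sqlmap in batch mode over the Burp log $BURPSTATE.

    $MORE is passed through as extra arguments; it is user-supplied and
    unquoted, so it must only come from the operator's own configuration.
    No output file is checked afterwards.

    Fix: the "Execute:" line was printed after the command had already run;
    it now precedes execution like the other wrappers.
    """
    utils.print_good('Starting sqlmap')
    cmd = '$PLUGINS_PATH/sqlmap/sqlmap.py -l $BURPSTATE --batch $MORE'
    cmd = utils.replace_argument(self.options, cmd)
    utils.print_info("Execute: {0} ".format(cmd))
    execute.run(cmd)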