def dig_info(self): utils.print_good('Starting basic Dig') utils.make_directory(self.options['WORKSPACE'] + '/screenshot/digs') final_subdomains = utils.replace_argument(self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt') #run command directly instead of run it via module cause there're a lot of command to run all_domains = utils.just_read(final_subdomains).splitlines() if self.options['DEBUG'] == 'True': all_domains = all_domains[:10] custom_logs = {"module": self.module_name, "content": []} for part in list(utils.chunks(all_domains, 5)): for domain in part: cmd = utils.replace_argument( self.options, 'dig all {0} | tee $WORKSPACE/screenshot/digs/{0}.txt'.format(domain)) output_path = utils.replace_argument(self.options, 'tee $WORKSPACE/screenshot/digs/{0}.txt'.format(domain)) execute.send_cmd(self.options, cmd, '', '', self.module_name, True) # time.sleep(0.5) custom_logs['content'].append( {"cmd": cmd, "std_path": '', "output_path": output_path, "status": "Done"}) #just wait couple seconds and continue but not completely stop the routine time.sleep(5) print(custom_logs) #submit a log utils.print_info('Update activities log') utils.update_activities(self.options, str(custom_logs))
def observatory(self): utils.print_good('Starting observatory') if self.is_direct: domain_file = self.is_direct else: if self.options['SPEED'] == 'quick': utils.print_good('Skipping {0} in quick mode'.format(self.module_name)) return None domain_file = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt') with open(domain_file, 'r') as d: domains = d.read().splitlines() if self.options['DEBUG'] == "True": utils.print_info("Only get 30 target debug mode") domains = domains[:10] for part in list(utils.chunks(domains, 1)): for domain in part: cmd = 'observatory --rescan -q {0} --format=json -z --attempts 50 | tee $WORKSPACE/headers/details/{0}-observatory.json'.format( domain.strip()) cmd = utils.replace_argument(self.options, cmd) execute.send_cmd(self.options, cmd, '', '', self.module_name, nolog=True) time.sleep(10) utils.just_waiting(self.options, self.module_name, seconds=10, times=2) return True
def brutespray(self): utils.print_good('Starting brutespray') cmd = 'python $PLUGINS_PATH/brutespray/brutespray.py --file $WORKSPACE/vulnscan/$TARGET-nmap.xml --threads 5 --hosts 5 -o $WORKSPACE/bruteforce/$OUTPUT/' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/bruteforce/$OUTPUT/')
def run(self): commands = execute.get_commands( self.options, self.module_name).get('routines') for item in commands: utils.print_good('Starting {0}'.format(item.get('banner'))) #really execute it execute.send_cmd(self.options, item.get('cmd'), item.get( 'output_path'), item.get('std_path'), self.module_name) time.sleep(1) utils.just_waiting(self.options, self.module_name, seconds=10, times=5) main_json = utils.reading_json(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json')) for item in commands: if "Whois" in item.get('cmd'): main_json["Info"]["Whois"] = {"path": item.get('output_path')} if "Dig" in item.get('cmd'): main_json["Info"]["Dig"] = {"path": item.get('output_path')} utils.just_write(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json'), main_json, is_json=True)
def debug(options): utils.print_good("Debug routine") utils.print_good("Running with {0} speed".format(options['SPEED'])) # Create skeleton json pprint(options) initials.Initials(options) recon.Recon(options)
def create_html(self): utils.print_good('Create beautify HTML report') cmd = 'xsltproc -o $WORKSPACE/portscan/$OUTPUT-html.html $PLUGINS_PATH/nmap-bootstrap.xsl $WORKSPACE/portscan/$OUTPUT-masscan.xml' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/portscan/$OUTPUT-html.html')
def corstest(self): utils.print_good('Starting CORS') cmd = '$PLUGINS_PATH/CORStest/corstest.py -q $WORKSPACE/subdomain/final-$OUTPUT.txt | tee $WORKSPACE/cors/$TARGET-corstest.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/cors/$TARGET-corstest.txt')
def ipOinst(self): utils.print_good('Starting IPOinst') cmd = '$PLUGINS_PATH/IPOsint/ip-osint.py -t $TARGET -o $WORKSPACE/ipspace/$OUTPUT-ipspace.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/ipspace/$OUTPUT-ipspace.txt')
def register(self, guid: str, psk: str, response): """ Register a session with the server Usage: register [-h] [<guid>] [<psk>] """ print_good(f"Registered new session (guid: {response.result['guid']} psk: {response.result['psk']})")
def subfinder(self): utils.print_good('Starting subfinder') cmd = '$GO_PATH/subfinder -d $TARGET -t 100 -o $WORKSPACE/subdomain/$OUTPUT-subfinder.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-subfinder.txt')
def __init__(self, options): utils.make_directory(options['env']['WORKSPACE'] + '/bruteforce/') self.options = options if self.options['speed'] == 'slow': self.routine() elif self.options['speed'] == 'quick': utils.print_good("Skipping for quick speed")
def gobuster(self): utils.print_good('Starting gobuster') cmd = '$GO_PATH/gobuster -m dns -np -t 100 -w $PLUGINS_PATH/wordlists/all.txt -u $TARGET -o $WORKSPACE/directory/$OUTPUT-gobuster.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/directory/$OUTPUT-gobuster.txt')
def start(self, response): """ Start the selected listener Usage: start [-h] """ listener = response.result print_good(f"Started listener \'{listener['options']['Name']['Value']}\'")
def masscan(self): utils.print_good('Starting masscan') cmd = 'sudo masscan --rate 10000 -p0-65535 -iL $WORKSPACE/subdomain/final-IP-$OUTPUT.txt -oG $WORKSPACE/portscan/$OUTPUT-masscan.gnmap -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/portscan/$OUTPUT-masscan.xml')
def subover(self): utils.print_good('Starting SubOver') cmd = '$PLUGINS_PATH/SubOver/SubOver -l $WORKSPACE/subdomain/final-$TARGET.txt -v -t 100 | tee $WORKSPACE/subdomain/takeover-$TARGET-subover.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output( self.options, '$WORKSPACE/subdomain/takeover-$TARGET-subover.txt')
def direct_masscan(self): utils.print_good('Starting masscan') ip = socket.gethostbyname(self.options['env']['STRIP_TARGET']) cmd = 'sudo nmap -sS -T4 -Pn -n -p- {0} -oG $WORKSPACE/portscan/$OUTPUT-nmap.gnmap -oX $WORKSPACE/portscan/$OUTPUT-nmap.xml '.format(ip) cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) print()
def amass(self): utils.print_good('Starting amass') cmd = '$GO_PATH/amass -active -d $TARGET |tee $WORKSPACE/subdomain/$OUTPUT-amass.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-amass.txt')
def subjack(self): utils.print_good('Starting subjack') cmd = '$GO_PATH/subjack -w $WORKSPACE/subdomain/final-$TARGET.txt -t 100 -timeout 30 -o $WORKSPACE/subdomain/takeover-$TARGET-subjack.txt -ssl' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output( self.options, '$WORKSPACE/subdomain/takeover-$TARGET-subjack.txt')
def aquaton(self): utils.print_good('Starting aquatone') cmd = 'cat $WORKSPACE/subdomain/final-$TARGET.txt | $GO_PATH/aquatone -threads 20 -out $WORKSPACE/screenshot/$OUTPUT-aquatone.html' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/screenshot/$OUTPUT-aquatone.html')
def truffleHog(self): utils.print_good('Starting truffleHog') cmd = 'trufflehog --regex --entropy=True $TARGET | tee $WORKSPACE/gitscan/$TARGET-trufflehog.txt' cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/$TARGET-trufflehog.txt') std_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/std-$TARGET-trufflehog.std') execute.send_cmd(cmd, output_path, std_path, self.module_name)
def unique_result(self): utils.print_good('Unique result') cmd = "cat $WORKSPACE/subdomain/$OUTPUT-*.txt | sort | awk '{print tolower($0)}' | uniq >> $WORKSPACE/subdomain/final-$OUTPUT.txt" cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt')
def massdns(self): utils.print_good('Starting massdns') cmd = '$PLUGINS_PATH/massdns/scripts/subbrute.py $PLUGINS_PATH/massdns/lists/names.txt $TARGET | $PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/$OUTPUT-massdns.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt')
def nmap_vuln(self): utils.print_good('Starting nmap vulnerable scan') cmd = 'nmap -T4 -Pn -n -sSV -p- $STRIP_TARGET --script vulners --oA $WORKSPACE/vulnscan/$OUTPUT-nmap' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/vulnscan/$TARGET-nmap.xml')
def wfuzz(self): utils.print_good('Starting wfuzz') if self.is_direct: domains = utils.just_read(self.is_direct).splitlines() else: #matching IP with subdomain main_json = utils.reading_json( utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json')) domains = [x.get('Domain') for x in main_json['Subdomains']] if self.options['DEBUG'] == 'True': domains = domains[:5] custom_logs = {"module": self.module_name, "content": []} for part in utils.chunks(domains, 3): for domain in part: #just strip everything to save local, it won't affect the result strip_domain = domain.replace('http://', '').replace( 'https://', '').replace('/', '-') cmd = "wfuzz -f $WORKSPACE/directory/quick/{1}-wfuzz.txt,raw -c -w $PLUGINS_PATH/wordlists/quick-content-discovery.txt -t 100 --sc 200,307 -u '{0}/FUZZ' | tee $WORKSPACE/directory/quick/std-{1}-wfuzz.std".format( domain.strip(), strip_domain) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/directory/quick/{0}-wfuzz.txt'.format( strip_domain)) std_path = utils.replace_argument( self.options, '$WORKSPACE/directory/quick/std-{0}-wfuzz.std'.format( strip_domain)) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name) # time.sleep(0.5) #set status to done because this gonna will be submit when all command was done custom_logs['content'].append({ "cmd": cmd, "std_path": std_path, "output_path": output_path, "status": "Done" }) #just wait couple seconds and continue but not completely stop the routine time.sleep(20) #submit a log utils.print_info('Update activities log') utils.update_activities(self.options, str(custom_logs)) #just save commands logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json') utils.save_all_cmd(self.options, logfile)
def unique_result(self): utils.print_good('Unique result') # gobuster clean up go_raw = utils.replace_argument( self.options, '$WORKSPACE/subdomain/raw-$OUTPUT-gobuster.txt') if utils.not_empty_file(go_raw): go_clean = [x.split(' ')[1] for x in utils.just_read(go_raw).splitlines()] go_output = utils.replace_argument( self.options, '$WORKSPACE/subdomain/$OUTPUT-gobuster.txt') utils.just_write(go_output, "\n".join(go_clean)) # massdns clean up massdns_raw = utils.replace_argument( self.options, '$WORKSPACE/subdomain/raw-massdns.txt') if utils.not_empty_file(massdns_raw): massdns_output = utils.replace_argument( self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt') if not os.path.exists(massdns_raw): with open(massdns_raw, 'r+') as d: ds = d.read().splitlines() for line in ds: newline = line.split(' ')[0][:-1] with open(massdns_output, 'a+') as m: m.write(newline + "\n") utils.check_output(utils.replace_argument( self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt')) # joining the output all_output = glob.glob(utils.replace_argument(self.options, '$WORKSPACE/subdomain/$OUTPUT-*.txt')) domains = [] for file in all_output: domains += utils.just_read(file).splitlines() output_path = utils.replace_argument(self.options, '$WORKSPACE/subdomain/full-$OUTPUT.txt') utils.just_write(output_path, "\n".join(set([x.strip() for x in domains]))) # finding more subdomain permutation_domains = self.permutation() if permutation_domains: domains.extend(permutation_domains) output_path = utils.replace_argument( self.options, '$WORKSPACE/subdomain/full-$OUTPUT.txt') utils.just_write(output_path, "\n".join( set([x.strip() for x in domains]))) else: output_path = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt') utils.just_write(output_path, "\n".join( set([x.strip() for x in domains]))) time.sleep(1) slack.slack_file('report', self.options, mess={ 'title': "{0} | {1} | Output".format(self.options['TARGET'], self.module_name), 'filename': '{0}'.format(output_path), })
def linkfinder(self): utils.print_good('Starting linkfinder') cmd = '$PLUGINS_PATH/linkfinder.py -i $BURPSTATE -b -o cli | tee $WORKSPACE/burp-$TARGET-linkfinder.txt' cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/burp-$TARGET-linkfinder.txt') std_path = utils.replace_argument( self.options, '$WORKSPACE/burp-$TARGET-linkfinder.txt') execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
def generate_resource_file(stager, listener): with open(f"{stager}.res", 'w') as resource_file: resource_file.write("listeners\n") resource_file.write(f"use {listener.name}\n") resource_file.write(f"set BindIP {listener['BindIP']}\n") resource_file.write(f"set Port {listener['Port']}\n") resource_file.write("start") print_good(f"Generated resource file: {filename}")
def gitrob(self): utils.print_good('Starting gitrob') really_target = utils.replace_argument(self.options, '$TARGET').split('/')[3] # only get organization name cmd = '$GO_PATH/gitrob -save $WORKSPACE/gitscan/$TARGET-gitrob -threads 10 -github-access-token $GITHUB_API_KEY {0}'.format(really_target) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/$TARGET-gitrob') std_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/std-$TARGET-gitrob.std') execute.send_cmd(cmd, output_path, std_path, self.module_name)
def eyewitness_common(self): utils.print_good('Starting EyeWitness for web') cmd = 'python $PLUGINS_PATH/EyeWitness/EyeWitness.py -f $WORKSPACE/subdomain/final-$TARGET.txt --web --prepend-https --threads 20 -d $WORKSPACE/screenshot/eyewitness-$TARGET/' cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument(self.options, '$WORKSPACE/screenshot/') std_path = utils.replace_argument( self.options, '$WORKSPACE/screenshot/std-eyewitness-$TARGET.std') execute.send_cmd(cmd, output_path, std_path, self.module_name)
def initial(self): #check if this module is done from portscan or not require_file = utils.replace_argument( self.options, '$WORKSPACE/vulnscan/$OUTPUT-nmap.xml') if not os.path.exists(require_file): self.nmap_vuln() self.create_html() else: utils.print_good('This module is already run')
def generate(self, listener): with open('msbuild.xml', 'w') as stager: with open('stagers/templates/msbuild.xml') as template: template = template.read() template = template.replace('C2_URL', f"https://{listener['BindIP']}:{listener['Port']}") template = template.replace('C2_CHANNEL', f"{listener.name}") stager.write(template) print_good(f"Generated stager to {stager.name}") print_info("Launch with 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe msbuild.xml'")
def create_ip_result(self): utils.print_good('Create IP for list of domain result') # check if direct input is file or just single string if self.is_direct: if utils.not_empty_file(self.is_direct): cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $INPUT_LIST' # just return if direct input is just a string else: return else: final_ip = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt') if utils.not_empty_file(final_ip): return cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt' cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt') execute.send_cmd(self.options, cmd, '', '', self.module_name) utils.just_waiting(self.options, self.module_name, seconds=5) # matching IP with subdomain main_json = utils.reading_json( utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json')) # get ips from amass stuff ips = [] if self.is_direct: if self.options.get("INPUT_LIST"): ips.extend(utils.extract_ip(self.options.get('INPUT_LIST'))) if utils.not_empty_file(output_path): data = utils.just_read(output_path).splitlines() for line in data: if " A " in line: subdomain = line.split('. A ')[0] ip = line.split('. A ')[1] ips.append(str(ip)) for i in range(len(main_json['Subdomains'])): if subdomain == main_json['Subdomains'][i]['Domain']: main_json['Subdomains'][i]['IP'] = ip final_ip = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt') utils.just_write(final_ip, "\n".join(ips)) utils.just_write(utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json'), main_json, is_json=True)
def create_ip_result(self): utils.print_good('Create IP for list of domain result') cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt' cmd = utils.replace_argument(self.options, cmd) execute.run(cmd) cmd = '''cat $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt | grep -e ' A ' | cut -d 'A' -f 2 | tr -d ' ' > $WORKSPACE/subdomain/final-IP-$OUTPUT.txt''' cmd = utils.replace_argument(self.options, cmd) execute.run(cmd) utils.check_output(self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
def generate_resource_file(stager, listener): filename = f"{stager}.res" with open(filename, 'w') as resource_file: resource_file.write("listeners\n") resource_file.write(f"use {listener.name}\n") resource_file.write(f"set BindIP {listener['BindIP']}\n") resource_file.write(f"set Port {listener['Port']}\n") resource_file.write("start\n") resource_file.write("modules\n") print_good(f"Generated resource file: {filename}")
def linkfinder(self): utils.print_good('Starting linkfinder') if self.is_direct: if utils.not_empty_file(self.is_direct): http_domains = utils.just_read(self.is_direct) # just return if direct input is just a string else: domain = self.is_direct strip_domain = utils.get_domain(domain) if strip_domain == domain: domain = 'http://' + domain cmd = 'python3 $PLUGINS_PATH/LinkFinder/linkfinder.py -i {0} -d -o cli | tee $WORKSPACE/assets/linkfinder/{1}-linkfinder.txt'.format( domain, strip_domain) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/assets/linkfinder/{0}-linkfinder.txt'.format( strip_domain)) std_path = utils.replace_argument( self.options, '$WORKSPACE/assets/linkfinder/{0}-linkfinder.std'.format( strip_domain)) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name) return None else: if self.options['SPEED'] != 'slow': utils.print_good("Skipping linkfinder in quick mode") return None http_domains = utils.replace_argument( self.options, '$WORKSPACE/assets/http-$OUTPUT.txt') utils.make_directory(self.options['WORKSPACE'] + '/assets/linkfinder') if utils.not_empty_file(http_domains): domains = utils.just_read(http_domains) for domain in domains.splitlines(): strip_domain = utils.get_domain(domain) cmd = 'python3 $PLUGINS_PATH/LinkFinder/linkfinder.py -i {0} -d -o cli | tee $WORKSPACE/assets/linkfinder/{1}-linkfinder.txt'.format( domain, strip_domain) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/assets/linkfinder/{0}-linkfinder.txt'.format( strip_domain)) std_path = utils.replace_argument( self.options, '$WORKSPACE/assets/linkfinder/{0}-linkfinder.std'.format( strip_domain)) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
def __init__(self, options): utils.make_directory(options['WORKSPACE'] + '/bruteforce/') self.options = options if utils.resume(self.options, self.module_name): utils.print_info("It's already done. use '-f' options to force rerun the module") return if self.options['SPEED'] == 'slow': self.routine() elif self.options['SPEED'] == 'quick': utils.print_good("Skipping for quick speed")
def run(self): commands = execute.get_commands(self.options, self.module_name).get('routines') for item in commands: utils.print_good('Starting {0}'.format(item.get('banner'))) #really execute it execute.send_cmd(self.options, item.get('cmd'), item.get( 'output_path'), item.get('std_path'), self.module_name) utils.just_waiting(self.options, self.module_name, seconds=10) #just save commands logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json') utils.save_all_cmd(self.options, logfile)
def dirsearch(self): utils.print_good('Starting dirsearch') if self.is_direct: domains = utils.just_read(self.is_direct).splitlines() else: #matching IP with subdomain main_json = utils.reading_json(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json')) domains = [x.get('Domain') for x in main_json['Subdomains']] if self.options['DEBUG'] == 'True': domains = domains[:5] custom_logs = {"module": self.module_name, "content": []} for part in utils.chunks(domains, 3): for domain in part: #just strip everything to save local, it won't affect the result strip_domain = domain.replace( 'http://', '').replace('https://', '').replace('/', '-') cmd = "python3 $PLUGINS_PATH/dirsearch/dirsearch.py -b -e php,zip,aspx,js --wordlist=$PLUGINS_PATH/wordlists/really-quick.txt --simple-report=$WORKSPACE/directory/quick/{1}-dirsearch.txt -t 50 -u {0}".format( domain, strip_domain) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/directory/quick/{0}-dirsearch.txt'.format(strip_domain)) std_path = utils.replace_argument( self.options, '$WORKSPACE/directory/quick/std-{0}-dirsearch.std'.format(strip_domain)) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name) # time.sleep(0.5) #set status to done because this gonna will be submit when all command was done custom_logs['content'].append( {"cmd": cmd, "std_path": std_path, "output_path": output_path, "status": "Done"}) #just wait couple seconds and continue but not completely stop the routine time.sleep(20) #submit a log utils.print_info('Update activities log') # utils.update_activities(self.options, str(custom_logs)) utils.force_done(self.options, self.module_name) #just save commands logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json') utils.save_all_cmd(self.options, logfile)
def start(self): """ Start the selected listener Usage: start [-h] """ try: self.selected.start() self.listeners.append(self.selected) print_good(f"Listener '{self.selected['Name']}' started successfully!") state.LISTENERS = len(self.listeners) except Exception as e: print_bad(f"Error starting listener '{self.selected['Name']}': {e}")
def quick_gobuster(self): utils.print_good('Starting gobuster for short wordlist') if self.is_direct: domains = utils.just_read(self.is_direct).splitlines() else: #matching IP with subdomain main_json = utils.reading_json(utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json')) domains = [x.get('Domain') for x in main_json['Subdomains']] if self.options['DEBUG'] == 'True': domains = domains[:5] custom_logs = {"module": self.module_name, "content": []} for part in utils.chunks(domains, 3): for domain in part: #just strip everything to save local, it won't affect the result strip_domain = domain.replace( 'http://', '').replace('https://', '').replace('/', '-') cmd = '$GO_PATH/gobuster -k -q -e -x php,jsp,aspx,html,json -w $PLUGINS_PATH/wordlists/quick-content-discovery.txt -t 100 -o $WORKSPACE/directory/{1}-gobuster.txt -s 200,301,307 -u "{0}" '.format( domain.strip(), strip_domain) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/directory/quick/{0}-gobuster.txt'.format(strip_domain)) std_path = utils.replace_argument( self.options, '$WORKSPACE/directory/quick/std-{0}-gobuster.std'.format(strip_domain)) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name) # time.sleep(0.5) #set status to done because this gonna will be submit when all command was done custom_logs['content'].append({"cmd": cmd, "std_path": std_path, "output_path": output_path, "status": "Done"}) #just wait couple seconds and continue but not completely stop the routine time.sleep(20) #submit a log utils.print_info('Update activities log') utils.force_done(self.options, self.module_name) # utils.update_activities(self.options, str(custom_logs)) #just save commands logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json') utils.save_all_cmd(self.options, logfile)
def normal(options): utils.print_good("Running with {0} speed".format(options['SPEED'])) # Create skeleton json initials.Initials(options) ##Finding subdomain subdomain.SubdomainScanning(options) ##waiting for previous module utils.just_waiting(options, 'SubdomainScanning') # ##Scanning for subdomain take over takeover.TakeOverScanning(options) ##Screen shot the target on common service screenshot.ScreenShot(options) ##Recon recon.Recon(options) ##Scanning for CorsScan cors.CorsScan(options) # ##Discovery IP space ipspace.IPSpace(options) # ##SSL Scan sslscan.SSLScan(options) # ##Headers Scan headers.HeadersScan(options) # ##### Note: From here the module gonna take really long time for scanning service and stuff like that utils.print_info('This gonna take a while') # #Scanning all port using result from subdomain scanning and also checking vulnerable service based on version portscan.PortScan(options) #Directory scan dirbrute.DirBrute(options) # #Starting vulnerable scan vulnscan.VulnScan(options) # brutethings.BruteThings(options) conclusion.Conclusion(options)
def job_result(self, result_tuple): guid, job_id, data = result_tuple session = list(filter(lambda x: x == guid, self.sessions))[0] if not session.data: session.set_session_info(data) print_good(f"New session {session.guid} connected! ({session.address})") state.SESSIONS = len(self.sessions) return for session in self.sessions: if session == guid: results = json.loads(session.crypto.decrypt(data)) print_good(f"{guid} returned job result (id: {job_id})") print(results['result'])
def generate(self, listener, filename=None, as_string=False): stager_filename = filename if filename else 'msbuild.xml' with open('stagers/templates/msbuild.xml') as template: template = template.read() template = template.replace('C2_URL', f"{listener.name}://{listener['BindIP']}:{listener['Port']}") if not as_string: with open(stager_filename, 'w') as stager: stager.write(template) print_good(f"Generated stager to {stager.name}") print_info( f"Launch with 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe {stager_filename}'") else: return template
def create_ip_result(self): utils.print_good('Create IP for list of domain result') if self.is_direct: cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $INPUT' else: final_ip = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt') if utils.not_empty_file(final_ip): return cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt' cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt') execute.send_cmd(self.options, cmd, '', '', self.module_name) utils.just_waiting(self.options, self.module_name, seconds=5) # matching IP with subdomain main_json = utils.reading_json(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json')) with open(output_path, 'r') as i: data = i.read().splitlines() ips = [] for line in data: if " A " in line: subdomain = line.split('. A ')[0] ip = line.split('. A ')[1] ips.append(ip) for i in range(len(main_json['Subdomains'])): if subdomain == main_json['Subdomains'][i]['Domain']: main_json['Subdomains'][i]['IP'] = ip final_ip = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt') with open(final_ip, 'w+') as fip: fip.write("\n".join(str(ip) for ip in ips)) utils.just_write(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json'), main_json, is_json=True)
def gobuster(self): utils.print_good('Starting gobuster') if self.options['SPEED'] != 'slow': utils.print_good("Skipping in quick mode") return main_json = utils.reading_json(utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json')) domains = [x.get('Domain') for x in main_json['Subdomains']] for domain in domains: cmd = '$GO_PATH/gobuster -k -q -e -fw -x php,jsp,aspx,html,json -w $PLUGINS_PATH/wordlists/dir-all.txt -t 100 -o $WORKSPACE/directory/$TARGET-gobuster.txt -s 200,301,307 -u "$TARGET" ' cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/directory/{0}-gobuster.json'.format(domain)) std_path = utils.replace_argument( self.options, '$WORKSPACE/directory/std-{0}-gobuster.std'.format(domain)) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name, True)
def masscan(self): utils.print_good('Starting masscan') time.sleep(1) if self.is_direct: ip_file = utils.replace_argument( self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt') # print(ip_file) # print(utils.just_read(ip_file)) ip_list = utils.just_read(ip_file).splitlines() ip_list = list(set([ip for ip in ip_list if ip != 'N/A'])) else: main_json = utils.reading_json(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json')) main_json['Modules'][self.module_name] = [] if self.options['SPEED'] == 'slow': ip_list = [x.get("IP") for x in main_json['Subdomains'] if x.get("IP") is not None] + main_json['IP Space'] elif self.options['SPEED'] == 'quick': ip_list = [x.get("IP") for x in main_json['Subdomains'] if x.get("IP") is not None] ip_list = set([ip for ip in ip_list if ip != 'N/A']) if self.options['DEBUG'] == "True": utils.print_info("just testing 5 first host") ip_list = list(ip_list)[:5] utils.just_write(utils.replace_argument( self.options, '$WORKSPACE/subdomain/IP-$TARGET.txt'), "\n".join(ip_list)) # print(ip_list) time.sleep(1) cmd = "sudo masscan --rate 1000 -p0-65535 -iL $WORKSPACE/subdomain/IP-$TARGET.txt -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0" cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/portscan/$OUTPUT-masscan.xml') std_path = utils.replace_argument( self.options, '$WORKSPACE/portscan/std-$OUTPUT-masscan.std') execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
def nmap_vuln(self): utils.print_good('Starting Nmap VulnScan') if self.is_direct: ip_list = utils.just_read(self.is_direct).splitlines() ip_list = list(set([ip for ip in ip_list if ip != 'N/A'])) else: main_json = utils.reading_json(utils.replace_argument( self.options, '$WORKSPACE/$COMPANY.json')) main_json['Modules'][self.module_name] = [] if self.options['SPEED'] == 'slow': ip_list = [x.get("IP") for x in main_json['Subdomains'] if x.get("IP") is not None] + main_json['IP Space'] elif self.options['SPEED'] == 'quick': ip_list = [x.get("IP") for x in main_json['Subdomains'] if x.get("IP") is not None] ip_list = list(set([ip for ip in ip_list if ip != 'N/A'])) if self.options['DEBUG'] == 'True': ip_list = list(ip_list)[:5] # Scan every 5 IP at time Increse if you want for part in utils.chunks(ip_list, 2): for ip in part: cmd = 'sudo nmap --open -T4 -Pn -n -sSV -p- {0} --script $PLUGINS_PATH/vulners.nse --oA $WORKSPACE/vulnscan/{0}-nmap'.format( ip.strip()) cmd = utils.replace_argument(self.options, cmd) output_path = utils.replace_argument( self.options, '$WORKSPACE/vulnscan/{0}-nmap.nmap'.format(ip.strip())) std_path = utils.replace_argument( self.options, '$WORKSPACE/vulnscan/std-{0}-nmap.std'.format(ip.strip())) execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name) # check if previous task done or not every 30 second while not utils.checking_done(self.options, module=self.module_name): time.sleep(60) #just save commands logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json') utils.save_all_cmd(self.options, logfile)
def sleuthql(self): utils.print_good('Starting sleuthql') cmd = 'python3 $PLUGINS_PATH/sleuthql/sleuthql.py -d $TARGET -f $BURPSTATE' cmd = utils.replace_argument(self.options, cmd) execute.send_cmd(self.options, cmd, '', '', self.module_name)
def sqlmap(self): utils.print_good('Starting sqlmap') cmd = '$PLUGINS_PATH/sqlmap/sqlmap.py -l $BURPSTATE --batch $MORE' cmd = utils.replace_argument(self.options, cmd) execute.send_cmd(self.options, cmd, '', '', self.module_name)
def dirhunt(self): utils.print_good('Starting dirhunt') cmd = 'dirhunt $TARGET $MORE --progress-disabled --threads 20 | tee $WORKSPACE/directory/$STRIP_TARGET-dirhunt.txt' cmd = utils.replace_argument(self.options, cmd) utils.print_info("Execute: {0} ".format(cmd)) execute.run(cmd)