def dig_info(self):
utils.print_good('Starting basic Dig')
utils.make_directory(self.options['WORKSPACE'] + '/screenshot/digs')
final_subdomains = utils.replace_argument(self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt')
#run command directly instead of run it via module cause there're a lot of command to run
all_domains = utils.just_read(final_subdomains).splitlines()
if self.options['DEBUG'] == 'True':
all_domains = all_domains[:10]
custom_logs = {"module": self.module_name, "content": []}
for part in list(utils.chunks(all_domains, 5)):
for domain in part:
cmd = utils.replace_argument(
self.options, 'dig all {0} | tee $WORKSPACE/screenshot/digs/{0}.txt'.format(domain))
output_path = utils.replace_argument(self.options, 'tee $WORKSPACE/screenshot/digs/{0}.txt'.format(domain))
execute.send_cmd(self.options, cmd, '', '', self.module_name, True)
# time.sleep(0.5)
custom_logs['content'].append(
{"cmd": cmd, "std_path": '', "output_path": output_path, "status": "Done"})
#just wait couple seconds and continue but not completely stop the routine
time.sleep(5)
print(custom_logs)
#submit a log
utils.print_info('Update activities log')
utils.update_activities(self.options, str(custom_logs))
def observatory(self):
utils.print_good('Starting observatory')
if self.is_direct:
domain_file = self.is_direct
else:
if self.options['SPEED'] == 'quick':
utils.print_good('Skipping {0} in quick mode'.format(self.module_name))
return None
domain_file = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt')
with open(domain_file, 'r') as d:
domains = d.read().splitlines()
if self.options['DEBUG'] == "True":
utils.print_info("Only get 30 target debug mode")
domains = domains[:10]
for part in list(utils.chunks(domains, 1)):
for domain in part:
cmd = 'observatory --rescan -q {0} --format=json -z --attempts 50 | tee $WORKSPACE/headers/details/{0}-observatory.json'.format(
domain.strip())
cmd = utils.replace_argument(self.options, cmd)
execute.send_cmd(self.options, cmd, '', '', self.module_name, nolog=True)
time.sleep(10)
utils.just_waiting(self.options, self.module_name, seconds=10, times=2)
return True
def brutespray(self):
utils.print_good('Starting brutespray')
cmd = 'python $PLUGINS_PATH/brutespray/brutespray.py --file $WORKSPACE/vulnscan/$TARGET-nmap.xml --threads 5 --hosts 5 -o $WORKSPACE/bruteforce/$OUTPUT/'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options, '$WORKSPACE/bruteforce/$OUTPUT/')
def run(self):
commands = execute.get_commands(
self.options, self.module_name).get('routines')
for item in commands:
utils.print_good('Starting {0}'.format(item.get('banner')))
#really execute it
execute.send_cmd(self.options, item.get('cmd'), item.get(
'output_path'), item.get('std_path'), self.module_name)
time.sleep(1)
utils.just_waiting(self.options, self.module_name, seconds=10, times=5)
main_json = utils.reading_json(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'))
for item in commands:
if "Whois" in item.get('cmd'):
main_json["Info"]["Whois"] = {"path": item.get('output_path')}
if "Dig" in item.get('cmd'):
main_json["Info"]["Dig"] = {"path": item.get('output_path')}
utils.just_write(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'), main_json, is_json=True)
def debug(options):
utils.print_good("Debug routine")
utils.print_good("Running with {0} speed".format(options['SPEED']))
# Create skeleton json
pprint(options)
initials.Initials(options)
recon.Recon(options)
def create_html(self):
utils.print_good('Create beautify HTML report')
cmd = 'xsltproc -o $WORKSPACE/portscan/$OUTPUT-html.html $PLUGINS_PATH/nmap-bootstrap.xsl $WORKSPACE/portscan/$OUTPUT-masscan.xml'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/portscan/$OUTPUT-html.html')
def corstest(self):
utils.print_good('Starting CORS')
cmd = '$PLUGINS_PATH/CORStest/corstest.py -q $WORKSPACE/subdomain/final-$OUTPUT.txt | tee $WORKSPACE/cors/$TARGET-corstest.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/cors/$TARGET-corstest.txt')
def ipOinst(self):
utils.print_good('Starting IPOinst')
cmd = '$PLUGINS_PATH/IPOsint/ip-osint.py -t $TARGET -o $WORKSPACE/ipspace/$OUTPUT-ipspace.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/ipspace/$OUTPUT-ipspace.txt')
def register(self, guid: str, psk: str, response):
"""
Register a session with the server
Usage: register [-h] [<guid>] [<psk>]
"""
print_good(f"Registered new session (guid: {response.result['guid']} psk: {response.result['psk']})")
def subfinder(self):
utils.print_good('Starting subfinder')
cmd = '$GO_PATH/subfinder -d $TARGET -t 100 -o $WORKSPACE/subdomain/$OUTPUT-subfinder.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/subdomain/$OUTPUT-subfinder.txt')
def __init__(self, options):
utils.make_directory(options['env']['WORKSPACE'] + '/bruteforce/')
self.options = options
if self.options['speed'] == 'slow':
self.routine()
elif self.options['speed'] == 'quick':
utils.print_good("Skipping for quick speed")
def gobuster(self):
utils.print_good('Starting gobuster')
cmd = '$GO_PATH/gobuster -m dns -np -t 100 -w $PLUGINS_PATH/wordlists/all.txt -u $TARGET -o $WORKSPACE/directory/$OUTPUT-gobuster.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/directory/$OUTPUT-gobuster.txt')
def start(self, response):
"""
Start the selected listener
Usage: start [-h]
"""
listener = response.result
print_good(f"Started listener \'{listener['options']['Name']['Value']}\'")
def debug(options):
utils.print_good("Debug routine")
utils.print_good("Running with {0} speed".format(options['SPEED']))
# Create skeleton json
pprint(options)
initials.Initials(options)
recon.Recon(options)
def masscan(self):
utils.print_good('Starting masscan')
cmd = 'sudo masscan --rate 10000 -p0-65535 -iL $WORKSPACE/subdomain/final-IP-$OUTPUT.txt -oG $WORKSPACE/portscan/$OUTPUT-masscan.gnmap -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/portscan/$OUTPUT-masscan.xml')
def subover(self):
utils.print_good('Starting SubOver')
cmd = '$PLUGINS_PATH/SubOver/SubOver -l $WORKSPACE/subdomain/final-$TARGET.txt -v -t 100 | tee $WORKSPACE/subdomain/takeover-$TARGET-subover.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(
self.options, '$WORKSPACE/subdomain/takeover-$TARGET-subover.txt')
def direct_masscan(self):
utils.print_good('Starting masscan')
ip = socket.gethostbyname(self.options['env']['STRIP_TARGET'])
cmd = 'sudo nmap -sS -T4 -Pn -n -p- {0} -oG $WORKSPACE/portscan/$OUTPUT-nmap.gnmap -oX $WORKSPACE/portscan/$OUTPUT-nmap.xml '.format(ip)
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
print()
def amass(self):
utils.print_good('Starting amass')
cmd = '$GO_PATH/amass -active -d $TARGET |tee $WORKSPACE/subdomain/$OUTPUT-amass.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/subdomain/$OUTPUT-amass.txt')
def subjack(self):
utils.print_good('Starting subjack')
cmd = '$GO_PATH/subjack -w $WORKSPACE/subdomain/final-$TARGET.txt -t 100 -timeout 30 -o $WORKSPACE/subdomain/takeover-$TARGET-subjack.txt -ssl'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(
self.options, '$WORKSPACE/subdomain/takeover-$TARGET-subjack.txt')
def aquaton(self):
utils.print_good('Starting aquatone')
cmd = 'cat $WORKSPACE/subdomain/final-$TARGET.txt | $GO_PATH/aquatone -threads 20 -out $WORKSPACE/screenshot/$OUTPUT-aquatone.html'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/screenshot/$OUTPUT-aquatone.html')
def truffleHog(self):
utils.print_good('Starting truffleHog')
cmd = 'trufflehog --regex --entropy=True $TARGET | tee $WORKSPACE/gitscan/$TARGET-trufflehog.txt'
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/$TARGET-trufflehog.txt')
std_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/std-$TARGET-trufflehog.std')
execute.send_cmd(cmd, output_path, std_path, self.module_name)
def unique_result(self):
utils.print_good('Unique result')
cmd = "cat $WORKSPACE/subdomain/$OUTPUT-*.txt | sort | awk '{print tolower($0)}' | uniq >> $WORKSPACE/subdomain/final-$OUTPUT.txt"
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/subdomain/final-$OUTPUT.txt')
def massdns(self):
utils.print_good('Starting massdns')
cmd = '$PLUGINS_PATH/massdns/scripts/subbrute.py $PLUGINS_PATH/massdns/lists/names.txt $TARGET | $PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/$OUTPUT-massdns.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/subdomain/$OUTPUT-massdns.txt')
def nmap_vuln(self):
utils.print_good('Starting nmap vulnerable scan')
cmd = 'nmap -T4 -Pn -n -sSV -p- $STRIP_TARGET --script vulners --oA $WORKSPACE/vulnscan/$OUTPUT-nmap'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/vulnscan/$TARGET-nmap.xml')
def wfuzz(self):
utils.print_good('Starting wfuzz')
if self.is_direct:
domains = utils.just_read(self.is_direct).splitlines()
else:
#matching IP with subdomain
main_json = utils.reading_json(
utils.replace_argument(self.options,
'$WORKSPACE/$COMPANY.json'))
domains = [x.get('Domain') for x in main_json['Subdomains']]
if self.options['DEBUG'] == 'True':
domains = domains[:5]
custom_logs = {"module": self.module_name, "content": []}
for part in utils.chunks(domains, 3):
for domain in part:
#just strip everything to save local, it won't affect the result
strip_domain = domain.replace('http://', '').replace(
'https://', '').replace('/', '-')
cmd = "wfuzz -f $WORKSPACE/directory/quick/{1}-wfuzz.txt,raw -c -w $PLUGINS_PATH/wordlists/quick-content-discovery.txt -t 100 --sc 200,307 -u '{0}/FUZZ' | tee $WORKSPACE/directory/quick/std-{1}-wfuzz.std".format(
domain.strip(), strip_domain)
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options,
'$WORKSPACE/directory/quick/{0}-wfuzz.txt'.format(
strip_domain))
std_path = utils.replace_argument(
self.options,
'$WORKSPACE/directory/quick/std-{0}-wfuzz.std'.format(
strip_domain))
execute.send_cmd(self.options, cmd, output_path, std_path,
self.module_name)
# time.sleep(0.5)
#set status to done because this gonna will be submit when all command was done
custom_logs['content'].append({
"cmd": cmd,
"std_path": std_path,
"output_path": output_path,
"status": "Done"
})
#just wait couple seconds and continue but not completely stop the routine
time.sleep(20)
#submit a log
utils.print_info('Update activities log')
utils.update_activities(self.options, str(custom_logs))
#just save commands
logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json')
utils.save_all_cmd(self.options, logfile)
def unique_result(self):
utils.print_good('Unique result')
# gobuster clean up
go_raw = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/raw-$OUTPUT-gobuster.txt')
if utils.not_empty_file(go_raw):
go_clean = [x.split(' ')[1] for x in utils.just_read(go_raw).splitlines()]
go_output = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/$OUTPUT-gobuster.txt')
utils.just_write(go_output, "\n".join(go_clean))
# massdns clean up
massdns_raw = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/raw-massdns.txt')
if utils.not_empty_file(massdns_raw):
massdns_output = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt')
if not os.path.exists(massdns_raw):
with open(massdns_raw, 'r+') as d:
ds = d.read().splitlines()
for line in ds:
newline = line.split(' ')[0][:-1]
with open(massdns_output, 'a+') as m:
m.write(newline + "\n")
utils.check_output(utils.replace_argument(
self.options, '$WORKSPACE/subdomain/$OUTPUT-massdns.txt'))
# joining the output
all_output = glob.glob(utils.replace_argument(self.options,
'$WORKSPACE/subdomain/$OUTPUT-*.txt'))
domains = []
for file in all_output:
domains += utils.just_read(file).splitlines()
output_path = utils.replace_argument(self.options, '$WORKSPACE/subdomain/full-$OUTPUT.txt')
utils.just_write(output_path, "\n".join(set([x.strip() for x in domains])))
# finding more subdomain
permutation_domains = self.permutation()
if permutation_domains:
domains.extend(permutation_domains)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/full-$OUTPUT.txt')
utils.just_write(output_path, "\n".join(
set([x.strip() for x in domains])))
else:
output_path = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-$OUTPUT.txt')
utils.just_write(output_path, "\n".join(
set([x.strip() for x in domains])))
time.sleep(1)
slack.slack_file('report', self.options, mess={
'title': "{0} | {1} | Output".format(self.options['TARGET'], self.module_name),
'filename': '{0}'.format(output_path),
})
def linkfinder(self):
utils.print_good('Starting linkfinder')
cmd = '$PLUGINS_PATH/linkfinder.py -i $BURPSTATE -b -o cli | tee $WORKSPACE/burp-$TARGET-linkfinder.txt'
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/burp-$TARGET-linkfinder.txt')
std_path = utils.replace_argument(
self.options, '$WORKSPACE/burp-$TARGET-linkfinder.txt')
execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
def generate_resource_file(stager, listener):
with open(f"{stager}.res", 'w') as resource_file:
resource_file.write("listeners\n")
resource_file.write(f"use {listener.name}\n")
resource_file.write(f"set BindIP {listener['BindIP']}\n")
resource_file.write(f"set Port {listener['Port']}\n")
resource_file.write("start")
print_good(f"Generated resource file: {filename}")
def gitrob(self):
utils.print_good('Starting gitrob')
really_target = utils.replace_argument(self.options, '$TARGET').split('/')[3] # only get organization name
cmd = '$GO_PATH/gitrob -save $WORKSPACE/gitscan/$TARGET-gitrob -threads 10 -github-access-token $GITHUB_API_KEY {0}'.format(really_target)
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/$TARGET-gitrob')
std_path = utils.replace_argument(self.options, '$WORKSPACE/gitscan/std-$TARGET-gitrob.std')
execute.send_cmd(cmd, output_path, std_path, self.module_name)
def eyewitness_common(self):
utils.print_good('Starting EyeWitness for web')
cmd = 'python $PLUGINS_PATH/EyeWitness/EyeWitness.py -f $WORKSPACE/subdomain/final-$TARGET.txt --web --prepend-https --threads 20 -d $WORKSPACE/screenshot/eyewitness-$TARGET/'
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(self.options,
'$WORKSPACE/screenshot/')
std_path = utils.replace_argument(
self.options, '$WORKSPACE/screenshot/std-eyewitness-$TARGET.std')
execute.send_cmd(cmd, output_path, std_path, self.module_name)
def initial(self):
#check if this module is done from portscan or not
require_file = utils.replace_argument(
self.options, '$WORKSPACE/vulnscan/$OUTPUT-nmap.xml')
if not os.path.exists(require_file):
self.nmap_vuln()
self.create_html()
else:
utils.print_good('This module is already run')
def linkfinder(self):
utils.print_good('Starting linkfinder')
cmd = '$PLUGINS_PATH/linkfinder.py -i $BURPSTATE -b -o cli | tee $WORKSPACE/burp-$TARGET-linkfinder.txt'
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/burp-$TARGET-linkfinder.txt')
std_path = utils.replace_argument(
self.options, '$WORKSPACE/burp-$TARGET-linkfinder.txt')
execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
def generate(self, listener):
with open('msbuild.xml', 'w') as stager:
with open('stagers/templates/msbuild.xml') as template:
template = template.read()
template = template.replace('C2_URL', f"https://{listener['BindIP']}:{listener['Port']}")
template = template.replace('C2_CHANNEL', f"{listener.name}")
stager.write(template)
print_good(f"Generated stager to {stager.name}")
print_info("Launch with 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe msbuild.xml'")
def create_ip_result(self):
utils.print_good('Create IP for list of domain result')
# check if direct input is file or just single string
if self.is_direct:
if utils.not_empty_file(self.is_direct):
cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $INPUT_LIST'
# just return if direct input is just a string
else:
return
else:
final_ip = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
if utils.not_empty_file(final_ip):
return
cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt'
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt')
execute.send_cmd(self.options, cmd, '', '', self.module_name)
utils.just_waiting(self.options, self.module_name, seconds=5)
# matching IP with subdomain
main_json = utils.reading_json(
utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json'))
# get ips from amass stuff
ips = []
if self.is_direct:
if self.options.get("INPUT_LIST"):
ips.extend(utils.extract_ip(self.options.get('INPUT_LIST')))
if utils.not_empty_file(output_path):
data = utils.just_read(output_path).splitlines()
for line in data:
if " A " in line:
subdomain = line.split('. A ')[0]
ip = line.split('. A ')[1]
ips.append(str(ip))
for i in range(len(main_json['Subdomains'])):
if subdomain == main_json['Subdomains'][i]['Domain']:
main_json['Subdomains'][i]['IP'] = ip
final_ip = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
utils.just_write(final_ip, "\n".join(ips))
utils.just_write(utils.replace_argument(self.options,
'$WORKSPACE/$COMPANY.json'),
main_json,
is_json=True)
def create_ip_result(self):
utils.print_good('Create IP for list of domain result')
cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt'
cmd = utils.replace_argument(self.options, cmd)
execute.run(cmd)
cmd = '''cat $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt | grep -e ' A ' | cut -d 'A' -f 2 | tr -d ' ' > $WORKSPACE/subdomain/final-IP-$OUTPUT.txt'''
cmd = utils.replace_argument(self.options, cmd)
execute.run(cmd)
utils.check_output(self.options,
'$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
def generate_resource_file(stager, listener):
filename = f"{stager}.res"
with open(filename, 'w') as resource_file:
resource_file.write("listeners\n")
resource_file.write(f"use {listener.name}\n")
resource_file.write(f"set BindIP {listener['BindIP']}\n")
resource_file.write(f"set Port {listener['Port']}\n")
resource_file.write("start\n")
resource_file.write("modules\n")
print_good(f"Generated resource file: {filename}")
def linkfinder(self):
utils.print_good('Starting linkfinder')
if self.is_direct:
if utils.not_empty_file(self.is_direct):
http_domains = utils.just_read(self.is_direct)
# just return if direct input is just a string
else:
domain = self.is_direct
strip_domain = utils.get_domain(domain)
if strip_domain == domain:
domain = 'http://' + domain
cmd = 'python3 $PLUGINS_PATH/LinkFinder/linkfinder.py -i {0} -d -o cli | tee $WORKSPACE/assets/linkfinder/{1}-linkfinder.txt'.format(
domain, strip_domain)
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options,
'$WORKSPACE/assets/linkfinder/{0}-linkfinder.txt'.format(
strip_domain))
std_path = utils.replace_argument(
self.options,
'$WORKSPACE/assets/linkfinder/{0}-linkfinder.std'.format(
strip_domain))
execute.send_cmd(self.options, cmd, output_path, std_path,
self.module_name)
return None
else:
if self.options['SPEED'] != 'slow':
utils.print_good("Skipping linkfinder in quick mode")
return None
http_domains = utils.replace_argument(
self.options, '$WORKSPACE/assets/http-$OUTPUT.txt')
utils.make_directory(self.options['WORKSPACE'] + '/assets/linkfinder')
if utils.not_empty_file(http_domains):
domains = utils.just_read(http_domains)
for domain in domains.splitlines():
strip_domain = utils.get_domain(domain)
cmd = 'python3 $PLUGINS_PATH/LinkFinder/linkfinder.py -i {0} -d -o cli | tee $WORKSPACE/assets/linkfinder/{1}-linkfinder.txt'.format(
domain, strip_domain)
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options,
'$WORKSPACE/assets/linkfinder/{0}-linkfinder.txt'.format(
strip_domain))
std_path = utils.replace_argument(
self.options,
'$WORKSPACE/assets/linkfinder/{0}-linkfinder.std'.format(
strip_domain))
execute.send_cmd(self.options, cmd, output_path, std_path,
self.module_name)
def __init__(self, options):
utils.make_directory(options['WORKSPACE'] + '/bruteforce/')
self.options = options
if utils.resume(self.options, self.module_name):
utils.print_info("It's already done. use '-f' options to force rerun the module")
return
if self.options['SPEED'] == 'slow':
self.routine()
elif self.options['SPEED'] == 'quick':
utils.print_good("Skipping for quick speed")
def run(self):
commands = execute.get_commands(self.options, self.module_name).get('routines')
for item in commands:
utils.print_good('Starting {0}'.format(item.get('banner')))
#really execute it
execute.send_cmd(self.options, item.get('cmd'), item.get(
'output_path'), item.get('std_path'), self.module_name)
utils.just_waiting(self.options, self.module_name, seconds=10)
#just save commands
logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json')
utils.save_all_cmd(self.options, logfile)
def dirsearch(self):
utils.print_good('Starting dirsearch')
if self.is_direct:
domains = utils.just_read(self.is_direct).splitlines()
else:
#matching IP with subdomain
main_json = utils.reading_json(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'))
domains = [x.get('Domain') for x in main_json['Subdomains']]
if self.options['DEBUG'] == 'True':
domains = domains[:5]
custom_logs = {"module": self.module_name, "content": []}
for part in utils.chunks(domains, 3):
for domain in part:
#just strip everything to save local, it won't affect the result
strip_domain = domain.replace(
'http://', '').replace('https://', '').replace('/', '-')
cmd = "python3 $PLUGINS_PATH/dirsearch/dirsearch.py -b -e php,zip,aspx,js --wordlist=$PLUGINS_PATH/wordlists/really-quick.txt --simple-report=$WORKSPACE/directory/quick/{1}-dirsearch.txt -t 50 -u {0}".format(
domain, strip_domain)
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/directory/quick/{0}-dirsearch.txt'.format(strip_domain))
std_path = utils.replace_argument(
self.options, '$WORKSPACE/directory/quick/std-{0}-dirsearch.std'.format(strip_domain))
execute.send_cmd(self.options, cmd, output_path,
std_path, self.module_name)
# time.sleep(0.5)
#set status to done because this gonna will be submit when all command was done
custom_logs['content'].append(
{"cmd": cmd, "std_path": std_path, "output_path": output_path, "status": "Done"})
#just wait couple seconds and continue but not completely stop the routine
time.sleep(20)
#submit a log
utils.print_info('Update activities log')
# utils.update_activities(self.options, str(custom_logs))
utils.force_done(self.options, self.module_name)
#just save commands
logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json')
utils.save_all_cmd(self.options, logfile)
def start(self):
"""
Start the selected listener
Usage: start [-h]
"""
try:
self.selected.start()
self.listeners.append(self.selected)
print_good(f"Listener '{self.selected['Name']}' started successfully!")
state.LISTENERS = len(self.listeners)
except Exception as e:
print_bad(f"Error starting listener '{self.selected['Name']}': {e}")
def quick_gobuster(self):
utils.print_good('Starting gobuster for short wordlist')
if self.is_direct:
domains = utils.just_read(self.is_direct).splitlines()
else:
#matching IP with subdomain
main_json = utils.reading_json(utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json'))
domains = [x.get('Domain') for x in main_json['Subdomains']]
if self.options['DEBUG'] == 'True':
domains = domains[:5]
custom_logs = {"module": self.module_name, "content": []}
for part in utils.chunks(domains, 3):
for domain in part:
#just strip everything to save local, it won't affect the result
strip_domain = domain.replace(
'http://', '').replace('https://', '').replace('/', '-')
cmd = '$GO_PATH/gobuster -k -q -e -x php,jsp,aspx,html,json -w $PLUGINS_PATH/wordlists/quick-content-discovery.txt -t 100 -o $WORKSPACE/directory/{1}-gobuster.txt -s 200,301,307 -u "{0}" '.format(
domain.strip(), strip_domain)
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/directory/quick/{0}-gobuster.txt'.format(strip_domain))
std_path = utils.replace_argument(
self.options, '$WORKSPACE/directory/quick/std-{0}-gobuster.std'.format(strip_domain))
execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
# time.sleep(0.5)
#set status to done because this gonna will be submit when all command was done
custom_logs['content'].append({"cmd": cmd, "std_path": std_path, "output_path": output_path, "status": "Done"})
#just wait couple seconds and continue but not completely stop the routine
time.sleep(20)
#submit a log
utils.print_info('Update activities log')
utils.force_done(self.options, self.module_name)
# utils.update_activities(self.options, str(custom_logs))
#just save commands
logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json')
utils.save_all_cmd(self.options, logfile)
def normal(options):
utils.print_good("Running with {0} speed".format(options['SPEED']))
# Create skeleton json
initials.Initials(options)
##Finding subdomain
subdomain.SubdomainScanning(options)
##waiting for previous module
utils.just_waiting(options, 'SubdomainScanning')
# ##Scanning for subdomain take over
takeover.TakeOverScanning(options)
##Screen shot the target on common service
screenshot.ScreenShot(options)
##Recon
recon.Recon(options)
##Scanning for CorsScan
cors.CorsScan(options)
# ##Discovery IP space
ipspace.IPSpace(options)
# ##SSL Scan
sslscan.SSLScan(options)
# ##Headers Scan
headers.HeadersScan(options)
# ##### Note: From here the module gonna take really long time for scanning service and stuff like that
utils.print_info('This gonna take a while')
# #Scanning all port using result from subdomain scanning and also checking vulnerable service based on version
portscan.PortScan(options)
#Directory scan
dirbrute.DirBrute(options)
# #Starting vulnerable scan
vulnscan.VulnScan(options)
# brutethings.BruteThings(options)
conclusion.Conclusion(options)
def job_result(self, result_tuple):
guid, job_id, data = result_tuple
session = list(filter(lambda x: x == guid, self.sessions))[0]
if not session.data:
session.set_session_info(data)
print_good(f"New session {session.guid} connected! ({session.address})")
state.SESSIONS = len(self.sessions)
return
for session in self.sessions:
if session == guid:
results = json.loads(session.crypto.decrypt(data))
print_good(f"{guid} returned job result (id: {job_id})")
print(results['result'])
def generate(self, listener, filename=None, as_string=False):
stager_filename = filename if filename else 'msbuild.xml'
with open('stagers/templates/msbuild.xml') as template:
template = template.read()
template = template.replace('C2_URL', f"{listener.name}://{listener['BindIP']}:{listener['Port']}")
if not as_string:
with open(stager_filename, 'w') as stager:
stager.write(template)
print_good(f"Generated stager to {stager.name}")
print_info(
f"Launch with 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe {stager_filename}'")
else:
return template
def create_ip_result(self):
utils.print_good('Create IP for list of domain result')
if self.is_direct:
cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $INPUT'
else:
final_ip = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
if utils.not_empty_file(final_ip):
return
cmd = '$PLUGINS_PATH/massdns/bin/massdns -r $PLUGINS_PATH/massdns/lists/resolvers.txt -t A -o S -w $WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt $WORKSPACE/subdomain/final-$OUTPUT.txt'
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/massdns-IP-$OUTPUT.txt')
execute.send_cmd(self.options, cmd, '', '', self.module_name)
utils.just_waiting(self.options, self.module_name, seconds=5)
# matching IP with subdomain
main_json = utils.reading_json(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'))
with open(output_path, 'r') as i:
data = i.read().splitlines()
ips = []
for line in data:
if " A " in line:
subdomain = line.split('. A ')[0]
ip = line.split('. A ')[1]
ips.append(ip)
for i in range(len(main_json['Subdomains'])):
if subdomain == main_json['Subdomains'][i]['Domain']:
main_json['Subdomains'][i]['IP'] = ip
final_ip = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
with open(final_ip, 'w+') as fip:
fip.write("\n".join(str(ip) for ip in ips))
utils.just_write(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'), main_json, is_json=True)
def gobuster(self):
utils.print_good('Starting gobuster')
if self.options['SPEED'] != 'slow':
utils.print_good("Skipping in quick mode")
return
main_json = utils.reading_json(utils.replace_argument(self.options, '$WORKSPACE/$COMPANY.json'))
domains = [x.get('Domain') for x in main_json['Subdomains']]
for domain in domains:
cmd = '$GO_PATH/gobuster -k -q -e -fw -x php,jsp,aspx,html,json -w $PLUGINS_PATH/wordlists/dir-all.txt -t 100 -o $WORKSPACE/directory/$TARGET-gobuster.txt -s 200,301,307 -u "$TARGET" '
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/directory/{0}-gobuster.json'.format(domain))
std_path = utils.replace_argument(
self.options, '$WORKSPACE/directory/std-{0}-gobuster.std'.format(domain))
execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name, True)
def masscan(self):
utils.print_good('Starting masscan')
time.sleep(1)
if self.is_direct:
ip_file = utils.replace_argument(
self.options, '$WORKSPACE/subdomain/final-IP-$OUTPUT.txt')
# print(ip_file)
# print(utils.just_read(ip_file))
ip_list = utils.just_read(ip_file).splitlines()
ip_list = list(set([ip for ip in ip_list if ip != 'N/A']))
else:
main_json = utils.reading_json(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'))
main_json['Modules'][self.module_name] = []
if self.options['SPEED'] == 'slow':
ip_list = [x.get("IP")
for x in main_json['Subdomains'] if x.get("IP") is not None] + main_json['IP Space']
elif self.options['SPEED'] == 'quick':
ip_list = [x.get("IP")
for x in main_json['Subdomains'] if x.get("IP") is not None]
ip_list = set([ip for ip in ip_list if ip != 'N/A'])
if self.options['DEBUG'] == "True":
utils.print_info("just testing 5 first host")
ip_list = list(ip_list)[:5]
utils.just_write(utils.replace_argument(
self.options, '$WORKSPACE/subdomain/IP-$TARGET.txt'), "\n".join(ip_list))
# print(ip_list)
time.sleep(1)
cmd = "sudo masscan --rate 1000 -p0-65535 -iL $WORKSPACE/subdomain/IP-$TARGET.txt -oX $WORKSPACE/portscan/$OUTPUT-masscan.xml --wait 0"
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/portscan/$OUTPUT-masscan.xml')
std_path = utils.replace_argument(
self.options, '$WORKSPACE/portscan/std-$OUTPUT-masscan.std')
execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
def nmap_vuln(self):
utils.print_good('Starting Nmap VulnScan')
if self.is_direct:
ip_list = utils.just_read(self.is_direct).splitlines()
ip_list = list(set([ip for ip in ip_list if ip != 'N/A']))
else:
main_json = utils.reading_json(utils.replace_argument(
self.options, '$WORKSPACE/$COMPANY.json'))
main_json['Modules'][self.module_name] = []
if self.options['SPEED'] == 'slow':
ip_list = [x.get("IP")
for x in main_json['Subdomains'] if x.get("IP") is not None] + main_json['IP Space']
elif self.options['SPEED'] == 'quick':
ip_list = [x.get("IP")
for x in main_json['Subdomains'] if x.get("IP") is not None]
ip_list = list(set([ip for ip in ip_list if ip != 'N/A']))
if self.options['DEBUG'] == 'True':
ip_list = list(ip_list)[:5]
# Scan every 5 IP at time Increse if you want
for part in utils.chunks(ip_list, 2):
for ip in part:
cmd = 'sudo nmap --open -T4 -Pn -n -sSV -p- {0} --script $PLUGINS_PATH/vulners.nse --oA $WORKSPACE/vulnscan/{0}-nmap'.format(
ip.strip())
cmd = utils.replace_argument(self.options, cmd)
output_path = utils.replace_argument(
self.options, '$WORKSPACE/vulnscan/{0}-nmap.nmap'.format(ip.strip()))
std_path = utils.replace_argument(
self.options, '$WORKSPACE/vulnscan/std-{0}-nmap.std'.format(ip.strip()))
execute.send_cmd(self.options, cmd, output_path, std_path, self.module_name)
# check if previous task done or not every 30 second
while not utils.checking_done(self.options, module=self.module_name):
time.sleep(60)
#just save commands
logfile = utils.replace_argument(self.options, '$WORKSPACE/log.json')
utils.save_all_cmd(self.options, logfile)
def sleuthql(self):
utils.print_good('Starting sleuthql')
cmd = 'python3 $PLUGINS_PATH/sleuthql/sleuthql.py -d $TARGET -f $BURPSTATE'
cmd = utils.replace_argument(self.options, cmd)
execute.send_cmd(self.options, cmd, '', '', self.module_name)
def sqlmap(self):
utils.print_good('Starting sqlmap')
cmd = '$PLUGINS_PATH/sqlmap/sqlmap.py -l $BURPSTATE --batch $MORE'
cmd = utils.replace_argument(self.options, cmd)
execute.send_cmd(self.options, cmd, '', '', self.module_name)
def dirhunt(self):
utils.print_good('Starting dirhunt')
cmd = 'dirhunt $TARGET $MORE --progress-disabled --threads 20 | tee $WORKSPACE/directory/$STRIP_TARGET-dirhunt.txt'
cmd = utils.replace_argument(self.options, cmd)
utils.print_info("Execute: {0} ".format(cmd))
execute.run(cmd)
