Vxscan – Comprehensive Scanning Tool

Python3 comprehensive scanning tool, mainly used for sensitive file detection (directory scanning and leaked JS interfaces), WAF/CDN identification, port scanning, fingerprint/service identification, operating system identification, weak password detection, POC scanning, SQL injection, CDN bypass (real IP lookup) and same-IP site lookup.

Update 2019.6.18
- Fixed fingerprint recognition erroring on IIS websites, modified apps.json
- Removed some third-party libraries and scripts that are prone to errors
- If a scan finishes in a flash, it is because the program first checks DNS resolution and ping reachability before scanning.
- The first time you use Vxscan, fake_useragent loads the UA list from https://fake-useragent.herokuapp.com/browsers/0.1.11, and a load timeout error may occur.

Requirements
Python version > 3.6
requests, tqdm, pyfiglet, fake-useragent, beautifulsoup4, geoip2, tldextract, python-nmap, lxml, pymongo, virustotal_python

apt install libpq-dev nmap
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
After decompressing, put the GeoLite2-City.mmdb inside into vxscan/db/GeoLite2-City.mmdb
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
After decompressing, put the GeoLite2-ASN.mmdb inside into vxscan/db/GeoLite2-ASN.mmdb
pip3 install -r requirements.txt

Features
- Generate a dictionary list using the Cartesian product method; custom dictionary lists are supported
- Random UserAgent, XFF, X-Real-IP
- Custom 404 page recognition: request random pages and compare the similarity of the responses through difflib; custom 302 jumps are identified the same way
- When scanning directories, first detect the HTTP ports and add all HTTP ports of one host to the scan targets
- Filter invalid Content-Type and invalid status codes
- WAF/CDN detection
- Use a socket to send packets to detect common ports, and send different payloads to fingerprint the port service
- Hosts that show every port open (portspoof) are automatically skipped
- Call wappalyzer.json and WebEye to determine the website fingerprint
- Websites detected as behind a CDN or WAF are automatically skipped
- Call nmap to identify the operating system fingerprint
- Call weak password detection scripts based on the open ports (FTP/SSH/TELNET/Mysql/MSSQL...)
- Call POC scans based on fingerprint identification or port, or on the open WEB ports of an IP
- Analyze sensitive asset information (domain names, mailboxes, API keys, passwords, etc.) in JS files
- Grab website links and test for SQL injection, LFI, etc.
- Call some online interfaces to obtain information from VT, www.yougetsignal.com and other websites: determine the real IP through VT pdns, and query same-IP sites via www.yougetsignal.com and api.hackertarget.com

Usage
python3 Vxscan.py -h
optional arguments:
  -h, --help                     show this help message and exit
  -u URL, --url URL              Start scanning this url -u xxx.com
  -i INET, --inet INET           cidr eg. 1.1.1.1 or 1.1.1.0/24
  -f FILE, --file FILE           read the url from the file
  -t THREADS, --threads THREADS  Set scan thread, default 150
  -e EXT, --ext EXT              Set scan suffix, -e php,asp
  -w WORD, --word WORD           Read the dict from the file

1. Scan a website
python3 vxscan.py -u http://www.xxx.com/
2. Scan websites from a file list
python3 vxscan.py -f hosts.txt
3. cidr eg. 1.1.1.1 or 1.1.1.0/24
python3 vxscan.py -i 127.0.0.0/24
4. Set 100 threads, combine only the php suffix, use a custom dictionary
python3 vxscan.py -u http://www.xxx.com -e php -t 100 -w ../dict.txt

Structure
/
├─Vxscan.py            main file
├─db
│  ├─apps.json         Web fingerprint information
│  ├─apps.txt          Web fingerprint information (WEBEYE)
│  ├─password.txt      password
├─report               Report directory
├─lib
│  ├─common.py         Determine CDN, port scan, POC scan, etc.
│  ├─color.py          Terminal color output
│  ├─active.py         Judge DNS resolution and ping IP survival
│  ├─save_html.py      Generate html report
│  ├─waf.py            waf rules
│  ├─osdetect.py       Operating system version identification
│  ├─random_header.py  random header
│  ├─scan_port.py      PortScan
│  ├─jsparse.py        Grab the website js links, analyze ip addresses, links, emails, etc.
│  ├─settings.py       Setting
│  ├─pyh.py            Generate html
│  ├─wappalyzer.py     Fingerprint recognition script
│  ├─sql_injection.py  Grab the website links and test the SQL injection script
├─script
│  ├─Poc.py            Poc script
│  ├─……
├─requirements.txt
├─logo.jpg
├─error.log

Waf/CDN list
360, 360wzws, Anquanbao, Armor, BaiduYunjiasu, AWS WAF, AdNovum, Airee CDN, Art of Defence HyperGuard, ArvanCloud, Barracuda NG, Beluga CDN, BinarySEC, BlockDoS, Bluedon IST, CacheFly CDN, ChinaCache CDN, Cisco ACE XML Gateway, CloudFlare CDN, Cloudfront CDN, Comodo, CompState, DenyALL WAF, DenyAll, Distil Firewall, DoSArrest Internet Security, F5 BIG-IP APM, F5 BIG-IP ASM, F5-TrafficShield, Fastly CDN, FortiWeb, FortiWeb Firewall, GoDaddy, GreyWizard Firewall, HuaweiCloudWAF, HyperGuard Firewall, IBM DataPower, ISAServer, Immunify360, Imperva SecureSphere, Incapsula CDN, Jiasule, KONA, KeyCDN, ModSecurity, NGENIX CDN, NSFOCUS, Naxsi, NetContinuum, NetContinuum WAF, Neusoft SEnginx, Newdefend, Palo Alto Firewall, PerimeterX Firewall, PowerCDN, Profense, Qiniu CDN, Reblaze Firewall, SDWAF, Safe3, Safedog, SiteLock TrueShield, SonicWALL, SonicWall, Sophos UTM Firewall, Stingray, Sucuri, Teros WAF, Usp-Sec, Varnish, Wallarm, WatchGuard, WebKnight, West263CDN, Yundun, Yunsuo, ZenEdge Firewall, aesecure, aliyun, azion CDN, cloudflare CDN, dotDefender, limelight CDN, maxcdn CDN, mod_security, yunsuo

Output
The following is the result for the AWVS scanner test website (testphp.vulnweb.com):

[
  {
    "testphp.vulnweb.com": {
      "WAF": "NoWAF",
      "Webinfo": {
        "apps": ["Nginx", "PHP", "DreamWeaver", "php"],
        "title": "Home of Acunetix Art",
        "server": "nginx/1.4.1",
        "pdns": ["176.28.50.165 : 2019-06-09 02:05:52"],
        "reverseip": [
          "176.28.50.165",
          "rs202995.rs.hosteurope.de",
          "testhtml5.vulnweb.com",
          "testphp.ingensec.ch",
          "testphp.ingensec.com",
          "testphp.ingensec.fr",
          "testphp.vulnweb.com",
          "vulnweb.com",
          "www.vulnweb.com"
        ]
      },
      "Ports": ["IMAPS:993", "ssh:22", "imap:143", "http:80", "Unknown:8880", "pop:110", "POP3:995", "smtp:25", "Unknown:8443", "SMTPS:465", "DNS:53", "ftp:21"],
      "Ipaddr": "176.28.50.165",
      "Address": "德国 ",
      "Vuln": [
        "http://testphp.vulnweb.com | Home of Acunetix Art",
        "MySQL SQLi:http://testphp.vulnweb.com/search.php?test=query",
        "MySQL SQLi:http://testphp.vulnweb.com/artists.php?artist=1",
        "MySQL SQLi:http://testphp.vulnweb.com/listproducts.php?cat=2"
      ],
      "URLS": [
        {"rsp_code": 200, "rsp_len": 12473, "title": "None", "contype": "xml", "url": "/.idea/workspace.xml"},
        {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Root"},
        {"rsp_code": 200, "rsp_len": 4732, "title": "search", "contype": "html", "url": "/search.php"},
        {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Entries"},
        {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "plain", "url": "/index.bak"},
        {"rsp_code": 200, "rsp_len": 143, "title": "None", "contype": "xml", "url": "/.idea/scopes/scope_settings.xml"},
        {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "zip", "url": "/index.zip"},
        {"rsp_code": 200, "rsp_len": 275, "title": "None", "contype": "xml", "url": "/.idea/modules.xml"},
        {"rsp_code": 200, "rsp_len": 5523, "title": "login page", "contype": "html", "url": "/login.php"},
        {"rsp_code": 200, "rsp_len": 278, "title": "Index of /admin/", "contype": "html", "url": "/admin/"},
        {"rsp_code": 200, "rsp_len": 224, "title": "None", "contype": "xml", "url": "/crossdomain.xml"},
        {"rsp_code": 302, "rsp_len": 14, "title": "None", "contype": "html", "url": "/userinfo.php"},
        {"rsp_code": 200, "rsp_len": 6, "title": "None", "contype": "plain", "url": "/.idea/.name"},
        {"rsp_code": 200, "rsp_len": 4958, "title": "Home of Acunetix Art", "contype": "html", "url": "/index.php"}
      ]
    }
  }
]

Note
- Design ideas referenced from cnnetarmy Srchunter
- The weak password module refers to brut3k1t: https://github.com/ex0dus-0x/brut3k1t
- Fingerprint recognition mainly calls Wappalyzer and WebEye: https://github.com/b4ubles/python3-Wappalyzer and https://github.com/zerokeeper/WebEye
- POC referenced from: BBscan scanner https://github.com/lijiejie/BBScan, POC-T https://github.com/Xyntax/POC-T/tree/2.0/script, Perun https://github.com/WyAtu/Perun
- Port scan and service judgment refer to anthx: https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py
- Injection crawler reference: DSSS https://github.com/stamparm/DSSS
- JS sensitive information regex extraction reference: https://github.com/nsonaniya2010/SubDomainizer
- WAF judgment uses the wafw00f and WhatWaf rules: https://github.com/EnableSecurity/wafw00f and https://github.com/Ekultek/WhatWaf

Download Vxscan

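The custom-404 recognition in the Vxscan feature list (request a random page, then compare later responses to it with difflib) is the part of a directory scanner that decides whether a "200 OK" is real content or a disguised not-found page. The block below is an added example in Python and is not Vxscan's own code: it captures a baseline body from a path that cannot exist, then drops hits whose body is near-identical to that baseline, after also applying the status and Content-Type filters the feature list mentions. The 0.9 threshold, the content-type whitelist and the HTTP responses are assumptions constructed for the example so it runs offline.

```python
"""Custom-404 recognition and result filtering (added example, not Vxscan
code): a random, certainly-nonexistent path gives the "not found" baseline,
and any later hit whose body is near-identical to it is discarded."""
import difflib
import secrets

SOFT404_THRESHOLD = 0.9          # assumed; tune per target
INTERESTING_STATUS = {200, 302}  # statuses worth reporting at all
VALID_CONTENT_TYPES = ("text/html", "text/plain", "text/xml",
                       "application/xml", "application/json")


def random_probe_path(ext=""):
    """A path no real site serves, used to capture the custom 404 page."""
    return "/" + secrets.token_hex(8) + ext


def normalise(body):
    """Collapse whitespace so layout-only differences do not count."""
    return " ".join(body.split())


def similarity(a, b):
    """difflib ratio in [0, 1]; 1.0 means identical after normalisation."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b),
                                   autojunk=False).ratio()


def is_soft_404(body, baseline_body, threshold=SOFT404_THRESHOLD):
    """True when a page that returned 200 is really the site's 404 page."""
    return similarity(body, baseline_body) >= threshold


def filter_hits(responses, baseline_body, threshold=SOFT404_THRESHOLD):
    """Keep only real content from (url, status, content_type, body) tuples."""
    hits = []
    for url, status, content_type, body in responses:
        if status not in INTERESTING_STATUS:
            continue                                   # plain 404/403/5xx
        if not content_type.lower().startswith(VALID_CONTENT_TYPES):
            continue                                   # images, fonts, ...
        if is_soft_404(body, baseline_body, threshold):
            continue                                   # disguised 404
        hits.append(url)
    return hits


# Constructed responses: what a scanner gets back from a site whose custom
# 404 page carries a per-request id but is served with HTTP 200.
BASELINE = ("<html><head><title>Oops</title></head><body>"
            "<h1>Page not found</h1><p>Request id 8f3a</p></body></html>")
SAMPLE_RESPONSES = [
    ("/admin/", 200, "text/html",
     "<html><head><title>Index of /admin/</title></head><body>"
     "<h1>Index of /admin/</h1><a href=\"config.php\">config.php</a>"
     "</body></html>"),
    ("/old.bak", 200, "text/html",
     "<html><head><title>Oops</title></head><body>"
     "<h1>Page not found</h1><p>Request id 91cc</p></body></html>"),
    ("/logo.png", 200, "image/png", "\x89PNG...binary..."),
    ("/missing", 404, "text/html", BASELINE),
]

if __name__ == "__main__":
    print("baseline probe path:", random_probe_path(".php"))
    print("real hits:", filter_hits(SAMPLE_RESPONSES, BASELINE))  # ['/admin/']
```

Whitespace normalisation before comparing matters because many templates pad error pages with indentation that differs per route; comparing raw bodies would push real matches below the threshold. The same similarity check is what lets a scanner treat a site-wide 302 to a generic "not found" URL as a miss rather than a finding.
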
Link: http://feedproxy.google.com/~r/PentestTools/~3/0ZDcFApPJl8/vxscan-comprehensive-scanning-tool.html

BlueGhost – A Network Tool Designed To Assist Blue Teams In Banning Attackers From Linux Servers

This tool utilizes various Linux network tools and bash scripting to assist blue teams in defending Debian and Ubuntu based servers from malicious attackers.

- Scan/Ban: shows connected IPs, scans IP addresses for open ports using nmap and runs a whois search to gather reconnaissance on connected IPs, shows activity on the system, checks abuseipdb.com for reports and offers a ban function to ban unwanted IPs using iptables.
- UbanAnAddress: a function to unban IPs.
- ListAllBanned: a function to list all banned IPs.
- TraceRoute: a function to perform traceroutes on IPs.

Installation
Enter this one-liner command in a terminal to install:
sudo git clone https://github.com/d4rk007/BlueGhost; cd BlueGhost; source install.sh; cd;

Download BlueGhost

Link: http://feedproxy.google.com/~r/PentestTools/~3/pFM6w1Spwtc/blueghost-network-tool-designed-to.html

Seccubus – Easy Automated Vulnerability Scanning, Reporting And Analysis

Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of its output, both on the first scan and on repeated scans. On repeated scans, delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.

Seccubus 2.x is the only actively developed and maintained branch, and all support for Seccubus V1 has officially been dropped.

Seccubus V2 works with the following scanners:
- Nessus
- OpenVAS
- Skipfish
- Medusa (local and remote)
- Nikto (local and remote)
- NMap (local and remote)
- OWASP-ZAP (local and remote)
- SSLyze
- Medusa
- Qualys SSL labs
- testssl.sh (local and remote)

For more information visit www.seccubus.com

Default password, change it!!!!!
After installation the default username and password for Seccubus is:
admin / GiveMeVulns!
It is highly recommended you change this after installation:
/bin/seccubus_passwd -u admin

Change log
Changes of this branch vs the latest/previous release
x-x-2019 – v2.53 Development release
This is work in progress
Differences with 2.52

Download Seccubus

Link: http://feedproxy.google.com/~r/PentestTools/~3/V6X3rDBzIjs/seccubus-easy-automated-vulnerability.html

UPDATE: Kali Linux 2019.2 Release

PenTestIT RSS Feed
Kali Linux 2019.2, the latest and the greatest Kali Linux release is now officially available! This is the second 2019 release, which comes after Kali Linux 2019.1, that was made available in the month of February. This new release majorly focuses on Kali Linux NetHunter updates including 13 new images and added device support along with
The post UPDATE: Kali Linux 2019.2 Release appeared first on PenTestIT.

Link: http://pentestit.com/update-kali-linux-2019-2-release/

Trigmap – A Wrapper For Nmap To Automate The Pentest

Trigmap is a wrapper for Nmap. You can use it to easily start Nmap scans and especially to collect information into a well organized directory hierarchy. The use of Nmap makes the script portable (easy to run not only on Kali Linux) and very efficient thanks to the optimized Nmap algorithms.

Details
Trigmap can perform several tasks using the Nmap scripting engine (NSE):
- Port Scan
- Service and Version Detection
- Web Resources Enumeration
- Vulnerability Assessment
- Common Vulnerabilities Test
- Common Exploits Test
- Dictionary Attacks Against Active Services
- Default Credentials Test

Usage
Trigmap can be used in two ways:
Interactive mode: trigmap [ENTER], and the script does the rest
NON-interactive mode:
trigmap -h|--host [-tp|--tcp TCP ports] [-up|--udp UDP ports] [-f|--file file path] [-s|--speed time profile] [-n|--nic NIC] [-p|--phase phases]
If you want to see the help: trigmap --help prints this helper.
For more screenshots see the relative directory of the repository.

Dir Hierarchy

Customization
It's possible to customize the script by changing the value of variables at the beginning of the file. In particular you can choose the wordlists used by the Nmap scripts and the most important Nmap scan parameters (ping, scan, timing and script).

################################################
# PARAMETERS
################################################
GENERAL_USER_LIST='general_user_wordlist_short.txt'
WIN_USER_LIST='win_user_wordlist_short.txt'
UNIX_USER_LIST='unix_user_wordlist_short.txt'
SHORT_PASS_LIST='fasttrack.txt'
LONG_PASS_LIST='rockyou.txt'
################################################
# NMAP SETTING
################################################
# PE (echo req), PP (timestamp-request)
# you can add a port on every ping scan
NMAP_PING='-PE -PS80,443,22,25,110,445 -PU -PP -PA80,443,22,25,110,445'
NMAP_OTHER='-sV --allports -O --fuzzy --min-hostgroup 256'
SCRIPT_VA='(auth or vuln or exploit or http-* and not dos)'
SCRIPT_BRUTE='(auth or vuln or exploit or http-* or brute and not dos)'
SCRIPT_ARGS="userdb=$GENERAL_USER_LIST,passdb=$SHORT_PASS_LIST"
CUSTOM_SCAN='--max-retries 3 --min-rate 250' # LIKE UNICORNSCAN

Twin Brother
This project is very similar to Kaboom, but it has a different philosophy; in fact, it uses only Nmap, while Kaboom uses different tools, one for each task. The peculiarity of Trigmap is its portability and efficiency, but it's recommended to use both tools to scan the targets in such a way as to gather more evidence with different tools (redundancy and reliability).

Download Trigmap

Link: http://feedproxy.google.com/~r/PentestTools/~3/4v03LmjMcd4/trigmap-wrapper-for-nmap-to-automate.html

Sn1per v7.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Detailed host reports
- NMap HTML host reports
- Quick links to online recon tools and Google hacking queries
- Takeovers and Email Security
- HTML5 Notepad

ORDER SN1PER PROFESSIONAL:
To obtain a Sn1per Professional license, go to https://xerosecurity.com.

DEMO VIDEO:

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

EXPLOITS:
- Drupal RESTful Web Services unserialize() SA-CORE-2019-003
- Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
- Drupal: CVE-2018-7600: Remote Code Execution – SA-CORE-2018-002
- GPON Routers – Authentication Bypass / Command Injection CVE-2018-10561
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Apache Tomcat: Remote Code Execution (CVE-2017-12617)
- Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
- Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- Apache Struts 2 Framework Checks – REST plugin with XStream handler (CVE-2017-9805)
- Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
- Shellshock Bash Shell remote code execution CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
- MS08-067 Microsoft Server Service Relative Path Stack Corruption
- Webmin File Disclosure CVE-2006-3392
- VsFTPd 2.3.4 Backdoor
- ProFTPd 1.3.3C Backdoor
- MS03-026 Microsoft RPC DCOM Interface Overflow
- DistCC Daemon Command Execution
- JBoss Java De-Serialization
- HTTP Writable Path PUT/DELETE File Access
- Apache Tomcat User Enumeration
- Tomcat Application Manager Login Bruteforce
- Jenkins-CI Enumeration
- HTTP WebDAV Scanner
- Android Insecure ADB
- Anonymous FTP Access
- PHPMyAdmin Backdoor
- PHPMyAdmin Auth Bypass
- OpenSSH User Enumeration
- LibSSH Auth Bypass
- SMTP User Enumeration
- Public NFS Mounts

KALI LINUX INSTALL:
bash install.sh
UBUNTU/DEBIAN/PARROT INSTALL:
bash install_debian_ubuntu.sh
DOCKER INSTALL:
docker build Dockerfile

USAGE:
[*] NORMAL MODE
sniper -t|--target
[*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce
[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon
[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>
[*] FLYOVER MODE
sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>
[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike
[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>
[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly
[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>
[*] WEB MODE – PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web
[*] HTTP WEB PORT HTTP MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
[*] WEBSCAN MODE
sniper -t|--target <TARGET> -m|--mode webscan
[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce
[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall
[*] DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d
[*] DELETE HOST FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh
[*] SCHEDULED SCANS
sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly
[*] SCAN STATUS
sniper --status
[*] UPDATE SNIPER
sniper -u|--update

MODES:
- NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- WEBSCAN: Launches a full HTTP & HTTPS web application scan via Burpsuite and Arachni.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per

Link: http://feedproxy.google.com/~r/PentestTools/~3/IoUOymJezTw/sn1per-v70-automated-pentest-framework.html

BruteDum – Brute Force Attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC With Hydra, Medusa And Ncrack

BruteDum is a SSH, FTP, Telnet, PostgreSQL, RDP, VNC brute forcing tool with Hydra, Medusa and Ncrack. BruteDum can work with any Linux distro if it has Python 3.

Features of BruteDum
- SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra (recommended)
- SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Medusa
- SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Ncrack
- Scan victim's ports with Nmap

Install and run on Linux
You have to install Python 3 first:
Install Python 3 on Arch Linux and its distros: sudo pacman -S python3
Install Python 3 on Debian and its distros: sudo apt install python3
You have to install Hydra, Medusa, Nmap and Ncrack too:
On Arch Linux and its distros: sudo pacman -S nmap hydra medusa ncrack
On Debian and its distros: sudo apt install nmap hydra medusa ncrack
git clone https://github.com/GitHackTools/BruteDum
cd BruteDum
python3 brutedum.py

Screenshots
[Screenshot: Scanning victim's ports with Nmap]
[Screenshot: Ready to brute force]
[Screenshot: Brute force has done]

Contact
Twitter: @SecureGF

Download BruteDum

Link: http://feedproxy.google.com/~r/PentestTools/~3/3Z-_-kI5aD8/brutedum-brute-force-attacks-ssh-ftp.html

Goscan – Interactive Network Scanner

GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of "screen", etc.), given that it fires scans and maintains their state in an SQLite database. Scans run in the background (detached from the main thread), so even if the connection to the box running GoScan is lost, results can be uploaded asynchronously (more on this below). That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.

Installation
Binary installation (Recommended)
Binaries are available from the Release page.
# Linux (64bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_amd64.zip
$ unzip goscan_2.3_linux_amd64.zip
# Linux (32bit)
$ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_386.zip
$ unzip goscan_2.3_linux_386.zip
# After that, place the executable in your PATH
$ chmod +x goscan
$ sudo mv ./goscan /usr/local/bin/goscan

Build from source
$ git clone https://github.com/marco-lancini/goscan.git
$ cd goscan/goscan/
$ make setup
$ make build
To create a multi-platform binary, use the cross command via make:
$ make cross

Docker
$ git clone https://github.com/marco-lancini/goscan.git
$ cd goscan/
$ docker-compose up --build

Usage
GoScan supports all the main steps of network enumeration:

1. Load targets
   - Add a single target via the CLI (must be a valid CIDR): load target SINGLE
   - Upload multiple targets from a text file or folder: load target MULTI <path-to-file>
2. Host Discovery
   - Perform a Ping Sweep: sweep <TYPE> <TARGET>
   - Or load results from a previous discovery:
     Add a single alive host via the CLI (must be a /32): load alive SINGLE <IP>
     Upload multiple alive hosts from a text file or folder: load alive MULTI <path-to-file>
3. Port Scanning
   - Perform a port scan: portscan <TYPE> <TARGET>
   - Or upload nmap results from XML files or folder: load portscan <path-to-file>
4. Service Enumeration
   - Dry Run (only show commands, without performing them): enumerate <TYPE> DRY <TARGET>
   - Perform enumeration of detected services: enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET>
5. Special Scans
   - EyeWitness: take screenshots of websites, RDP services, and open VNC servers (KALI ONLY): special eyewitness (EyeWitness.py needs to be in the system path)
   - Extract (Windows) domain information from enumeration data: special domain <users/hosts/servers>
   - DNS: enumerate DNS (nmap, dnsrecon, dnsenum): special dns DISCOVERY <domain>
     Bruteforce DNS: special dns BRUTEFORCE <domain>
     Reverse Bruteforce DNS: special dns BRUTEFORCE_REVERSE <domain> <base_IP>
Utils
   - Show results: show <targets/hosts/ports>
   - Automatically configure settings by loading a config file: set config_file <PATH>
   - Change the output folder (by default ~/goscan): set output_folder <PATH>
   - Modify the default nmap switches: set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES>
   - Modify the default wordlists: set_wordlists <FINGER_USER/FTP_USER/...> <PATH>

External Integrations
The Service Enumeration phase currently supports the following integrations:
WHAT    INTEGRATION
ARP     nmap
DNS     nmap, dnsrecon, dnsenum, host
FINGER  nmap, finger-user-enum
FTP     nmap, ftp-user-enum, hydra [AGGRESSIVE]
HTTP    nmap, nikto, dirb, EyeWitness, sqlmap [AGGRESSIVE], fimap [AGGRESSIVE]
RDP     nmap, EyeWitness
SMB     nmap, enum4linux, nbtscan, samrdump
SMTP    nmap, smtp-user-enum
SNMP    nmap, snmpcheck, onesixtyone, snmpwalk
SSH     hydra [AGGRESSIVE]
SQL     nmap
VNC     EyeWitness

Download Goscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/QvZdo-L3mC8/goscan-interactive-network-scanner.html

Freevulnsearch – Free And Open NMAP NSE Script To Query Vulnerabilities Via The cve-search.org API

This NMAP NSE script is part of the Free OCSAF project – https://freecybersecurity.org. In conjunction with the version scan "-sV" in NMAP, the corresponding vulnerabilities are automatically assigned using CVE (Common Vulnerabilities and Exposures) and the severity of the vulnerability is assigned using CVSS (Common Vulnerability Scoring System). For more clarity, the CVSS scores are also mapped to the corresponding CVSS v3.0 ratings:
- Critical (CVSS 9.0 – 10.0)
- High (CVSS 7.0 – 8.9)
- Medium (CVSS 4.0 – 6.9)
- Low (CVSS 0.1 – 3.9)
- None (CVSS 0.0)

The CVEs are queried by default using the CPEs determined by NMAP via the ingenious and public API of the cve-search.org project, which is provided by circl.lu. For more information visit https://www.cve-search.org/api/.

Confidentiality information:
The queries are made using the determined CPE via the circl.lu API. For further information on the confidentiality of the circl.lu API, please visit https://www.circl.lu/services/cve-search/ directly. The best way is to install cve-search (https://github.com/cve-search/cve-search) locally and use your own API with
nmap -sV --script freevulnsearch --script-args apipath= <target>

Installation:
You can either specify the script path directly in the NMAP command, for example
nmap -sV --script ~/freevulnsearch <target>
or copy the script into the appropriate directory of your NMAP installation. In Kali Linux™ for example: /usr/share/nmap/scripts/
sudo nmap --script-updatedb
Important note: First read the confidentiality information. It is recommended to run freevulnsearch.nse separately without additional NSE scripts. If you do not want to make an assignment to the categories safe, vuln and external, then do not execute the nmap --script-updatedb command mentioned above.

Usage:
The usage is simple, just use NMAP -sV and this script.
nmap -sV --script freevulnsearch <target>
According to my tests, for stability reasons, only http without TLS should be used when querying the API with many simultaneous requests. For this reason, you can optionally disable TLS using an input argument. Important: after that the API query to circl.lu is unencrypted.
nmap -sV --script freevulnsearch --script-args notls=yes <target>
If you scan with the categories safe or vuln then exclude the script or the category external, or do not add the script to the NMAP default directory. It is recommended to run freevulnsearch.nse separately without additional NSE scripts.

CPE exception handling for format:
If a NMAP CPE is not clear, several functions in the freevulnsearch.nse script check whether the formatting of the CPE is inaccurate. For example:
- (MySQL) 5.0.51a-3ubuntu5 -to- 5.0.51a
- (Exim smtpd) 4.90_1 -to- 4.90
- (OpenSSH) 6.6.1p1 -to- 6.6:p1
- (OpenSSH) 7.5p1 -to- 7.5:p1
- ...

Download Freevulnsearch
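The two mechanical parts of what freevulnsearch does, banding a CVSS v3.0 score into the ratings listed above and rewriting nmap's version string into a form a CPE lookup accepts, are shown below as an added Python example; it is not the NSE script's own code (that is Lua). The severity bands are the ones on the page; the version rewrites generalise the four listed examples into three rules (drop a "-distro" suffix, drop a "_build" suffix, and turn an OpenSSH "X.Y[.Z]pN" release into "X.Y:pN"), which is my reading of them rather than the script's exact logic; the API base path, the CPE vendor/product values and the CVE records are assumptions constructed for the example, and api_url also shows what the notls option costs.

```python
"""CVSS v3.0 banding and CPE version clean-up (added example, not the
freevulnsearch.nse code). Rules generalised from the page's four examples."""
import re

# Assumed default; the real script takes the path via --script-args apipath=.
DEFAULT_APIPATH = "https://cve.circl.lu/api/cvefor/"


def cvss3_severity(score):
    """Map a CVSS v3.0 base score to the rating bands listed on the page."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


def normalise_version(version):
    """Rewrite an nmap-reported version into the form a CPE lookup expects."""
    v = version.strip()
    v = v.split("-", 1)[0]   # 5.0.51a-3ubuntu5 -> 5.0.51a (distro suffix)
    v = v.split("_", 1)[0]   # 4.90_1 -> 4.90 (build suffix)
    m = re.fullmatch(r"(\d+\.\d+)(?:\.\d+)?p(\d+)", v)
    if m:                    # 6.6.1p1 -> 6.6:p1, 7.5p1 -> 7.5:p1
        v = f"{m.group(1)}:p{m.group(2)}"
    return v


def build_cpe(part, vendor, product, version):
    """Assemble a CPE 2.2 URI such as cpe:/a:openbsd:openssh:6.6:p1."""
    return f"cpe:/{part}:{vendor}:{product}:{normalise_version(version)}"


def api_url(cpe, apipath=DEFAULT_APIPATH, notls=False):
    """Query URL for a CPE. notls mirrors the page's notls=yes argument: the
    scheme is downgraded to http, so the CPE list (your software inventory)
    leaves the host unencrypted unless apipath points at a local instance."""
    url = apipath.rstrip("/") + "/" + cpe
    if notls and url.startswith("https://"):
        url = "http://" + url[len("https://"):]
    return url


def bucket_by_severity(cves):
    """Group CVE records ({'id': ..., 'cvss': float}) by rating, worst first."""
    order = ["Critical", "High", "Medium", "Low", "None"]
    buckets = {name: [] for name in order}
    for cve in cves:
        buckets[cvss3_severity(cve["cvss"])].append(cve["id"])
    return {name: sorted(ids) for name, ids in buckets.items() if ids}


# Constructed sample records; the ids are placeholders, not real CVEs.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0002", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-0003", "cvss": 5.3},
    {"id": "CVE-EXAMPLE-0004", "cvss": 3.1},
    {"id": "CVE-EXAMPLE-0005", "cvss": 0.0},
]

if __name__ == "__main__":
    cpe = build_cpe("a", "openbsd", "openssh", "6.6.1p1")
    print(cpe, "->", api_url(cpe, notls=True))
    for rating, ids in bucket_by_severity(SAMPLE_CVES).items():
        print(f"{rating:8s} {', '.join(ids)}")
```

The order of the rewrites matters: the suffix strips run first so that a string such as "7.5p1-4" still reaches the OpenSSH rule, and versions that match none of the rules (nginx/1.4.1, say) pass through unchanged.
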

Link: http://www.kitploit.com/2019/03/freevulnsearch-free-and-open-nmap-nse.html

Decker – Declarative Penetration Testing Orchestration Framework

Decker is a penetration testing orchestration framework. It leverages HashiCorp Configuration Language 2 (the same config language as Terraform) to allow declarative penetration testing as code, so your tests can be versioned, shared, reused, and collaborated on with your team or the community.Example of a decker config file:// variables are pulled from environment// ex: DECKER_TARGET_HOST// they will be available throughout the config files as var.*// ex: ${var.target_host}variable “target_host" { type = "string"}// resources refer to plugins// resources need unique names so plugins can be used more than once// they are declared with the form: ‘resource "plugin_name" "unique_name" {}’// their outputs will be available to others using the form unique_name.*// ex: nmap.443resource "nmap" "nmap" { host = "${var.target_host}" plugin_enabled = "true"}resource "sslscan" "sslscan" { host = "${var.target_host}" plugin_enabled = "${nmap.443 == "open"}"}Run a plugin for each item in a list:variable "target_host" { type = "string"}resource "nslookup" "nslookup" { dns_server = "8.8.4.4" host = "${var.target_host}"}resource "metasploit" "metasploit" { for_each = "${nslookup.ip_address}" exploit = "auxiliary/scanner/portscan/tcp" options = { RHOSTS = "${each.key}/32" INTERFACE = "eth0" }}Complex configuration combining for_each with nested values:variable "target_host" { type = "string"}resource "nslookup" "nslookup" { dns_server = "8.8.4.4" host = "${var.target_host}"}resource "nmap" "nmap" { for_each = "${nslookup.ip_address}" host = "${each.key}"}// for each IP, check if nmap found port 25 open.// if yes, run metasploit’s smtp_enum scannerresource "metasploit" "metasploit" { for_each = "${nslookup.ip_address}" exploit = "auxiliary/scanner/smtp/smtp_enum" options = { RHOSTS = "${each.key}" } plugin_enabled = "${nmap["${each.key}"].25 == "open"}"}Output formatsSeveral output formats are available and more than one can be selected at the same time.Setting DECKER_OUTPUTS_JSON or 
DECKER_OUTPUTS_XML to "true" will output json and xml formatted files respectively.

Output .json files in addition to plain text:

    export DECKER_OUTPUTS_JSON="true"

Output .xml files in addition to plain text:

    export DECKER_OUTPUTS_XML="true"

Why the name decker?

My friend Courtney came to the rescue when I was struggling to come up with a name and found decker in a SciFi word glossary… and it sounded cool.

A future cracker; a software expert skilled at manipulating cyberspace, especially at circumventing security precautions.

Running an example config with docker

Two volumes are mounted:

- Directory named decker-reports where decker will output a file for each plugin executed. The file's name will be {unique_resource_name}.report.txt.
- examples directory containing decker config files. Mounting this volume allows you to write configs locally using your favorite editor and still run them within the container.

One environment variable is passed in:

- DECKER_TARGET_HOST

This is referenced in the config files as {var.target_host}. Decker will loop through all environment variables named DECKER_*, stripping away the prefix and setting the rest to lowercase.

    docker run -it --rm \
      -v "$(pwd)/decker-reports/":/tmp/reports/ \
      -v "$(pwd)/examples/":/decker-config/ \
      -e DECKER_TARGET_HOST=example.com \
      stevenaldinger/decker:kali decker ./decker-config/example.hcl

When decker finishes running the config, look in ./decker-reports for the outputs.

Running an example config without docker

You'll likely want to set the directory decker writes reports to with the DECKER_REPORTS_DIR environment variable. Something like this would be appropriate. Just make sure whatever you set it to is an existing directory.

    export DECKER_REPORTS_DIR="$HOME/decker-reports"

You'll also need to set a target host if you're running one of the example config files.

    export DECKER_TARGET_HOST=""

Then just run a config file.
Change to the root directory of this repo and run:

    ./decker ./examples/example.hcl

Contributing

Contributions are very welcome and appreciated. See docs/contributions.md for guidelines.

Development

Using docker for development is recommended for a smooth experience. This ensures all dependencies will be installed and ready to go. Refer to Directory Structure below for an overview of the go code.

Quick Start

1. (on host machine): make docker_build
2. (on host machine): make docker_run (will start docker container and open an interactive bash session)
3. (inside container): dep ensure -v
4. (inside container): make build_all
5. (inside container): make run

Initialize git hooks

Run make init to add a pre-commit script that will run linting and tests on each commit.

Plugin Development

Decker itself is just a framework that reads config files, determines dependencies in the config files, and runs plugins in an order that ensures plugins with dependencies on other plugins (output of one plugin being an input for another) run after the ones they depend on.

The real power of decker comes from plugins. Developing a plugin can be as simple or as complex as you want it to be, as long as the end result is a .so file containing the compiled plugin code and a .hcl file in the same directory declaring the inputs the plugin is expecting a user to configure.

The recommended way to get started with decker plugin development is by cloning the decker-plugin repository and following the steps in its documentation. It should only take you a few minutes to get a "Hello World" decker plugin running.

Installing plugins

By default, plugins are expected to be in a directory relative to wherever the decker binary is, at <decker binary>/internal/app/decker/plugins/<plugin name>/<plugin name>.so. Additional paths can be added by setting the DECKER_PLUGIN_DIRS environment variable.
The default plugin path will still be used if DECKER_PLUGIN_DIRS is set.

Example:

    export DECKER_PLUGIN_DIRS="/path/to/my/plugins:/additional/path/to/plugins"

There should be an HCL file next to the .so file at <decker binary>/internal/app/decker/plugins/<plugin name>/<plugin name>.hcl that defines its inputs and outputs. Currently, only string, list, and map inputs are supported. Each input should have an input block that looks like this:

    input "my_input" {
      type    = "string"
      default = "some default value"
    }

Directory Structure

    .
    ├── build
    │   ├── ci/
    │   └── package/
    ├── cmd
    │   ├── decker
    │   │   └── main.go
    │   └── README.md
    ├── deployments/
    ├── docs/
    ├── examples
    │   └── example.hcl
    ├── githooks
    │   ├── pre-commit
    ├── Gopkg.toml
    ├── internal
    │   ├── app
    │   │   └── decker
    │   │       └── plugins
    │   │           ├── a2sv
    │   │           │   ├── a2sv.hcl
    │   │           │   ├── main.go
    │   │           │   └── README.md
    │   │           └── …
    │   │               ├── main.go
    │   │               ├── README.md
    │   │               └── xxx.hcl
    │   ├── pkg
    │   │   ├── dependencies/
    │   │   ├── gocty/
    │   │   ├── hcl/
    │   │   ├── paths/
    │   │   ├── plugins/
    │   │   └── reports/
    │   └── README.md
    ├── LICENSE
    ├── Makefile
    ├── README.md
    └── scripts
        ├── build-plugins.sh
        └── README.md

cmd/decker/main.go is the driver. Its job is to parse a given config file, load the appropriate plugins based on the file's resource blocks, and run the plugins with the specified inputs.

examples has a couple example configurations to get you started with decker. If you use the kali docker image (stevenaldinger/decker:kali), all dependencies should be installed for all config files and things should run smoothly.

internal/pkg is where most of the actual code is.
It contains all the packages imported by main.go.

- dependencies is responsible for building the plugin dependency graph and returning a topologically sorted array that ensures plugins are run in a working order.
- gocty offers helpers for encoding and decoding go-cty values which are used to handle dynamic input types.
- hcl is responsible for parsing HCL files, including creating evaluation contexts that let blocks properly decode when they depend on other plugin blocks.
- paths is responsible for returning file paths for the decker binary, config files, plugin config files, and generated reports.
- plugins is responsible for determining if plugins are enabled and running them.
- reports is responsible for writing reports to the file system.

internal/app/decker/plugins are modular pieces of code written as Golang plugins, implementing a simple interface that allows them to be loaded and called at run-time with inputs and outputs specified in the plugin's config file (also in HCL). An example can be found at internal/app/decker/plugins/nslookup/nslookup.hcl.

decker config files offer a declarative way to write penetration tests. The manifests are written in HashiCorp Configuration Language 2 and describe the set of plugins to be used in the test as well as their inputs.

Download Decker

Link: http://feedproxy.google.com/~r/PentestTools/~3/v-JzhQO-i2Q/decker-declarative-penetration-testing.html
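The run ordering that the dependencies package is described as producing (plugins whose inputs reference another plugin's outputs run after it), as an added Go example that is not decker's own code: it extracts the root resource name from each ${...} reference in a resource's input values with a regular expression (an assumption made here for brevity; decker uses its HCL evaluation contexts instead) and applies Kahn's algorithm over the resulting graph, refusing to produce an order when a reference cycle or an unresolved reference would make a working order impossible.

```go
package main
import (
	"fmt"
	"regexp"
	"sort"
)
// refRe captures the root name of an interpolation such as ${nslookup.ip_address} or ${nmap["${each.key}"].25}.
var refRe = regexp.MustCompile(`\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*[.\[]`)
// Dependencies lists the resources a block's input values refer to, skipping the built-in var.* and each.* namespaces.
func Dependencies(inputs []string) map[string]bool {
	deps := map[string]bool{}
	for _, v := range inputs {
		for _, m := range refRe.FindAllStringSubmatch(v, -1) {
			if m[1] != "var" && m[1] != "each" {
				deps[m[1]] = true
			}
		}
	}
	return deps
}
// RunOrder applies Kahn's algorithm to the resource graph; a cycle or an unresolved reference is an error.
func RunOrder(resources map[string][]string) ([]string, error) {
	indeg, users := map[string]int{}, map[string][]string{}
	for name, inputs := range resources {
		for dep := range Dependencies(inputs) {
			indeg[name]++
			users[dep] = append(users[dep], name) // dep's output feeds name
		}
	}
	var ready, order []string
	for name := range resources {
		if indeg[name] == 0 {
			ready = append(ready, name)
		}
	}
	for len(ready) > 0 {
		sort.Strings(ready) // deterministic order among independent resources
		n := ready[0]
		ready, order = ready[1:], append(order, n)
		for _, u := range users[n] {
			if indeg[u]--; indeg[u] == 0 {
				ready = append(ready, u)
			}
		}
	}
	if len(order) != len(resources) {
		return nil, fmt.Errorf("cycle or unresolved reference among resources")
	}
	return order, nil
}
```

Feeding it the input strings of the "complex configuration" above yields nslookup, then nmap, then metasploit, matching the dependency order the config implies.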