Fierce – Semi-Lightweight Scanner That Helps Locate Non-Contiguous IP Space And Hostnames Against Specified Domains

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It is really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. It does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it primarily uses DNS, you will often find misconfigured networks that leak internal address space. That is especially useful in targeted malware.

Options:

-connect      Attempt to make HTTP connections to any non-RFC1918 (public) addresses. This will output the returned headers, but be warned: this could take a long time against a company with many targets, depending on network/machine lag. I wouldn't recommend doing this unless it's a small company or you have a lot of free time on your hands (it could take hours to days). Inside the file specified, the text "Host:\n" will be replaced by the host specified.
              Usage: perl fierce.pl -dns example.com -connect headers.txt

-delay        The number of seconds to wait between lookups.

-dns          The domain you would like scanned.

-dnsfile      Use DNS servers provided by a file (one per line) for reverse lookups (brute force).

-dnsserver    Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). By default, Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries.

-file         A file you would like the output to be logged to.

-fulloutput   When combined with -connect, this will output everything the webserver sends back, not just the HTTP headers.

-help         This screen.

-nopattern    Don't use a search pattern when looking for nearby hosts. Instead, dump everything. This is really noisy but is useful for finding other domains that spammers might be using. It will also give you lots of false positives, especially on large domains.

-range        Scan an internal IP range (must be combined with -dnsserver). Note that this does not support a pattern and will simply output anything it finds.
              Usage: perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

-search       Search list. When Fierce attempts to traverse up and down IP space, it may encounter other servers within other domains that may belong to the same company. If you supply a comma-delimited list to Fierce, it will report anything found. This is especially useful if the corporate servers are named differently from the public-facing website.
              Usage: perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
              Note that using -search could also greatly expand the number of hosts found, as Fierce will continue to traverse once it locates servers that you specified in your search list. The more the better.

-suppress     Suppress all TTY output (when combined with -file).

-tcptimeout   Specify a different timeout (default 10 seconds). You may want to increase this if the DNS server you are querying is slow or has a lot of network lag.

-threads      Specify how many threads to use while scanning (default is single-threaded).

-traverse     Specify a number of IPs above and below whatever IP you have found to look for nearby IPs. Default is 5 above and below. Traverse will not move into other C blocks.

-version      Output the version number.

-wide         Scan the entire class C after finding any matching hostnames in that class C. This generates a lot more traffic but can uncover a lot more information.

-wordlist     Use a separate wordlist (one word per line).
              Usage: perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Fierce usage example:

    root@kali:~# fierce -dns example.com
    DNS Servers for example.com:
        b.iana-servers.net
        a.iana-servers.net

    Trying zone transfer first...
        Testing b.iana-servers.net
            Request timed out or transfer not allowed.
        Testing a.iana-servers.net
            Request timed out or transfer not allowed.

    Unsuccessful in zone transfer (it was worth a shot)
    Okay, trying the good old fashioned way... brute force

    Checking for wildcard DNS...
    Nope. Good.
    Now performing 2280 test(s)...

Download Fierce-Domain-Scanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/X8Fc7tY8OFI/fierce-semi-lightweight-scanner-that.html

Scanner-Cli – A Project Security/Vulnerability/Risk Scanning Tool

The Hawkeye scanner-cli is a project security, vulnerability and general risk highlighting tool. It is meant to be integrated into your pre-commit hooks and your pipelines.

Running and configuring the scanner

The Hawkeye scanner-cli assumes that your directory structure is such that it keeps the toolchain's files on the top level. Roughly, this is what it boils down to:

- Node.js projects have a package.json on the top level
- Ruby projects will have a Gemfile on the top level
- Python projects will have a requirements.txt on the top level
- PHP projects will have a composer.lock on the top level
- Java projects will have a build (gradle) or target (maven) folder, and include .java and .jar files

This is not exhaustive, as sometimes tools require further files to exist. To understand how the modules decide whether they can handle a project, please check the How it works section and the modules folder.

Docker (recommended)

The Docker image is hands-down the easiest way to run the scanner. Please note that your project root (e.g. $PWD) needs to be mounted to /target.

    docker run --rm -v $PWD:/target hawkeyesec/scanner-cli

The Docker build is also the recommended way to run the scanner in your CI pipelines. This is an example of running Hawkeye against one of your projects in GoCD:

Link: http://feedproxy.google.com/~r/PentestTools/~3/JoL8_BBnrhQ/scanner-cli-project-securityvulnerabili.html

Malice – VirusTotal Wanna Be (Now With 100% More Hipster)

Malice's mission is to be a free, open source version of VirusTotal that anyone can use at any scale, from an independent researcher to a Fortune 500 company.

Try It Out

DEMO: demo.malice.io
username: malice
password: ecilam

Requirements

Hardware
- ~16GB disk space
- ~4GB RAM

Software
- Docker

Getting Started (OSX)

Install

    $ brew install maliceio/tap/malice

    Usage: malice [OPTIONS] COMMAND [arg...]

    Open Source Malware Analysis Framework

    Version: 0.3.11
    Author: blacktop -

    Options:
      --debug, -D    Enable debug mode [$MALICE_DEBUG]
      --help, -h     show help
      --version, -v  print the version

    Commands:
      scan     Scan a file
      watch    Watch a folder
      lookup   Look up a file hash
      elk      Start an ELK docker container
      plugin   List, Install or Remove Plugins
      help     Shows a list of commands or help for one command

    Run 'malice COMMAND --help' for more information on a command.

Scan some malware

    $ malice scan evil.malware

NOTE: On the first run, malice will download all of its default plugins, which can take a while to complete.

Malice will output the results as a markdown table that can be piped or copied into a results.md that will look great on GitHub (see here).

Start Malice's Web UI

    $ malice elk

You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac).

Type in malice as the Index name or pattern and click Create. Now click on the Malice tab and behold!!!

Getting Started (Docker in Docker)

Install/Update all Plugins

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

Scan a file

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
        -v `pwd`:/malice/samples \
        -e MALICE_VT_API=$MALICE_VT_API \
        malice/engine scan SAMPLE

Documentation
- Documentation
- Plugins
- Examples
- Roadmap
- Contributing

Download Malice

Link: http://feedproxy.google.com/~r/PentestTools/~3/MYaRxSE3IIE/malice-virustotal-wanna-be-now-with-100.html

Tyton – Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+

Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+. For more information, visit Tyton's website.

Detected Attacks
- Hidden Modules
- Syscall Table Hooking
- Network Protocol Hooking
- Netfilter Hooking
- Zeroed Process Inodes
- Process Fops Hooking
- Interrupt Descriptor Table Hooking

Additional Features

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Installing

Dependencies
- Linux Kernel 4.4.0-31 or greater
- Corresponding Linux Kernel Headers
- GCC
- Make
- Libnotify
- Libsystemd
- Package Config
- GTK3

From Source

Ubuntu/Debian/Kali

    sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
    git clone https://github.com/nbulischeck/tyton.git
    cd tyton
    make
    sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

    sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
    git clone https://github.com/nbulischeck/tyton.git
    cd tyton
    make
    sudo insmod tyton.ko

Note: It's recommended to install Tyton through the AUR so you can benefit from DKMS.

Fedora/CentOS

    dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
    git clone https://github.com/nbulischeck/tyton.git
    cd tyton
    make
    sudo insmod tyton.ko

Kernel Module Arguments

The kernel module can be passed a specific timeout argument on insertion through the command line. To do this, run the command sudo insmod tyton.ko timeout=X, where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR

Tyton is available on the AUR here. You can install it using the AUR helper of your choice:

    yaourt -S tyton-dkms-git
    yay -S tyton-dkms-git
    pakku -S tyton-dkms-git

Download Tyton

Link: http://feedproxy.google.com/~r/PentestTools/~3/-SpNjyLloZM/tyton-linux-kernel-mode-rootkit-hunter.html

Sitadel – Web Application Security Scanner

Sitadel is basically an update for WAScan, making it compatible with Python >= 3.4. It allows more flexibility for you to write new modules and implement new features:

- Frontend framework detection
- Content Delivery Network detection
- Define Risk Level to allow for scans
- Plugin system
- Docker image available to build and run

Installation

    $ git clone https://github.com/shenril/Sitadel.git
    $ cd Sitadel
    $ pip install .
    $ python sitadel.py --help

Features

Fingerprints
- Server
- Web Frameworks (CakePHP, CherryPy, ...)
- Frontend Frameworks (AngularJS, MeteorJS, VueJS, ...)
- Web Application Firewall (WAF)
- Content Management System (CMS)
- Operating System (Linux, Unix, ...)
- Language (PHP, Ruby, ...)
- Cookie Security
- Content Delivery Networks (CDN)

Attacks
- Bruteforce: Admin Interface, Common Backdoors, Common Backup Directory, Common Backup File, Common Directory, Common File, Log File
- Injection: HTML Injection, SQL Injection, LDAP Injection, XPath Injection, Cross Site Scripting (XSS), Remote File Inclusion (RFI), PHP Code Injection
- Other: HTTP Allow Methods, HTML Object, Multiple Index, Robots Paths, WebDAV, Cross Site Tracing (XST), PHPINFO, .Listing
- Vulnerabilities: ShellShock, Anonymous Cipher (CVE-2007-1858), Crime (SPDY) (CVE-2012-4929), Struts-Shock

Example

Simple run:

    python sitadel http://website.com

Run with risk level at DANGEROUS and do not follow redirections:

    python sitadel http://website.com -r 2 --no-redirect

Run specific modules only and full verbosity:

    python sitadel http://website.com -a admin backdoor -f header server -vvv

Run with Docker:

    docker build -t sitadel .
    docker run sitadel http://example.com

Download Sitadel

Link: http://feedproxy.google.com/~r/PentestTools/~3/zfPWuXefLsw/sitadel-web-application-security-scanner.html

Interlace – Easily Turn Single Threaded Command Line Applications Into Fast, Multi Threaded Ones With CIDR And Glob Support

Easily turn single-threaded command line applications into fast, multi-threaded applications with CIDR and glob support.

Setup

Install using:

    $ python3 setup.py install

Dependencies will then be installed and Interlace will be added to your path as interlace.

Usage

Argument     Description
-t           Specify a target or domain name either in comma format, CIDR notation, or as an individual host.
-tL          Specify a list of targets or domain names.
-threads     Specify the maximum number of threads to run at any one time (DEFAULT: 5).
-timeout     Specify a timeout value in seconds for any one thread (DEFAULT: 600).
-c           Specify a single command to execute over each target or domain.
-cL          Specify a list of commands to execute over each target or domain.
-o           Specify an output folder variable that can be used in commands as _output_.
-p           Specify a list of port variable that can be used in commands as _port_. This can be a single port, a comma-delimited list, or use dash notation.
-rp          Specify a real port variable that can be used in commands as _realport_.
--no-cidr    If set, then CIDR notation in a target file will not be automatically expanded into individual hosts.
--no-color   If set, then any foreground or background colours will be stripped out.
--silent     If set, then only important information will be displayed, and banners and other information will be redacted.
-v           If set, then verbose output will be displayed in the terminal.

Further information regarding ports (-p)

Example    Notation Type
80         Single port
1-80       Dash notation, perform a command for each port from 1-80
80,443     Perform a command for both port 80 and port 443

Further information regarding targets (-t or -tL)

Both -t and -tL will be processed the same. You can pass targets the same as you would when using nmap. This can be done using CIDR notation, dash notation, or a comma-delimited list of targets. A single target list file can also use different notation types per line.

Variable Replacements

The following variables will be replaced in commands at runtime:

Variable     Replacement
_target_     Replaced with the expanded target list that the current thread is running against
_host_       Works the same as _target_; can be used interchangeably
_output_     Replaced with the output folder variable from Interlace
_port_       Replaced with the expanded port variable from Interlace
_realport_   Replaced with the real port variable from Interlace

Usage Examples

Run Nikto Over Multiple Sites

Let's assume that you had a file targets.txt that had the following contents:

    bugcrowd.com
    hackerone.com

You could use Interlace to run over any number of targets within this file using:

    ➜ /tmp interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_ > ./_target_-nikto.txt" -v
    ==============================================
    Interlace v1.0 by Michael Skelton (@codingo_)
    ==============================================
    [14:33:23] [THREAD] [nikto --host hackerone.com > ./hackerone.com-nikto.txt] Added to Queue
    [14:33:23] [THREAD] [nikto --host bugcrowd.com > ./bugcrowd.com-nikto.txt] Added to Queue

This would run Nikto over each host and save to a file for each target. Note that in the above example, since we're using the > operator, results won't be fed back to the terminal; however, this is desired functionality, as otherwise we wouldn't be able to attribute which target the Nikto results were returned for. For applications where you desire feedback, simply pass commands as you normally would (or use tee).

Run Nikto Over Multiple Sites and Ports

Using the above example, let's assume you want independent scans to be run for both ports 80 and 443 for the same targets. You would then use the following:

    ➜ /tmp interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_:_port_ > ./_target_-_port_-nikto.txt" -p 80,443 -v
    ==============================================
    Interlace v1.0 by Michael Skelton (@codingo_)
    ==============================================
    [14:33:23] [THREAD] [nikto --host hackerone.com:80 > ./hackerone.com-nikto.txt] Added to Queue
    [14:33:23] [THREAD] [nikto --host bugcrowd.com:80 > ./hackerone.com-nikto.txt] Added to Queue
    [14:33:23] [THREAD] [nikto --host bugcrowd.com:443 > ./bugcrowd.com-nikto.txt] Added to Queue
    [14:33:23] [THREAD] [nikto --host hackerone.com:443 > ./hackerone.com-nikto.txt] Added to Queue

Run a List of Commands against Target Hosts

Often with penetration tests there's a list of commands you want to run on nearly every job. Assuming that list includes testssl.sh, nikto, and sslscan, you could save a command list with the following in a file called commands.txt:

    nikto --host _target_:_port_ > _output_/_target_-nikto.txt
    sslscan _target_:_port_ > _output_/_target_-sslscan.txt
    testssl.sh _target_:_port_ > _output_/_target_-testssl.txt

If you were then given a target, example.com, you could run each of these commands against this target using the following:

    interlace -t example.com -o ~/Engagements/example/ -cL ./commands.txt -p 80,443

This would then run nikto, sslscan, and testssl.sh for both port 80 and 443 against example.com and save files into your engagements folder.

CIDR notation with an application that doesn't support it

Interlace automatically expands CIDR notation when starting threads (unless the --no-cidr flag is passed). This allows you to pass CIDR notation to a variety of applications. To run a virtual host scan against every target within 192.168.12.0/24 using a direct command, you could use:

    interlace -t 192.168.12.0/24 -c "vhostscan _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50

This is despite VHostScan not having any inbuilt CIDR notation support. Since Interlace expands the notation before building a queue of threads, VHostScan for all intents is only receiving a list of direct IP addresses to scan.

Glob notation with an application that doesn't support it

Interlace automatically expands glob ranges when starting threads. This allows you to pass glob ranges to a variety of applications. To run a virtual host scan against every target within 192.168.12.* using a direct command, you could use:

    interlace -t 192.168.12.* -c "vhostscan _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50

Yet again, VHostScan does not have any inbuilt glob range format support.

Threading Support for an application that doesn't support it

Run a virtual host scan against each host in a file (target-list.txt), whilst also limiting scans at any one time to 50 maximum threads. This could be done using a direct command:

    interlace -tL ./target-list.txt -c "vhostscan -t _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50

Or, alternatively, to run the same command as above but using a command file, this would be done using:

    interlace -cL ./vhosts-commands.txt -tL ./target-list.txt -threads 50 -o ~/scans

This presumes that the contents of the command file is:

    vhostscan -t $target -oN _output_/_target_-vhosts.txt

This would output a file for each target in the specified output folder. You could also run multiple commands simply by adding them into the command file.

Authors and Thanks

Originally written by Michael Skelton (codingo) and Sajeeb Lohani (sml555) with help from Charelle Collett (@Charcol0x89) for threading refactoring and overall approach, and Luke Stephens (hakluke) for testing and approach.

Download Interlace
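
As an added example (not Interlace's own code), the Python below models the target, port and placeholder handling documented above: comma lists, CIDR, dash and glob ranges for -t/-tL, the -p notation, --no-cidr, substitution of _target_/_host_/_port_/_realport_/_output_, and a capped thread pool. The sample targets and command in the test are rebuilt from the nikto example above; dropping a trailing slash from -o is an assumption.

```python
"""Interlace-style target/port expansion and placeholder substitution.

Added example, not Interlace's own code. The trailing-slash handling of -o
is an assumption; everything else follows the notation documented above.
"""
import ipaddress
import itertools
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional

# One dotted-quad component: a number, a dash range, or a '*' glob.
_OCTET = re.compile(r"^(\*|\d{1,3}(-\d{1,3})?)$")


def _expand_octet(part: str) -> List[int]:
    """'*' -> 0..255, '10-12' -> [10, 11, 12], '7' -> [7]."""
    if part == "*":
        return list(range(256))
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
        return list(range(lo, hi + 1))
    return [int(part)]


def expand_target(spec: str, expand_cidr: bool = True) -> List[str]:
    """Expand one entry; hostnames pass through. CIDR includes network and broadcast
    (so /24 and 'x.y.z.*' both give 256 hosts); expand_cidr=False mirrors --no-cidr."""
    spec = spec.strip()
    if "/" in spec:
        if not expand_cidr:
            return [spec]
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) == 4 and all(_OCTET.match(o) for o in octets):
        combos = itertools.product(*(_expand_octet(o) for o in octets))
        return [".".join(str(n) for n in c) for c in combos]
    return [spec]


def expand_targets(entries: Iterable[str], expand_cidr: bool = True) -> List[str]:
    """-t values and -tL lines: each may hold a comma list; blanks are skipped."""
    hosts: List[str] = []
    for entry in entries:
        for piece in entry.split(","):
            if piece.strip():
                hosts.extend(expand_target(piece, expand_cidr))
    return hosts


def expand_ports(spec: str) -> List[int]:
    """-p notation: '80', '1-80' or '80,443', in any combination."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports


def build_jobs(targets: List[str], commands: List[str], ports: Optional[List[int]] = None,
               output: str = "", realport: str = "") -> List[str]:
    """One finished command line per (command, target, port) combination."""
    output = output.rstrip("/")  # so '_output_/x' never becomes 'dir//x' (assumed)
    jobs: List[str] = []
    for template in commands:
        for target in targets:
            for port in (ports or [None]):
                cmd = (template.replace("_target_", target)
                       .replace("_host_", target)
                       .replace("_output_", output)
                       .replace("_realport_", realport))
                if port is not None:
                    cmd = cmd.replace("_port_", str(port))
                jobs.append(cmd)
    return jobs


def run_jobs(jobs: List[str], threads: int = 5, timeout: int = 600,
             runner: Optional[Callable[[str, int], int]] = None) -> List[int]:
    """Run at most `threads` jobs concurrently; returns exit statuses in job order.
    The default runner uses the shell since the documented commands rely on '>'."""
    def shell_runner(cmd: str, limit: int) -> int:
        return subprocess.run(cmd, shell=True, timeout=limit).returncode

    run = runner or shell_runner
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(lambda cmd: run(cmd, timeout), jobs))
```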

Link: http://feedproxy.google.com/~r/PentestTools/~3/WogS-qr4dno/interlace-easily-turn-single-threaded.html

Kube-Hunter – Hunt For Security Weaknesses In Kubernetes Clusters

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!

Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token allowing you to see and share the results online. You can also run the Python code yourself as described below.

Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules, please read Guidelines For Developing Your First kube-hunter Module.

Hunting

Where should I run kube-hunter?

Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's-eye view of your Kubernetes setup.

You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.

You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

Scanning options

By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:

Remote scanning: To specify remote machines for hunting, select option 1 or use the --remote option.
    Example: ./kube-hunter.py --remote some.node.com

Internal scanning: To specify internal scanning, you can use the --internal option (this will scan all of the machine's network interfaces).
    Example: ./kube-hunter.py --internal

Network scanning: To specify a specific CIDR to scan, use the --cidr option.
    Example: ./kube-hunter.py --cidr 192.168.0.0/24

Active Hunting

Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change the state of the cluster, while active hunting can potentially do state-changing operations on the cluster, which could be harmful. By default, kube-hunter does not do active hunting. To actively hunt a cluster, use the --active flag.
    Example: ./kube-hunter.py --remote some.domain.com --active

List of tests

You can see the list of tests with the --list option:
    Example: ./kube-hunter.py --list

To see active hunting tests as well as passive:
    ./kube-hunter.py --list --active

Output

To control logging, you can specify a log level using the --log option.
    Example: ./kube-hunter.py --active --log WARNING

Available log levels are:
- DEBUG
- INFO (default)
- WARNING

To see only a mapping of your nodes' network, run with the --mapping option.
    Example: ./kube-hunter.py --cidr 192.168.0.0/24 --mapping

This will output all the Kubernetes nodes kube-hunter has found.

Deployment

There are three methods for deploying kube-hunter:

On Machine

You can run the kube-hunter Python code directly on your machine.

Prerequisites: You will need the following installed:
- python 2.7
- pip

Clone the repository:
    git clone git@github.com:aquasecurity/kube-hunter.git

Install module dependencies:
    cd ./kube-hunter
    pip install -r requirements.txt

In the case where you have Python 3.x in the path as your default, and python2 refers to a Python 2.7 executable, use "python2 -m pip install -r requirements.txt".

Run:
    ./kube-hunter.py

Container

Aqua Security maintains a containerised version of kube-hunter at aquasec/kube-hunter. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note that running the aquasec/kube-hunter container and uploading report data are subject to additional terms and conditions.

The Dockerfile in this repository allows you to build a containerised version without the reporting plugin.

If you run the kube-hunter container with the host network, it will be able to probe all the interfaces on the host:
    docker run -it --rm --network host aquasec/kube-hunter

Note for Docker for Mac/Windows: Be aware that the "host" for Docker for Mac or Windows is the VM which Docker runs containers within. Therefore specifying --network host allows kube-hunter access to the network interfaces of that VM, rather than those of your machine.

By default kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above, e.g.
    docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24

Pod

This option lets you discover what running a malicious container can do/discover on your cluster. This gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability. This may reveal significantly more vulnerabilities.

The job.yaml file defines a Job that will run kube-hunter in a pod, using default Kubernetes pod access settings.
- Run the job with kubectl create with that yaml file.
- Find the pod name with kubectl describe job kube-hunter
- View the test results with kubectl logs

Download Kube-Hunter

Link: http://feedproxy.google.com/~r/PentestTools/~3/Dr1bT8peAAc/kube-hunter-hunt-for-security.html

Doppelganger – Python Script To Scan Duplicate Copies In A Given Directory

Doppelganger is a Python script to scan for duplicate copies in a given directory. This tool compares not only file names but also file hashes, to ensure no false search results.

Features
- Find duplicate music
- Find duplicate videos
- Find duplicate pictures
- Find duplicate documents

How Doppelganger searches for duplicate files

How to Install and Run in Linux

[1] Enter the following command in the terminal to download it.
    git clone https://github.com/Sameera-Madhushan/Doppelganger

[2] After downloading the program, enter the following command to navigate to the Digger directory and list the contents.
    cd Doppelganger && ls

[3] Now run the script with the following command.
    python3 doppelganger.py

How to Install and Run in Windows

[1] Download and run the Python 2.7.x and Python 3.7 setup files from Python.org. In Install Python 3.7, enable Add Python 3.6 to PATH.

[2] Download and run the Git setup file from Git-scm.com, and choose Use Git from Windows Command Prompt.

[3] After that, run Command Prompt and enter these commands:
    cd Doppelganger
    python3 doppelganger.py

Download Doppelganger
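
The name-versus-hash point above, as an added example that is not Doppelganger's own code: candidates are grouped by size first, hashed in chunks so large media files are never read into memory whole, and only identical digests are reported; a name-only grouping runs alongside to show the false positive it produces. The sample file tree is constructed.

```python
"""Duplicate-file detection by content hash, with name-only matching for contrast.

Added example, not Doppelganger's own code. SAMPLE_TREE is a constructed
set of files written to a temporary directory by demo().
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List


def file_digest(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so a large video is never fully loaded."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root: str) -> Dict[str, List[str]]:
    """{sha256: [paths]} for every group of two or more byte-identical files under root."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink is a pointer, not a second copy
            by_size[os.path.getsize(path)].append(path)
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < 2:
            continue  # a unique size cannot have a twin; skip the hashing cost
        for path in paths:
            by_hash[file_digest(path)].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def same_name_groups(root: str) -> Dict[str, List[str]]:
    """Name-only comparison: flags files that merely share a basename."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            by_name[name].append(os.path.join(dirpath, name))
    return {n: sorted(p) for n, p in by_name.items() if len(p) > 1}


# Constructed sample: relative path -> content.
SAMPLE_TREE = {
    "music/song.mp3": b"ID3\x03" + b"\x00" * 2000,
    "backup/song.mp3": b"ID3\x03" + b"\x01" * 2000,         # same name and size, different bytes
    "downloads/song (1).mp3": b"ID3\x03" + b"\x00" * 2000,  # true copy of music/song.mp3
    "docs/notes.txt": b"unique content\n",
}


def demo() -> Dict[str, List[List[str]]]:
    """Write SAMPLE_TREE to a temp dir and return both groupings as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)

        def relative(paths: List[str]) -> List[str]:
            return sorted(os.path.relpath(p, root) for p in paths)

        return {
            "by_hash": [relative(g) for g in find_duplicates(root).values()],
            "by_name": [relative(g) for g in same_name_groups(root).values()],
        }


if __name__ == "__main__":
    for strategy, groups in demo().items():
        print(strategy, groups)
```

Only the hash grouping reports the real copy in downloads/; the name grouping pairs two different songs that happen to share a filename.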

Link: http://feedproxy.google.com/~r/PentestTools/~3/cKnwHPtVRVY/doppelganger-python-script-to-scan.html

Celerystalk – An Asynchronous Enumeration and Vulnerability Scanner

celerystalk helps you automate your network scanning/enumeration process with asynchronous jobs (aka tasks) while retaining full control of which tools you want to run.Configurable – Some common tools are in the default config, but you can add any tool you wantService Aware – Uses nmap/nessus service names rather than port numbers to decide which tools to runScalable – Designed for scanning multiple hosts, but works well for scanning one host at a timeVirtualHosts – Supports subdomain recon and virtualhost scanningJob Control – Supports canceling, pausing, and resuming of tasks, inspired by Burp scannerScreenshots Automatically takes screenshots of every url identified via brute force (gobuster) and spidering (Photon)Install/SetupSupported Operating Systems: KaliSupported Python Version: 2.xYou must install and run celerystalk as root# git clone https://github.com/sethsec/celerystalk.git# cd celerystalk/setup# ./install.sh# cd ..# ./celerystalk -hYou must install and run celerystalk as rootUsing celerystalk – The basics[CTF/HackTheBox mode] – How to scan a host by IP# nmap 10.10.10.10 -Pn -p- -sV -oX tenten.xml # Run nmap# ./celerystalk workspace create -o /htb # Create default workspace and set output dir# ./celerystalk import -f tenten.xml # Import scan # ./celerystalk db services # If you want to see what services were loaded# ./celerystalk scan # Run all enabled commands# ./celerystalk query watch (then Ctrl+c) # Watch scans as move from pending > running > complete# ./celerystalk report # Generate report# firefox /htb/celerystalkReports/Workspace-Report[Default.html] & # View report [Vulnerability Assessment Mode] – How to scan a list of in-scope hosts/networks and any subdomains that resolve to any of the in-scope IPs# nmap -iL client-inscope-list.txt -Pn -p- -sV -oX client.xml # Run nmap# ./celerystalk workspace create -o /assessments/client # Create default workspace and set output dir# ./celerystalk import -f client.xml -S scope.txt # Import scan and scope 
files# ./celerystalk subdomains -d client.com,client.net # Find subdomains and determine if in scope# ./celerystalk scan # Run all enabled commands# ./celerystalk query watch (then Ctrl+c) # Wait for scans to finish# ./celerystalk report # Generate report# firefox /celerystalkReports/Workspace-Report[Default].html &# View report [URL Mode] – How to scan a a URL (Use this mode to scan sub-directories found during first wave of scans).# ./celerystalk workspace create -o /assessments/client # Create default workspace and set output dir# ./celerystalk scan -u http://10.10.10.10/secret_folder/ # Run all enabled commands# ./celerystalk query watch (then Ctrl+c) # Wait for scans to finish# ./celerystalk report # Generate report# firefox <path>/celerystalkReports/Workspace-Report[Default].html &# View report Using celerystalk – Some more detail Configure which tools you’d like celerystalk to execute: The install script drops a config.ini file in the celerystalk folder. The config.ini script is broken up into three sections: Service Mapping – The first section normalizes Nmap & Nessus service names for celerystalk (this idea was created by @codingo_ in Reconnoitre AFAIK). [nmap-service-names]http = http,http-alt,http-proxy,www,http?https = ssl/http,https,ssl/http-alt,ssl/http?ftp = ftp,ftp?mysql = mysqldns = dns,domain,domainDomain Recon Tools – The second section defines the tools you’d like to use for subdomain discovery (an optional feature): [domain-recon]amass : /opt/amass/amass -d [DOMAIN]sublist3r : python /opt/Sublist3r/sublist3r.py -d [DOMAIN]Service Configuration – The rest of the confi.ini sections define which commands you want celerystalk to run for each identified service (i.e., http, https, ssh). 
Disable any command by commenting it out with a ; or a #.Add your own commands using [TARGET],[PORT], and [OUTPUT] placeholders.Here is an example: [http]whatweb : whatweb http://[TARGET]:[PORT] -a3 –colour=never > [OUTPUT].txtcewl : cewl http://[TARGET]:[PORT]/ -m 6 -w [OUTPUT].txtcurl_robots : curl http://[TARGET]:[PORT]/robots.txt –user-agent ‘Googlebot/2.1 (+http://www.google.com/bot.html)’ –connect-timeout 30 –max-time 180 > [OUTPUT].txtnmap_http_vuln : nmap -sC -sV -Pn -v -p [PORT] –script=http-vuln* [TARGET] -d -oN [OUTPUT].txt -oX [OUTPUT].xml –host-timeout 120m –script-timeout 20mnikto : nikto -h http://[TARGET] -p [PORT] &> [OUTPUT].txtgobuster-common : gobuster -u http://[TARGET]:[PORT]/ -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s ‘200,204,301,302,307,403,500’ -e -n -q > [OUTPUT].txtphoton : python /opt/Photon/photon.py -u http://[TARGET]:[PORT] -o [OUTPUT];gobuster_2.3-medium : gobuster -u http://[TARGET]:[PORT]/ -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s ‘200,204,301,307,403,500’ -e -n -q > [OUTPUT].txt Run Nmap or Nessus: Nmap: Run nmap against your target(s). Required: enable version detection (-sV) and output to XML (-oX filename.xml). All other nmap options are up to you. 
Here are some examples:

    nmap target(s) -Pn -p- -sV -oX filename.xml
    nmap -iL target_list.txt -Pn -sV -oX filename.xml

Nessus: Run Nessus against your target(s) and export the results as a .nessus file.

Create workspace:

Option        Description
no options    Prints the current workspace
create        Creates a new workspace
-w            Define the new workspace name
-o            Define the output directory assigned to the workspace

    Create default workspace:     ./celerystalk workspace create -o /assessments/client
    Create named workspace:       ./celerystalk workspace create -o /assessments/client -w client
    Switch to another workspace:  ./celerystalk workspace client

Import Data: Import data into celerystalk.

Option               Description
-f scan.xml          Nmap/Nessus XML. Adds all IP addresses from this file to the hosts table and marks them all in scope to be scanned. Adds all ports and service types to the services table.
-S scope.txt         Scope file: a list of IPs/ranges to import.
-D subdomains.txt    (Sub)domains file. celerystalk determines whether each subdomain is in scope by resolving the IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.

    Import Nmap XML file:       ./celerystalk import -f /assessments/nmap.xml
    Import Nessus file:         ./celerystalk import -f /assessments/scan.nessus
    Import list of domains:     ./celerystalk import -D <file>
    Import list of IPs/ranges:  ./celerystalk import -S <file>
    Specify workspace:          ./celerystalk import -f <file>
    Import multiple files:      ./celerystalk import -f nmap.xml -S scope.txt -D domains.txt

Find Subdomains (Optional): celerystalk will perform subdomain recon using the tools specified in the config.ini.

Option                   Description
-d domain1,domain2,etc   Run Amass, Sublist3r, etc. and store the domains in the DB. After running your subdomain recon tools, celerystalk determines whether each subdomain is in scope by resolving the IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.

    Find subdomains:  celerystalk subdomains -d domain1.com,domain2.com

Launch Scan: I recommend using the import command first and then running scan with no options; however, you do have the option to do it all at once (import and scan) by using the flags below. celerystalk will submit tasks to celery, which executes them asynchronously and logs output to your output directory.

Option              Description
no options          Scan all in scope hosts. Reads the DB and scans every in scope IP and subdomain. Launches all enabled tools for IPs, but only http/https specific tools against virtual hosts.
-t ip,vhost,cidr    Scan specific target(s) from the DB or scan file. Scan a subset of the in scope IPs and/or subdomains.
-s                  Simulation. Sends all of the tasks to celery, but all commands are executed with a # before them, rendering them inert.

Use these only if you want to skip the import phase and import/scan all at once:

Option                   Description
-f scan.xml              Import and process Nmap/Nessus XML before the scan. Adds all IP addresses from this file to the hosts table and marks them all in scope to be scanned. Adds all ports and service types to the services table.
-S scope.txt             Import and process the scope file before the scan.
-D subdomains.txt        Import and process the (sub)domains file before the scan. celerystalk determines whether each subdomain is in scope by resolving the IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.
-d domain1,domain2,etc   Find subdomains and scan in scope hosts. After running your subdomain recon tools, celerystalk determines whether each subdomain is in scope by resolving the IP and looking for that IP in the DB. If there is a match, the domain is marked as in scope and will be scanned.
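The target syntax accepted by -t and scope files, together with the scoping rule for discovered subdomains described above, as an added Python example that is not celerystalk's own code; the resolver is a constructed lookup table so it runs offline, and all function names are assumptions:

```python
# Added example, not celerystalk's own code: expanding the target syntax that
# -t and scope files accept (single IPs, 10.0.0.100-200 style ranges, CIDR
# blocks and hostnames) and applying the page's scoping rule for discovered
# subdomains: a name is in scope only if it resolves to an address that is
# already marked in scope.  The resolver is a constructed lookup table so the
# example runs offline; all names are assumptions.
import ipaddress
import re

# Last-octet range such as 10.0.0.100-200
OCTET_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)-(\d+)$")


def expand_targets(spec):
    """Split '10.0.0.1,10.0.0.100-200,10.0.0.0/24,sub.domain.com' into a set
    of IP address strings and a set of hostnames (vhosts)."""
    ips, hosts = set(), set()
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        m = OCTET_RANGE.match(item)
        if m:
            prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3))
            if not 0 <= first <= last <= 255:
                raise ValueError(f"bad range: {item}")
            ips.update(f"{prefix}.{o}" for o in range(first, last + 1))
        elif "/" in item:
            # strict=False accepts 10.0.0.5/24 and normalises it to 10.0.0.0/24;
            # hosts() drops the network and broadcast addresses.
            ips.update(str(a) for a in ipaddress.ip_network(item, strict=False).hosts())
        else:
            try:
                ips.add(str(ipaddress.ip_address(item)))
            except ValueError:
                hosts.add(item.lower())       # not an address: treat as a vhost
    return ips, hosts


def classify_subdomains(subdomains, scope_ips, resolve):
    """Return {name: (address, in_scope)}.  resolve(name) returns an address
    string or None; a name that does not resolve is never in scope."""
    result = {}
    for name in subdomains:
        addr = resolve(name)
        result[name] = (addr, addr is not None and addr in scope_ips)
    return result


# Constructed DNS answers standing in for the real resolver.
FAKE_DNS = {
    "sub.domain.com": "10.0.0.101",      # inside the imported scope
    "cdn.domain.com": "203.0.113.9",     # third-party address, out of scope
    "old.domain.com": None,              # stale record, does not resolve
}


def demo():
    scope_ips, _ = expand_targets("10.0.0.1,10.0.0.100-200")
    return classify_subdomains(FAKE_DNS, scope_ips, FAKE_DNS.get)


if __name__ == "__main__":
    for name, (addr, ok) in demo().items():
        print(f"{name:18} {addr or '-':14} {'in scope' if ok else 'out of scope'}")
```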
Scan imported hosts/subdomains:

    Scan all in scope hosts:   ./celerystalk scan
    Scan subset of DB hosts:   ./celerystalk scan -t 10.0.0.1,10.0.0.3
                               ./celerystalk scan -t 10.0.0.100-200
                               ./celerystalk scan -t 10.0.0.0/24
                               ./celerystalk scan -t sub.domain.com
    Simulation mode:           ./celerystalk scan -s

Import and Scan:

    Start from Nmap XML file:   ./celerystalk scan -f /pentest/nmap.xml -o /pentest
    Start from Nessus file:     ./celerystalk scan -f /pentest/scan.nessus -o /pentest
    Scan all in scope vhosts:   ./celerystalk scan -f <file> -o /pentest -d domain1.com,domain2.com
    Scan subset hosts in XML:   ./celerystalk scan -f <file> -o /pentest -t 10.0.0.1,10.0.0.3
                                ./celerystalk scan -f <file> -o /pentest -t 10.0.0.100-200
                                ./celerystalk scan -f <file> -o /pentest -t 10.0.0.0/24
    Simulation mode:            ./celerystalk scan -f <file> -o /pentest -s

Rescan: Use this command to rescan an already scanned host.

Option              Description
no option           For each in scope host in the DB, celerystalk will ask if you want to rescan it
-t ip,vhost,cidr    Scan a subset of the in scope IPs and/or subdomains.

    Rescan all hosts:   ./celerystalk rescan
    Rescan some hosts:  ./celerystalk rescan -t 1.2.3.4,sub.domain.com
    Simulation mode:    ./celerystalk rescan -s

Query Status: Asynchronously check the status of the task queue as frequently as you like. The watch mode actually executes the Linux watch command so you don't fill up your entire terminal buffer.

Option        Description
no options    Shows all tasks in the default workspace
watch         Sends the command to the unix watch command, which gives you an updated status every 2 seconds
brief         Limit of 5 results per status (pending/running/completed/cancelled/paused)
summary       Shows only a banner with numbers and not the tasks themselves

Query tasks:

    ./celerystalk query
    ./celerystalk query watch
    ./celerystalk query brief
    ./celerystalk query summary
    ./celerystalk query summary watch

Cancel/Pause/Resume Tasks: Cancel/Pause/Resume any task(s) that are currently running or in the queue.

Option    Description
cancel    Canceling a running task will send a kill -TERM. Canceling a queued task* will make celery ignore it (uses celery's revoke). Canceling all tasks* will kill running tasks and revoke all queued tasks.
pause     Pausing a single task uses kill -STOP to suspend the process. Pausing all tasks* attempts to kill -STOP all running tasks, but it is a little wonky and you might need to run it a few times. It is possible a job completed before it was able to be paused, which means you will have a worker that is still accepting new jobs.
resume    Resuming tasks* sends a kill -CONT, which allows the process to start up again where it left off.

    ./celerystalk <verb> 5,6,10-20    # Cancel/Pause/Resume tasks 5, 6, and 10-20 from the current workspace
    ./celerystalk <verb> all          # Cancel/Pause/Resume all tasks from the current workspace

Run Report: Run a report which combines all of the tool output into an HTML file and a txt file. Run this as often as you like. Each time you run the report it overwrites the previous report.
Create Report:

    ./celerystalk report    # Create a report for all scanned hosts in the current workspace

Access the DB: List the workspaces, hosts, services, or paths stored in the celerystalk database.

Option          Description
workspaces      Show all known workspaces and the output directory associated with each workspace
services        Show all known open ports and service types by IP
hosts           Show all hosts (IP addresses and subdomains/vhosts), whether they are in scope and whether they have been submitted for scanning
paths           Show all paths that have been identified, by vhost
-w workspace    Specify a non-default workspace

    Show workspaces:  ./celerystalk db workspaces
    Show services:    ./celerystalk db services
    Show hosts:       ./celerystalk db hosts
    Show paths:       ./celerystalk db paths

Export DB: Export each table of the DB to a csv file.

Option          Description
no options      Export the services, hosts, and paths tables from the default database
-w workspace    Specify a non-default workspace

    Export current DB:  ./celerystalk db export
    Export another DB:  ./celerystalk db export -w test

Usage

Usage:
    celerystalk workspace create -o <output_dir> [-w workspace_name]
    celerystalk workspace [<workspace_name>]
    celerystalk import [-f <nmap_file>] [-S scope_file] [-D subdomains_file] [-u <url>]
    celerystalk subdomains -d <domains> [-s]
    celerystalk scan [-f <nmap_file>] [-t <targets>] [-d <domains>] [-S scope_file] [-D subdomains_file] [-s]
    celerystalk scan -u <url> [-s]
    celerystalk rescan [-t <targets>] [-s]
    celerystalk query ([full] | [summary] | [brief]) [watch]
    celerystalk query [watch] ([full] | [summary] | [brief])
    celerystalk report
    celerystalk cancel ([all]|[<task_ids>])
    celerystalk pause ([all]|[<task_ids>])
    celerystalk resume ([all]|[<task_ids>])
    celerystalk db ([workspaces] | [services] | [hosts] | [vhosts] | [paths])
    celerystalk db export
    celerystalk shutdown
    celerystalk interactive
    celerystalk (help | -h | --help)

Options:
    -h --help                Show this screen
    -v --version             Show version
    -f <nmap_file>           Nmap xml import file
    -o <output_dir>          Output directory
    -S <scope_file>          Scope import file
    -D <subdomains_file>     Subdomains import file
    -t <targets>             Target(s): IP, IP Range, CIDR
    -u <url>                 URL to parse and scan with all configured tools
    -w <workspace>           Workspace
    -d --domains             Domains to scan for vhosts
    -s --simulation          Simulation mode. Submit tasks, comment out all commands

Examples:
    Workspace
        Create default workspace:        celerystalk workspace create -o /assessments/client
        Create named workspace:          celerystalk workspace create -o /assessments/client -w client
        Switch to another workspace:     celerystalk workspace client2
    Import
        Import Nmap XML file:            celerystalk import -f /assessments/nmap.xml
        Import Nessus file:              celerystalk import -f /assessments/scan.nessus
        Import list of domains:          celerystalk import -D <file>
        Import list of IPs/ranges:       celerystalk import -S <file>
        Import multiple files:           celerystalk import -f nmap.xml -S scope.txt -D domains.txt
    Subdomain Recon
        Find subdomains:                 celerystalk subdomains -d domain1.com,domain2.com
    Scan
        Scan all in scope hosts:         celerystalk scan
        Scan subset of DB hosts:         celerystalk scan -t 10.0.0.1,10.0.0.3
                                         celerystalk scan -t 10.0.0.100-200
                                         celerystalk scan -t 10.0.0.0/24
                                         celerystalk scan -t sub.domain.com
        Simulation mode:                 celerystalk scan -s
    Import and Scan
        Start from Nmap XML file:        celerystalk scan -f /pentest/nmap.xml
        Start from Nessus file:          celerystalk scan -f /pentest/scan.nessus
        Scan subset hosts in XML:        celerystalk scan -f <file> -t 10.0.0.1,10.0.0.3
                                         celerystalk scan -f <file> -t 10.0.0.100-200
                                         celerystalk scan -f <file> -t 10.0.0.0/24
                                         celerystalk scan -f <file> -t sub.domain.com
        Simulation mode:                 celerystalk scan -f <file> -s
    Rescan
        Rescan all hosts:                celerystalk rescan
        Rescan some hosts:               celerystalk rescan -t 1.2.3.4,sub.domain.com
        Simulation mode:                 celerystalk rescan -s
    Query Mode
        All tasks:                       celerystalk query
        Update status every 2s:          celerystalk query watch
        Show only 5 tasks per mode:      celerystalk query brief
        Show stats only:                 celerystalk query summary
        Show stats every 2s:             celerystalk query summary watch
    Job Control (cancel/pause/resume)
        Specific tasks:                  celerystalk cancel 5,6,10-20
                                         celerystalk pause 5,6,10-20
                                         celerystalk resume 5,6,10-20
        All tasks in current workspace:  celerystalk cancel all
                                         celerystalk pause all
                                         celerystalk resume all
    Access the DB
        Show workspaces:                 celerystalk db workspaces
        Show services:                   celerystalk db services
        Show hosts:                      celerystalk db hosts
        Show vhosts only:                celerystalk db vhosts
        Show paths:                      celerystalk db paths
    Export DB
        Export current DB:               celerystalk db export

Credit

This project was inspired by many great tools:
    https://github.com/codingo/Reconnoitre by @codingo_
    https://github.com/frizb/Vanquish by @frizb
    https://github.com/leebaird/discover by @discoverscripts
    https://github.com/1N3/Sn1per
    https://github.com/SrFlipFlop/Network-Security-Analysis by @SrFlipFlop

Thanks to @offensivesecurity and @hackthebox_eu for their lab networks.

Also, thanks to:
    @decidedlygray for pointing me towards celery, helping me solve python problems that were over my head, and for the extensive beta testing
    @kerpanic for inspiring me to dust off an old project and turn it into celerystalk
    My TUV OpenSky team and my IthacaSec hackers for testing this out and submitting bugs and features

Download Celerystalk
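The config.ini placeholders described at the start of this post and the -s simulation mode, as an added Python example that is not celerystalk's own code; the sample section, the output path layout and all function names are constructed for it:

```python
# Added example, not celerystalk's own code: how a config.ini section like the
# [http] block shown earlier is turned into concrete commands.  It honours
# entries disabled with ';' or '#', fills the [TARGET], [PORT] and [OUTPUT]
# placeholders, supports simulation mode (a '#' in front of every command) and
# rejects targets that would break out of the command line.  The sample
# config, the output path layout and all function names are constructed.
import configparser
import os
import re

# Constructed sample section, modelled on the [http] block shown earlier.
SAMPLE_CONFIG = """
[http]
whatweb : whatweb http://[TARGET]:[PORT] -a3 --colour=never > [OUTPUT].txt
nikto : nikto -h http://[TARGET] -p [PORT] &> [OUTPUT].txt
;gobuster_2.3-medium : gobuster -u http://[TARGET]:[PORT]/ -q > [OUTPUT].txt
# photon : python /opt/Photon/photon.py -u http://[TARGET]:[PORT] -o [OUTPUT]
"""

KNOWN_PLACEHOLDERS = {"TARGET", "PORT", "OUTPUT"}
# Hostnames and IPv4/IPv6 literals only: anything else must not reach the shell.
SAFE_TARGET = re.compile(r"^[A-Za-z0-9.:-]+$")


def load_commands(config_text, section):
    """Return {name: template} for the enabled entries of one section.
    configparser treats lines starting with ';' or '#' as comments, which is
    exactly how celerystalk lets you disable a tool."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    commands = dict(parser.items(section))
    for name, template in commands.items():
        unknown = set(re.findall(r"\[([A-Z_]+)\]", template)) - KNOWN_PLACEHOLDERS
        if unknown:
            raise ValueError(f"{name}: unknown placeholder(s) {sorted(unknown)}")
    return commands


def render_command(template, target, port, output_dir, name, simulation=False):
    """Fill the placeholders for one target/port.  Targets come from imported
    scan files and subdomain tools, so validate them before splicing them
    into a shell command."""
    if not SAFE_TARGET.match(target):
        raise ValueError(f"refusing unsafe target {target!r}")
    # Constructed layout: <output_dir>/<target>/<port>_<toolname>
    output = os.path.join(output_dir, target, f"{port}_{name}")
    command = (template.replace("[TARGET]", target)
                       .replace("[PORT]", str(port))
                       .replace("[OUTPUT]", output))
    # Simulation mode: the task is still queued, but the command is inert.
    return "#" + command if simulation else command


def render_section(config_text, section, target, port, output_dir, simulation=False):
    """Render every enabled command of a section for one service."""
    return {name: render_command(tpl, target, port, output_dir, name, simulation)
            for name, tpl in load_commands(config_text, section).items()}


if __name__ == "__main__":
    for line in render_section(SAMPLE_CONFIG, "http", "10.0.0.5", 8080, "/assessments/client").values():
        print(line)
```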

Link: http://feedproxy.google.com/~r/PentestTools/~3/9zxM11uFyz8/celerystalk-asynchronous-enumeration.html

Dawnscanner – Dawn Is A Static Analysis Security Scanner For Ruby Written Web Applications (Sinatra, Padrino And ROR Frameworks)

dawnscanner is a source code scanner designed to review your Ruby code for security issues. dawnscanner is able to scan plain Ruby scripts (e.g. command line applications), but all its features are unleashed when dealing with web application source code. dawnscanner is able to scan the major MVC (Model View Controller) frameworks out of the box:

    Ruby on Rails
    Sinatra
    Padrino

Quick update from November, 2018

As you can see, dawnscanner has been on hold for more than a year. Sorry for that. It's life. I was overwhelmed by tons of stuff and I dedicated free time to Offensive Security certifications. Truth be told, I'm starting the OSCE journey really soon. The dawnscanner project will be updated soon with new security checks and kickstarted again.

Paolo

dawnscanner version 1.6.6 has 235 security checks loaded in its knowledge base. Most of them are CVE bulletins applying to gems or the Ruby interpreter itself. There are also some checks coming from the OWASP Ruby on Rails cheatsheet.

An overall introduction

When you run dawnscanner on your code it parses your project's Gemfile.lock looking for the gems used, and it tries to detect the Ruby interpreter version you are using or have declared in the Ruby version management tool you like most (RVM, rbenv, ...). Then the tool tries to detect the MVC framework your web application uses and applies the security checks accordingly. There are checks designed to match Rails applications and checks that apply to any Ruby code. dawnscanner can also understand the code in your views and backtrack sinks to spot cross site scripting and SQL injections introduced by the code you actually wrote. In the project roadmap this is the code most of the future development effort will be focused on.

The dawnscanner security scan result is a list of vulnerabilities with some mitigation actions you want to follow in order to build a stronger web application.

Installation

You can install the latest dawnscanner version, fetching it from Rubygems, by typing:

    $ gem install dawnscanner

If you want to add dawn to your project Gemfile, you must add the following:

    group :development do
      gem 'dawnscanner', :require => false
    end

and then upgrade your bundle:

    $ bundle install

You may want to build it from source, so you have to check it out from github first:

    $ git clone https://github.com/thesp0nge/dawnscanner.git
    $ cd dawnscanner
    $ bundle install
    $ rake install

The dawnscanner gem will be built in a pkg directory and then installed on your system. Please note that you have to manage dependencies on your own this way. It makes sense only if you want to hack the code or something like that.

Usage

You can start your code review with dawnscanner very easily. Simply tell the tool where the project root directory is. The underlying MVC framework is autodetected by dawnscanner using the target's Gemfile.lock file.
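The Gemfile.lock step, as an added example that is not dawnscanner's own code (dawnscanner is written in Ruby; this is a Python sketch of the same idea): it parses the locked gem versions, picks the framework, and compares the crack gem against the CVE-2013-1800 entry that appears in the scan output further down. The sample lock file, the knowledge-base layout and all function names are constructed:

```python
# Added example, not dawnscanner's code (which is Ruby): a Python sketch of the
# Gemfile.lock step: parse the locked gem versions, detect the MVC framework
# (Rails, Sinatra or Padrino) and check the versions against a knowledge-base
# entry.  The entry is CVE-2013-1800 for the crack gem, taken from the scan
# output on this page; the sample lock file and all names are constructed.
import re

# Constructed Gemfile.lock of a Sinatra 1.4.2 application that locks crack 0.3.1.
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    crack (0.3.1)
      safe_yaml (~> 0.9.0)
    rack (1.5.2)
    safe_yaml (0.9.7)
    sinatra (1.4.2)
      rack (~> 1.4)
      tilt (~> 1.3, >= 1.3.4)
    tilt (1.4.1)

PLATFORMS
  ruby

DEPENDENCIES
  crack
  sinatra
"""

# Minimal knowledge base: gem -> (check name, fixed-in version, solution).
KNOWLEDGE_BASE = {
    "crack": ("CVE-2013-1800", "0.3.2", "Please use crack gem version 0.3.2 or above."),
}
# Resolved gems sit at four spaces under "specs:"; deeper lines are their
# dependency constraints, not locked versions, and must be ignored.
SPEC_LINE = re.compile(r"^    (\S+) \(([^)]+)\)$")


def parse_gemfile_lock(text):
    """Return {gem_name: locked_version} from every specs: block."""
    gems, in_specs = {}, False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if line and not line.startswith(" "):
            in_specs = False                 # next top-level block (PLATFORMS, ...)
        m = SPEC_LINE.match(line) if in_specs else None
        if m:
            gems[m.group(1)] = m.group(2)
    return gems


def detect_framework(gems):
    """Padrino is built on Sinatra, so it is tested first (assumed order)."""
    return next((f for f in ("rails", "padrino", "sinatra") if f in gems), None)


def version_key(version):
    """Numeric dotted compare; a non-numeric segment (0.3.2.pre) sorts below
    the plain release.  A simplification of RubyGems' Gem::Version rules."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split(".")) + (0,)


def check_dependencies(gems, knowledge_base=KNOWLEDGE_BASE):
    """One finding per gem whose locked version is below the fixed version."""
    return [{"check": check, "gem": gem, "found": gems[gem], "solution": fix}
            for gem, (check, fixed, fix) in knowledge_base.items()
            if gem in gems and version_key(gems[gem]) < version_key(fixed)]
```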
If autodetect fails for some reason, the tool will complain about it and you have to specify by hand whether it's a Rails, Sinatra or Padrino web application. Basic usage is to specify some optional command line options to best fit your needs, and the target directory where your code is stored.

    $ dawn [options] target

In case of need, there is a quick command line option reference, obtained by running dawn -h at your OS prompt.

    $ dawn -h
    Usage: dawn [options] target_directory

    Examples:
      $ dawn a_sinatra_webapp_directory
      $ dawn -C the_rails_blog_engine
      $ dawn -C --json a_sinatra_webapp_directory
      $ dawn --ascii-tabular-report my_rails_blog_ecommerce
      $ dawn --html -F my_report.html my_rails_blog_ecommerce

       -G, --gem-lock                    force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)
       -d, --dependencies                force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock

    Reporting
       -a, --ascii-tabular-report        cause dawn to format findings using tables in ascii art (DEPRECATED)
       -j, --json                        cause dawn to format findings using json
       -K, --console                     cause dawn to format findings using plain ascii text
       -C, --count-only                  dawn will only count vulnerabilities (useful for scripts)
       -z, --exit-on-warn                dawn will return number of found vulnerabilities as exit code
       -F, --file filename               tells dawn to write output to filename
       -c, --config-file filename        tells dawn to load configuration from filename

    Disable security check family
           --disable-cve-bulletins       disable all CVE security checks
           --disable-code-quality        disable all code quality checks
           --disable-code-style          disable all code style checks
           --disable-owasp-ror-cheatsheet  disable all Owasp Ruby on Rails cheatsheet checks
           --disable-owasp-top-10        disable all Owasp Top 10 checks

    Flags useful to query Dawn
       -S, --search-knowledge-base [check_name]  search check_name in the knowledge base
           --list-knowledge-base         list knowledge-base content
           --list-known-families         list security check families contained in dawn's knowledge base
           --list-known-framework        list ruby MVC frameworks supported by dawn
           --list-scan-registry          list past scan informations stored in scan registry

    Service flags
       -D, --debug                       enters dawn debug mode
       -V, --verbose                     the output will be more verbose
       -v, --version                     show version information
       -h, --help                        show this help

Rake task

To include dawnscanner in your rake task list, you simply have to put this line in your Rakefile:

    require 'dawn/tasks'

Then, executing $ rake -T, you will have a dawn:run task you can execute.

    $ rake -T
    ...
    rake dawn:run  # Execute dawnscanner on the current directory
    ...

Interacting with the knowledge base

You can dump all security checks in the knowledge base this way:

    $ dawn --list-knowledge-base

Useful in scripts, you can use --search-knowledge-base or -S with the check name as parameter to see whether it's implemented as a security control or not.

    $ dawn -S CVE-2013-6421
    07:59:30 [*] dawn v1.1.0 is starting up
    CVE-2013-6421 found in knowledgebase.

    $ dawn -S this_test_does_not_exist
    08:02:17 [*] dawn v1.1.0 is starting up
    this_test_does_not_exist not found in knowledgebase

dawnscanner security scan in action

As output, dawnscanner will list all security checks that failed during the scan. This is the result of Codedake::dawnscanner running against a Sinatra 1.4.2 web application written for a talk I delivered in 2013 at the Railsberry conference. As you may see, dawnscanner first detects the MVC framework running the application by looking at Gemfile.lock, then it discards all security checks not applicable to Sinatra (49 security checks, in version 1.0, especially designed for Ruby on Rails) and applies the rest.

    $ dawn ~/src/hacking/railsberry2013
    18:40:27 [*] dawn v1.1.0 is starting up
    18:40:27 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
    18:40:27 [$] dawn: sinatra v1.4.2 detected
    18:40:27 [$] dawn: applying all security checks
    18:40:27 [$] dawn: 109 security checks applied - 0 security checks skipped
    18:40:27 [$] dawn: 1 vulnerabilities found
    18:40:27 [!] dawn: CVE-2013-1800 check failed
    18:40:27 [$] dawn: Severity: high
    18:40:27 [$] dawn: Priority: unknown
    18:40:27 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
    18:40:27 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
    18:40:27 [$] dawn: Evidence:
    18:40:27 [$] dawn: Vulnerable crack gem version found: 0.3.1
    18:40:27 [*] dawn is leaving

When you run dawnscanner on a web application with up to date dependencies, it's likely to return a friendly "no vulnerabilities found" message. Keep it up working that way!

This is dawnscanner running against a Padrino web application I wrote for a scorecard quiz game about application security. Italian language only. Sorry.

    18:42:39 [*] dawn v1.1.0 is starting up
    18:42:39 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
    18:42:39 [$] dawn: padrino v0.11.2 detected
    18:42:39 [$] dawn: applying all security checks
    18:42:39 [$] dawn: 109 security checks applied - 0 security checks skipped
    18:42:39 [*] dawn: no vulnerabilities found.
    18:42:39 [*] dawn is leaving

If you need a fancy HTML report about your scan, just ask dawnscanner for it with the --html flag, used together with --file to save the HTML to disk.

    $ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
    09:00:54 [*] dawn v1.1.0 is starting up
    09:00:54 [*] dawn: report.html created (2952 bytes)
    09:00:54 [*] dawn is leaving

Useful links

    Project homepage: http://dawnscanner.org
    Twitter profile: @dawnscanner
    Github repository: https://github.com/thesp0nge/dawnscanner
    Mailing list: https://groups.google.com/forum/#!forum/dawnscanner

Thanks to

    saten: first issue posted about a typo in the README
    presidentbeef: for his outstanding work that inspired me creating dawn and for double checking the comparison matrix. Issue #2 is yours :)
    marinerJB: for misc bug reports and further ideas
    Matteo: for ideas on API and their usage with github.com hooks

Download Dawnscanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/gox5JYdlGTc/dawnscanner-dawn-is-static-analysis.html