RTA (Red Team Arsenal) – An Intelligent Scanner To Detect Security Vulnerabilities In Companies Layer 7 Assets

Red Team Arsenal is a web/network security scanner that can scan all of a company's online-facing assets and provide a holistic view of any security anomalies. It is a closely linked collection of security engines that conduct/simulate attacks and monitor public-facing assets for anomalies and leaks.

It is an intelligent scanner that detects security anomalies in all layer 7 assets and gives a detailed report, with integration support for Nessus. As companies continue to expand their footprint on the Internet via various acquisitions and geographical expansions, human-driven security engineering is not scalable; hence, companies need feedback-driven automated systems to stay put.

Installation

Supported Platforms

RTA has been tested on Ubuntu/Debian (apt-get based distros) as well as Mac OS. It should ideally work with any Linux-based distribution with mongo and python installed (install the required Python libraries from install/py_dependencies manually).

Prerequisites

There are a few packages which are necessary before proceeding with the installation:

- Git client: sudo apt-get install git
- Python 2.7, which is installed by default in most systems
- Python pip: sudo apt-get install python-pip
- MongoDB: Read the official installation guide to install it on your machine.

Finally run:

    python install/install.py

There are also optional packages/tools you can install (highly recommended):

Integrating Nessus

Integrating Nessus into Red Team Arsenal can be done in 3 simple steps:

1. Download and install Nessus community edition (if you don't have a paid edition). If you already have an installation (it can be a remote installation as well), then go to step (2).
2. Update the config file (present in the root directory of RTA) with the Nessus URL, username and password.
3. Create a Nessus policy where you can configure the type of scans and plugins to run, and name it RTA (case sensitive: use full uppercase).

Once the config file has the correct Nessus information (url, username, password), use the flag --nessus while running RTA to launch a Nessus scan over all the subdomains gathered by RTA (one single scan initiated with all the subdomains gathered).

Usage

    Short Form   Long Form    Description
    -u           --url        Domain URL to scan
    -v           --verbose    Enable the verbose mode and display results in realtime
    -n           --nessus     Launch a Nessus scan with all the subdomains
    -s           --scraper    Run scraper based on config keywords
    -h           --help       show the help message and exit

Sample Output

    a0xnirudh@exploitbox /RTA (master*) $ python rta.py --url "0daylabs.com" -v -s

    [Red Team Arsenal ASCII-art banner]

    [i] Checking for Zonetransfer
    [i] Zone Transfer is not enabled
    [i] Checking for SPF records
    [+] SPF record lookups is good. Current value is: 9
    [-] Enumerating subdomains now for 0daylabs.com
    [-] Searching now in Baidu..
    [-] Searching now in Yahoo..
    [-] Searching now in Google..
    [-] Searching now in Bing..
    [-] Searching now in Ask..
    [-] Searching now in Netcraft..
    [-] Searching now in DNSdumpster..
    [-] Searching now in Virustotal..
    [-] Searching now in ThreatCrowd..
    [-] Searching now in SSL Certificates..
    [-] Searching now in PassiveDNS..
    [-] Total Unique Subdomains Found: 3
    blog.0daylabs.com
    www.0daylabs.com
    test.0daylabs.com
    [+] Verifying Subdomains and takeover options
    [+] Possible subdomain takeovers (Manual verification required):
     test.0daylabs.com
    [i] Verified and Analyzed Subdomains:
    [i] URL: blog.0daylabs.com
    [i] Wappalyzer: [u'jQuery', u'Varnish', u'Font Awesome', u'Twitter Bootstrap', u'Google Analytics', u'Google Font API', u'Disqus', u'Google AdSense']
    [i] Scraper Results
    [+] Shodan
    Hostname: test.0daylabs.com IP: Ports: 179
    Hostname: test.0daylabs.com IP: Ports: 179
    [+] Twitter
    URL: https://twitter.com/tweetrpersonal9/status/832624003751694340 search string: 0daylabs
    URL: https://twitter.com/ratokeshi/status/823957535564644355 search string: 0daylabs

Notifications

Configuring Slack

RTA can also send push notifications to Slack, which include the main scan highlights along with Nessus and other integrated scanner reports, divided on the basis of severity.

1. In your Slack, create an incoming webhook and point it to the channel where you need RTA to send the report. You can read more about creating incoming webhooks in the Slack documentation.
2. In the config file, update the URL in the slack section with the full URL (including https://) for the incoming webhook.

Once Slack is configured, you will automatically start getting reports on your configured Slack channel.

Roadmap

Here are a couple of ideas which we have in mind for RTA going forward. If you have any ideas/feature requests which are not listed below, feel free to raise an issue on GitHub.

- Email the results once the scan is completed.
- Extend the current RTA API so that we can launch custom scans with required options via the API.
- Launch custom scans based on Wappalyzer results (eg: wpscan if wordpress is detected)
- Investigate and integrate more web security scanners including but not limited to Arachni, Wapiti, Skipfish and others!
- JSON/XML output formatting for the RTA scan result.
- Improving the logic for Subdomain takeover.
- Multi threading support for faster scan comple.

Contributors

Awesome people who built this project:

Lead Developers:
- Anirudh Anand (@a0xnirudh)

Project Contributors:
- Mohan KK (@MohanKallepalli)
- Ankur Bhargava (@_AnkurB)
- Prajal Kulkarni (@prajalkulkarni)
- Himanshu Kumar Das (@mehimansu)

Special Thanks:
- Sublist3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/MXF7YfYc5U8/rta-red-team-arsenal-intelligent.html

M0B-tool – Auto Detect CMS And Exploit

Tool to auto detect CMS and exploit.

Features:

- Bing dork scanner by domain
- Dork by country
- BRUTE FORCE [WordPress (auto scrap name) – Joomla – Drupal – Opencart – Magento]
- Shell finder
- Ip scanner and brute force
- Auto detect cms and exploit

Run

    perl MENU.pl

Install

    git clone https://github.com/mobrine-mob/M0B-tool.git

Script created by M0B.

BING DORK SCANNER

When the scan ends, you are going to find all URLs in /result.

DORK BY COUNTRY

You put in a dork and you get a list of dorks like this:

    example?lotid=+site:ac
    example?lotid=+site:ad
    example?lotid=+site:ae
    example?lotid=+site:af
    example?lotid=+site:ag
    example?lotid=+site:ai
    example?lotid=+site:al
    example?lotid=+site:am
    example?lotid=+site:an
    example?lotid=+site:ao
    example?lotid=+site:aq
    example?lotid=+site:ar
    example?lotid=+site:as
    example?lotid=+site:at
    example?lotid=+site:au
    example?lotid=+site:aw
    example?lotid=+site:ax
    example?lotid=+site:az
    example?lotid=+site:ba
    example?lotid=+site:bb
    example?lotid=+site:bd

WordPress – Joomla – Drupal – Opencart – Magento BRUTE FORCE

If you want to brute force with your own passwords list, change the list name to passwords.txt. Note that you are going to find the good ones in Result.txt in the main M0B folder.

IP SCANNER & brute force for ssh, ftp and the prevent brute force

It needs more work; you can find some bugs.

AUTO DETECT CMS AND EXPLOIT

WARNING: If you want to exploit Drupal (add admin), you need to upload drupal.php to your localhost, or upload it in your shell and edit it in the script.

Link: http://feedproxy.google.com/~r/PentestTools/~3/hHmVFacJIao/m0b-tool-auto-detect-cms-and-exploit.html

JoomlaScan – Tool To Find The Components Installed In Joomla CMS, Built Out Of The Ashes Of Joomscan

A free and open source software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.

Features

- Scanning Joomla CMS sites in search of components/extensions (database of more than 600 components);
- Locate the browsable folders of a component (Index of …);
- Locate the components disabled or protected
- Locate each file useful to identify the version of a component (Readme, Manifest, License, Changelog)
- Locate the robots.txt file or error_log file
- Supports HTTP or HTTPS connections
- Connection timeout

Next Features

- Locate the version of Joomla CMS
- Find Module
- Customized User Agent and Random Agent
- The user can change the connection timeout
- A database of vulnerable components

Usage

    usage: python joomlascan.py [-h] [-u URL] [-t THREADS] [-v]

    optional arguments:
    -h, --help                     show this help message and exit
    -u URL, --url URL              The Joomla URL/domain to scan.
    -t THREADS, --threads THREADS  The number of threads to use when multi-threading requests (default: 10).
    -v, --version                  show program's version number and exit

Requirements

- Python
- beautifulsoup4 (To install this library from terminal type: $ sudo easy_install beautifulsoup4 or $ sudo pip install beautifulsoup4)

Changelog

- 2016.12.12 0.5beta > Implementation of the Multi Thread, Updated database from 656 to 686 components, Fix Cosmetics and Minor Fix.
- 2016.05.20 0.4beta > Find README.md, Find Manifes.xml, Find Index file of Components (Only if descriptive), User Agent and TimeOut on Python Request, Updated database from 587 to 656 components, Fix Cosmetics and Minor Fix.
- 2016.03.18 0.3beta > Find index file on components directory
- 2016.03.14 0.2beta > Find administrator components and file Readme, Changelog, License.
- 2016.02.12 0.1beta > Initial release

Link: http://feedproxy.google.com/~r/PentestTools/~3/eB9tJ1p5f9Y/joomlascan-tool-to-find-components.html

C5Scan – Vulnerability Scanner And Information Gatherer For The Concrete5 CMS

Vulnerability scanner and information gatherer for the Concrete5 CMS. It is a little out of date at present, pending a refactor.

concrete5 is an open-source content management system (CMS) for publishing content on the World Wide Web and intranets. concrete5 is designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page. It provides version management for every page, similar to wiki software, another type of web site development software. concrete5 allows users to edit images through an embedded editor on the page.

Use

    python c5scan.py -u (-r)

    -u --url     Insert your target URL here
    -r --robots  If found, print contents of robots.txt

Dependencies

    pip install httplib2 requests

Example

    $ python c5scan.py -u localhost -r

    **********************************************************
    *                       ~ C5scan ~                       *
    * A vulnerability and information gatherer for concrete5 *
    *                auraltension@riseup.net                 *
    **********************************************************

    No http:// or https:// provided. Trying http://
    URL: http://localhost/
    [+] Discovered version from meta 'generator' tag
    [+] Interesting header: server: Apache/2.2.14 (Ubuntu)
    [+] Interesting header: x-powered-by: PHP/5.3.2-1ubuntu4.24
    [+] robots.txt found at http://localhost/robots.txt
    User-agent: *
    Disallow: /blocks
    Disallow: /concrete
    Disallow: /config
    Disallow: /controllers
    Disallow: /css
    Disallow: /elements
    Disallow: /helpers
    Disallow: /jobs
    Disallow: /js
    Disallow: /languages
    Disallow: /libraries
    Disallow: /mail
    Disallow: /models
    Disallow: /packages
    Disallow: /single_pages
    Disallow: /themes
    Disallow: /tools
    Disallow: /updates

    Enumerating updates in /updates/
    [+] Update version exists
    [+] Update version exists

    Looking for Readme files
    [+] Found a readme at: http://localhost/concrete/libraries/3rdparty/adodb/readme.txt
    [+] Found a readme at: http://localhost/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
    [+] Found a readme at: http://localhost/concrete/blocks/video/README
    [+] Found a readme at: http://localhost/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
    [+] Found a readme at: http://localhost/concrete/libraries/3rdparty/securimage/README.txt

    Checking for known vulnerabilities in updates
    [+] A known vulnerability exists for Injection in index.php cID param
    http://www.exploit-db.com/exploits/31735/

    Checking for known vulnerabilities in current version
    [+] A known vulnerability exists for Injection in index.php cID param
    http://www.exploit-db.com/exploits/31735/

    Finished.

Link: http://feedproxy.google.com/~r/PentestTools/~3/ahrJlUVB65M/c5scan-vulnerability-scanner-and.html

Pyfiscan – Web-Application Vulnerability And Version Scanner

Pyfiscan is a free web-application vulnerability and version scanner that can be used to locate out-dated versions of common web-applications on Linux servers. An example use case is a hosting provider keeping an eye on its users' installations to keep up with security updates. Fingerprints are easy to create and modify, as the user can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.

Requirements

- Python 2.7
- Python modules PyYAML, docopt
- GNU/Linux web server

Testing is done mainly with GNU/Linux Debian stable. Windows is not currently supported.

Detects following software

ATutor, b2evolution, BigTree CMS, Bugzilla, Centreon, Claroline, ClipperCMS, CMSimple, CMSMS, Collabtive, Concrete5, Coppermine, Cotonti, Croogo, CubeCart, Dolibarr, Dotclear, Drupal, e107, EspoCRM, Etherpad, FluxBB, Foswiki, Gallery, Gollum, HelpDEZk, HumHub, ImpressCMS, ImpressPages, Jamroom, Joomla, Kanboard, KCFinder, LiteCart, Magnolia, Mahara, MantisBT, MediaWiki, Microweber, MiniBB, MODX Revolution, MoinMoin, MyBB, Nibbleblog, Open Source Social Network, OpenCart, osDate, ownCloud, Oxwall, PBBoard, phpBB3, PhpGedView, phpMyAdmin, Piwigo, Piwik, PmWiki, Postfix Admin, Redaxo, Roundcube, SaurusCMS, Serendipity, Shaarli, SMF, Spina CMS, SPIP, SquirrelMail, TestLink, TikiWiki, Trac, WikkaWiki, WordPress, X-Cart, Zenphoto, Zikula

Detects following end-of-life software:

- Bugzilla 4.2 is end-of-life since 2015-11-30
- Drupal 6 is end-of-life since 2016-02-24
- Gallery 1
- Joomla 1.5 is end-of-life since 2012-04-30
- Joomla 1.6 is end-of-life since 2011-08-19. 1.6.x should be upgraded to 1.6.6 before moving to 1.7.x
- Joomla 1.7 is end-of-life since 2012-02-24
- Joomla 2.5
- MediaWiki 1.18
- MediaWiki 1.19 is end-of-life since 2015-04-25
- MediaWiki 1.20
- MediaWiki 1.21 is end-of-life since 2014-06-25
- MediaWiki 1.22
- MediaWiki 1.23 is end-of-life since 2017-05-31
- MediaWiki 1.24
- MediaWiki 1.25
- MediaWiki 1.26 is end-of-life since 2016-11-20
- MediaWiki 1.28 is end-of-life since 2017-11-01
- ownCloud 4
- ownCloud 5
- ownCloud 6
- ownCloud 7
- ownCloud 8.0
- ownCloud 8.1
- ownCloud 8.2
- SaurusCMS

Installation

    apt-get install python python-pip libpython2.7-dev libyaml-dev git libyaml-dev
    git clone https://github.com/fgeek/pyfiscan.git && cd pyfiscan
    pip2 install -r requirements.lst

or you can use BlackArch Linux.

Notes

WordPress
- Announcing a secure SWFUpload fork

Joomla
- Upgrade should be done using "Extension manager -> Upgrade" in version 1.6.6 and later
- Release and support cycle
- Setup Security checklist
- Upgrading and migrating Joomla
- Joomla 2.x creates random SQL table prefix
- Joomla 3.x informs and shows user a button to remove installation-directory
- Creates ./configuration.php in installation
- Creates robots.txt, which contains word "Joomla"

SMF
- End of life of SMF 1.0
- Installer requests users with button to delete install.php

TikiWiki
- End of life of TikiWiki 7.x
- 8.4 is last release of TikiWiki 8.x
- End of life of TikiWiki 8.x

MediaWiki
- End of Life of 1.18.x

Gallery
- Not installed when config.php is missing.
- http://codex.galleryproject.org/Gallery2:Security
- Upgrade using:
    http://example.org/gallery3/index.php/upgrade
    php index.php upgrade

phpBB (version unknown)
- Open installation is not a vulnerability since web-interface requests user to authenticate by inserting random data to file.

Coppermine
- Not installed when include/config.inc.php is missing.

Owncloud
- status.php outputs: {"installed":"true","version":"5.0.6","versionstring":"5.0.5","edition":""}

Piwigo
- Not installed if local/config/database.inc.php is missing.

Claroline
- Not installed when platform/conf/claro_main.conf.php is missing.
- Installation pages request user to remove claroline/install/ directory.
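
The installation markers and the ownCloud status.php output in the notes above can be combined into a small triage check for a hosting provider's file trees. This is an added example, not Pyfiscan's own code: the function names and the branch-matching logic are assumptions, and the sample tree in the demo is constructed.

```python
import json
import os
import tempfile

# Config files whose absence means "unpacked but not installed" (from the notes above).
INSTALL_MARKERS = {
    "Coppermine": "include/config.inc.php",
    "Piwigo": "local/config/database.inc.php",
    "Claroline": "platform/conf/claro_main.conf.php",
    "Gallery": "config.php",
}
# ownCloud branches listed above as end-of-life.
OWNCLOUD_EOL = ("4", "5", "6", "7", "8.0", "8.1", "8.2")


def is_installed(app, root):
    """True when the application's configuration file exists under root."""
    return os.path.isfile(os.path.join(root, *INSTALL_MARKERS[app].split("/")))


def owncloud_eol_branch(status_json):
    """Return the end-of-life branch matching status.php output, else None."""
    status = json.loads(status_json)
    # The sample output carries the string "true"; accept a JSON boolean too.
    if str(status.get("installed")).lower() != "true":
        return None
    parts = str(status.get("version", "")).split(".")
    for branch in OWNCLOUD_EOL:
        want = branch.split(".")
        # Compare whole components, not string prefixes
        # (a hypothetical "40.1" is not branch "4").
        if parts[:len(want)] == want:
            return branch
    return None


if __name__ == "__main__":
    # Constructed sample: a Piwigo tree that was unpacked but never configured.
    with tempfile.TemporaryDirectory() as root:
        print("Piwigo installed:", is_installed("Piwigo", root))
        marker = os.path.join(root, "local", "config", "database.inc.php")
        os.makedirs(os.path.dirname(marker))
        open(marker, "w").close()
        print("Piwigo installed:", is_installed("Piwigo", root))
    # status.php output quoted in the notes above.
    sample = '{"installed":"true","version":"5.0.6","versionstring":"5.0.5","edition":""}'
    print("ownCloud EOL branch:", owncloud_eol_branch(sample))
```

An unpacked-but-unconfigured tree is reported as not installed, so it can be triaged separately from a live end-of-life installation.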

Link: http://feedproxy.google.com/~r/PentestTools/~3/gTn3cxTqU6A/pyfiscan-web-application-vulnerability.html