Sn1per Community Edition by @xer0dayz - https://xerosecurity.com

CHANGELOG.md

@@ -1,4 +1,16 @@
 ## CHANGELOG:
+* v7.3 - Added CVE-2019-15107 Webmin <= 1.920 - Unauthenticated RCE MSF exploit
+* v7.3 - Added massdns plugin
+* v7.3 - Added altdns plugin
+* v7.3 - Added dnsgen plugin
+* v7.3 - Updated web file/dir wordlists from public exploits and honeypots
+* v7.3 - Added time stamps to all commands
+* v7.3 - Removed CloudFront from domain hijacking checks
+* v7.3 - Removed snmp-brute.nse script due to scan issues
+* v7.3 - Fixed issue with discover scan workspace names
+* v7.3 - Fixed issue with DockerFile (sed: can't read /usr/bin/msfdb: No such file or directory)
+* v7.3 - Fixed issue with installer on docker not having pip installed
+* v7.3 - Fixed issue with port 161 not being referenced correctly in scans
 * v7.2 - Added experimental OpenVAS API integration
 * v7.2 - Improved Burpsuite 2.x API integration with vuln reporting
 * v7.2 - Added hunter.io API integration to recon mode scans

install.sh

@@ -83,6 +83,14 @@ git clone https://github.com/rbsec/dnscan.git
 git clone https://github.com/christophetd/censys-subdomain-finder.git
 pip install -r $PLUGINS_DIR/censys-subdomain-finder/requirements.txt
 pip3 install -r $PLUGINS_DIR/dnscan/requirements.txt 
+git clone https://github.com/infosec-au/altdns.git 
+git clone https://github.com/blechschmidt/massdns.git
+git clone https://github.com/ProjectAnte/dnsgen
+cd dnsgen
+pip3 install -r requirements.txt
+python3 setup.py install
+cd ..
+pip install py-altdns
 pip3 install webtech
 mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
 unzip slurp.zip
@@ -99,6 +107,8 @@ cd ~/go/bin;go get -u github.com/subfinder/subfinder; mv subfinder /usr/local/bi
 cd /usr/share/nmap/scripts/
 git clone https://github.com/scipag/vulscan
 wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
+mkdir -p ~/.msf4/modules/exploits/web
+wget https://raw.githubusercontent.com/1N3/Exploits/master/defcon_webmin_unauth_rce.rb -O ~/.msf4/modules/exploits/web/defcon_webmin_unauth_rce.rb
 cd $PLUGINS_DIR
 echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
 mv ~/.sniper.conf ~/.sniper.conf.old 2> /dev/null

modes/airstrike.sh

@@ -23,7 +23,7 @@ if [ "$MODE" = "airstrike" ]; then
       if [ ! -z "$WORKSPACE" ]; then
         args="$args -w $WORKSPACE"
         WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
-        echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
+        echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
         mkdir -p $WORKSPACE_DIR 2> /dev/null
         mkdir $WORKSPACE_DIR/domains 2> /dev/null
         mkdir $WORKSPACE_DIR/screenshots 2> /dev/null

modes/bruteforce.sh

@@ -1,11 +1,11 @@
 if [ "$AUTOBRUTE" = "0" ]; then
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED SKIPPING BRUTE FORCE $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
 else
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED RUNNING BRUTE FORCE $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
     /bin/bash "$INSTALL_DIR/bin/slack.sh" "[xerosecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
   fi
@@ -15,6 +15,10 @@ else
   cd $INSTALL_DIR
   rm -f hydra.restore
   rm -f scan.log
+  CRACKED=$(egrep -h -i -s password $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null | grep host 2> /dev/null)
+  if [ ${#CRACKED} -ge 5 ]; then
+    echo "$CRACKED" > $LOOT_DIR/output/cracked-$TARGET.txt 2> /dev/null
+  fi
   echo ""
   if [ "$SLACK_NOTIFICATIONS_BRUTEFORCE" == "1" ]; then
     /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/credentials/brutex-$TARGET.txt"

modes/discover.sh

@@ -2,9 +2,10 @@
 if [ "$MODE" = "discover" ]; then
   if [ "$REPORT" = "1" ]; then
     if [ ! -z "$WORKSPACE" ]; then
+      WORKSPACE="$(echo $WORKSPACE | tr / -)"
       args="$args -w $WORKSPACE"
       LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
-      echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
+      echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
       mkdir -p $LOOT_DIR 2> /dev/null
       mkdir $LOOT_DIR/ips 2> /dev/null
       mkdir $LOOT_DIR/screenshots 2> /dev/null
@@ -39,33 +40,33 @@ if [ "$MODE" = "discover" ]; then
   echo -e "$OKRED                                                                   \/$RESET"
   echo ""
   OUT_FILE=$(echo $TARGET | tr / -)
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED RUNNING PING DISCOVERY SCAN $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   nmap -sP $TARGET | tee $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt
   cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt 2> /dev/null | grep "scan report" | awk '{print $5}' > $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   nmap -v -p $QUICK_PORTS -sS $TARGET -Pn 2> /dev/null | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null 
   cat $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED RUNNING UDP PORT SCAN $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   nmap -v -p $DEFAULT_UDP_PORTS -sU -Pn $TARGET 2> /dev/null | tee $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt 2>/dev/null 
   cat $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED CURRENT TARGETS $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt 2> /dev/null > $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt
   sort -u $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt > $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt
   cat $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt
   echo ""
   echo -e "$OKRED[+]$RESET Target list saved to $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt "
   echo -e "$OKRED[i] To scan all IP's, use sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   echo -e "$OKRED SCAN COMPLETE! $RESET"
-  echo -e "${OKGREEN}====================================================================================${RESET}"
+  echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
   if [ "$SLACK_NOTIFICATIONS" == "1" ]; then
     /bin/bash "$INSTALL_DIR/bin/slack.sh" "[xerosecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
   fi

modes/flyover.sh

@@ -10,7 +10,7 @@ if [ "$MODE" = "flyover" ]; then
     if [ ! -z "$WORKSPACE" ]; then
       args="$args -w $WORKSPACE"
       WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
-      echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
+      echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
       mkdir -p $WORKSPACE_DIR 2> /dev/null
       mkdir $WORKSPACE_DIR/domains 2> /dev/null
       mkdir $WORKSPACE_DIR/screenshots 2> /dev/null
@@ -65,7 +65,10 @@ if [ "$MODE" = "flyover" ]; then
       webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null &
 
       nmap -sS --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null & 
-
+      WEBHOST=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null | egrep "80|443" | grep open | wc -l 2> /dev/null) 
+      if [ "$WEBHOST" -gt "0" ]; then
+        echo "$TARGET" >> $LOOT_DIR/web/webhosts-unsorted.txt 2> /dev/null
+      fi
       cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
 
       if [ $CUTYCAPT = "1" ]; then
@@ -77,26 +80,36 @@ if [ "$MODE" = "flyover" ]; then
           cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null &
         fi
       fi
-
       if [ $WEBSCREENSHOT = "1" ]; then
         cd $LOOT_DIR
-        python $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80 2> /dev/null > /dev/null &
-        python $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443 2> /dev/null > /dev/null &
+        python2 $INSTALL_DIR/bin/webscreenshot.py -t 5 http://$TARGET:80 2> /dev/null > /dev/null &
+        python2 $INSTALL_DIR/bin/webscreenshot.py -t 5 https://$TARGET:443 2> /dev/null > /dev/null &
       fi
-
       echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
-
+      echo "$TARGET" >> $LOOT_DIR/domains/targets-all-presorted.txt
       i=$((i+1))
       if [ "$i" -gt "$THREADS" ]; then
         i=1
         sleep 15
       fi
-
     done
     sleep 15
     sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
+    sort -u $LOOT_DIR/domains/targets-all-presorted.txt 2> /dev/null > $LOOT_DIR/domains/targets-all-sorted.txt
     rm -f $INSTALL_DIR/wget-log* 2> /dev/null
     killall webtech 2> /dev/null
+    for TARGET in `cat $LOOT_DIR/domains/targets-all-sorted.txt`; do
+      HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null)
+      if [ ${#HOST_UP} -ge 2 ]; then
+        echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null
+      fi
+
+      rm -f $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null
+      for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do
+        echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt
+      done      
+    done
+    sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null
     echo -e "$OKRED=====================================================================================$RESET"
     if [ "$LOOT" = "1" ]; then
       loot