Interesting-Things

V1.0

A single-web-app-target scanning methodology tool: it starts at recon and information gathering, hunts for the juicy stuff, and ends in exploitation.

Suppose you are browsing the subdomains you gathered for a main host, or you are in the middle of exploiting a specific target, and you hit a host that you need to:

- Fuzz its main directory without getting a lot of false positives during content discovery.
- Fuzz its subdomains, looking for hidden services or administrator dashboards.
- Gather its URLs from more than one source and spider the host, looking for different functionality, content management systems, or just more parameters.
- Filter, grep and sed those URLs into buckets of common vulnerability classes based on the extracted parameters, and collect and save the gathered JS files so the next steps are clearer.
- Scan its ports with service detection, look up public CVEs for the detected services, and write the results as grepable text, XML and a nice-looking HTML report.
- Run detection templates for newly published application CVEs, common security misconfigurations, subdomain takeover checks, and more.
- Use the timelimit command to cap each gathering step's run time, so you do not spend too long collecting data for one host and can focus on the exploitation phase.

Instead of running a separate command for each of these steps, you can do all of it with one command, which makes it much easier to understand a host's functionality and move on to manual testing, or feed the output files into other exploitation tools.
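As an added example (not the project's own `interest` script), here is the filter/grep/sed stage from the list above written as standalone shell functions: it de-duplicates merged crawler output, pulls out the JS URLs and the URLs that carry parameters, and sorts the latter into per-vulnerability-class buckets by parameter name, mirroring the scrap/ layout in the Output section. The crawler output is a constructed sample embedded in the script, and the parameter-name lists for each class are illustrative assumptions, not the gf-patterns the tool uses.

```bash
#!/usr/bin/env bash
# Added example, not the project's code: the "filter - grep - sed" stage of
# the workflow, as standalone functions. Input is a constructed sample of what
# gau / hakrawler / gospider would emit, embedded so the script runs offline.
set -eu

sample_crawl_output() {
  # Constructed sample: merged crawler output for a fictional target
  # (includes one duplicate line on purpose).
  cat <<'EOF'
https://target.example/
https://target.example/static/app.js
https://target.example/static/app.js
https://target.example/login?next=/account
https://target.example/api/fetch?url=https://cdn.example/img.png
https://target.example/download?file=../../etc/passwd
https://target.example/assets/vendor.min.js?v=3
http://target.example/redirect?to=https://evil.example
https://target.example/search?q=test&page=2
EOF
}

dedup_urls() {
  # Strip trailing whitespace, drop blank lines, keep one copy of each URL.
  sed 's/[[:space:]]*$//' | grep -v '^$' | sort -u
}

js_urls() {
  # URLs whose path ends in .js, with or without a query string.
  grep -Ei '\.js(\?[^[:space:]]*)?$' || true
}

param_urls() {
  # Only URLs that carry a query string: the ones worth fuzzing first.
  grep -F '?' || true
}

param_names() {
  # Unique parameter names across all query strings, e.g. ?a=1&b=2 -> a, b.
  sed -n 's/^[^?]*?//p' | tr '&' '\n' | sed 's/=.*//' | grep -v '^$' | sort -u
}

match_pattern() {
  # Keep URLs whose query string contains one of the given parameter names.
  # $1 = pipe-separated names, matched case-insensitively as [?&]name=.
  grep -Ei "[?&]($1)=" || true
}

# Candidate parameter names per vulnerability class. Assumption for
# illustration, modelled on the idea of gf-patterns, not copied from them.
PATTERN_SSRF='url|uri|dest|redirect_uri|callback|fetch'
PATTERN_REDIRECT='next|to|redirect|return|goto|continue'
PATTERN_LFI='file|path|page|template|include|document'

triage() {
  # Whole stage: read merged crawler output on stdin, write the buckets
  # into $1 using the same file names as the tool's scrap/ directory.
  out=$1
  mkdir -p "$out/patterns"
  dedup_urls > "$out/all-urls.out"
  js_urls    < "$out/all-urls.out" > "$out/all-js-urls.out"
  param_urls < "$out/all-urls.out" > "$out/params.out"
  match_pattern "$PATTERN_SSRF"     < "$out/params.out" > "$out/patterns/ssrf.out"
  match_pattern "$PATTERN_REDIRECT" < "$out/params.out" > "$out/patterns/redirect.out"
  match_pattern "$PATTERN_LFI"      < "$out/params.out" > "$out/patterns/lfi.out"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  sample_crawl_output | triage "$d"
  wc -l "$d"/*.out "$d"/patterns/*.out
fi
```

Run it with `--demo` to write the buckets to a temporary directory, or pipe real gau/hakrawler/gospider output into `triage <dir>` for a target. Matching on parameter names is a triage heuristic: it tells you where to look first, not that a parameter is vulnerable, so the patterns/*.out files are input for manual testing or for a fuzzer, not findings.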



Workflow

Install - Configurations - Usage

Make sure you have these tools installed and available on your PATH.

FFUF, nuclei, timelimit, Hakrawler, GAU, Gospider, xurls, gf, NMAP, gf-patterns, zile

  • Configurations
Edit the file and set the variables below; the paths, time limits and Telegram settings are specific to your host.
Example: 
# Word lists - Change - 
http_FFUF_wordlist="/lists/quickhits-2000.txt"; # fuzzing the main directory over HTTP
https_FFUF_wordlist="/lists/quickhits-2000.txt"; # fuzzing the main directory over HTTPS
ffuf_sub_list="/SecLists/Discovery/DNS/medium-words.txt"; # subdomain fuzzing


# nuclei templates and zile - Change - 
nuclei_template="/oneline/nuclei-templates/";
zilePATH="/tools/zile/zile.py"; # Set zile tool path


# Control tool running time - Change - ( in seconds )
# Each URL-gathering tool is stopped after this many seconds; with these values every one of them gets 60 seconds.

gau_timelimit="60"; 
hakrawler_timelimit="60";
gospider_timelimit="60";



# Telegram Bot

telegram_bot_access_token="xx"; # Change to your telegram bot access token.
telegram_group_id="xx"; # Change to your telegram group id, without the leading -
The bot token is a credential: keep the edited file out of version control and readable only by your user.
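An added example (not from the project) of what the *_timelimit settings above do: the gathering command is run under a time bound, the lines it managed to emit before being stopped are kept, and the caller learns that the bound was hit. It uses the timelimit tool the README lists when it is present and falls back to coreutils timeout otherwise (an assumption about the host); the "crawler" is a constructed loop that prints URLs forever, standing in for gau.

```bash
#!/usr/bin/env bash
# Added example, not the project's code: bounding a URL-gathering step in time
# while keeping the partial output it produced before being stopped.
set -eu

bounded_run() {
  # $1 = seconds allowed, $2 = output file, remaining args = command to run.
  # Returns 0 if the command finished on its own, non-zero if it was stopped
  # or failed; either way, whatever it wrote before stopping stays in $2.
  secs=$1
  outfile=$2
  shift 2
  rc=0
  if command -v timelimit >/dev/null 2>&1; then
    # timelimit: -t seconds before SIGTERM, -T seconds after that before SIGKILL
    timelimit -t "$secs" -T 5 "$@" > "$outfile" 2>/dev/null || rc=$?
  else
    # Assumption: coreutils timeout exists on the host (exit status 124 on timeout).
    timeout "$secs" "$@" > "$outfile" 2>/dev/null || rc=$?
  fi
  return "$rc"
}

gather_demo() {
  # $1 = seconds. Runs a constructed stand-in for gau/hakrawler/gospider
  # (emits a URL five times a second and never exits, the case a time limit
  # exists for) and prints "<lines kept> <exit status> <elapsed seconds>".
  tmp=$(mktemp)
  start=$(date +%s)
  rc=0
  bounded_run "$1" "$tmp" sh -c \
    'i=0; while :; do i=$((i+1)); echo "https://target.example/page/$i"; sleep 0.2; done' \
    || rc=$?
  elapsed=$(( $(date +%s) - start ))
  kept=$(wc -l < "$tmp" | tr -d ' ')
  rm -f "$tmp"
  echo "$kept $rc $elapsed"
}

if [ "${1:-}" = "--demo" ]; then
  # With a 2-second bound the crawler is cut off, about ten URLs survive,
  # and the non-zero status tells you the list is partial, not complete.
  gather_demo 2
fi
```

The point for the workflow is the non-zero status: a gathering step that hit its limit produced an incomplete URL list, so treat the scrap/ files for that host as a sample rather than as full coverage, and raise the limit for hosts that matter.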

  • Usage
git clone https://github.com/osamahamad/Interesting-Things
cd Interesting-Things
chmod +x interest
./interest sub.target.com
OR
./interest target.com
If you want to use it globally:
mv interest /usr/bin/interest
# If you are working on a VPS and want to browse the results from a browser, I recommend adding these lines at the end of the tool: they send the result URL to your Telegram group and copy the output directory into the web root (a public_html directory here).
message Result%3A%20http%3A%2F%2FVPS_IP%2Finteresting-targets%2F$1$(date | jq -sRr @uri) ;
cp -r "$1" /var/www/html/host/public_html/interesting-targets/"$1"
Anything under that web root is readable by whoever can reach the VPS, and the output is recon data about your target, so restrict access to the directory (HTTP authentication or a firewall allow-list) instead of leaving it world-readable.

Output

Directory named [ interesting-targets ] -> targetname ->

http-ffuf-filename.out
https-ffuf-filename.out
fuf_subdomains.out
target.out

/scrap/all-js-urls.out
/scrap/all-urls.out
/scrap/gau.out
/scrap/gospider.out
/scrap/hakrawler.out
/scrap/patterns/*.out
/scrap/zile.out

/NMAP/nmap-bootstrap.xsl
/NMAP/nmap-scan-result.gnmap
/NMAP/nmap-scan-result.nmap
/NMAP/nmap-scan-result.xml
/NMAP/nmap-scan-result.html

/nuclei/*.out

Credits

The creators of all these tools:

FFUF, nuclei, timelimit, Hakrawler, GAU, Gospider, xurls, gf, NMAP, gf-patterns, zile

@phspade for the Telegram bot message function. I actually like it more than Slack (I did not know about it before) and have converted almost all my tools from Slack notifications to Telegram.

InfoSec Community.