BABYSPLOIT – A BEGINNER PENTESTING TOOL

BABYSPLOIT INTRO:-

Babysploit is a pentesting toolkit used in the initial phase of a pentest. BabySploit covers most of the common scans; it bundles a number of small tools into one framework. It is aimed at people who are new to hacking and want to learn the initial phases of pentesting, as per an ethical hacking expert from the International Institute of Cyber Security.

 

INSTALLING BABYSPLOIT:-

IF YOU ARE NOT USING KALI LINUX, FOLLOW THE STEPS BELOW TO INSTALL BABYSPLOIT:-

  • If you are running any other Linux distro, you need to clone the tool from GitHub.
  • For cloning type:- git clone git://github.com/M4cs/BabySploit ~/BabySploit
  • After cloning, open the BabySploit folder and run the commands below to create a virtual environment for BabySploit.
  • For upgrading the system

type sudo apt-get update

then

type sudo apt-get upgrade

  • After upgrading Linux you have to install the Python libraries:-

For installing them type sudo python3 install.py

  • Create the babysploit environment in linux.

For creating environment type virtualenv babysploit

then type source babysploit/bin/activate

  • After creating the environment:-
    type pip3 install -r requirements.txt
    then type python start.py

IF YOU ARE USING KALI LINUX, FOLLOW THE STEPS BELOW TO INSTALL BABYSPLOIT:-

  • If you are running Kali Linux, you have to upgrade Kali Linux in order to run BabySploit.
  • For upgrading Kali Linux

type sudo apt-get update

then

type sudo apt-get upgrade

  • After upgrading type:- git clone git://github.com/M4cs/BabySploit ~/BabySploit then follow the steps below.
  • Then type ls.
  • Install the required libraries for BabySploit

For that type: pip3 install -r requirements.txt

root@kali:~/BabySploit# ls
babysploit images install.py LICENSE.md pdfs README.md requirements.txt sites start.py
root@kali:~/BabySploit# pip3 install -r requirements.txt
Requirement already satisfied: netifaces==0.10.7 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied: urllib3==1.24 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied: humanfriendly==4.17 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied: terminaltables==3.1.0 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied: pyfiglet==0.7.6 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied: requests==2.20.1 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 6))
Requirement already satisfied: PyPDF3==1.0.1 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 7))
Requirement already satisfied: raccoon-scanner==0.8.5 in /usr/local/lib/python3.6/dist-packages (from -r requirements.txt (line 8))
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/lib/python3/dist-packages (from requests==2.20.1->-r requirements.txt (line 6))
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests==2.20.1->-r requirements.txt (line 6))
Requirement already satisfied: idna<2.8,>=2.5 in /usr/lib/python3/dist-packages (from requests==2.20.1->-r requirements.txt (line 6))
Requirement already satisfied: tqdm in /usr/local/lib/python3.6/dist-packages (from PyPDF3==1.0.1->-r requirements.txt (line 7))
Requirement already satisfied: click in /usr/lib/python3/dist-packages (from raccoon-scanner==0.8.5->-r requirements.txt (line 8))
Requirement already satisfied: lxml in /usr/lib/python3/dist-packages (from raccoon-scanner==0.8.5->-r requirements.txt (line 8))
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from raccoon-scanner==0.8.5->-r requirements.txt (line 8))
Requirement already satisfied: xmltodict in /usr/local/lib/python3.6/dist-packages (from raccoon-scanner==0.8.5->-r requirements.txt (line 8))
Requirement already satisfied: fake-useragent in /usr/local/lib/python3.6/dist-packages (from raccoon-scanner==0.8.5->-r requirements.txt (line 8))
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from raccoon-scanner==0.8.5->-r requirements.txt (line 8))

The dependencies are already installed, which is why we get “Requirement already satisfied”.

  • Then type python3 start.py
root@kali:~/BabySploit# python3 start.py
.-""-. _
/ _ \ _ /|)
.'---""-.| /|) /|/
.' `. /|/ /|/
__/_ \ . /|/ /|/
.' `-. .8-. \\-/|/ /|/
J .--. Y .o./ .o8\ |/\ `/_.-.
| ( \ 98P 888| /\ / ( ` |
| `-._/ | `"|/\ / \|\ F
`. . "-'|\ / \/\ J
|---' _/\ / \// ` |
J /// / / F
_\ .'`-._ ./// / /\\.'
/ `. / .-' `<-'/// / _/\ \\
F.--.\|| `.`/ /.-' )|\ \`.
\__.-/)' `.-' ')/\\ /
.-' .'/ \ ') `-'
( .'.' '`. .'
\'.' ' `. .-'
/ ' `.__.-'/|
J : `._/ |
| : |
J ;-"""-. F
\ / \ /
`.J L _.'
F |--' |
J | |__
L | `.
| |-. \|
| \ )_.'
F -.\ )-'
\ )_)
`""""""""

[i] Default Gateway: 192.168.1.1 [i]

BabySploit!
Developed by @maxbridgland
https://github.com/M4cs/BabySploit

[i] Loaded Configuration... [i]

BabySploit is a framework aimed at helping aspiring
penetration testers learn how to use the most common and
useful tools in the field. Below is a table displaying
what commands are available and what they do.

-----------------------------------------------------------------------
| Command        | Description                                        |
-----------------------------------------------------------------------
| help or ?      | Display this menu                                  |
| info           | Display current configuration options              |
| search         | Search exploitdb for exploits and get link         |
| tools          | Display available tools                            |
| set <key name> | Set configuration key                              |
| reset          | Reset configuration to default                     |
| update         | Check for updates and update thes framework        |
| tutorial       | Run the tutorial wizard                            |
| exit           | Exit framework                                     |
-----------------------------------------------------------------------

[babysploit]>

CLI OUTPUT OF BABYSPLOIT:

  • Typing help or ? displays the same menu as above in red font.
  • To check the current configuration options, type info at the [babysploit]> prompt.
[babysploit]> info
lhost: 0.0.0.0
lport: 8080
rhost: google.com
rport: 80
platform: Linux 4.15.0-kali2-686-pae
usernamelist: lists/users
passwordlist: lists/pass/rockyou.txt
urlpath: /connect
  • Then type tools to view the list of tools included in BabySploit.

 

BABYSPLOIT INBUILT TOOLS:-

 

[babysploit]> tools
______ __
/_ __/___ ____ / /____
/ / / __ \/ __ \/ / ___/
/ / / /_/ / /_/ / (__ )
/_/ \____/\____/_/____/

Simply enter the name of the tool you want to use to use it.

Information Gathering
-----------------------------------------------------------------------------
| Tool          | Description                                               |
-----------------------------------------------------------------------------
| nmap          | nmap port scanner tool                                    |
| iplookup      | ip info tool                                              |
| dnslookup     | dns lookup tool                                           |
| censyslookup  | censys api lookup | req api creds                         |
| raccoon       | use raccoon scanner tool | command: raccoon --help        |
| cfbypass      | cloudflare bypasser                                       |
-----------------------------------------------------------------------------

Exploitation
-----------------------------------------------------------------------------
| Tool          | Description                                               |
-----------------------------------------------------------------------------
| searchsploit  | search available exploits (use search command)            |
| reverseshell  | reverse shell tool for creating payloads                  |
| ftpvulnscan   | check for ftp buffer overflow                             |
| wpseku        | wordpress vulnerability scanner                           |
-----------------------------------------------------------------------------

Phishing
-----------------------------------------------------------------------------
| Tool          | Description                                               |
-----------------------------------------------------------------------------
| blackeye      | BlackEye Phish Kit                                        |
-----------------------------------------------------------------------------

Cryptography/Steganography
-----------------------------------------------------------------------------
| Tool          | Description                                               |
-----------------------------------------------------------------------------
| pdfmeta       | pdf meta data                                             |
-----------------------------------------------------------------------------

Bruteforcing
-----------------------------------------------------------------------------
| Tool          | Description                                               |
-----------------------------------------------------------------------------
| ftpbruteforce | ftp brute force tool                                      |
-----------------------------------------------------------------------------

There are many tools which can be used in information gathering.

NOW WE WILL FIRST TAKE IPLOOKUP TOOL:-

Iplookup is used to find the IP address of the target.

  • Type iplookup
  • Then type testphp.vulnweb.com
[babysploit]> iplookup
[?] Enter IP or Domain To Lookup: testphp.vulnweb.com
[!] Sending Request...
[!] Request Successful Displaying Response:
Location: Frankfurt am Main, Hesse Germany 60313
IP: 176.28.50.165
ISP: Host Europe GmbH
Scan Complete.

SneakyBoy..
  • After scanning the target, iplookup has found the target's IP address, its location and its ISP.
  • This output can be used in the initial phase of information gathering.

NOW WE WILL TAKE DNSLOOKUP TOOL:-

Dnslookup is used to find the DNS records of the target.

  • Type dnslookup
  • Then type hackthissite.org
[babysploit]> dnslookup
[?] Please Enter The Domain You'd Like To Lookup: hackthissite.org

Checking For A Records
----------------------

First A Record: 137.74.187.100 | TTL: 1603
Second A Record: 137.74.187.102 | TTL 1603

Checking For MX Records
-------------------------

First MX Record: 30 aspmx5.googlemail.com | TTL: 3600
Second MX Record: 10 aspmx.l.google.com | TTL: 3600

Checking For AAAA Records
-------------------------

First AAAA Record: 2001:41d0:8:ccd8:137:74:187:100 | TTL: 3600
Second AAAA Record: 2001:41d0:8:ccd8:137:74:187:102 | TTL: 3600

Checking For TXT Records
-------------------------

[!] Failed To Find TXT Records [!]

DNS Lookup Complete!
  • After scanning the target, dnslookup has found some of its records, which can be used in other hacking activities.
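As an added example (not code from this page or from BabySploit), the following Python does at the wire level what dnslookup does above: it builds a DNS query, sends it, and decodes the A, AAAA, MX and TXT answers. The resolver address passed to lookup() is an assumption of the caller, and build_sample_response() is a reply constructed from the hackthissite.org values shown above so that the decoder can be exercised offline. Two details a beginner's tool hides are made explicit: the transaction id of the reply is compared with the one we sent, and compression pointers are bounded, since an unmatched id or a pointer loop is exactly what a spoofed or malicious reply relies on.

```python
import random
import socket
import struct

# The record types the dnslookup tool above asks for.
RECORD_TYPES = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in RECORD_TYPES.items()}

def encode_name(name):
    """DNS wire format: length-prefixed labels, then a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, rtype, txid=None):
    """Standard recursive query; the random txid is what lets us match the reply."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", RECORD_TYPES[rtype], 1)

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:  # a hostile reply could chain pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def decode_rdata(msg, offset, rtype, rdlen):
    """Render one answer's rdata the way dnslookup prints it."""
    rdata = msg[offset:offset + rdlen]
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype == 15:  # MX: 16-bit preference, then a (maybe compressed) name
        return f"{struct.unpack('!H', rdata[:2])[0]} {decode_name(msg, offset + 2)[0]}"
    if rtype == 16:  # TXT: one or more length-prefixed strings
        parts, i = [], 0
        while i < rdlen:
            parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
        return "".join(parts)
    return rdata.hex()

def parse_response(msg):
    """Return (txid, rcode, [(name, type, ttl, value), ...]) for the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question
        offset = decode_name(msg, offset)[1] + 4
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                        decode_rdata(msg, offset, rtype, rdlen)))
        offset += rdlen
    return txid, flags & 0xF, records

def lookup(name, rtype, server, timeout=3.0):
    """Live UDP query to `server` (needs network); rejects a reply with a foreign txid."""
    query = build_query(name, rtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data = sock.recvfrom(4096)[0]
    txid, rcode, records = parse_response(data)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return rcode, records

def build_sample_response(txid=0x1234):
    """Constructed reply reusing the MX and A values from the dnslookup output above;
    every answer name is the pointer 0xC00C back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 0)  # QR, RD, RA; 3 answers
    question = encode_name("hackthissite.org") + struct.pack("!HH", 15, 1)
    def rr(rtype, ttl, rdata):
        return b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return (header + question
            + rr(15, 3600, struct.pack("!H", 10) + encode_name("aspmx.l.google.com"))
            + rr(15, 3600, struct.pack("!H", 30) + encode_name("aspmx5.googlemail.com"))
            + rr(1, 1603, socket.inet_pton(socket.AF_INET, "137.74.187.100")))
```

lookup("hackthissite.org", "MX", server="<your resolver IP>") performs the live query; parse_response(build_sample_response()) exercises the decoder offline and yields the two MX records and the A record in the order they were packed.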

NOW WE WILL TAKE RACCOON TOOL:-

Raccoon is a tool used in information gathering. It is mostly used to show DNS records, run a port scan and fuzz URLs.

  • For using raccoon type raccoon --help.
[babysploit]> raccoon --help
Usage: raccoon [OPTIONS] TARGET

Options:
--version Show the version and exit.
-d, --dns-records TEXT Comma separated DNS records to query.
Defaults to: A,MX,NS,CNAME,SOA,TXT
--tor-routing Route HTTP traffic through Tor (uses port
9050). Slows total runtime significantly
--proxy-list TEXT Path to proxy list file that would be used
for routing HTTP traffic. A proxy from the
list will be chosen at random for each
request. Slows total runtime
-c, --cookies TEXT Comma separated cookies to add to the
requests. Should be in the form of key:value
Example: PHPSESSID:12345,isMobile:false
--proxy TEXT Proxy address to route HTTP traffic through.
Slows total runtime
-w, --wordlist TEXT Path to wordlist that would be used for URL
fuzzing
-T, --threads INTEGER Number of threads to use for URL
Fuzzing/Subdomain enumeration. Default: 25
--ignored-response-codes TEXT Comma separated list of HTTP status code to
ignore for fuzzing. Defaults to:
302,400,401,402,403,404,503,504
--subdomain-list TEXT Path to subdomain list file that would be
used for enumeration
-sc, --scripts Run Nmap scan with -sC flag
-sv, --services Run Nmap scan with -sV flag
-f, --full-scan Run Nmap scan with both -sV and -sC
-p, --port TEXT Use this port range for Nmap scan instead of
the default
--vulners-nmap-scan Perform an NmapVulners scan. Runs instead of
the regular Nmap scan and is longer.
--vulners-path TEXT Path to the custom nmap_vulners.nse script.If
not used, Raccoon uses the built-in script it
ships with.
-fr, --follow-redirects Follow redirects when fuzzing. Default: False
(will not follow redirects)
--tls-port INTEGER Use this port for TLS queries. Default: 443
--skip-health-check Do not test for target host availability
--no-url-fuzzing Do not fuzz URLs
--no-sub-enum Do not bruteforce subdomains
--skip-nmap-scan Do not perform an Nmap scan
-q, --quiet Do not output to stdout
-o, --outdir TEXT Directory destination for scan output
--help Show this message and exit.

For checking the version of raccoon:

  • Type raccoon --version
[babysploit]> raccoon --version
raccoon, version 0.8.5

Raccoon Default Scan:-

  • For using raccoon type raccoon <Target URL>
  • For example, type raccoon testphp.vulnweb.com

===================SNIP======================

======================SNIP==================

  • In the above screenshots, raccoon has found some DNS records, web application URLs and the language in which the target web application was developed.
  • The above information can be used in other hacking activities. Getting an admin URL makes a brute force attack on the target website possible.

Raccoon Full Scan:-

  • Type raccoon --full-scan testphp.vulnweb.com

=====================SNIP=====================

===================SNIP====================

  • After executing the above command, the “--full-scan” option makes raccoon gather as much information as it can. This information could be used by remote attackers in other hacking activities.
  • Raccoon has found all the open ports of the target, which makes it easier for an attacker to attack the website.

RACCOON SKIP NMAP SCAN:-

  • Type raccoon --skip-nmap-scan <Target URL>

====================SNIP=====================

  • Using “--skip-nmap-scan” makes raccoon skip the nmap queries against the target. Raccoon will only use the URL fuzzer to grab the target's URLs.
  • All URLs grabbed by the URL fuzzer can be used in creating phishing pages to take credentials from the target's clients.

NOW WE WILL TALK ABOUT THE SEARCHSPLOIT TOOL:-

Searchsploit lists the exploits that can be used against a given operating system. Searchsploit searches a large exploit list, as shown below.

  • Type searchsploit
  • Then select the platform (Windows, Mac, Linux).
  • In the example below, Windows exploits have been selected.

 

[babysploit]> searchsploit
_____ __
/ ___/___ ____ ___________/ /_
\__ \/ _ \/ __ `/ ___/ ___/ __ \
___/ / __/ /_/ / / / /__/ / / /
/____/\___/\__,_/_/ \___/_/ /_/

Platform [Windows, Linux, MacOS, PHP, All]: Windows
Search: exploit
Running Search..
============================================== Result ==============================================
----------------------------------------------------------------------------------------------------
Title: (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - 'PORT' Remote Denial of Service
Platform: windows
Path: /usr/share/exploitdb/exploits/windows/dos/12698.py
Author: Ma3sTr0-Dz
----------------------------------------------------------------------------------------------------
Title: (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Authentication Bypass / Directory Traversal SAM Retrieval
Platform: windows
Path: /usr/share/exploitdb/exploits/windows/remote/27401.py
Author: Wireghoul
----------------------------------------------------------------------------------------------------
Title: (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Full System Access
Platform: windows
Path: /usr/share/exploitdb/exploits/windows/remote/13932.py
Author: Serge Gorbunov
----------------------------------------------------------------------------------------------------
Title: (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Denial of Service
Platform: windows
Path: /usr/share/exploitdb/exploits/windows/dos/12741.py
Author: Dr_IDE
----------------------------------------------------------------------------------------------------
Title: (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Buffer Overflow (Metasploit)
Platform: windows
Path: /usr/share/exploitdb/exploits/windows/remote/11742.rb
Author: blake
----------------------------------------------------------------------------------------------------
Title: (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Crash (PoC)
Platform: windows
Path: /usr/share/exploitdb/exploits/windows/dos/11391.py
Author: loneferret
----------------------------------------------------------------------------------------------------
--------------------------SNIP OUTPUT-------------------------------------------------------

FIND WORDPRESS VULNERABILITIES:-

For finding the vulnerabilities:

  • Type wpseku
  • By default wpseku selects the target google.com, so to change the target type n
  • Then enter your desired target <URL>
  • Type haqueacademy.edu.pk
[babysploit]> wpseku
== Current Configuration: ==
Target: google.com
[?] Is this configuration correct? [?]
[y\n] n
[?] Enter Target: [?]
> haqueacademy.edu.pk
[?] What type of scan would you like to perform: [?]
[bruteforce login | generic scan | wp plugin] generic scan
[!] Confirm Settings [!]
Target: haqueacademy.edu.pk
Scan Type: Generic
Press ENTER To Confirm
----------------------------------------
_ _ _ ___ ___ ___| |_ _ _
| | | | . |_ -| -_| '_| | |
|_____| _|___|___|_,_|___|
|_| v0.4.0

WPSeku - WordPress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: http://haqueacademy.edu.pk
[ + ] Starting: 07:19:44

[ + ] Server: Apache
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /home/content/21/11179421/html/wp-includes/rss-functions.php
[ i ] Checking wp-config backup file...
[ + ] wp-config.php available at: http://haqueacademy.edu.pk/wp-config.php
[ i ] Checking common files...
[ + ] robots.txt file was found at: http://haqueacademy.edu.pk/robots.txt
[ + ] sitemap.xml file was found at: http://haqueacademy.edu.pk/sitemap.xml
[ + ] readme.html file was found at: http://haqueacademy.edu.pk/readme.html
[ i ] Checking directory listing...
[ i ] Checking wp-loging protection...
[ i ] Checking robots paths...
[ + ] Robots was found at: http://haqueacademy.edu.pk/robots.txt
----------------------------------------
User-agent: *
Disallow: /worldsecuritynews/
Allow: /worldsecuritynews/admin-ajax.php

----------------------------------------
[ i ] Checking WordPress version...
[ + ] Running WordPress version: 4.9.8
| Not found vulnerabilities

[ i ] Passive enumeration themes...
[ + ] Name: haqueacademy
[ i ] Checking themes changelog...
[ i ] Checking themes full path disclosure...
[ i ] Checking themes license...
[ i ] Checking themes readme...
[ i ] Checking themes directory listing...
[ i ] Checking theme vulnerabilities...
| Not found vulnerabilities

[ i ] Passive enumeration plugins...
[ + ] Name: custom-facebook-feed-pro
[ i ] Checking plugins changelog...
[ i ] Checking plugins full path disclosure...
[ i ] Checking plugins license...
[ i ] Checking plugins readme...
[ i ] Checking plugins directory listing...
[ i ] Checking plugin vulnerabilities...
b'{"error":"Not found"}'
| Not found vulnerabilities

[ i ] Enumerating users...
-------------------------
| ID | Username | Login |
-------------------------
| 0 | admin | admin |
| 1 | admin | None |
| 2 | | admin |
-------------------------
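The wpseku run above reports a handful of exposures but leaves prioritisation to the reader. As an added example that is not part of this page or of wpseku, the following Python turns output of that shape into findings ordered by severity, each with a remediation. The host in SAMPLE_OUTPUT is a placeholder, and the rules, severities and fixes are the author's assumptions, not wpseku's. One caveat is built in: wpseku's “wp-config.php available at” means the URL answered, which also happens when PHP simply executes the file and returns an empty body, so the fix text asks for confirmation that source is actually served before treating it as a credential leak.

```python
import re

# Constructed excerpt in the shape of the wpseku output above; the host is a placeholder.
SAMPLE_OUTPUT = """\
[ + ] Server: Apache
[ + ] Full Path Disclosure: /home/content/21/11179421/html/wp-includes/rss-functions.php
[ + ] wp-config.php available at: http://wp.example.test/wp-config.php
[ + ] readme.html file was found at: http://wp.example.test/readme.html
[ + ] Running WordPress version: 4.9.8
| Not found vulnerabilities
| ID | Username | Login |
| 0 | admin | admin |
| 1 | admin | None |
| 2 | | admin |
"""

# (pattern, severity, title, remediation); group 1 of each pattern is kept as evidence.
RULES = [
    (r"wp-config\.php available at: (\S+)", "critical", "wp-config.php reachable over HTTP",
     "Fetch the URL and check whether PHP source comes back; if it does, deny the file in the "
     "web server and rotate the database credentials and salts it contains."),
    (r"Full Path Disclosure: (\S+)", "medium", "Full path disclosure",
     "Set display_errors=Off in php.ini; a leaked filesystem path helps an attacker aim "
     "file-inclusion and upload attacks."),
    (r"^\| \d+ \| (\w+) \|", "medium", "Username enumerated",
     "Rename the 'admin' account, restrict the REST users endpoint and ?author= redirects, "
     "and enforce MFA on wp-login.php."),
    (r"Running WordPress version: (\S+)", "low", "WordPress version disclosed",
     "Keep core updated and remove the generator meta tag."),
    (r"readme\.html file was found at: (\S+)", "low", "readme.html exposed",
     "Delete readme.html from the document root after each update."),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def triage(scan_output):
    """Match each output line against RULES; return de-duplicated findings, worst first."""
    findings, seen = [], set()
    for line in scan_output.splitlines():
        for pattern, severity, title, fix in RULES:
            match = re.search(pattern, line)
            if match and (title, match.group(1)) not in seen:
                seen.add((title, match.group(1)))
                findings.append({"severity": severity, "title": title,
                                 "evidence": match.group(1), "fix": fix})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])  # stable: keeps line order
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print(f"[{finding['severity']}] {finding['title']}: {finding['evidence']}")
        print(f"    fix: {finding['fix']}")
```

Because the sort is stable, findings of equal severity stay in the order the scanner printed them, so a report reads in the same sequence as the scan log.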

CREATE PHISHING PAGES USING BLACKEYE TOOL:-

A normal user can easily create phishing pages using this tool, Blackeye.

  • For creating a phishing page, type blackeye
  • Then select one of the listed social media platforms by typing its number
  • In the example below we have chosen Facebook by typing 2
[babysploit]> blackeye

Availble Templates

[1] Instagram [2] Facebook [3] Snapchat
[4] Twitter [5] GitHub [6] Google
[7] Spotify [8] Netflix [9] PayPal
[10] Origin [11] Steam [12] Yahoo!
[13] LinkedIn [14] Protonmail [15] WordPress
[16] Microsoft [17] IGFollowers [18] eBay
[19] Pinterest [20] CryptoCurrency [21] Verizon
[22] DropBox [23] Adobe ID [24] Shopify
[25] FB Messenger [26] GitLab [27] Twitch
[28] MySpace [29] Badoo [30] VK
[31] Yandex [32] devianART [33] Custom

Please Choose A Number To Host Template:

[?]> 2
Loading facebook

Enter A Custom Subdomain
[?]> www.testing.com
Starting Server at www.testing.com.serveo.net...
Logs Can Be Found In sites/facebook/ip.txt and sites/facebook/usernames.txt
PHP 7.2.3-1 Development Server started at Sat Nov 24 07:42:12 2018
Listening on http://127.0.0.1:80
Document root is /root/BabySploit/sites/facebook
Press Ctrl-C to quit.
The authenticity of host 'serveo.net (159.89.214.31)' can't be established.
RSA key fingerprint is SHA256:07jcXlJ4SkBnyTmaVnmTpXuBiRx2+Q2adxbttO9gt0M.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'serveo.net,159.89.214.31' (RSA) to the list of known hosts.
Hi there
Press g to start a GUI session and ctrl-c to quit.
Warning: no TLS certificate available for www.testing.com.serveo.net. You won't be able to use HTTPS, only HTTP.
Forwarding HTTP traffic from http://www.testing.com.serveo.net
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/robots.txt
[Sat Nov 24 07:42:52 2018] 127.0.0.1:51672 [302]: /
[Sat Nov 24 07:42:52 2018] 127.0.0.1:51674 [404]: /robots.txt - No such file or directory
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/login.html
[Sat Nov 24 07:42:53 2018] 127.0.0.1:51676 [200]: /login.html
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/
[Sat Nov 24 07:43:30 2018] 127.0.0.1:51678 [302]: /
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/login.html
[Sat Nov 24 07:43:31 2018] 127.0.0.1:51680 [200]: /login.html
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/osd.xml
[Sat Nov 24 07:43:49 2018] 127.0.0.1:51682 [404]: /osd.xml - No such file or directory
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/login.html
[Sat Nov 24 07:44:20 2018] 127.0.0.1:51684 [200]: /login.html
HTTP request from 120.59.146.150 to http://www.testing.com.serveo.net/osd.xml
[Sat Nov 24 07:44:34 2018] 127.0.0.1:51686 [404]: /osd.xml - No such file or directory


  • After creating the subdomain, a fake phishing page has been created. The most common attacks are done using phishing pages, as per research done by the ethical hacking group of the International Institute of Cyber Security.

  • In the above screenshot, a phishing page has been created. Phishing pages are the most common attacks.
  • Most users receive these phishing pages via their mail/mobile chat applications.
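The hostname in the log above, www.testing.com.serveo.net, shows the pattern such pages rely on: a familiar-looking name placed in front of a domain the operator does not need to own. As an added example written from the defender's side (not code from this page or from BlackEye), the following Python flags hosts of that shape by splitting off the registrable domain and checking whether a brand domain appears among the labels in front of it, or whether the registrable domain belongs to a free tunnelling service. The brand list, the suffix list, the tunnel list and the sample lines are constructed assumptions; a production version would use the Public Suffix List and the organisation's own allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for a real brand allowlist and for the Public Suffix List.
BRAND_DOMAINS = ("facebook.com", "instagram.com", "paypal.com", "google.com")
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "edu.pk"}
# Services under which anyone can claim a subdomain, as serveo.net is used above.
TUNNEL_DOMAINS = {"serveo.net", "ngrok.io"}

def registrable_domain(host):
    """Toy eTLD+1 split: last two labels, or three when the suffix is in our small list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_host(host):
    """Return the reasons a host looks like a lookalike; an empty list means no finding."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return []  # the brand's own domain, or a genuine subdomain of it
    prefix = host[:-len(reg)].rstrip(".")  # the labels in front of the registrable domain
    findings = []
    for brand in BRAND_DOMAINS:
        if ("." + brand + ".") in ("." + prefix + "."):  # brand as a whole label sequence
            findings.append(f"brand '{brand}' embedded as subdomain of '{reg}'")
    if reg in TUNNEL_DOMAINS:
        findings.append(f"served through tunnelling service '{reg}'")
    return findings

URL_RE = re.compile(r"\bhttps?://\S+")

def scan_urls(lines):
    """Pull every URL out of text lines (a proxy log, a mail body) and classify its host."""
    alerts = []
    for line in lines:
        for url in URL_RE.findall(line):
            reasons = classify_host(urlparse(url).hostname or "")
            if reasons:
                alerts.append((url, reasons))
    return alerts

# Constructed sample lines patterned on the tunnel log shown above (203.0.113.0/24 is a
# documentation range, not a real client).
SAMPLE_LINES = [
    "HTTP request from 203.0.113.7 to http://www.facebook.com.serveo.net/login.html",
    "HTTP request from 203.0.113.7 to http://www.testing.com.serveo.net/login.html",
    "user clicked https://www.facebook.com/login.php from mail",
    "user clicked http://paypal.com.account-verify.example/signin",
]

if __name__ == "__main__":
    for url, reasons in scan_urls(SAMPLE_LINES):
        print(url, "->", "; ".join(reasons))
```

The brand check deliberately matches whole label sequences (".facebook.com." inside ".www.facebook.com.") rather than substrings, so a legitimate name such as facebookmarketing.example is not flagged merely for containing the word; the tunnel check fires even when no brand is present, which is what catches the www.testing.com.serveo.net case above.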