Finding vulnerabilities takes time for pentester/ security researcher. There are many tools & techniques for finding bugs in any URL. Earlier we have shown many tools which are used in many phases of pentesting. Pentesting always begins with information gathering phase. According to ethical hacking researcher of international institute of cyber security, pentesting has really moved to a automated way. Pentesters uses tools to scan for open ports & services, we will show an small automation bot which is used for finding vulnerabilities in different types of CMS.
Vulnx is used to find vulnerabilities in different types of CMS. Vulnx scan for subdomains, port scan, IP address, country, region. Vulnx is designed to automate your pentesting.
- For testing we have used Kali Linux 2018.2. Make ensure python3 is installed.
- Type sudo apt-get update
- Type sudo apt-get install python3
- Type git clone https://github.com/anouarbensaad/vulnx.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/anouarbensaad/vulnx.git Cloning into 'vulnx'… remote: Enumerating objects: 35, done. remote: Counting objects: 100% (35/35), done. remote: Compressing objects: 100% (28/28), done. remote: Total 1034 (delta 13), reused 17 (delta 7), pack-reused 999 Receiving objects: 100% (1034/1034), 505.30 KiB | 410.00 KiB/s, done. Resolving deltas: 100% (609/609), done.
- Type cd vulnx/
- Type ls
root@kali:/home/iicybersecurity/Downloads# cd vulnx/ root@kali:/home/iicybersecurity/Downloads/vulnx# ls CHANGELOG.md common docker LICENSE README.md shell vulnx.py cli.py config install.sh modules requirements.txt update.sh
- Type ./install.sh
root@kali:/home/iicybersecurity/Downloads/vulnx# ./install.sh
===== VULNX INSTALL =====
[+] Vulnx Will Be Installed In Your System
[+] Installing python3...
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.7.3-1).
0 upgraded, 0 newly installed, 0 to remove and 664 not upgraded.
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r ./requirements.txt (line 1)) (2.21.0)
Collecting bs4 (from -r ./requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
Requirement already satisfied: beautifulsoup4 in /usr/lib/python2.7/dist-packages (from bs4->-r ./requirements.txt (line 2)) (4.8.0)
Building wheels for collected packages: bs4
Running setup.py bdist_wheel for bs4 ... done
Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
Successfully built bs4
Installing collected packages: bs4
Successfully installed bs4-0.0.1
[+] Checking directories...
[+] Installing ...
[+] Creating Symbolic Link ...
[+] Tool Successfully Installed And Will Start In 5s!
[+] You can execute tool by typing vulnx
.:. .:,
xM; XK.
dx' .lO.
do ,0.
.c.lN' , '. .k0.:'
xMMk;d;''cOM0kWXl,',locMMX.
.NMK. :WMMMMMMMx dMMc
lMMO lWMMMMMMMMMO. lMMO
cWMxxMMMMMMMMMMMMKlWMk
.xWMMMMMMMMMMMMMMM0,
.,OMd,,,;0MMMO,.
.l0O.VXVXOX.VXVX0MOVXVX.0Kd,
lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
.MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
.OXc ,MMOVXVX0VX .VXVX00MMo ,0X'
0x. :XMMMkVXVX.XO.VXVXdMMMWo. :X'
.d 'NMMMMMMkVXVX..VXVX0.XMMMMWl ;c
'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
.NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
:NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
.0MN, 'XMMMMMMoVXoMMMMMMWl 0MW,
.0. .xWMMMMM:lMMMMMM0, kc
,O. .:dOKXXXNKOxc. do
'0c -VulnX- ,Ol
;. :.
# Coded By Anouar Ben Saad - @anouarbensaad
- Type chmod 755 requirements.txt vulnx.py
root@kali:/home/iicybersecurity/Downloads/vulnx# chmod 755 requiremnets.txt vulnx.py
- Type python3 vulnx.py –help
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py --help
.:. .:,
xM; XK.
dx' .lO.
do ,0.
.c.lN' , '. .k0.:'
xMMk;d;''cOM0kWXl,',locMMX.
.NMK. :WMMMMMMMx dMMc
lMMO lWMMMMMMMMMO. lMMO
cWMxxMMMMMMMMMMMMKlWMk
.xWMMMMMMMMMMMMMMM0,
.,OMd,,,;0MMMO,.
.l0O.VXVXOX.VXVX0MOVXVX.0Kd,
lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
.MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
.OXc ,MMOVXVX0VX .VXVX00MMo ,0X'
0x. :XMMMkVXVX.XO.VXVXdMMMWo. :X'
.d 'NMMMMMMkVXVX..VXVX0.XMMMMWl ;c
'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
.NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
:NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
.0MN, 'XMMMMMMoVXoMMMMMMWl 0MW,
.0. .xWMMMMM:lMMMMMM0, kc
,O. .:dOKXXXNKOxc. do
'0c -VulnX- ,Ol
;. :.
# Coded By Anouar Ben Saad - @anouarbensaad
usage: vulnx.py [-h] [-u URL] [-D DORKS] [-o OUTPUT] [-t TIMEOUT]
[-c {user,themes,version,plugins,all}] [--threads NUMTHREAD]
[-n NUMBERPAGE] [-i INPUT_FILE]
[-l {wordpress,prestashop,joomla,lokomedia,drupal,all}]
[-p SCANPORTS] [-e] [--it] [-w] [-d] [--dns]
OPTIONS:
-h, --help show this help message and exit
-u URL, --url URL url target to scan
-D DORKS, --dorks DORKS
search webs with dorks
-o OUTPUT, --output OUTPUT
specify output directory
-t TIMEOUT, --timeout TIMEOUT
http requests timeout
-c {user,themes,version,plugins,all}, --cms-info {user,themes,version,plugins,all}
search cms info[themes,plugins,user,version..]
--threads NUMTHREAD number of threads
-n NUMBERPAGE, --number-pages NUMBERPAGE
search dorks number page limit
-i INPUT_FILE, --input INPUT_FILE
specify input file of domains to scan
-l {wordpress,prestashop,joomla,lokomedia,drupal,all}, --dork-list {wordpress,prestashop,joomla,lokomedia,drupal,all}
list names of dorks exploits
-p SCANPORTS, --ports SCANPORTS
ports to scan
-e, --exploit searching vulnerability & run exploits
--it interactive mode.
-w, --web-info web informations gathering
-d, --domain-info subdomains informations gathering
--dns dns informations gatherings
- Type python3 vulnx.py -u http://hack.me –dns -d -w -e –output ./hack.me
- –dns is used to gather dns information.
- -d is used to gather domain info.
- -w is used to gather web domain info.
- -e is used to search for vulnerabilities & exploits.
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py -u http://hack.me --dns -d -w -e --output ./hack.me
.:. .:,
xM; XK.
dx' .lO.
do ,0.
.c.lN' , '. .k0.:'
xMMk;d;''cOM0kWXl,',locMMX.
.NMK. :WMMMMMMMx dMMc
lMMO lWMMMMMMMMMO. lMMO
cWMxxMMMMMMMMMMMMKlWMk
.xWMMMMMMMMMMMMMMM0,
.,OMd,,,;0MMMO,.
.l0O.VXVXOX.VXVX0MOVXVX.0Kd,
lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
.MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
.OXc ,MMOVXVX0VX .VXVX00MMo ,0X'
0x. :XMMMkVXVX.XO.VXVXdMMMWo. :X'
.d 'NMMMMMMkVXVX..VXVX0.XMMMMWl ;c
'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
.NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
:NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
.0MN, 'XMMMMMMoVXoMMMMMMWl 0MW,
.0. .xWMMMMM:lMMMMMM0, kc
,O. .:dOKXXXNKOxc. do
'0c -VulnX- ,Ol
;. :.
# Coded By Anouar Ben Saad - @anouarbensaad
[Target] => http://hack.me
------------------------------------------------
[?] looking for cms
[+] CMS : Lokomedia
------------------------------------------------
------------------------------------------------
[~] Scanning Ports
PORTS STATUS PROTO
[?] 22 CLOSE SSH
-----------------------------------------------
[~] Starting DNS dump
[!] Retrieved token: 7lMSlFeGREkQtU4PxAkC9E7JuA0wsfXnLpLxG3izLIboqqtCEBFGs2YDRCIMsJLh
[?] Search for DNS Servers
[+] Host : ns-113.awsdns-14.com.
[+] IP : 205.251.192.113
[+] AS : AMAZON-02
----------------
[+] Host : ns-1428.awsdns-50.org.
[+] IP : 205.251.197.148
[+] AS : AMAZON-02
----------------
[+] Host : ns-1869.awsdns-41.co.uk.
[+] IP : 205.251.199.77
[+] AS : AMAZON-02
----------------
[+] Host : ns-881.awsdns-46.net.
[+] IP : 205.251.195.113
[+] AS : AMAZON-02
----------------
[?] Search for MX Records
[+] Host : 1 aspmx.l.google.com.
[+] IP : 172.217.197.27
[+] AS : GOOGLE
----------------
[+] Host : 10 alt3.aspmx.l.google.com.
[+] IP : 64.233.184.27
[+] AS : GOOGLE
----------------
[+] Host : 10 alt4.aspmx.l.google.com.
[+] IP : 172.217.218.26
[+] AS : GOOGLE
----------------
[+] Host : 5 alt1.aspmx.l.google.com.
[+] IP : 64.233.186.26
[+] AS : GOOGLE
----------------
[+] Host : 5 alt2.aspmx.l.google.com.
[+] IP : 209.85.202.26
[+] AS : GOOGLE
----------------
-----------------------------------------------
[~] Check Vulnerability- Above shows the CMS of the target URL. Then vulnx has scanned for opened ports & it has also retrieved token associated with DNS.
- Then it has retrieved DNS servers with their respective IP addresses & hosts. Such basic information can also be retrieved with nslookup.
- But here vulnx makes an automation for finding all the DNS servers.
- You can scan websites for different CMS in a similar way.
Cyber Security Researcher. Information security specialist, currently working as risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time since last 5 years.
