xxMerge branch 'master' of https://github.com/Shiva108/WAES

Author: Shiva108

.idea/WAES.iml

@@ -1,47 +1,83 @@
-**Note:** Make sure directories are correct in supergobuster.sh
 
-## WAES
+![GitHub Logo](banner.png)
+
+## CPH:SEC WAES at a Glance
+
+Doing HTB or other CTFs enumeration against targets with HTTP(S) can become trivial.
+It can get tiresome to always run the same script/tests on every box eg. nmap, nikto, dirb and so on. A one-click on target with automatic reports coming solves the issue. Furthermore, with a script the enum process can be optimized while saving time for hacker. This is what **CPH:SEC WAES** or _Web Auto Enum & Scanner_ is created for. WAES runs 4 steps of scanning against target (see more below) to optimize the time spend scanning. While multi core or multi-threaded scanning could be implemented it will almost surely get boxes to hang and so is undesirable.
+* From current version and forward WAES will include an install script (see blow) as project moves from alpha to beta phase.
+* WAES could have been developed in python but good bash projects are need to learn bash.
+* WAES is currently made for CTF boxes but is moving towards online uses (see todo section)
+
+## To install:
+
+```
+1. $> git clone https://github.com/Shiva108/WAES.git
+2. $> cd WAES
+2. $> sudo ./install.sh
+```
+
+Make sure directories are set correctly in supergobuster.sh.
+Should be automatic with Kali & Parrot Linux.
+* Standard directories for lists    : SecLists/Discovery/Web-Content & SecLists/Discovery/Web-Content/CMS
+* Kali / Parrot directory list      : /usr/share/wordlists/dirbuster/
+
+
+## To run WAES
 Web Auto Enum & Scanner - Auto enums website(s) and dumps files as result.
 
-########################################################################
+##############################################################################
 
         Web Auto Enum & Scanner
 
         Auto enums website(s) and dumps files as result
 
-########################################################################
+##############################################################################
 
-Usage: waes.sh -u {url}
+Usage: waes.sh -u {IP}
        waes.sh -h
 
        -h shows this help
-       -u url to test without http or https e.g. google.com
+       -u IP to test eg. 10.10.10.123
+       -p port nummer (default=80)
 
+       Example: ./waes.sh -u 10.10.10.130 -p 8080
 
 
-### Method
+## Enumeration Process / Method
 
 WAES runs ..
 
-+ whatweb
-+ OSIRA (same author)
-+ nmap
-  - standard scripts (-sC)
-  - http-enum
-  - vulners.nse
-+ nikto
-+ uniscan
+Step 0 - Passive scan - (disabled in the current version)
+  + whatweb - aggressive mode
+  + OSIRA (same author) - looks for subdomains
+
+Step 1 - Fast scan
+  + wafw00 - firewall detection
+  + nmap with http-enum
+
+Step 2 - Scan - in-depth
+  + nmap - with NSE scripts: http-date,http-title,http-server-header,http-headers,http-enum,http-devframework,http-dombased-xss,http-stored-xss,http-xssed,http-cookie-flags,http-errors,http-grep,http-traceroute
+  + nmap with vulscan (CVSS 5.0+)
+  + nikto - with evasion A and all CGI dirs
+  + uniscan - all tests except stress test (qweds)
+
+Step 3 - Fuzzing
 + super gobuster
   - gobuster with multiple lists
   - dirb with multiple lists
-
++ xss scan (to come)
 
 .. against target while dumping results files in report/ folder.
 
 
-### To Do
-+ Simplify tools check
-+ Adding FD tools: https://github.com/chrispetrou/FDsploit
-
-
-
+## To Do
++ Implement domain as input
++ Add XSS scan
++ Add SSL/TLS scanning
++ Add domain scans
++ Add golismero
++ Add dirble
++ Add progressbar
++ Add CMS detection
++ Add CMS specific scans

.idea/dictionaries/e.xml

@@ -1,8 +1,13 @@
 #!/bin/bash
+
+# Standard directories for lists    : SecLists/Discovery/Web-Content & SecLists/Discovery/Web-Content/CMS
+# Kali / Parrot directory list      : /usr/share/wordlists/dirbuster/
+
 set -eu
 
 URL=$1
 
+<<<<<<< HEAD
 echo "super go bustering for super brute: -u $URL"
 
 gobuster  dir -u $URL -w /home/e/CTF-notes/SecLists/Discovery/Web-Content/tomcat.txt --wildcard
@@ -17,3 +22,19 @@ gobuster  dir -u $URL  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medi
 gobuster  dir -u $URL  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x php --wildcard
 gobuster  dir -u $URL  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x doc --wildcard
 gobuster  dir -u $URL  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x docx --wildcard
+=======
+echo "super gobustering for super brute: $URL"
+
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w SecLists/Discovery/Web-Content/tomcat.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w SecLists/Discovery/Web-Content/nginx.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w SecLists/Discovery/Web-Content/apache.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w SecLists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w SecLists/Discovery/Web-Content/ApacheTomcat.fuzz.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w SecLists/Discovery/Web-Content/CMS/sharepoint.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w /usr/share/dirb/wordlists/vulns/iis.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x txt
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x php
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x doc
+gobuster -u $URL -l -s 200,204,301,302,307,403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x docx
+>>>>>>> 56b17398b9ba8589c6a8aa43aee0262070e1629f

.idea/modules.xml

@@ -1,29 +1,35 @@
 #!/usr/bin/env bash
 # 2018-2019 by Shiva @ CPH:SEC
+<<<<<<< HEAD
 
 # WAES requires vulners.nse     : https://github.com/vulnersCom/nmap-vulners
 # WAES requires supergobuster   : https://gist.github.com/lokori/17a604cad15e30ddae932050bbcc42f9
 # WAEs requires SecLists        : https://github.com/danielmiessler/SecLists
 
+=======
+>>>>>>> 56b17398b9ba8589c6a8aa43aee0262070e1629f
 
 # Script begins
 #===============================================================================
 
+# set -x # Starts debugging
 
 # vars
-VERSION="0.0.3b"
-VULNERSDIR="nmap-vulners" # Where to find vulners.nse
+VERSION="0.0.36 alpha"
+VULNERSDIR="vulscan" # Where to find vulscan
 REPORTDIR="report" # /report directory
-TOOLS=( "nmap" "nikto" "uniscan" "gobuster" "dirb" "whatweb" )
-# SECLISTDIR="SecLists"
+TOOLS=( "nmap" "nikto" "uniscan" "gobuster" "dirb" "whatweb" "wafw00f" )
+HTTPNSE=( "http-date,http-title,http-server-header,http-headers,http-enum,http-devframework,http-dombased-xss,http-stored-xss,http-xssed,http-cookie-flags,http-errors,http-grep,http-traceroute" )
+PORT=80 # Setting std port
+COUNT=-1 # For tools loop
 
 #banner / help message
 echo ""
 echo -e "\e[00;32m#############################################################\e[00m"
 echo ""
 echo -e "	Web Auto Enum & Scanner $VERSION "
 echo ""
-echo -e "	Auto enums website(s) and dumps files as result"
+echo -e "	Auto enums HTTP port and dumps files as result"
 echo ""
 echo -e "\e[00;32m#############################################################\e[00m"
 echo ""
@@ -34,15 +40,28 @@ echo "Usage: ${0##*/} -u {url}"
 echo "       ${0##*/} -h"
 echo ""
 echo "       -h shows this help"
-echo "       -u url to test without http or https e.g. testsite.com"
+echo "       -u IP to test eg. 10.10.10.123"
+echo "       -p port number (default=80)"
+echo ""
+echo "       Example: ./waes.sh -u 10.10.10.130 -p 8080"
 echo ""
 }
 
+if [[ `id -u` -ne 0 ]] ; then echo -e "\e[01;31m[!]\e[00m This program must be run as root. Run again with 'sudo'" ; exit 1 ; fi
+
 # Checks for input parameters
 : ${1?"No arguments supplied - run waes -h for help or cat README.md"}
 
+# Showing parameters - for debugging only
+#echo "Positional Parameters"
+#echo '$0 = ' $0
+#echo '$1 = ' $1
+#echo '$2 = ' $2
+#echo '$3 = ' $3
+#echo '$4 = ' $4
 
-if [ $1 == "-h" ]
+# Parameters check
+if [[ $1 == "-h" ]]
   then
     usage
     exit 1
@@ -54,47 +73,93 @@ if [[ "$1" != "-u" && "$1" != "-h" ]]; then
    exit 1
 fi
 
-# Check for nmap
-which nmap>/dev/null
-if [ $? -eq 0 ]
-        then
-                echo ""
-else
-                echo ""
-       		echo -e "\e[01;31m[!]\e[00m Unable to find the required nmap program, install and try again"
-        exit 1
+if [[ "$3" = "-p" && "$4" != "" ]]; then
+        PORT="$4"
+        # echo "Port is set to: " $PORT
 fi
 
-#Check for nikto
-which nikto>/dev/null
-if [ $? -eq 0 ]
-        then
-                echo ""
-else
-                echo ""
-       		echo -e "\e[01;31m[!]\e[00m Unable to find the required nikto program, install and try again"
-        exit 1
-fi
+# Tools installed check
+while [[ "x${TOOLS[COUNT]}" != "x" ]]
+do
+   COUNT=$(( $COUNT + 1 ))
+   if ! hash ${TOOLS[COUNT]} /dev/null 2>&1
+    then
+        echo -e "\e[01;31m[!]\e[00m ${TOOLS[COUNT]} was not found in PATH"
+        echo "Run sudo ./install.sh to install tools"
+    fi
+done
 
-#Check for uniscan
-which uniscan>/dev/null
-if [ $? -eq 0 ]
-        then
-                echo ""
-else
-                echo ""
-       		echo -e "\e[01;31m[!]\e[00m Unable to find the required uniscan program, install and try again"
-        exit 1
-fi
+echo " "
+echo -e "Target: $2 port: $PORT"
 
-# Check if root
-if [[ $EUID -ne 0 ]]; then
-        echo ""
-        echo -e "\e[01;31m[!]\e[00m This program must be run as root. Run again with 'sudo'"
-        echo ""
-        exit 1
-fi
+# Todo: Implement progressbar (bartest.sh)
+
+passive() {
+
+    echo "Starting PASSIVE scans..."
+    # Whatweb
+    echo -e "\e[00;32m [+] Looking up "$2" with whatweb - only works for online targets" "\e[00m"
+    whatweb -a 3 $2":"$PORT | tee ${REPORTDIR}/$2_whatweb.txt
+
+    # OSIRA - For subdomain enum
+    echo -e "\e[00;32m [+] OSIRA against:" $2 " - looking for subdomains \e[00m"
+    OSIRA/osira.sh -u $2":"$PORT | tee ${REPORTDIR}/$2_osira.txt
+}
+
+fastscan() {
+
+    echo "Step 1: Starting fast scan... "
+    # wafw00f
+    echo -e "\e[00;32m [+] Detecting firewall "$2":"$PORT" with wafw00f" "\e[00m"
+    wafw00f -a -v $2":"$PORT | tee $REPORTDIR/$2_wafw00f.txt
+    # nmap http-enum
+    echo -e "\e[00;32m [+] nmap with HTTP-ENUM script against $2" "\e[00m"
+    nmap -sSV -Pn -T4 -p $PORT --script http-enum $2 -oA ${REPORTDIR}/$2_nmap_http-enum
+}
+
+scan() {
+
+    echo "Step 2: Starting more in-depth scan... "
+    # nmap
+    echo -e "\e[00;32m [+] nmap with various HTTP scripts against $2" "\e[00m"
+    nmap -sSV -Pn -T4 -p $PORT --script $HTTPNSE $2 -oA ${REPORTDIR}/$2_nmap_http-va
+    echo -e "\e[00;32m [+] nmap with vulscan on $2 with min CVSS 5.0" "\e[00m"
+    nmap -sSV -Pn -O -T4 --version-all -p $PORT --script ${VULNERSDIR}/vulscan.nse $2 --script-args mincvss=5-0 -oA ${REPORTDIR}/$2_nmap_vulners
+
+    # nikto
+    echo -e "\e[00;32m [+] nikto on $2" "\e[00m"
+    nikto -h $2 -port $PORT -C all -ask no -evasion A | tee $REPORTDIR/$2_nikto.txt
+
+    # uniscan
+    echo -e "\e[00;32m [+] uniscan of $2" "\e[00m"
+    uniscan -u $2":"$PORT -qweds | tee $REPORTDIR/$2_uniscan.txt
+}
+
+fuzzing() {
+
+    echo "Step 3: Starting fuzzing... "
+    # xsser
+    # echo -e "\e[00;32m [+] xsser on $2" "\e[00m"
+    # Todo: Implement Xsser (requires url not ip)
+
+    # Supergobuster: gobuster + dirb
+    echo -e "\e[00;32m [+] super go busting $2" "\e[00m"
+    ./supergobuster.sh "http://"$2":"$PORT | tee $REPORTDIR/$2_supergobust.txt
+}
+
+end() {
+    echo -e "\e[00;32m [+] WAES is done. Find results in:" ${REPORTDIR} "\e[00m"
+}
+
+# passive  $1 $2 $3 $4 # Uncomment to run, work online for online targets Todo: Add in next version
+fastscan $1 $2 $3 $4
+scan $1 $2 $3 $4
+fuzzing  $1 $2 $3 $4
+end $1 $2 $3 $4
+
+# Todo: Add from rapidscan / golismero and others
 
+<<<<<<< HEAD
 #
 echo -e "Target: $2 "
 
@@ -130,3 +195,6 @@ echo -e "\e[00;32m [+] super go busting $2" "\e[00m"
 ./supergobuster.sh $2 | tee $REPORTDIR/$2_supergobust.txt
 
 echo -e "\e[00;32m [+] WAES is done. Find results in:" ${REPORTDIR} "\e[00m"
+=======
+# set +x # Ends debugging
+>>>>>>> 56b17398b9ba8589c6a8aa43aee0262070e1629f