GitHub Repository: skavngr/rapidscan
Path: blob/master/notes.md

Tool Deployment (on various OS flavours)

Ubuntu

  • apt-key update && apt-get update

  • apt-get install whois --force-yes

Features

  • 👍 ~WhatWeb X-XSS Protection Header Check: whatweb example.com -a 1 | X-XSS-Protection[1~

  • 👍 ~Nmap IIS WebDav: nmap -T4 -p80 --script=http-iis-webdav-vuln <host> | WebDAV is ENABLED~

  • 👍 ~Wapiti Checks: wapiti <host> -f txt -o temp_wapiti | Host:~

  • 👍 ~Nmap SMB UDP Check: nmap -p137,138 --open <host> | /open~

  • 👍 ~Nmap SMB TCP Check: nmap -p445,137-139 --open <host> | /open tcp~

  • 👍 ~ASP.Net Elmah AXD: wget -O temp_aspnet_elmah_axd /elmah.axd | Microsoft SQL Server Error Log~

  • 👍 ~Nmap SNMP Check: nmap -p161 -sU --open <host> | 161/open udp~

  • 👍 ~Nmap Full UDP Port Scan: nmap -p1-65535 -sU --open <host> | /open~

  • 👍 ~Nmap Full TCP Port Scan: nmap -p1-65535 --open <host> | /open tcp~

  • 👍 ~Nmap RDP TCP Check: nmap -p3389 --open -sT <host> | 3389/open tcp~

  • 👍 ~Nmap RDP UDP Check: nmap -p3389 --open -sU <host> | 3389/open udp~

  • 👍 ~Nmap ORACLE Check: nmap -p1521 --open <host> | 1521/open tcp~

  • 👍 ~Nmap MySQL Check: nmap -p3306 --open <host> | 3306/open tcp~

  • 👍 ~Nmap MS-SQL Server Check: nmap -p1433 --open <host> | 1433/open tcp~

  • 👍 ~Nmap TELNET Check: nmap -p23 --open <host> | 23/open tcp~

  • 👍 ~Nmap FTP Check: nmap -p21 --open <host> | 21/open tcp~

  • 👍 ~Nmap STUXNET Check: nmap --script stuxnet-detect -p 445 <host> | 445/open tcp~

  • 👍 ~Checks for WebDAV on home directory: davtest -url http://192.168.1.209 | SUCCEED~

  • 👍 ~Golismero Webservers Fingerprint: golismero -e fingerprint_web scan example.com | No vulnerabilities found.~

  • 👍 ~Uniscan File Brute Forcer: uniscan -w -u example.com | [+]~

  • 👍 ~Uniscan Directory Brute Forcer: uniscan -q -u example.com | [+]~

  • 👍 ~Uniscan Mini Stress Tester: uniscan -r -u example.com | [+]~

  • 👍 ~Uniscan Checks for LFI, RFI and RCE: uniscan -s -u example.com | [+]~

  • 👍 ~Uniscan Checks for XSS, SQLi, BSQLi & a few checks: uniscan -d -u example.com | [+]~

  • 👍 ~Nikto XSS Expect Header Check: nikto -Plugins "apache_expect_xss" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto Subdomain Bruter: nikto -Plugins "subdomain" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto ShellShock Bug Check: nikto -Plugins "shellshock" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto Internal IP Leak: nikto -Plugins "cookies" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto HTTP PUT DEL Test: nikto -Plugins "put_del_test" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto Headers Check: nikto -Plugins "headers" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto MS10-070 Check: nikto -Plugins "ms10-070" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto Server Issues: nikto -Plugins "msgs" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto Server Outdated Checks: nikto -Plugins "outdated" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto HTTP Options Checks: nikto -Plugins "httpoptions" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto CGI Directories Enum: nikto -Plugins "cgi" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto SSL Checks: nikto -Plugins "ssl" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto File Checks: nikto -Plugins "sitefiles" -host example.com | 0 item(s) reported~

  • 👍 ~Nikto Injectable Paths: nikto -Plugins "paths" -host example.com | 0 item(s) reported~

  • 👍 ~Subdomains brute force with DNSMap: dnsmap example.com | #1~

  • 👍 ~Check for open directories with Dirbuster: dirb http://example.com~

  • 👍 ~XSSer Checks: xsser --all=http://example.com | Could not find any vulnerability!~

  • 👍 ~Golismero SSL Scans: golismero -e sslscan scan example.com | Occurrence ID~

  • 👍 ~Golismero Zone Transfer: golismero -e zone_transfer scan example.com | DNS zone transfer successful~

  • 👍 ~Golismero Nikto Scan: golismero -e nikto scan example.com | Nikto found 0 vulnerabilities~

  • 👍 ~Bruteforcing DNS with Golismero (time-consuming, yellow): golismero scan example.com -e brute_dns | Possible subdomain leak~

  • 👍 ~Checking zone transfers with DNSenum: dnsenum google.com | corrupt (not successful)~

  • 👍 ~Subdomain BruteForcing with Fierce: fierce -dns example.com | "Found 1 entries" (usually just www.example.com) is always included, so that single entry has to be skipped.~

  • 👍 ~Check for emails with Dmitry: dmitry -e yahoo.com | Found 0 E-Mail(s)~

  • 👍 ~Check for subdomains with Dmitry: dmitry -s yahoo.com | Found 0 possible subdomain(s)~

  • 👍 ~Golismero Brute Force Directories: golismero -e brute_directories scan example.com | No vulnerabilities found.~

  • 👍 ~Golismero SQLMap: golismero -e sqlmap scan example.com | No vulnerabilities found.~

  • 👍 ~Golismero Brute URL Predictables: golismero -e brute_url_predictables scan example.com | No vulnerabilities found.~

  • 👍 ~Golismero HeartBleed Check: golismero -e heartbleed scan example.com | No vulnerabilities found.~

  • 👍 ~Checks if domain is spoofed/hijacked: golismero scan example.com -e dns_malware | No vulnerabilities found.~

  • 👍 ~SSL Compression Enabled: sslyze --compression target.com | Compression disabled~

  • 👍 ~Check for WordPress: Do a wget of /wp-admin and grep the source for login/wp-login, e.g. curl -s http://somepage.com | grep whatever~

  • 👍 ~Check for Illegal Characters on ASP.Net: /%7C~.aspx~

  • 👍 ~Check for Joomla: Do a wget with administrator and search for joomla~

  • 👍 ~Check for Drupal: Do a wget with user and search for drupal~

  • 👍 ~SSL FREAK Check: nmap --script ssl-enum-ciphers -p 443 <host> | least strength: broken~

  • 👍 ~SSL CCS Injection: nmap -p 443 --script ssl-ccs-injection <host> | check for Vulnerable~

  • 👍 ~Slow-loris DoS Check: nmap -p80,443 --script http-slowloris --max-parallelism 500 <host> | check for Vulnerable~

  • 👍 ~Poodle Vulnerability Check: nmap -sV --version-light --script ssl-poodle -p 443 <host> | check for Vulnerable~

  • 👍 ~Heartbleed Check with NMap: nmap -p 443 --script ssl-heartbleed <host> | check for VULNERABLE~
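Each feature above is a "command | pattern" pair: run the tool, then look for the pattern in its output. The pattern means different things for different checks (for `WebDAV is ENABLED` its presence is the finding; for `0 item(s) reported` or `No vulnerabilities found.` its presence is the tool's own clean marker, and its absence may just mean the tool crashed before printing a summary). The Python below is an added illustration of that classification logic, not rapidscan's own code: the `Check` type, the `present_means_finding` polarity flags, the helper names and the sample outputs are all assumptions constructed here, while the commands and patterns are copied from the list above. The `dnsmap` and Fierce helpers also cover the two notes in Dig Deeper about counting disclosed internal IPs and discounting Fierce's always-present www entry.

```python
# Added example, not rapidscan's own code: turns the "command | pattern" pairs
# from the notes into a small classifier and runs it over constructed sample
# output. Names (Check, classify, ...) and the polarity flags are assumptions
# for illustration; the notes only record commands and patterns.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    command: str                  # as written in the notes, <host> kept as placeholder
    pattern: str                  # the string the notes pair with the command
    present_means_finding: bool   # assumption: True = pattern present is a hit,
                                  # False = pattern present is the tool's "clean" marker


# A representative subset of the checks listed in the notes (patterns verbatim).
CHECKS = [
    Check("Nmap IIS WebDav",
          "nmap -T4 -p80 --script=http-iis-webdav-vuln <host>", "WebDAV is ENABLED", True),
    Check("Heartbleed Check with NMap",
          "nmap -p 443 --script ssl-heartbleed <host>", "VULNERABLE", True),
    Check("Nmap SNMP Check",
          "nmap -p161 -sU --open <host>", "161/open udp", True),
    Check("SSL Compression Enabled",
          "sslyze --compression <host>", "Compression disabled", False),
    Check("Nikto Headers Check",
          'nikto -Plugins "headers" -host <host>', "0 item(s) reported", False),
    Check("Golismero SQLMap",
          "golismero -e sqlmap scan <host>", "No vulnerabilities found.", False),
]


def classify(check: Check, output: str) -> str:
    """Classify one tool's captured output as 'finding', 'clean', 'review' or 'unknown'.

    Empty output is 'unknown' (missing tool, timeout, crash) rather than 'clean'.
    For a clean-marker pattern, its absence is only 'review': the tool may have
    errored out before printing its summary line, so a human should look.
    """
    if not output.strip():
        return "unknown"
    present = check.pattern in output
    if check.present_means_finding:
        return "finding" if present else "clean"
    return "clean" if present else "review"


# dnsmap: the notes quote "[+] 4 internal IP address(es) disclosed" as the line to look for.
INTERNAL_IP_RE = re.compile(r"\[\+\] (\d+) internal IP address\(es\) disclosed")


def internal_ips_disclosed(dnsmap_log: str) -> int:
    """Number of internal IPs dnsmap reports as disclosed (0 if the line is absent)."""
    m = INTERNAL_IP_RE.search(dnsmap_log)
    return int(m.group(1)) if m else 0


# Fierce: per the notes, "Found 1 entries" is just www.<domain>, so discount one entry.
FIERCE_RE = re.compile(r"Found (\d+) entries")


def fierce_extra_entries(fierce_output: str) -> int:
    """Subdomains found beyond the www record Fierce always includes."""
    m = FIERCE_RE.search(fierce_output)
    return max(int(m.group(1)) - 1, 0) if m else 0


# Constructed sample outputs (not captured from the real tools).
SAMPLES = {
    "Nmap IIS WebDav": "80/tcp open http\n| http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /\n",
    "Heartbleed Check with NMap": "| ssl-heartbleed:\n|   VULNERABLE:\n|   The Heartbleed Bug is a serious vulnerability\n",
    "Nmap SNMP Check": "Starting Nmap\nNmap done: 1 IP address (1 host up) scanned\n",
    "SSL Compression Enabled": " * Deflate Compression:\n       Compression disabled\n",
    "Nikto Headers Check": "+ 0 item(s) reported on remote host\n",
    "Golismero SQLMap": "Traceback (most recent call last):\n  error: sqlmap not found\n",
}


def run_all(samples: dict = SAMPLES) -> dict:
    """Map each check name to its verdict over the sample outputs."""
    return {c.name: classify(c, samples.get(c.name, "")) for c in CHECKS}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{verdict:8} {name}")
    log = "[+] 20 (sub)domains and 20 IP address(es) found\n[+] 4 internal IP address(es) disclosed\n"
    print("dnsmap internal IPs disclosed:", internal_ips_disclosed(log))
    print("fierce extra entries:", fierce_extra_entries("Found 1 entries."))
```

The four-way verdict is the point: a wrapper that treats "pattern absent" as "clean" for every check will silently report a host as clean whenever a tool is missing or dies early (the Golismero sample), which is exactly the kind of false negative a scan aggregator should surface for review instead.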

Dig Deeper

  • if SNMP is found, run braa

  • check the dnsmap log for internal IP leaks; sample output: [+] 20 (sub)domains and 20 IP address(es) found [+] 4 internal IP address(es) disclosed [+] completion time: 1568 second(s)

  • amap, xsser, golismero, sslyze, bed, doona, grabber, nikto -HELP,

  • Unavailable Tools: sublist3r, w3af, goofile, crowbar

  • blindElephant.py http://192.168.1.252/wp wordpress: follow-up check once WordPress has been detected

  • dmitry -n example.com is not retrieving anything.

  • dirbuster -u http://example.com -H looks for a directory wordlist under the same directory.

  • dnsenum --enum --noreverse example.com: Google blocks the queries (try from somewhere else).

  • thc-ssl-dos -l 100 192.168.1.208 443 --accept accepts only IPs as input; resolve the hostname first as an alternative: dig +short example.com | grep -m 1 ""

  • doona -t example.com -k -m HTTP | 23/37 [POST / HTTP/1.0XAXAX] .........................................Problem (3) occured with POST / HTTP/1.0XAXAX (965)

Program Exceptions Checks

  • 👍 ~Clear process traces and Ctrl+C hold crashes.~

  • 👍 ~Implement Keyboard Interrupts and Instant Quit.~