#!/usr/bin/env bash
# 2018-2019 by Shiva @ CPH:SEC
# WAES requires vulners.nse : https://github.com/vulnersCom/nmap-vulners
# WAES requires supergobuster : https://gist.github.com/lokori/17a604cad15e30ddae932050bbcc42f9
# WAES requires SecLists : https://github.com/danielmiessler/SecLists
# Script begins
#===============================================================================
# set -x # Starts debugging
# vars
# --- configuration ------------------------------------------------------------
# Release string shown in the start-up banner.
VERSION="0.0.37 alpha"

# Directory containing vulscan.nse; scan() passes ${VULNERSDIR}/vulscan.nse to
# nmap --script.
VULNERSDIR=vulscan

# Directory the scanners' output files are written to.
REPORTDIR=report

# Programs looked up in PATH before any scan starts.
TOOLS=(
  nmap
  nikto
  uniscan
  gobuster
  dirb
  whatweb
  wafw00f
)

# NSE scripts for the in-depth nmap run. Kept as a one-element array holding a
# comma-joined list, which is the form nmap --script takes.
HTTPNSE=(
  "http-date,http-title,http-server-header,http-headers,http-enum,http-devframework,http-dombased-xss,http-stored-xss,http-xssed,http-cookie-flags,http-errors,http-grep,http-traceroute"
)

# Default HTTP port; replaced when -p is given.
PORT=80

# Index used by the tools-installed loop.
COUNT=-1
# Banner: printed on every start, before any argument is inspected.
# %b expands the \e colour escapes the same way echo -e does.
printf '%b\n' \
  "" \
  "\e[00;32m#############################################################\e[00m" \
  "" \
  " Web Auto Enum & Scanner $VERSION " \
  "" \
  " Auto enums HTTP port and dumps files as result" \
  "" \
  "\e[00;32m#############################################################\e[00m" \
  ""
#######################################
# Print the command-line help text.
# Globals:   none ($0 is read for the script's base name)
# Arguments: none
# Outputs:   nine lines of help on stdout
#######################################
usage() {
  local self=${0##*/}
  printf '%s\n' \
    "Usage: ${self} -u {url}" \
    " ${self} -h" \
    "" \
    " -h shows this help" \
    " -u IP to test eg. 10.10.10.123" \
    " -p port number (default=80)" \
    "" \
    " Example: ./waes.sh -u 10.10.10.130 -p 8080" \
    ""
}
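# The nmap calls further down use -sS and -O, which need raw-socket
# privileges, so refuse to start as an unprivileged user.
if [[ $(id -u) -ne 0 ]]; then
  echo -e "\e[01;31m[!]\e[00m This program must be run as root. Run again with 'sudo'"
  exit 1
fi

# Checks for input parameters: abort with a hint when none was given at all.
: "${1?"No arguments supplied - run waes -h for help or cat README.md"}"

# Showing parameters - for debugging only
#echo "Positional Parameters"
#echo '$0 = ' $0
#echo '$1 = ' $1
#echo '$2 = ' $2
#echo '$3 = ' $3
#echo '$4 = ' $4

# Parameters check
if [[ "$1" == "-h" ]]; then
  usage
  exit 1
fi

# -h has already exited above, so anything other than -u is invalid here.
if [[ "$1" != "-u" ]]; then
  usage
  echo "Invalid parameter: $1"
  exit 1
fi

# The target is handed to scanners running as root and is embedded in the
# report file names (<REPORTDIR>/<target>_nikto.txt and friends). Reject a
# missing value and anything that a tool could read as an option (leading
# "-"), that an unquoted expansion would split into several words
# (whitespace), or that would place report files outside REPORTDIR ("/").
if [[ -z "${2-}" || "$2" == -* || "$2" == *[[:space:]]* || "$2" == */* ]]; then
  usage
  echo "Invalid target: ${2-}"
  exit 1
fi

# Optional port override. The regex gate runs first so the arithmetic test
# only ever sees one to five decimal digits.
if [[ "${3-}" == "-p" && -n "${4-}" ]]; then
  if ! [[ "$4" =~ ^[0-9]{1,5}$ ]] || (( 10#$4 < 1 || 10#$4 > 65535 )); then
    usage
    echo "Invalid port: $4"
    exit 1
  fi
  PORT="$4"
  # echo "Port is set to: " $PORT
fi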
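# Tools installed check
# Walk the TOOLS array directly. The previous index loop started at -1 and
# advanced the index before use, so it ran one step past the last entry and
# reported an empty tool name as missing; its "/dev/null 2>&1" also lacked the
# ">" and therefore did not silence hash.
# A missing tool is only reported - the run continues, as before.
for tool in "${TOOLS[@]}"; do
  # hash exits non-zero when the name cannot be found in PATH; its own message
  # is discarded because a clearer one follows.
  if ! hash "$tool" >/dev/null 2>&1; then
    echo -e "\e[01;31m[!]\e[00m ${tool} was not found in PATH"
    echo "Run sudo ./install.sh to install tools"
  fi
done
echo " "
echo -e "Target: $2 port: $PORT"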
# Todo: Implement progressbar (bartest.sh)
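#######################################
# "Passive" stage: fingerprint the target with whatweb, then run OSIRA for
# subdomain enumeration. Not called by default (its call is commented out).
# Globals:   PORT (read), REPORTDIR (read)
# Arguments: $2 - target host/IP (the function is called with the script's own
#            positional parameters, so the target sits in $2)
# Outputs:   tool output on stdout, copied by tee into
#            ${REPORTDIR}/<target>_whatweb.txt and <target>_osira.txt
#######################################
passive() {
  local target=$2
  echo "Starting PASSIVE scans..."
  # Whatweb
  # NOTE(review): -a 3 is whatweb's aggressive level, which sends additional
  # requests to the target, so this step is not passive in the strict sense.
  echo -e "\e[00;32m [+] Looking up ${target} with whatweb - only works for online targets \e[00m"
  # Report paths are quoted so a REPORTDIR containing spaces stays one file name.
  whatweb -a 3 "${target}:${PORT}" | tee "${REPORTDIR}/${target}_whatweb.txt"
  # OSIRA - For subdomain enum
  # NOTE(review): OSIRA/osira.sh is resolved against the current working
  # directory, and the script insists on running as root - run it only from
  # the checkout directory, or resolve the path from the script's location.
  echo -e "\e[00;32m [+] OSIRA against: ${target}  - looking for subdomains \e[00m"
  OSIRA/osira.sh -u "${target}:${PORT}" | tee "${REPORTDIR}/${target}_osira.txt"
}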
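#######################################
# Step 1: quick look at the target - WAF detection with wafw00f, then nmap
# with the http-enum script on the selected port.
# Globals:   PORT (read), REPORTDIR (read)
# Arguments: $2 - target host/IP ($1, $3, $4 are accepted but not used)
# Outputs:   progress lines and tool output on stdout; wafw00f output is copied
#            to ${REPORTDIR}/<target>_wafw00f.txt, nmap writes its -oA files
#            under ${REPORTDIR}/<target>_nmap_http-enum
#######################################
fastscan() {
  local target=$2
  echo "Step 1: Starting fast scan... "
  # wafw00f
  echo -e "\e[00;32m [+] Detecting firewall ${target}:${PORT} with wafw00f \e[00m"
  # Report paths are quoted so a REPORTDIR containing spaces stays one file name.
  wafw00f -a -v "${target}:${PORT}" | tee "${REPORTDIR}/${target}_wafw00f.txt"
  # nmap http-enum
  echo -e "\e[00;32m [+] nmap with HTTP-ENUM script against ${target} \e[00m"
  nmap -sSV -Pn -T4 -p "$PORT" --script http-enum "$target" \
    -oA "${REPORTDIR}/${target}_nmap_http-enum"
}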
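#######################################
# Step 2: in-depth scan of one target - nmap with the HTTPNSE script list,
# nmap with ${VULNERSDIR}/vulscan.nse, nikto and uniscan.
# Globals:   PORT, HTTPNSE, VULNERSDIR, REPORTDIR (all read)
# Arguments: $2 - target host/IP ($1, $3, $4 are accepted but not used)
# Outputs:   progress lines and tool output on stdout; nmap writes its -oA
#            files as <target>_nmap_http-va and <target>_nmap_vulners, nikto
#            and uniscan output is copied to <target>_nikto.txt and
#            <target>_uniscan.txt, all under REPORTDIR
#######################################
scan() {
  local target=$2
  # Every expansion below is quoted: the second nmap call used to pass the
  # target and its report path unquoted, so a value containing whitespace was
  # split into additional nmap arguments.
  local report_prefix="${REPORTDIR}/${target}"
  echo "Step 2: Starting more in-depth scan... "
  # nmap
  echo -e "\e[00;32m [+] nmap with various HTTP scripts against ${target} \e[00m"
  # HTTPNSE is a one-element array; element 0 is the comma-joined script list.
  nmap -sSV -Pn -T4 -p "$PORT" --script "${HTTPNSE[0]}" "$target" \
    -oA "${report_prefix}_nmap_http-va"
  echo -e "\e[00;32m [+] nmap with vulscan on ${target} with min CVSS 5.0 \e[00m"
  # NOTE(review): the message says CVSS 5.0 but the argument passed is the
  # literal "mincvss=5-0"; whether the NSE script reads that as 5.0 is not
  # visible here - confirm, otherwise the severity filter may not apply.
  nmap -sSV -Pn -O -T4 --version-all -p "$PORT" \
    --script "${VULNERSDIR}/vulscan.nse" "$target" \
    --script-args mincvss=5-0 -oA "${report_prefix}_nmap_vulners"
  # nikto
  echo -e "\e[00;32m [+] nikto on ${target} \e[00m"
  nikto -h "$target" -port "$PORT" -C all -ask no -evasion A \
    | tee "${report_prefix}_nikto.txt"
  # uniscan
  echo -e "\e[00;32m [+] uniscan of ${target} \e[00m"
  uniscan -u "${target}:${PORT}" -qweds | tee "${report_prefix}_uniscan.txt"
}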
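#######################################
# Step 3: content discovery - runs ./supergobuster.sh (gobuster + dirb) against
# http://<target>:<port>.
# Globals:   PORT (read), REPORTDIR (read)
# Arguments: $2 - target host/IP ($1, $3, $4 are accepted but not used)
# Outputs:   progress lines and tool output on stdout, copied by tee into
#            ${REPORTDIR}/<target>_supergobust.txt
#######################################
fuzzing() {
  local target=$2
  echo "Step 3: Starting fuzzing... "
  # xsser
  # echo -e "\e[00;32m [+] xsser on $2" "\e[00m"
  # Todo: Implement Xsser (requires url not ip)
  # Supergobuster: gobuster + dirb
  echo -e "\e[00;32m [+] super go busting ${target} \e[00m"
  # NOTE(review): ./supergobuster.sh is resolved against the current working
  # directory, and the script insists on running as root - run it only from
  # the checkout directory, or resolve the path from the script's location.
  # The report path is quoted so a REPORTDIR with spaces stays one file name.
  ./supergobuster.sh "http://${target}:${PORT}" \
    | tee "${REPORTDIR}/${target}_supergobust.txt"
}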
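#######################################
# Print the closing message naming the report directory.
# Globals:   REPORTDIR (read)
# Arguments: accepted but not used
# Outputs:   one green status line on stdout
#######################################
end() {
  # REPORTDIR sits inside the quoted string so its value is printed verbatim
  # rather than being word-split and glob-expanded first.
  echo -e "\e[00;32m [+] WAES is done. Find results in: ${REPORTDIR} \e[00m"
}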
# passive $1 $2 $3 $4 # Uncomment to run, work online for online targets Todo: Add in next version
# Run the stages in order. Each one is handed the script's first four
# positional parameters and reads the target from $2.
for stage in fastscan scan fuzzing end; do
  "$stage" "$1" "$2" "$3" "$4"
done
# Todo: Add from rapidscan / golismero and others
#
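# NOTE(review): everything from here on runs after end() has already printed
# "WAES is done". It repeats the whatweb/nmap/nikto/uniscan/supergobuster
# calls without $PORT and writes to report names that fastscan(), scan() and
# fuzzing() also use (<target>_nmap_http-enum, <target>_nikto.txt,
# <target>_uniscan.txt, <target>_supergobust.txt), so the port-specific
# results are overwritten. It looks like a leftover from before the scans were
# moved into functions - confirm, then remove it or give this pass its own
# file names. Only the quoting of the report paths has been changed here.
echo -e "Target: $2 "
# Whatweb
echo -e "\e[00;32m [+] Looking up ""$2"" with whatweb" "\e[00m"
whatweb -a3 "$2" | tee "${REPORTDIR}/${2}_whatweb.txt"
# echo -e "\e[00;32m [+] OSIRA against:" $2 "\e[00m"
# OSIRA/osira.sh -u $2 | tee ${REPORTDIR}/$2_osira.txt
# mv $2.txt ${REPORTDIR}/$2_osira.txt
# nmap
echo -e "\e[00;32m [+] nmap with standard scripts (-sC) on $2" "\e[00m"
nmap -sSCV -Pn -T4 "$2" -oA "${REPORTDIR}/${2}_nmap_sSCV"
echo -e "\e[00;32m [+] nmap with http-enum against $2" "\e[00m"
nmap -sSV -Pn -T4 --script http-enum "$2" -oA "${REPORTDIR}/${2}_nmap_http-enum"
# echo -e "\e[00;32m [+] nmap with various HTTP scripts against $2" "\e[00m"
# nmap -sSV -Pn -T4 --script "http-*" $2 -oA ${REPORTDIR}/$2_nmap_http-va
# echo -e "\e[00;32m [+] nmap with vulners on $2" "\e[00m"
#echo ${VULNERSDIR}"/vulners.nse"
#nmap -sV -Pn -O -T4 --script ${VULNERSDIR}/vulners.nse $2 --script-args mincvss=5-0 -oA ${REPORTDIR}/$2_nmap_vulners
# nikto
echo -e "\e[00;32m [+] nikto on $2" "\e[00m"
nikto -h "$2" -C all -ask no -evasion A | tee "${REPORTDIR}/${2}_nikto.txt"
# uniscan
echo -e "\e[00;32m [+] uniscan of $2" "\e[00m"
uniscan -u "$2" -qweds | tee "${REPORTDIR}/${2}_uniscan.txt"
# Supergobuster: gobuster + dirb
echo -e "\e[00;32m [+] super go busting $2" "\e[00m"
./supergobuster.sh "$2" | tee "${REPORTDIR}/${2}_supergobust.txt"
echo -e "\e[00;32m [+] WAES is done. Find results in: ${REPORTDIR} \e[00m"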
# set +x # Ends debugging