# Web Assessment
- Author: Aidan Marlin
- Date: 20220610
- Version: 1.0
- Description: Jupyter Notebook to automate the execution of web scans

In [None]:
# Host under assessment; interpolated into the dig/httpx/ffuf/photon/testssl cells below.
target = "www.bing.com"
# Apex domain; used by the subdomain/OSINT cells (subfinder, amass, theHarvester, ctfr, infoga).
top_target = "bing.com"
# ffuf subdomain template: ffuf substitutes each wordlist entry for the literal FUZZ keyword.
ffuf_subdomain_target = "FUZZ.bing.com"
# Port appended to the host strings; the cells below build https:// URLs, so a TLS port is assumed.
port = 443

### No need to modify from here
import socket
import os

# Make the NixOS system-profile binaries (dig, httpx, subfinder, ...) resolvable from this kernel.
os.environ["PATH"] += ":/run/current-system/sw/bin"

# Resolve the host once (gethostbyname returns a single IPv4 address) and pre-build the
# host/URL strings that the shell cells interpolate.
target_ip = socket.gethostbyname(target)
ffuf_subdomain_target_https = f"https://{ffuf_subdomain_target}"
ffuf_subdomain_target_http = f"http://{ffuf_subdomain_target}"
ffuf_directory_brute = f"{target}:{port}/FUZZ"
http_target = f"http://{target}"
https_target = f"https://{target}"

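# Per-tool output directories under the notebook's cwd, created with mkdir -p semantics
# (idempotent) from Python instead of twelve shell escapes.
TOOL_DIRS = (
    "amass", "ctfr", "ffuf_subdomain", "ffuf_directory", "nettacker", "nikto",
    "photon", "puppeteer", "subfinder", "sn1per", "testssl", "theharvester",
)


def make_tool_dirs(root="tools"):
    """Create ``root/<tool>`` for every entry in TOOL_DIRS.

    Existing directories are left untouched (``exist_ok=True``), so re-running
    the cell is safe.
    """
    for name in TOOL_DIRS:
        os.makedirs(os.path.join(root, name), exist_ok=True)


make_tool_dirs()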

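def read_file(location):
    """Print the contents of *location* to the cell output.

    Used to surface per-tool result files. A missing/unreadable file, or one
    that cannot be decoded as text, prints ``No results.`` instead of raising,
    because an empty result set is normal for many of the tools. Only those
    errors are swallowed (the previous bare ``except`` also hid KeyboardInterrupt
    and programming errors); anything else propagates.
    """
    try:
        with open(location) as f:
            text = f.read()
    except (OSError, UnicodeDecodeError):
        print("No results.")
        return
    print(text)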


# Target

In [None]:
# Echo the configured host and the address it resolved to, for the report header.
for value in (target, target_ip):
    print(value)


## DNS lookup (dig)

In [None]:
# DNS records for the target via dig (a DNS query, not a WHOIS registry lookup).
!dig {target}


# Pentester Details

## IP Address

In [None]:
# Record the tester's egress IP as seen by an external echo service, for the engagement log.
!curl https://ifconfig.me/


## Start Time

In [None]:
# Engagement start timestamp (kernel host's local time).
!date


## Interface Info

In [None]:
# Interface/address snapshot of the scanning host at the start of the engagement.
!ip a


# Web

## Screenshot

In [None]:
import shutil
from pathlib import Path
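import subprocess

home = str(Path.home())


def take_screenshot(url, out_dir="tools/puppeteer", fallback=None):
    """Render *url* with the puppeteer container into *out_dir*, with a placeholder fallback.

    Runs ``alekzonder/puppeteer`` with ``out_dir`` bind-mounted as ``/screenshots``
    (the container runs as root via ``-u root``, so files it writes will typically
    be root-owned on the host). The command is passed as an argv list, so a cwd or
    URL containing quotes or shell metacharacters is never interpreted by a shell,
    unlike the previous string-built ``os.system`` call. A missing ``docker``
    binary is reported rather than raised, matching the non-fatal behaviour of
    ``os.system``. If no screenshot was produced, *fallback* (default
    ``~/git/nixos/resources/404.png``) is copied into place so the image cell
    below still renders; a missing fallback raises ``FileNotFoundError``.
    """
    out_path = os.path.join(out_dir, "screenshot_1024_768.png")
    if fallback is None:
        fallback = os.path.join(home, "git", "nixos", "resources", "404.png")
    cmd = [
        "docker", "run", "-u", "root", "--shm-size", "1G", "--rm",
        "-v", f"{os.path.abspath(out_dir)}:/screenshots",  # docker -v needs an absolute host path
        "alekzonder/puppeteer:latest", "screenshot", url, "1024x768",
    ]
    try:
        subprocess.run(cmd, check=False)
    except FileNotFoundError:
        print("docker not found on PATH; skipping screenshot.")
    if not os.path.isfile(out_path):
        shutil.copyfile(fallback, out_path)


take_screenshot(f"{https_target}:{port}")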


![Target screenshot](tools/puppeteer/screenshot_1024_768.png)


## Corsy

In [None]:
# Corsy (CORS misconfiguration check) from a checkout path hard-coded to /home/user.
# NOTE(review): the screenshot cell derives `home` dynamically; this path could use it instead.
!python "/home/user/git/pentest-tools/Corsy/corsy.py" -u {https_target}:{port}


## WhatWeb

In [None]:
# WhatWeb fingerprinting via the guidelacour/whatweb image; output goes straight to the cell.
!docker run --rm guidelacour/whatweb ./whatweb {https_target}:{port}


## Nuclei

In [None]:
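# Nuclei. The previous line closed the -v quote after the image name
# ("`pwd`:/mnt projectdiscovery/nuclei"), so docker received a malformed bind mount and no
# image argument. The mount is kept so an `-o /mnt/<file>` can be added; as written, nuclei
# only prints to the cell.
!docker run --rm -v "`pwd`:/mnt" projectdiscovery/nuclei -u {https_target}:{port}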


# Discovery

## httpx

In [None]:
# httpx probe of the single target: status code, title, detected tech, resolved IP and ASN.
!echo {target} | httpx -silent -status-code -title -tech-detect -ip -asn


## Subfinder

In [None]:
# Subfinder with JSON (+IP) output written to file. Note the redirect order: `2>&1 >/dev/null`
# sends stderr to the cell and discards stdout, so only errors surface here; the next cell
# reads the results file.
!subfinder -d {top_target} -silent -active -oI -oJ -o tools/subfinder/results.txt 2>&1 >/dev/null


In [None]:
# Pretty-print each subfinder JSON record; jq reads the file directly.
!jq -r '"Domain:  \(.host)\nIP addr: \(.ip)\n"' tools/subfinder/results.txt


## amass

In [None]:
# amass active enumeration of the apex domain, JSON results to file; -p {port} restricts the
# ports amass probes (per its CLI).
!amass enum -silent -nocolor -active -json tools/amass/results.txt -d {top_target} -p {port}


In [None]:
# Pretty-print each amass JSON record (name plus per-address IP/CIDR/ASN/description); jq reads the file directly.
!jq -r '"##### \(.name)\nIP addr: \(.addresses|.[].ip)\nCIDR: \(.addresses|.[].cidr)\nASN: \(.addresses|.[].asn)\nDesc: \(.addresses|.[].desc)\n"' tools/amass/results.txt


## theHarvester

In [None]:
# theHarvester on the apex domain, all sources, HTML report into the mounted results dir
# ({top_target} is IPython interpolation, same as the other cells).
!docker run --rm -v "`pwd`/tools/theharvester:/mnt" simonthomas/theharvester:latest theharvester -d {top_target} -b all -f /mnt/results.html


## ctfr

In [None]:
# ctfr (certificate-transparency subdomain lookup) on the apex domain, results into the mounted dir.
!docker run --rm -v "`pwd`/tools/ctfr/:/mnt" unapibageek/ctfr -d {top_target} -o /mnt/results.txt


## photon

In [None]:
# photon crawl of the HTTPS target with the --keys and --wayback options (-l / -t are depth and
# thread count per its CLI); per-file results land in tools/photon/<target>/ and the following
# cells read them.
!photon --keys -u {https_target} -l 3 -t 100 --wayback -o tools/photon/{target}


### external.txt

In [None]:
# Show photon's external.txt for this target.
read_file(f"tools/photon/{target}/external.txt")


### files.txt

In [None]:
# Show photon's files.txt for this target.
read_file(f"tools/photon/{target}/files.txt")


### fuzzable.txt

In [None]:
# Show photon's fuzzable.txt for this target.
read_file(f"tools/photon/{target}/fuzzable.txt")


### intel.txt

In [None]:
# Show photon's intel.txt for this target.
read_file(f"tools/photon/{target}/intel.txt")


### internal.txt

In [None]:
# Probe every URL photon listed in internal.txt (fed via stdin redirect), hiding 401/403/404 responses.
!httpx -silent -status-code -location -title -tech-detect -cl -ct -fc 401,403,404 < tools/photon/{target}/internal.txt


### scripts.txt

In [None]:
# Show photon's scripts.txt for this target.
read_file(f"tools/photon/{target}/scripts.txt")


## ffuf (subdomains)

In [None]:
# ffuf subdomain fuzzing over HTTPS. The wordlist path is hard-coded under /home/user;
# -s silences ffuf's own progress output and -of all / -od writes one file per hit into
# tools/ffuf_subdomain, which the last line counts.
!echo https://{ffuf_subdomain_target}
!ffuf -s -of all -w /home/user/git/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u https://{ffuf_subdomain_target} -od tools/ffuf_subdomain
!echo "`find tools/ffuf_subdomain -type f | wc -l` responses worth investigating.."


## ffuf (directory brute)


In [None]:
# ffuf directory fuzzing over HTTPS with auto-calibration (-ac); wordlist path hard-coded under
# /home/user. Hits are written one file each into tools/ffuf_directory, then counted and the
# request/status lines grepped out.
# NOTE(review): IPython expands `{expr}` in `!` lines — confirm the empty `{}` on the find -exec
# line reaches find unchanged (escape as `{{}}` if it does not).
!echo https://{ffuf_directory_brute}
!ffuf -s -ac -sf -of all -w /home/user/git/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -u https://{ffuf_directory_brute} -od tools/ffuf_directory
!echo "`find tools/ffuf_directory -type f | wc -l` responses worth investigating.."
!find tools/ffuf_directory -type f -exec grep -hE 'GET |^HTTP/' {} \; -exec echo \;


## hakrawler

In [None]:
# hakrawler crawl of the HTTPS target, de-duplicated (sort -u is equivalent to sort | uniq).
!echo {https_target} | hakrawler | sort -u


## sn1per

In [None]:
# sn1per in docker with its loot workspace bind-mounted to tools/sn1per. The redirect order
# `2>&1 >/dev/null` shows stderr in the cell and discards stdout; results are read from the mount.
# NOTE(review): -it requests a TTY, which a Jupyter kernel usually cannot provide — confirm
# docker does not refuse with "the input device is not a TTY".
!docker run -v "`pwd`/tools/sn1per:/usr/share/sniper/loot/workspace/" --rm -it xer0dayz/sn1per sniper -t {target} 2>&1 >/dev/null


In [None]:
# Dump every file under the sn1per output directories.
# NOTE(review): IPython expands `$name` and `{expr}` in `!` lines — confirm `$PWD` and the empty
# `{}` reach the shell/find unchanged (`{{}}` escapes the latter if not).
!find "$PWD/tools/sn1per/"*"/output" -type f -exec cat {} \;


## Raccoon

In [None]:
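# Raccoon scan of the HTTPS target, ignoring redirect/4xx/5xx noise. The code list was
# reconstructed from a paste-garbled line (terminal residue "[45/41163]" split it after "4");
# the third 4xx entry is assumed to be 403 — confirm against the original notebook.
!docker run --rm evyatarmeged/raccoon:latest {https_target} --ignored-response-codes "301,302,400,403,404,503,504"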


## Nikto

In [None]:
# Nikto with JSON output into the mounted tools/nikto dir. --net=host puts the container in the
# host's network namespace (it scans from the host's own addresses/interfaces).
# NOTE(review): -it requests a TTY, which a Jupyter kernel usually cannot provide — confirm
# docker does not refuse with "the input device is not a TTY".
!docker run -it --rm --net=host -v "`pwd`/tools/nikto:/mnt/" sullo/nikto -ask No -nointeractive -Format json -output /mnt/nikto -h {https_target}


## Nettacker

In [None]:
# Nettacker with all modules (-m all) against the HTTPS target; the container's results dir is
# bind-mounted to tools/nettacker. Uses a locally built image named `nettacker` (no registry path).
# NOTE(review): -it requests a TTY, which a Jupyter kernel usually cannot provide — confirm
# docker does not refuse with "the input device is not a TTY".
!docker run -it --rm -v "`pwd`/tools/nettacker:/usr/src/owaspnettacker/.data/results/" nettacker python3 ./nettacker.py -m all -i {https_target}


In [7]:
# Print a file:// link to the nettacker results dir; backticked `pwd` is used rather than a
# shell variable because IPython interpolates `$name` in `!` lines before the shell sees them.
!echo "Full Nettacker results in file://`pwd`/tools/nettacker"

Full Nettacker results in file:///home/user/jupyter/pentest/next/tools/nettacker


# Scanning

## TLS Scan

In [None]:
# testssl.sh TLS configuration scan; -oA writes every output format with the tools/testssl prefix.
!testssl.sh -oA tools/testssl {target}:{port}


# Email Enumeration

In [None]:
# infoga e-mail enumeration on the apex domain, all sources, verbosity 2 ({top_target} is IPython
# interpolation, same as the other cells). Uses a locally built image named `infoga`.
!docker run --rm infoga --domain {top_target} --source all --breach -v 2


# Manual

## OpenVAS

https://localhost:8030/login/login.html (admin / admin)

## Spiderfoot

http://localhost:8060/

# End Time

In [None]:
# Engagement end timestamp (kernel host's local time), to pair with the start time above.
!date
