ethkillmyself / crimson-recon

This project was forked from marklindsey11/crimson-recon.

Size: 70.6 MB

License: Apache License 2.0

Languages: Python 94.55%, Shell 5.09%, Go 0.36%, PHP 0.01%

crimson-recon's Introduction

Crimson v2

Crimson is a tool that automates ASSET DISCOVERY and VULNERABILITY SCANNING.
It chains many open source tools, most of which can be downloaded from GitHub.

It consists of three partially interdependent modules:

  • crimson_recon - automates subdomain reconnaissance and vulnerability scanning across a whole scope.
  • crimson_target - automates reconnaissance and vulnerability scanning of a single domain or subdomain.
  • crimson_exploit - automates bug finding in the gathered URLs.

Installation & running

# 1. Pull the docker image:
docker pull karmaz95/crimson:v2
# 2. First run of the downloaded image (host networking, so the -y flags can reach Burp on the host's 127.0.0.1:8080):
docker run --net="host" --name crimson -it karmaz95/crimson:v2
# 3. After the first run, start the existing container with:
docker start crimson && docker attach crimson
# 4. To copy output out of the container:
docker cp crimson:/root/bounty/domain.name <local-dest-path>

Optionally, install Burp Suite and the extensions listed in the Burp Suite extensions section below.

Usage - commands issued inside the Docker container

♦️ The first module needs a domain name ♦️
crimson_recon -D "domain.com"

                   # Optional flags:
                -x # Domain bruteforcing (with the words/dns wordlist)
                -v # Virtual host discovery
                -p # TCP port scanning (1-65535)
                -u # UDP port scanning (nmap default ports)
                -b # Third-level subdomain bruteforcing
                -y # Proxy urls.txt and live.txt to Burp (127.0.0.1:8080)
                -s # Find hidden subdomains and secrets in urls.txt with SubDomainizer (very slow)
♦️ The second module needs a subdomain name ♦️
crimson_target -D "example.domain.com"

                    # Optional flags:
                 -c "Cookie: auth1=123;"  # Cookie header added to the requests (authenticated testing)
                 -p # TCP port scanning (1-65535)
                 -u # UDP port scanning (nmap default ports)
                 -a # Filter bruteforcing results automatically; without it you must remove false positives by hand
                 -y # Proxy urls.txt and ffuf.txt to Burp (127.0.0.1:8080)
                 -b # Parameter bruteforcing with Arjun
♦️ The third module needs a subdomain name, your collaborator domain and your VPS IP ♦️
crimson_exploit -D "example.domain.com" -d "collaborator.com" -i "ip"

                    # Optional flags:
                  -c "Cookie: auth1=123;"  # Cookie header added to the requests (authenticated testing)
                  -x # Fuzz all.txt with the bug wordlist
♦️ Before starting the third module, start a listener on your VPS on port 80 (python -m http.server 80) and, for the ping payloads, capture ICMP with tcpdump -i eth0 icmp ♦️

Usage - modules description

🔻 [I] crimson_recon

This module helps when you have to test a large infrastructure or are hunting bounties on a wildcard scope such as *.scope.com.

### FUNCTIONS:
#
# 1. SUBDOMAIN ENUMERATION
# 2. LIVE SUBDOMAIN CHECK
# 3. TAKEOVER CHECK
# 4. SCREENSHOTS
# 5. CORS CHECK
# 6. IP RESOLVE
# 7. OPENED PORTS SCAN
# 8. URLS SCRAPING
# 9. API KEYS SCRAPING
# 10. VIRTUAL HOSTNAMES ENUMERATION
# 11. NUCLEI VULN SCAN
#
### LISTS (output):
#
# 1. live.txt           - LIVE SUBDOMAINS
# 2. ip.txt             - ALL IPs
# 3. ports.txt          - OPENED PORTS
# 4. subjack.txt        - VULNS [TAKEOVER]
# 5. screenshots        - STATUS CODES + SCREENS
# 6. cors_scan.txt      - VULNS [CORS]
# 7. urls.txt           - ALL CRAWLED AND LIVE URLS IN ONE FILE
# 8. status_live.txt    - HTTP / HTTPS SUBDOMAINS STATUS CODES
# 9. ldns-walk.txt      - DOMAINS ENUMERATED BY DNSSEC (NSEC) ZONE WALKING
# 10. subdomainizer.txt - DETECTED API KEYS AND ADDITIONAL SUBDOMAINS
# 11. hosthunter.txt    - VIRTUAL HOSTNAMES
# 12. nuclei.txt        - CVE SCAN
#
### WORKFLOW
#
# 1. Start Burp Suite - optional step
# - Create a new project - example.tld
# - Turn off interception
# 2. Start this script.
# 3. Check the output listed above (LISTS)
# 4. Select a single subdomain and start the crimson_target module on it
#
###
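The CORS check that fills cors_scan.txt is done by a third-party tool this page does not name. As an added example, not Crimson's own code, here is the check a practitioner would run by hand on one live host: send a few attacker-controlled Origin values, read back Access-Control-Allow-Origin and Access-Control-Allow-Credentials, and label what the server did. The probe list and the labels are assumptions of this example; only the Python standard library is used.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse


def probe_origins(target_url):
    """Origins sent to see how the server's allow-list is matched.

    This probe set is an assumption for the example, not crimson's own list.
    """
    parts = urlparse(target_url)
    host = parts.hostname
    return [
        "https://evil.example",                   # arbitrary third party
        "null",                                   # sandboxed iframe / data: URL
        f"{parts.scheme}://{host}.evil.example",  # unanchored prefix match
        f"{parts.scheme}://evil{host}",           # unanchored suffix match
    ]


def classify_cors(probe_origin, headers):
    """Label one response given the Origin that was sent and the response headers.

    headers: mapping of header name -> value; lookup is case-insensitive.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse credentialed requests against a wildcard, so this
        # only exposes data that was readable without a session anyway.
        return "wildcard"
    if acao == probe_origin:
        if probe_origin == "null":
            return "null-origin-with-credentials" if creds else "null-origin"
        return "reflected-with-credentials" if creds else "reflected"
    return "no-cors"


def scan_cors(target_url, timeout=10):
    """Send one GET per probe origin; returns a list of (origin, label)."""
    findings = []
    for origin in probe_origins(target_url):
        req = urllib.request.Request(
            target_url, headers={"Origin": origin, "User-Agent": "cors-check"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                headers = dict(resp.headers.items())
        except urllib.error.HTTPError as e:
            headers = dict(e.headers.items())  # 4xx/5xx responses carry CORS headers too
        except (urllib.error.URLError, OSError):
            findings.append((origin, "unreachable"))
            continue
        findings.append((origin, classify_cors(origin, headers)))
    return findings


def exploitable(findings):
    """Only credentialed reflection lets a cross-site page read an authenticated response."""
    return [(o, label) for o, label in findings if label.endswith("with-credentials")]


if __name__ == "__main__":
    import sys

    for origin, label in scan_cors(sys.argv[1]):
        print(f"{label:30} Origin: {origin}")
```

Only the with-credentials labels let an attacker's page read an authenticated response in the victim's browser; a plain reflection is still worth noting when the host is reachable only from an internal network, because the reflected origin then acts as a read primitive for whoever can reach it.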

🔻 [II] crimson_target

This module covers one particular domain or subdomain, for example www.scope.tld.

### FUNCTIONS:
#
# 1. FULL RANGE PORT SCANNING && NSE ON OPENED PORTS
# 2. VULNERABILITY SCANNING
# 3. DOMAIN CRAWLING
# 4. DIRECTORY BRUTEFORCING
# 5. GATHERING SOURCE CODE OF SCRAPED / BRUTEFORCED URLS
# 6. EXTRACTING NEW PATHS, API KEYS, ENDPOINTS FROM GATHERED SOURCE CODE
# 7. MERGING PATHS WITH DOMAIN AND PROBING FOR NEW ENDPOINTS
# 8. PROXYING LIVE RESULTS TO BURP SUITE
# 9. PREPARING params.txt && dirs.txt FOR EXPLOIT MODULE
# 10. CHECKING WAF && POTENTIAL BACKUP FILES && CMS
# 11. TESTING HOP-BY-HOP HEADER DELETION
#
### LISTS:
#
# 1) recon.txt          - FILE WITH RECON OUTPUT
# 2) urls.txt           - FILE WITH GATHERED URLS
# 3) status_params.txt  - STATUS CODES OF urls.txt
# 4) ffuf.txt           - DIR BRUTEFORCING OUTPUT
# 5) status_dir.txt     - STATUS CODES OF ffuf.txt
# 6) exp/params.txt     - FILE PREPARED FOR crimson_exploit WITH PARAMS
# 7) exp/dirs.txt       - FILE PREPARED FOR crimson_exploit WITH DIRECTORIES
# 8) backups.txt        - POTENTIAL BACKUP FILES
# 9) arjun.txt          - FILE WITH BRUTEFORCED PARAMETERS
# 10) nmap.txt          - FILE WITH TCP/UDP PORT SCANNING OUTPUT
# 11) exp/nmap.gnmap    - FILE WITH TCP/UDP PORT SCANNING OUTPUT IN GREPABLE FORMAT
#
### WORKFLOW
#
# 0. Start Burp - optional step
#   - Create a new project - www.example.tld
#   - Turn off interception
#   - Run the active scan only on proxied URLs that are in scope
# 1. Start the script
#   - If you did not use the -a flag, go to /bounty/domain.tld/tested.domain.tld/temp and manually remove the false-positive entries from ferox.txt
# 2. Check the output listed above (LISTS)
# 3. Manually browse the application and exercise every functionality
# 4. Copy the whole target scope from Burp after browsing the target manually
# 5. Paste it into exp/all.txt and run crimson_exploit
#
###
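Of the two port-scan outputs above, exp/nmap.gnmap (nmap's grepable -oG format) is the one meant for post-processing. The parser below is an added example and not part of crimson_target: it turns the gnmap file into open-port records and derives the URLs worth handing to a crawler or directory bruteforcer. The sample scan is constructed, and the http_targets() rule for which services count as web servers is an assumption of this example.

```python
import re

# Constructed sample in nmap grepable format (not real crimson output). nmap
# writes "/" inside service and version fields as "|", e.g. "ssl|http".
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Tue Jan  3 10:00:00 2023 as: nmap -sS -sV -p- -oG exp/nmap.gnmap www.scope.tld
Host: 203.0.113.10 (www.scope.tld)\tStatus: Up
Host: 203.0.113.10 (www.scope.tld)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///, 8443/open/tcp//ssl|https-alt///\tIgnored State: closed (65530)
Host: 203.0.113.11 (api.scope.tld)\tPorts: 53/open|filtered/udp//domain///, 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (998)
# Nmap done at Tue Jan  3 11:42:00 2023 -- 2 IP addresses (2 hosts up) scanned in 6120.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"name": reverse-name-or-empty, "ports": [port records]}}.

    Each "Ports:" entry is port/state/proto/owner/service/rpc/version/ ;
    a host may appear on several lines (Status line, Ports line), so they merge.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        entry = hosts.setdefault(m["ip"], {"name": m["name"], "ports": []})
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/", 7)
                if len(parts) < 7:
                    continue
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(hosts, proto=None):
    """Flatten to (ip, port, proto, service) for ports nmap reported as open.

    'open|filtered' (typical for UDP) is deliberately left out: it is a guess, not a finding.
    """
    out = []
    for ip, h in hosts.items():
        for p in h["ports"]:
            if p["state"] != "open" or (proto and p["proto"] != proto):
                continue
            out.append((ip, p["port"], p["proto"], p["service"]))
    return out


def http_targets(hosts):
    """URLs to feed a crawler/fuzzer: open TCP ports whose service name starts with http.

    Heuristic of this example: an 'ssl' token or an https* service name means TLS.
    """
    urls = []
    for ip, h in hosts.items():
        name = h["name"] or ip
        for p in h["ports"]:
            if p["state"] != "open" or p["proto"] != "tcp":
                continue
            tokens = p["service"].split("|")
            if not any(t.startswith("http") for t in tokens):
                continue
            tls = "ssl" in tokens or tokens[-1].startswith("https")
            scheme, default = ("https", 443) if tls else ("http", 80)
            port_part = "" if p["port"] == default else f":{p['port']}"
            urls.append(f"{scheme}://{name}{port_part}/")
    return urls


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for rec in open_ports(scan):
        print("%s:%d/%s %s" % rec)
    print("\n".join(http_targets(scan)))
```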

🔻 [III] crimson_exploit

This module uses a number of tools to automate the search for certain bugs in a list of urls.

### FUNCTIONS:
#
# 1. FUZZING PATHS IN URLS FROM dirs.txt WITH CUSTOM PAYLOADS
# 2. FUZZING PARAMS IN URLS FROM params.txt WITH CUSTOM PAYLOADS
# 3. TESTING FOR XSS
# 4. TESTING JAVASCRIPT SOURCE CODE
# 5. TESTING HTTP REQUEST SMUGGLING
# 6. TESTING PROTOTYPE POLLUTION
# 7. TESTING FOR BROKEN LINKS
# 8. TESTING SQLI
# 9. TESTING OUT-OF-BOUND RCE/SSRF
# 10. TESTING JAVA DESERIALIZATION
# 11. TESTING CRLF INJECTION
# 12. TESTING FOR OPEN REDIRECTION
# 13. TESTING WORDPRESS
# 14. TESTING CVES
# 15. TESTING HEADER INJECTIONS
#
### LISTS:
#
# 1. bug_params.txt         - Parameter fuzzing output (from params.txt)
# 2. bug_dirs.txt           - Path fuzzing output (from dirs.txt)
# 3. vuln_xss               - Output from XSStrike with vulnerable URLs ready to open in a browser
# 4. codeql.txt             - Output from CodeQL after testing the JavaScript source code
# 5. smuggler.txt           - Output after testing for HTTP request smuggling
# 6. prototype-pollution    - Parameters potentially vulnerable to prototype pollution
# 7. broken_links.txt       - Output from BLC
# 8. sqli/                  - Output from sqlmap
# 9. oob.txt                - OAST log ([ID] [TIME] of each out-of-band payload sent)
# 10. CRLF.txt              - Output from crlfuzz
# 11. OR.txt                - URLs potentially vulnerable to open redirect
# 12. dalfox.txt            - Output from dalfox
# 13. ssti.txt              - Output from crimson_templator with SSTI-vulnerable URLs
# 14. wp/                   - Output from WPScan
# 15. deserializator.txt    - Logs from crimson_deserializator
# 16. semgrep.txt           - Output from Semgrep after testing the JavaScript source code
# 17. nuclei.txt            - Output from nuclei scanning
# 18. headi.txt             - Output from headi
#
### WORKFLOW
#
# 0. Start Burp - optional step
# 1. Start the VPS listener and the collaborator server
# 2. Start the script
# 3. Check the output listed above (LISTS)
# 4. Look for the [ID] [TIME] entries in oob.txt and compare them with the pings received on your VPS / collaborator
# 5. Check the deserialization pings with manual payloads
# 6. Start manual testing
#
###
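Matching the [ID] [TIME] entries in oob.txt against the listener you started (python -m http.server 80 and tcpdump -i eth0 icmp) is easy to get wrong by hand once there are dozens of payloads. The script below is an added example and not part of crimson_exploit. The exact oob.txt line shape is an assumption (the README only says it contains [ID] [TIME]); the HTTP and ICMP lines are the formats http.server and tcpdump actually print. All three inputs are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inputs (not real crimson output). The "[ID] [TIME] <request>"
# shape of oob.txt is an assumption of this example.
OOB_TXT = """\
[7f3a9c] [2023-01-03 10:15:42] GET http://www.scope.tld/api/fetch?url=http://198.51.100.7/7f3a9c
[b81e02] [2023-01-03 10:16:10] GET http://www.scope.tld/img?src=http://198.51.100.7/b81e02
[c44d17] [2023-01-03 10:17:05] GET http://www.scope.tld/ping?host=198.51.100.7
"""
# What `python -m http.server 80` writes to stderr on the VPS.
HTTP_LOG = """\
203.0.113.10 - - [03/Jan/2023 10:15:43] "GET /7f3a9c HTTP/1.1" 404 -
198.51.100.200 - - [03/Jan/2023 10:20:00] "GET /robots.txt HTTP/1.1" 404 -
"""
# What `tcpdump -i eth0 icmp` prints with its default timestamp (no date).
ICMP_LOG = """\
10:17:06.204311 IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 913, seq 1, length 64
10:17:06.204355 IP 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 913, seq 1, length 64
"""

OOB_RE = re.compile(r"^\[(?P<id>[0-9a-f]+)\] \[(?P<ts>[^\]]+)\] (?P<req>.*)$")
HTTP_RE = re.compile(r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
ICMP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\S+) > \S+: ICMP echo request")


def parse_oob(text):
    out = []
    for line in text.splitlines():
        m = OOB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.append({"id": m["id"], "ts": ts, "req": m["req"]})
    return out


def parse_http_log(text):
    out = []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
            out.append({"src": m["src"], "ts": ts, "path": m["path"]})
    return out


def parse_icmp_log(text, capture_date):
    """capture_date is 'YYYY-MM-DD'; tcpdump's default timestamp carries no date."""
    out = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{capture_date} {m['ts']}", "%Y-%m-%d %H:%M:%S")
            out.append({"src": m["src"], "ts": ts})
    return out


def correlate(oob_text, http_text, icmp_text, capture_date, window_s=60):
    """Attribute listener hits to OOB payload IDs.

    An HTTP callback carries the ID in its path and is matched exactly. An ICMP
    echo carries no ID, so it is attributed by time only: to the most recent
    injection at most window_s seconds before it. Returns
    {id: [(kind, source_ip, "YYYY-MM-DD HH:MM:SS"), ...]} with every ID present.
    """
    injections = parse_oob(oob_text)
    hits = {inj["id"]: [] for inj in injections}
    for h in parse_http_log(http_text):
        for inj in injections:
            if inj["id"] in h["path"]:
                hits[inj["id"]].append(("http", h["src"], h["ts"].isoformat(sep=" ")))
    for p in parse_icmp_log(icmp_text, capture_date):
        candidates = [
            inj for inj in injections
            if timedelta(0) <= p["ts"] - inj["ts"] <= timedelta(seconds=window_s)
        ]
        if candidates:
            best = max(candidates, key=lambda inj: inj["ts"])
            hits[best["id"]].append(("icmp", p["src"], p["ts"].isoformat(sep=" ")))
    return hits


def confirmed(hits):
    """IDs with at least one callback: the ones worth manual SSRF/RCE follow-up."""
    return sorted(pid for pid, v in hits.items() if v)


if __name__ == "__main__":
    for pid, v in correlate(OOB_TXT, HTTP_LOG, ICMP_LOG, "2023-01-03").items():
        print(pid, v or "no callback")
```

With the 60 s default, the 10:17:06 echo request falls inside the windows of both b81e02 and c44d17; the script gives it to the later payload because a ping has nothing else to go on. Treat such a hit as a lead, re-send the candidate payloads one at a time, and only then write it up. The source address of the callback (here 203.0.113.10) is itself evidence: an ICMP or HTTP hit from the target's egress IP, rather than from a scanner or a link-preview bot, is what separates a real SSRF from noise.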

Extras

The scripts directory contains some additional tools I have written that are worth a look.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

List of utilized tools

The following tools are used in Crimson. I encourage you to study the projects listed below; they will help you in your work. Pay particular attention to the Burp Suite extensions, because all gathered resources are proxied to Burp Suite, where they are tested further.

♦️ Domains enumeration:

♦️ IP && ports:

♦️ URLs:

♦️ Target visualisation:

♦️ Bug finding:

♦️ WordPress tools:

♦️ Additional tools:

♦️ Wordlists:

♦️ Burp Suite extensions:

♦️ OSINT:

♦️ TO DO:

HISTORY

If you are curious how it all started:

  • You can learn more about the crimson_recon module by reading my article on Medium
  • You can learn more about the crimson_target module by reading my article on Medium
  • You can learn more about the crimson_exploit module by reading my article on Medium

LICENSE

This program is free software: you can redistribute it and/or modify it under the terms of the Apache License 2.0. Crimson and any contributions are Copyright © Karol Mazurek 2020-2022.

SUPPORT

You can support the project by buying me a coffee or via an NFT that unlocks the secret Crimson Web community.


crimson-recon's People

Contributors: karmaz95, kraczak
