Skip to content
/ webpwn Public

Cracking the Lenses of Perimeter Penetrationtests

Notifications You must be signed in to change notification settings

m-cetin/webpwn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

72 Commits
 
 
 
 
 
 
 
 

Repository files navigation

WebPwn - A Comprehensive Toolkit for Penetration Testers

WebPwn is an advanced and all-inclusive collection of tools specifically designed to assist penetration testers in obtaining a solid initial foothold into targeted systems. This powerful toolkit encompasses a wide array of functionalities, including but not limited to email address collection, subdomain enumeration, vulnerability scanning, and exploitation techniques. It is essential to note that WebPwn is intended solely for legal and ethical purposes within the field of penetration testing. Its application for any illegal activities is strictly prohibited.

By utilizing WebPwn, penetration testers can enhance their capabilities and streamline their assessment process, ensuring thorough and effective security evaluations. Whether you are conducting web application assessments, network penetration tests, or vulnerability analyses, WebPwn offers a comprehensive suite of tools to facilitate your objectives.

Please remember to exercise responsible usage and adhere to applicable laws and regulations while utilizing WebPwn. Our aim is to provide a valuable resource to penetration testers, fostering a safer and more secure digital landscape.

Tool Requirements (Linux-only)

General recommendations:

  • Install Go and place Go binaries in the "tools" folder.
  • Clone the entire repository.

For full functionality of the email gathering tool, you will need:

  • 1 XING account.

Although it may work without an account, we strongly recommend using one. Creating a temporary account for this purpose is suggested.

Installation

Install httpx, if not available:

wget https://github.com/projectdiscovery/httpx/releases/download/v1.3.3/httpx_1.3.3_linux_amd64.zip -O httpx.zip; unzip httpx.zip; sudo cp httpx /usr/bin

Get WebPwn:

git clone https://github.com/m-cetin/webpwn; cd webpwn

pip3 install -r requirements.txt

Usage

Just run:

python3 webpwn.py

The main menu will guide you through.

What you can do

Menu 1) - E-Mail Gathering

Gathering emails from Xing and LinkedIn. Enter your XING credentials, when asked.

image

The mails are saved under /recon in different formats. fullname-emails.txt has the format {firstname}.{lastname}@company.com, emails.txt has the format {f}.{lastname}@company.com, and other common mail pattern you can find there. There's also an option to bruteforce names with X certain letters, for example [email protected], etc.

Menu 1b) - E-Mail convention check

Enter the full name of the target person and their domain (@domain.com), to check against Microsoft Outlook and Azure, if the email exists. German umlauts (ä,ö,ü and ß) are automatically converted to their according usable form (ä -> ae, etc.). Furthermore, hyphe (-) signs work as well. If someone has the name "Anna-Lena Schmidt", versions like [email protected] and similiar are being considered.

image

Menu 2 - Subdomain Enumeration

Option 1):

Using AORT to do subdomain enum + active checks (WAF detection, zone transfer, etc.).

image

Results are saved under subdomains/domains.txt.

If you find any api keys (like Google Maps API), you can use KeyHacks to check how to use them.

Option 2):

Combination of the most commonly used tools to do subdomain enumeration. This is subdomain enumeration only.

image

Results are saved under subdomains/domains.txt.

image

Results are then checked against httpx for port 80,443,8080,8000,8443 and the live domains are saved under subdomains/live_domains.txt.

Option 3):

Coming soon. Hopefully.

Option 4):

Enumerate your target with waybackurls and gau to get endpoints from the past.

image

They'll be saved separately under subdomains/old_domains.txt.

Menu 3 - Enumerate NTLM endpoints with NTLMRecon

Checking common NTLM endpoints to do password spraying attacks. You can either use the previously created domains.txt or specify your own IP address, domain, a full range or just skip it. This is basically just the tool NTLMRecon, since I'm using it regularly.

image

Menu 4 - SQL Mass Injection

When you want to really test every parameter for SQL injections, some "mass" scanning might be useful. I've basically just took sqlmap with the ability to use custom flags. When scrolling a lot through a web page, you should have a huge Burp history file. Click on it, select "Show only in scope", mark all requests and save them as XML file. Then simply provide this file to the tool, to scan through everything and anything.

image

I usually use --tamper=space2comment,between as extra flag. This might take a while to run through. Let it run in the background and enjoy your SQL injections once identified.

Note

This tool is still in development and will probably further advanced. If you have any feedback or issues you experienced while using it, please let me know, so I can adjust it. I build it initially for myself to ease the usage of a lot of tools.

Credits

Google Dorking tools:

Recon (email gathering) tools being used:

Subdomain Enumeration tools:

Back to the future enumeration tools:

Check if domains are alive:

NTLM recon tool: