Aman Gupta edited this page Jun 17, 2020 · 41 revisions

Help Menu

Use the --help (or -h) switch to print the help menu from the CLI: python nettacker.py --help

  • Note: This example may not reflect the latest version.
   ______          __      _____ _____  
  / __ \ \        / /\    / ____|  __ \ 
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/ 
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1  
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _            
                         | \ | |    | | | |           | |            
  github.com/zdresearch  |  \| | ___| |_| |_ __ _  ___| | _____ _ __ 
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  zdresearch.com         | |\  |  __/ |_| || (_| | (__|   <  __/ |   
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|   
                                               
    

usage: Nettacker [-L LANGUAGE] [-v VERBOSE_LEVEL] [-V] [-c] [-o LOG_IN_FILE]
                 [--graph GRAPH_FLAG] [-h] [-W] [--profile PROFILE]
                 [-i TARGETS] [-l TARGETS_LIST] [-m SCAN_METHOD]
                 [-x EXCLUDE_METHOD] [-u USERS] [-U USERS_LIST] [-p PASSWDS]
                 [-P PASSWDS_LIST] [-g PORTS] [-T TIMEOUT_SEC] [-w TIME_SLEEP]
                 [-r] [-s] [-t THREAD_NUMBER] [-M THREAD_NUMBER_HOST]
                 [-R SOCKS_PROXY] [--retries RETRIES] [--ping-before-scan]
                 [--method-args METHODS_ARGS] [--method-args-list]
                 [--start-api] [--api-host API_HOST] [--api-port API_PORT]
                 [--api-debug-mode] [--api-access-key API_ACCESS_KEY]
                 [--api-client-white-list]
                 [--api-client-white-list-ips API_CLIENT_WHITE_LIST_IPS]
                 [--api-access-log]
                 [--api-access-log-filename API_ACCESS_LOG_FILENAME]
                 [--api-cert API_CERT] [--api-cert-key API_CERT_KEY]

Engine:
  Engine input options

  -L LANGUAGE, --language LANGUAGE
                        select a language ['ru', 'fr', 'hy', 'nl', 'zh-cn',
                        'ko', 'de', 'tr', 'it', 'iw', 'id', 'fa', 'hi', 'en',
                        'vi', 'el', 'ur', 'ar', 'ja', 'es', 'ps']
  -v VERBOSE_LEVEL, --verbose VERBOSE_LEVEL
                        verbose mode level (0-5) (default 0)
  -V, --version         show software version
  -c, --update          check for update
  -o LOG_IN_FILE, --output LOG_IN_FILE
                        save all logs in file (results.txt, results.csv,
                        results.html, results.json)
  --graph GRAPH_FLAG    build a graph of all activities and information, you
                        must use HTML output. available graphs:
                        ['jit_circle_v1_graph', 'd3_tree_v1_graph',
                        'd3_tree_v2_graph']
  -h, --help            Show Nettacker Help Menu
  -W, --wizard          start wizard mode
  --profile PROFILE     select profile ['info', 'vuln', 'joomla', 'wordpress',
                        'scan', 'vulnerability', 'information_gathering',
                        'wp', 'brute', 'all']

Target:
  Target input options

  -i TARGETS, --targets TARGETS
                        target(s) list, separate with ","
  -l TARGETS_LIST, --targets-list TARGETS_LIST
                        read target(s) from file

Method:
  Scan method options

  -m SCAN_METHOD, --method SCAN_METHOD
                        choose scan method ['content_type_options_vuln',
                        'Bftpd_remote_dos_vuln',
                        'ProFTPd_bypass_sqli_protection_vuln',
                        'content_security_policy_vuln', 'CCS_injection_vuln',
                        'clickjacking_vuln', 'server_version_vuln',
                        'ProFTPd_memory_leak_vuln', 'xdebug_rce_vuln',
                        'ProFTPd_directory_traversal_vuln', 'heartbleed_vuln',
                        'x_powered_by_vuln', 'apache_struts_vuln',
                        'http_cors_vuln', 'Bftpd_parsecmd_overflow_vuln',
                        'self_signed_certificate_vuln',
                        'citrix_cve_2019_19781_vuln',
                        'Bftpd_double_free_vuln',
                        'weak_signature_algorithm_vuln',
                        'ssl_certificate_expired_vuln',
                        'wordpress_dos_cve_2018_6389_vuln',
                        'ProFTPd_restriction_bypass_vuln',
                        'wp_xmlrpc_bruteforce_vuln',
                        'ProFTPd_heap_overflow_vuln',
                        'ProFTPd_integer_overflow_vuln',
                        'ProFTPd_exec_arbitary_vuln', 'XSS_protection_vuln',
                        'Bftpd_memory_leak_vuln',
                        'options_method_enabled_vuln',
                        'wp_xmlrpc_pingback_vuln',
                        'ProFTPd_cpu_consumption_vuln', 'wp_xmlrpc_brute',
                        'ftp_brute', 'http_basic_auth_brute', 'smtp_brute',
                        'telnet_brute', 'http_ntlm_brute', 'ssh_brute',
                        'http_form_brute', 'joomla_template_scan',
                        'wp_theme_scan', 'wp_timthumbs_scan', 'pma_scan',
                        'shodan_scan', 'joomla_user_enum_scan',
                        'drupal_theme_scan', 'viewdns_reverse_ip_lookup_scan',
                        'joomla_version_scan', 'wordpress_version_scan',
                        'drupal_version_scan', 'wp_plugin_scan', 'icmp_scan',
                        'dir_scan', 'port_scan', 'wappalyzer_scan',
                        'subdomain_scan', 'wp_user_enum_scan',
                        'cms_detection_scan', 'admin_scan',
                        'drupal_modules_scan', 'sender_policy_scan', 'all']
  -x EXCLUDE_METHOD, --exclude EXCLUDE_METHOD
                        choose scan method to exclude
                        ['content_type_options_vuln', 'Bftpd_remote_dos_vuln',
                        'ProFTPd_bypass_sqli_protection_vuln',
                        'content_security_policy_vuln', 'CCS_injection_vuln',
                        'clickjacking_vuln', 'server_version_vuln',
                        'ProFTPd_memory_leak_vuln', 'xdebug_rce_vuln',
                        'ProFTPd_directory_traversal_vuln', 'heartbleed_vuln',
                        'x_powered_by_vuln', 'apache_struts_vuln',
                        'http_cors_vuln', 'Bftpd_parsecmd_overflow_vuln',
                        'self_signed_certificate_vuln',
                        'citrix_cve_2019_19781_vuln',
                        'Bftpd_double_free_vuln',
                        'weak_signature_algorithm_vuln',
                        'ssl_certificate_expired_vuln',
                        'wordpress_dos_cve_2018_6389_vuln',
                        'ProFTPd_restriction_bypass_vuln',
                        'wp_xmlrpc_bruteforce_vuln',
                        'ProFTPd_heap_overflow_vuln',
                        'ProFTPd_integer_overflow_vuln',
                        'ProFTPd_exec_arbitary_vuln', 'XSS_protection_vuln',
                        'Bftpd_memory_leak_vuln',
                        'options_method_enabled_vuln',
                        'wp_xmlrpc_pingback_vuln',
                        'ProFTPd_cpu_consumption_vuln', 'wp_xmlrpc_brute',
                        'ftp_brute', 'http_basic_auth_brute', 'smtp_brute',
                        'telnet_brute', 'http_ntlm_brute', 'ssh_brute',
                        'http_form_brute', 'joomla_template_scan',
                        'wp_theme_scan', 'wp_timthumbs_scan', 'pma_scan',
                        'shodan_scan', 'joomla_user_enum_scan',
                        'drupal_theme_scan', 'viewdns_reverse_ip_lookup_scan',
                        'joomla_version_scan', 'wordpress_version_scan',
                        'drupal_version_scan', 'wp_plugin_scan', 'icmp_scan',
                        'dir_scan', 'port_scan', 'wappalyzer_scan',
                        'subdomain_scan', 'wp_user_enum_scan',
                        'cms_detection_scan', 'admin_scan',
                        'drupal_modules_scan', 'sender_policy_scan']
  -u USERS, --usernames USERS
                        username(s) list, separate with ","
  -U USERS_LIST, --users-list USERS_LIST
                        read username(s) from file
  -p PASSWDS, --passwords PASSWDS
                        password(s) list, separate with ","
  -P PASSWDS_LIST, --passwords-list PASSWDS_LIST
                        read password(s) from file
  -g PORTS, --ports PORTS
                        port(s) list, separate with ","
  -T TIMEOUT_SEC, --timeout TIMEOUT_SEC
                        read password(s) from file
  -w TIME_SLEEP, --time-sleep TIME_SLEEP
                        time to sleep between each request
  -r, --range           scan all IPs in the range
  -s, --sub-domains     find and scan subdomains
  -t THREAD_NUMBER, --thread-connection THREAD_NUMBER
                        thread numbers for connections to a host
  -M THREAD_NUMBER_HOST, --thread-hostscan THREAD_NUMBER_HOST
                        thread numbers for scan hosts
  -R SOCKS_PROXY, --socks-proxy SOCKS_PROXY
                        outgoing connections proxy (socks). example socks5:
                        127.0.0.1:9050, socks://127.0.0.1:9050
                        socks5://127.0.0.1:9050 or socks4:
                        socks4://127.0.0.1:9050, authentication:
                        socks://username: password@127.0.0.1,
                        socks4://username:password@127.0.0.1,
                        socks5://username:password@127.0.0.1
  --retries RETRIES     Retries when the connection timeout (default 3)
  --ping-before-scan    ping before scan the host
  --method-args METHODS_ARGS
                        enter methods inputs, example: ftp_brute_users=test,ad
                        min&ftp_brute_passwds=read_from_file:/tmp/pass.txt&ftp
                        _brute_port=21
  --method-args-list    list all methods args

API:
  API options

  --start-api           start the API service
  --api-host API_HOST   API host address
  --api-port API_PORT   API port number
  --api-debug-mode      API debug mode
  --api-access-key API_ACCESS_KEY
                        API access key
  --api-client-white-list
                        just allow white list hosts to connect to the API
  --api-client-white-list-ips API_CLIENT_WHITE_LIST_IPS
                        define white list hosts, separate with , (examples:
                        127.0.0.1, 192.168.0.1/24, 10.0.0.1-10.0.0.255)
  --api-access-log      generate API access log
  --api-access-log-filename API_ACCESS_LOG_FILENAME
                        API access log filename
  --api-cert API_CERT   API CERTIFICATE
  --api-cert-key API_CERT_KEY
                        API CERTIFICATE Key

[X] Cannot specify the target(s)


Please read license and agreements https://github.com/zdresearch/OWASP-Nettacker

Language Selection

Nettacker's output is available in 21 languages. Select one with the language flag: $ nettacker -L fa

-L is the language flag; here it sets the output language to Farsi, selected by the code fa. Farsi and the 20 other available languages are listed in the command line help: el, fr, en, nl, ps, tr, de, ko, it, ja, fa, hy, ar, zh-cn, vi, ru, hi, ur, id, es, iw.

  • Your terminal must support Unicode for these languages to display correctly; search the web for "How to use Farsi on cmd/terminal" if it does not.
  • You can fix right-to-left ordering and character shaping for Persian (Farsi) and other Unicode languages with bicon in a terminal or Windows bash.
$ python nettacker.py --help -L fa

   ______          __      _____ _____  
  / __ \ \        / /\    / ____|  __ \ 
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/ 
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1  
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _            
                         | \ | |    | | | |           | |            
  github.com/zdresearch  |  \| | ___| |_| |_ __ _  ___| | _____ _ __ 
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  zdresearch.com         | |\  |  __/ |_| || (_| | (__|   <  __/ |   
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|   
                                               
    

usage: Nettacker [-L LANGUAGE] [-v VERBOSE_LEVEL] [-V] [-c] [-o LOG_IN_FILE]
                 [--graph GRAPH_FLAG] [-h] [-W] [--profile PROFILE]
                 [-i TARGETS] [-l TARGETS_LIST] [-m SCAN_METHOD]
                 [-x EXCLUDE_METHOD] [-u USERS] [-U USERS_LIST] [-p PASSWDS]
                 [-P PASSWDS_LIST] [-g PORTS] [-T TIMEOUT_SEC] [-w TIME_SLEEP]
                 [-r] [-s] [-t THREAD_NUMBER] [-M THREAD_NUMBER_HOST]
                 [-R SOCKS_PROXY] [--retries RETRIES] [--ping-before-scan]
                 [--method-args METHODS_ARGS] [--method-args-list]
                 [--start-api] [--api-host API_HOST] [--api-port API_PORT]
                 [--api-debug-mode] [--api-access-key API_ACCESS_KEY]
                 [--api-client-white-list]
                 [--api-client-white-list-ips API_CLIENT_WHITE_LIST_IPS]
                 [--api-access-log]
                 [--api-access-log-filename API_ACCESS_LOG_FILENAME]
                 [--api-cert API_CERT] [--api-cert-key API_CERT_KEY]

انجین:
  گزینه های ورودی انجین

  -L LANGUAGE, --language LANGUAGE
                        یک زبان انتخاب کنید ['ru', 'fr', 'hy', 'nl', 'zh-cn',
                        'ko', 'de', 'tr', 'it', 'iw', 'id', 'fa', 'hi', 'en',
                        'vi', 'el', 'ur', 'ar', 'ja', 'es', 'ps']
  -v VERBOSE_LEVEL, --verbose VERBOSE_LEVEL
                        سطح حالت پرگویی (0-5) (پیشفرض 0)
  -V, --version         نمایش ورژن نرم افزار
  -c, --update          چک کردن جهت آپدیت
  -o LOG_IN_FILE, --output LOG_IN_FILE
                        ذخیره کردن کل لاگ ها در فایل (result.txt، result.html،
                        results.json)
  --graph GRAPH_FLAG    ساخت گراف از همه فعالیت ها و اطلاعات، شما باید از
                        خروجی HTML استفاده کنید. گراف های در دسترس:
                        ['jit_circle_v1_graph', 'd3_tree_v1_graph',
                        'd3_tree_v2_graph']
  -h, --help            نشان دادن منوی کمک Nettacker
  -W, --wizard          شروع به حالت ویزارد مود
  --profile PROFILE     انتخاب پروفایل ['info', 'vuln', 'joomla', 'wordpress',
                        'scan', 'vulnerability', 'information_gathering',
                        'wp', 'brute', 'all']

هدف:
  گزینه های ورودی هدف

  -i TARGETS, --targets TARGETS
                        لیست هدف (ها)، با "," جدا کنید
  -l TARGETS_LIST, --targets-list TARGETS_LIST
                        خواندن هدف (ها) از فایل

متود:
  گزینه های متود های اسکن

  -m SCAN_METHOD, --method SCAN_METHOD
                        متود اسکن را انتخاب کنید ['content_type_options_vuln',
                        'Bftpd_remote_dos_vuln',
                        'ProFTPd_bypass_sqli_protection_vuln',
                        'content_security_policy_vuln', 'CCS_injection_vuln',
                        'clickjacking_vuln', 'server_version_vuln',
                        'ProFTPd_memory_leak_vuln', 'xdebug_rce_vuln',
                        'ProFTPd_directory_traversal_vuln', 'heartbleed_vuln',
                        'x_powered_by_vuln', 'apache_struts_vuln',
                        'http_cors_vuln', 'Bftpd_parsecmd_overflow_vuln',
                        'self_signed_certificate_vuln',
                        'citrix_cve_2019_19781_vuln',
                        'Bftpd_double_free_vuln',
                        'weak_signature_algorithm_vuln',
                        'ssl_certificate_expired_vuln',
                        'wordpress_dos_cve_2018_6389_vuln',
                        'ProFTPd_restriction_bypass_vuln',
                        'wp_xmlrpc_bruteforce_vuln',
                        'ProFTPd_heap_overflow_vuln',
                        'ProFTPd_integer_overflow_vuln',
                        'ProFTPd_exec_arbitary_vuln', 'XSS_protection_vuln',
                        'Bftpd_memory_leak_vuln',
                        'options_method_enabled_vuln',
                        'wp_xmlrpc_pingback_vuln',
                        'ProFTPd_cpu_consumption_vuln', 'wp_xmlrpc_brute',
                        'ftp_brute', 'http_basic_auth_brute', 'smtp_brute',
                        'telnet_brute', 'http_ntlm_brute', 'ssh_brute',
                        'http_form_brute', 'joomla_template_scan',
                        'wp_theme_scan', 'wp_timthumbs_scan', 'pma_scan',
                        'shodan_scan', 'joomla_user_enum_scan',
                        'drupal_theme_scan', 'viewdns_reverse_ip_lookup_scan',
                        'joomla_version_scan', 'wordpress_version_scan',
                        'drupal_version_scan', 'wp_plugin_scan', 'icmp_scan',
                        'dir_scan', 'port_scan', 'wappalyzer_scan',
                        'subdomain_scan', 'wp_user_enum_scan',
                        'cms_detection_scan', 'admin_scan',
                        'drupal_modules_scan', 'sender_policy_scan', 'all']
  -x EXCLUDE_METHOD, --exclude EXCLUDE_METHOD
                        انتخاب متود اسکن استثنا ['content_type_options_vuln',
                        'Bftpd_remote_dos_vuln',
                        'ProFTPd_bypass_sqli_protection_vuln',
                        'content_security_policy_vuln', 'CCS_injection_vuln',
                        'clickjacking_vuln', 'server_version_vuln',
                        'ProFTPd_memory_leak_vuln', 'xdebug_rce_vuln',
                        'ProFTPd_directory_traversal_vuln', 'heartbleed_vuln',
                        'x_powered_by_vuln', 'apache_struts_vuln',
                        'http_cors_vuln', 'Bftpd_parsecmd_overflow_vuln',
                        'self_signed_certificate_vuln',
                        'citrix_cve_2019_19781_vuln',
                        'Bftpd_double_free_vuln',
                        'weak_signature_algorithm_vuln',
                        'ssl_certificate_expired_vuln',
                        'wordpress_dos_cve_2018_6389_vuln',
                        'ProFTPd_restriction_bypass_vuln',
                        'wp_xmlrpc_bruteforce_vuln',
                        'ProFTPd_heap_overflow_vuln',
                        'ProFTPd_integer_overflow_vuln',
                        'ProFTPd_exec_arbitary_vuln', 'XSS_protection_vuln',
                        'Bftpd_memory_leak_vuln',
                        'options_method_enabled_vuln',
                        'wp_xmlrpc_pingback_vuln',
                        'ProFTPd_cpu_consumption_vuln', 'wp_xmlrpc_brute',
                        'ftp_brute', 'http_basic_auth_brute', 'smtp_brute',
                        'telnet_brute', 'http_ntlm_brute', 'ssh_brute',
                        'http_form_brute', 'joomla_template_scan',
                        'wp_theme_scan', 'wp_timthumbs_scan', 'pma_scan',
                        'shodan_scan', 'joomla_user_enum_scan',
                        'drupal_theme_scan', 'viewdns_reverse_ip_lookup_scan',
                        'joomla_version_scan', 'wordpress_version_scan',
                        'drupal_version_scan', 'wp_plugin_scan', 'icmp_scan',
                        'dir_scan', 'port_scan', 'wappalyzer_scan',
                        'subdomain_scan', 'wp_user_enum_scan',
                        'cms_detection_scan', 'admin_scan',
                        'drupal_modules_scan', 'sender_policy_scan']
  -u USERS, --usernames USERS
                        لیست نام کاربری (ها)، با "," جدا شود
  -U USERS_LIST, --users-list USERS_LIST
                        خواندن نام کاربری (ها) از لیست
  -p PASSWDS, --passwords PASSWDS
                        لیست کلمه عبور (ها)، با "," جدا شود
  -P PASSWDS_LIST, --passwords-list PASSWDS_LIST
                        خواندن کلمه عبور (ها) از فایل
  -g PORTS, --ports PORTS
                        لیست درگاه (ها)، با "," جدا شود
  -T TIMEOUT_SEC, --timeout TIMEOUT_SEC
                        خواندن کلمه عبور (ها) از فایل
  -w TIME_SLEEP, --time-sleep TIME_SLEEP
                        زمان مکث بین هر درخواست
  -r, --range           اسکن تمام آی پی ها در رنج
  -s, --sub-domains     پیدا کردن و اسکن کردن ساب دامین ها
  -t THREAD_NUMBER, --thread-connection THREAD_NUMBER
                        تعداد ریسه ها برای ارتباطات با یک هاست
  -M THREAD_NUMBER_HOST, --thread-hostscan THREAD_NUMBER_HOST
                        تعداد ریسه ها برای اسکن هاست ها
  -R SOCKS_PROXY, --socks-proxy SOCKS_PROXY
                        پراکسی ارتباطات خروجی (socks) مثال: 127.0.0.1:9050،
                        socks://127.0.0.1:9050، socks5:127.0.0.1:9050 یا
                        socks4: socks4://127.0.0.1:9050, احراز هویت:
                        socks://username:password@127.0.0.1,
                        socks4://username:password@127.0.0.1,
                        socks5://username:password@127.0.0.1
  --retries RETRIES     سعی مجدد وقتی که ارتباط قطع شد (پیشفرض 3)
  --ping-before-scan    پینگ کردن هست قبل از اسکن
  --method-args METHODS_ARGS
                        ورودی های متود ها را وارد کنید، مثال: "ftp_brute_users
                        =test,admin&ftp_brute_passwds=read_from_file:/tmp/pass
                        .txt&ftp_brute_port=21"
  --method-args-list    لیست کردن کل args مربوط به متود ها

API:
  API گزینه های

  --start-api           شروع سرویس API
  --api-host API_HOST   آدرس هاست API
  --api-port API_PORT   شماره درگاه API
  --api-debug-mode      حالت اشکال زدایی API
  --api-access-key API_ACCESS_KEY
                        کلید دسترسی API
  --api-client-white-list
                        اجازه دادن فقط به لیست سفید هاست ها برای ارتباط با API
  --api-client-white-list-ips API_CLIENT_WHITE_LIST_IPS
                        تعریف کردن لیست سفید، با "," جدا کنید (مثال:
                        127.0.0.1, 192.168.1.1/24, 10.0.0.1-10.0.0.255)
  --api-access-log      تولید لیست دسترسی به API
  --api-access-log-filename API_ACCESS_LOG_FILENAME
                        اسم فایل لیست دسترسی به API
  --api-cert API_CERT   API CERTIFICATE
  --api-cert-key API_CERT_KEY
                        API CERTIFICATE Key


لطفا مجوز و موافقت نامه را مطالعه فرمایید https://github.com/zdresearch/OWASP-Nettacker

Target Input Options

  • OWASP Nettacker supports several types of targets, including IPv4, IPv4_Range, IPv4_CIDR, DOMAIN, and HTTP (which may be useful for some of the modules).

Command Examples

192.168.1.1
192.168.1.1-192.168.255.255
192.168.1.1-192.255.255.255
192.168.1.1/24
owasp.org
http://owasp.org
https://owasp.org
  • Targets can be read from a file with the -l or --targets-list option, or, if you don't want to use a text file, given inline separated by commas.
python nettacker.py -i 192.168.1.1,192.168.1.2-192.168.1.10,127.0.0.1,owasp.org,192.168.2.1/24 -m port_scan -g 20-100 -t 10
python nettacker.py -l targets.txt -m all -x port_scan -g 20-100 -t 5 -u root -p 123456,654321,123123
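The target spellings listed above (single IPv4, IPv4 range, IPv4 CIDR, domain, HTTP/HTTPS URL) share one syntax with the --api-client-white-list-ips option in the help menu, so one classifier covers both. The following is an added example, not Nettacker's own code; the hostname regex and the decision to count hosts rather than enumerate them are my choices, not something the page specifies.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Added example, not Nettacker's own code: classify the target spellings the page
# lists (IPv4, IPv4 range, IPv4 CIDR, domain, HTTP/HTTPS URL) and report how many
# hosts each one covers. Counting instead of enumerating matters because a
# 10.0.0.0/8 expands to 16,777,216 addresses; building that list up front would
# exhaust memory before the first probe is sent.

# Hostname syntax (assumed here): dot-separated labels of letters, digits and
# hyphens, ending in an alphabetic top-level label.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def _ipv4(text):
    """Return an IPv4Address, or None if the text is not a dotted quad."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return None


def classify_target(target):
    """Return (kind, host_count) for one target string; raise ValueError otherwise."""
    t = target.strip()
    if t.lower().startswith(("http://", "https://")):
        if not urlparse(t).hostname:
            raise ValueError(f"URL without a host: {target!r}")
        return "HTTP", 1
    if "/" in t:
        # strict=False accepts 192.168.1.1/24 (host bits set), as the page's examples do
        net = ipaddress.IPv4Network(t, strict=False)
        return "IPv4_CIDR", net.num_addresses
    if "-" in t:
        first, last = t.split("-", 1)
        start, end = _ipv4(first), _ipv4(last)
        if start is not None and end is not None:
            if end < start:
                raise ValueError(f"range end precedes its start: {target!r}")
            return "IPv4_Range", int(end) - int(start) + 1
        # a hyphen that is not an IP range may still belong to a hostname (my-site.org)
    if _ipv4(t) is not None:
        return "IPv4", 1
    if DOMAIN_RE.match(t):
        return "DOMAIN", 1
    raise ValueError(f"unrecognised target: {target!r}")


def parse_targets(spec):
    """Split a comma-separated -i value and classify every entry."""
    return [(t.strip(),) + classify_target(t) for t in spec.split(",") if t.strip()]


if __name__ == "__main__":
    # constructed input in the same shape as the page's -i example
    for entry in parse_targets("192.168.1.1,192.168.1.2-192.168.1.10,127.0.0.1,owasp.org,192.168.2.1/24"):
        print(entry)
```

Rejecting malformed entries up front (a five-octet "address", a range whose end precedes its start) is worth doing before any scan starts: a typo in a range or CIDR silently changes which hosts get probed, and the count returned here is a cheap sanity check against scanning far more than intended.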
  • Here are some more command line examples:
python nettacker.py -i 192.168.1.1/24 -m port_scan -t 10 -M 35 -g 20-100 --graph d3_tree_v2_graph -o result.html
python nettacker.py -i 192.168.1.1/24 -m port_scan -t 10 -M 35 -g 20-100 -o file.html --graph jit_circle_v1_graph
python nettacker.py -i 192.168.1.1/24 -m all -t 10 -M 35 -g 20-100 -o result.json -u root,user -P passwords.txt
python nettacker.py -i 192.168.1.1/24 -m all -x ssh_brute -t 10 -M 35 -g 20-100 -o file.txt -U users.txt -P passwords.txt -T 3 -w 2
  • OWASP Nettacker can also scan subdomains when you add the -s switch:
python nettacker.py -i owasp.org -s -m port_scan -t 10 -M 35 -g 20-100 --graph d3_tree_v2_graph
  • With the -r switch, Nettacker scans the IP range automatically, looking the range up in the RIPE database online.
python nettacker.py -i owasp.org -s -r -m port_scan -t 10 -M 35 -g 20-100 --graph d3_tree_v2_graph
python nettacker.py -i nettackerwebsiteblabla.com,owasp.org,192.168.1.1 -s -r -m all -t 10 -M 35 -g 20-100 -o file.txt -u root,user -P passwords.txt
  • Note: if a host scan finishes without any result, nothing is listed in the output file unless you raise the verbosity level to a value from 1 to 5.
python nettacker.py -i 192.168.1.1/24 -m all -t 10 -M 35 -g 20-100 -o file.txt -u root,user -P passwords.txt -v 1

Using Shodan:

The shodan_scan module accepts a domain name, an IP, or a CIDR range. From each Shodan result it extracts the following fields: IP and port, data (up to 200 bytes), country name, organisation name, CPE values, hostname (if any), and CVEs with their CVSS scores.

How the shodan_scan module works: it takes its inputs through the extra --method-args switch.

python nettacker.py -i pintasuper.com -m shodan_scan --method-args "shodan_api_key=XXX&shodan_query_override=country:in port:6443"

In the example above, Nettacker finds all exposed Kubernetes services in India.

If no shodan_query_override is given in --method-args, the Shodan search runs against the target given with the -i switch. For example:

python nettacker.py -i pintasuper.com -m shodan_scan --method-args "shodan_api_key=XXX"

For a CIDR range:

python nettacker.py -i 10.0.0.0/8 -m shodan_scan --method-args "shodan_api_key=XXX&shodan_query_override=country:in port:8080"

The command above searches for all Tomcat servers running in India within the CIDR range 10.0.0.0/8. In these commands you can change the shodan_query_override value to whatever query you want to run against the Shodan database, for example shodan_query_override=access-control-allow-origin or shodan_query_override=Server:Apache. The results Nettacker returns vary with the API key used (different Shodan API plans return different results).

  • Use the * wildcard pattern to select modules by name
python nettacker.py -i 192.168.1.1/24 -m *_scan
python nettacker.py -i 192.168.1.1/24 -m *_scan,*_vuln
  • Use profiles to run all modules inside a given profile
python nettacker.py -i 192.168.1.1/24 --profile information_gathering
python nettacker.py -i 192.168.1.1/24 --profile information_gathering,vulnerabilities
python nettacker.py -i 192.168.1.1/24 --profile all
  • Use -W, --wizard to run the framework interactively (press Enter to accept the default answer)
$ python nettacker.py -W



   ______          __      _____ _____
  / __ \ \        / /\    / ____|  __ \
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _
                         | \ | |    | | | |           | |
  github.com/viraintel   |  \| | ___| |_| |_ __ _  ___| | _____ _ __
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  viraintel.com          | |\  |  __/ |_| || (_| | (__|   <  __/ |
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|



[+] please enter the targets | Default[None] > 127.0.0.1
[+] please enter the thread number | Default[100] >
[+] please enter the thread numbers for scan hosts | Default[30] >
[+] please enter the output filename | Default[results/results_2018_01_15_13_04_49_zctsvejskf.html] >
[+] please enter the scan methods | choices[ftp_brute, smtp_brute, ssh_brute, dir_scan, subdomain_scan, tcp_connect_port_scan, viewdns_reverse_ip_lookup_scan, heartbleed_vuln, all] | Default[None] > tcp_connect_port_scan
[+] please enter the scan methods to exclude | choices[ftp_brute, smtp_brute, ssh_brute, dir_scan, subdomain_scan, tcp_connect_port_scan, viewdns_reverse_ip_lookup_scan, heartbleed_vuln] | Default[None] >
[+] please enter the usernames | Default[None] >
[+] please enter the passwords | Default[None] >
[+] please enter the timeout seconds | Default[3.0] >
[+] please enter the port numbers | Default[None] >
[+] please enter the verbose level | Default[0] >
[+] please enter the socks proxy | Default[None] >
[+] please enter the retries number | Default[3] >
[+] please enter a graph | choices[d3_tree_v1_graph, d3_tree_v2_graph, jit_circle_v1_graph] | Default[d3_tree_v1_graph] >
[+] Nettacker engine started ...
...

  • Use socks proxy for outgoing connections (default socks version is 5)
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks://127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks4://127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks5://127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks://username:password@127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks4://username:password@127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks5://username:password@127.0.0.1:9050
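The proxy spellings above follow one URL shape: a scheme that fixes the SOCKS version (plain socks:// meaning SOCKS5, as the bullet says), optional credentials, a host, and an optional port. The parser below is an added example, not Nettacker's own code; it assumes port 1080 when none is given (the registered SOCKS port, not something the page states) and adds a redacted form for logging, because a proxy URL that carries a password should not be written to log files as typed.

```python
from urllib.parse import urlparse

# Added example, not Nettacker's own code. Parses the --socks-proxy forms the
# page lists and normalises them to one dict. DEFAULT_PORT is an assumption.
DEFAULT_PORT = 1080

# scheme -> SOCKS protocol version; a bare "socks" means SOCKS5, as the page says
_VERSIONS = {"socks": 5, "socks5": 5, "socks4": 4}


def parse_socks_proxy(url):
    """Return {'version', 'host', 'port', 'username', 'password'} for a proxy URL."""
    parsed = urlparse(url.strip())
    version = _VERSIONS.get(parsed.scheme.lower())
    if version is None:
        raise ValueError(f"unsupported proxy scheme: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError(f"proxy URL without a host: {url!r}")
    return {
        "version": version,
        "host": parsed.hostname,
        "port": parsed.port if parsed.port is not None else DEFAULT_PORT,
        "username": parsed.username,  # None when the URL carries no credentials
        "password": parsed.password,
    }


def redact_proxy(url):
    """Canonical proxy string with the password masked, safe to put in a log line."""
    p = parse_socks_proxy(url)
    auth = ""
    if p["username"] is not None:
        auth = p["username"] + (":***" if p["password"] is not None else "") + "@"
    return f"socks{p['version']}://{auth}{p['host']}:{p['port']}"


if __name__ == "__main__":
    for sample in ("socks://127.0.0.1:9050", "socks4://username:password@127.0.0.1"):
        print(parse_socks_proxy(sample), "->", redact_proxy(sample))
```

Note that urlparse does not percent-decode the user and password fields; a password containing ':' or '@' has to be percent-encoded in the URL, and a caller that forwards the credentials to the proxy must decode them first.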
  • Separate inputs for every module by using --method-args
  • Get the list with --method-args-list
python nettacker.py --method-args-list



   ______          __      _____ _____  
  / __ \ \        / /\    / ____|  __ \ 
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/ 
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1  
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _            
                         | \ | |    | | | |           | |            
  github.com/zdresearch  |  \| | ___| |_| |_ __ _  ___| | _____ _ __ 
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  zdresearch.com         | |\  |  __/ |_| || (_| | (__|   <  __/ |   
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|   
                                               
    

[+] Bftpd_remote_dos_vuln --> bftpd_vuln_ports
[+] drupal_theme_scan --> drupal_theme_ports
[+] content_security_policy_vuln --> csp_vuln_ports
[+] port_scan --> port_scan_ports, port_scan_stealth, udp_scan
[+] icmp_scan --> 
[+] CCS_injection_vuln --> CCS_injection_vuln_ports
[+] smtp_brute --> smtp_brute_ports, smtp_brute_split_user_set_pass, smtp_brute_users, smtp_brute_split_user_set_pass_prefix, smtp_brute_passwds
[+] ProFTPd_restriction_bypass_vuln --> Proftpd_vuln_ports
[+] wp_xmlrpc_brute --> wp_users, wp_xmlrpc_brute_ports, wp_passwds
[+] x_powered_by_vuln --> xpb_vuln_ports
[+] heartbleed_vuln --> heartbleed_vuln_ports
[+] ProFTPd_integer_overflow_vuln --> Proftpd_vuln_ports
[+] admin_scan --> admin_scan_http_method, admin_scan_list, admin_scan_random_agent
[+] drupal_modules_scan --> drupal_modules_ports
[+] subdomain_scan --> subdomain_scan_use_ptrarchive, subdomain_scan_use_google_dig, subdomain_scan_use_cert_spotter, subdomain_scan_use_comodo_crt, subdomain_scan_use_dnsdumpster, subdomain_scan_use_virustotal, subdomain_scan_time_limit_seconds, subdomain_scan_use_netcraft, subdomain_scan_use_threatcrowd
[+] sender_policy_scan --> joomla_version_ports
[+] cms_detection_scan --> cms_detection_ports
[+] ProFTPd_heap_overflow_vuln --> Proftpd_vuln_ports
[+] joomla_template_scan --> joomla_template_ports
[+] ftp_brute --> ftp_brute_users, ftp_brute_passwds, ftp_brute_ports
[+] http_cors_vuln --> http_cors_vuln_ports
[+] joomla_version_scan --> joomla_version_ports
[+] server_version_vuln --> svd_vuln_ports
[+] wp_plugin_scan --> wp_plugin_scan_http_method, wp_plugin_scan_random_agent
[+] http_basic_auth_brute --> http_basic_auth_brute_ports, http_basic_auth_brute_users, http_basic_auth_brute_passwds
[+] ssl_certificate_expired_vuln --> SSL_certificate_vuln_ports
[+] telnet_brute --> telnet_brute_passwds, telnet_brute_ports, telnet_brute_users
[+] ProFTPd_directory_traversal_vuln --> Proftpd_vuln_ports
[+] ProFTPd_exec_arbitary_vuln --> Proftpd_vuln_ports
[+] drupal_version_scan --> drupal_version_ports
[+] wp_user_enum_scan --> wp_user_enum_ports
[+] shodan_scan --> shodan_api_key, shodan_results, shodan_query_override
[+] Bftpd_parsecmd_overflow_vuln --> bftpd_vuln_ports
[+] XSS_protection_vuln --> xss_vuln_ports
[+] wordpress_dos_cve_2018_6389_vuln --> wordpress_dos_cve_2018_6389_vuln_random_agent, wordpress_dos_cve_2018_6389_vuln_no_limit
[+] content_type_options_vuln --> cto_vuln_ports
[+] ssh_brute --> ssh_brute_users, ssh_brute_passwds, ssh_brute_ports
[+] self_signed_certificate_vuln --> self_signed_vuln_ports
[+] xdebug_rce_vuln --> xdebug_vuln_ports
[+] http_form_brute --> http_form_brute_ports, http_form_brute_users, http_form_brute_passwds
[+] ProFTPd_memory_leak_vuln --> Proftpd_vuln_ports
[+] clickjacking_vuln --> clickjacking_vuln_ports
[+] citrix_cve_2019_19781_vuln --> citrix_cve_2019_19781_vuln_ports
[+] ProFTPd_bypass_sqli_protection_vuln --> Proftpd_vuln_ports
[+] weak_signature_algorithm_vuln --> weak_encryption_vuln_ports
[+] Bftpd_memory_leak_vuln --> bftpd_vuln_ports
[+] wappalyzer_scan --> 
[+] wp_xmlrpc_bruteforce_vuln --> xmlrpc_bruteforce_vuln_ports
[+] wp_xmlrpc_pingback_vuln --> xmlrpc_pingback_vuln_ports
[+] options_method_enabled_vuln --> ome_vuln_ports
[+] pma_scan --> pma_scan_random_agent, pma_scan_http_method, pma_scan_list
[+] joomla_user_enum_scan --> joomla_user_enum_ports
[+] Bftpd_double_free_vuln --> bftpd_vuln_ports
[+] wp_theme_scan --> wp_theme_scan_http_method, wp_theme_scan_random_agent
[+] apache_struts_vuln --> struts_vuln_ports
[+] wp_timthumbs_scan --> wp_timthumb_scan_random_agent, wp_timthumb_scan_http_method
[+] dir_scan --> dir_scan_random_agent, dir_scan_http_method, dir_scan_list
[+] wordpress_version_scan --> wordpress_version_ports
[+] viewdns_reverse_ip_lookup_scan --> 
[+] ProFTPd_cpu_consumption_vuln --> Proftpd_vuln_ports
  • and then use them.
  • Note: Don't use the -g switch on the command line if you want to change a module's ports; set them through --method-args instead.
python nettacker.py -i 127.0.0.1 -m tcp_connect_port_scan,dir_scan --method-args "dir_scan_ports=443"
python nettacker.py -i 127.0.0.1 -m tcp_connect_port_scan,dir_scan --method-args "dir_scan_list=read_from_file:/tmp/list.txt"
python nettacker.py -i 127.0.0.1 -m subdomain_scan,dir_scan --method-args "subdomain_scan_use_ptrarchive=False&subdomain_scan_use_netcraft=False&dir_scan_http_method=HEAD"
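As an added illustration of the --method-args syntax shown above (this is not Nettacker's own parser, whose internals may differ), the following Python splits a "key=value&key2=value2" string into a dictionary and resolves the read_from_file: prefix; the type coercion (True/False, integers, comma lists) is an assumption made for the example, and the word list it reads is constructed in a temporary file:

```python
import tempfile
from pathlib import Path

READ_PREFIX = "read_from_file:"


def coerce_value(value: str):
    """Map the textual value to the type the page's examples imply (assumed):
    True/False -> bool, 'read_from_file:<path>' -> non-empty lines of that
    file, 'a,b' -> list, digits -> int, anything else -> unchanged str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.startswith(READ_PREFIX):
        path = Path(value[len(READ_PREFIX):])
        return [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]
    if "," in value:
        return [coerce_value(v.strip()) for v in value.split(",") if v.strip()]
    if value.isdigit():
        return int(value)
    return value


def parse_method_args(spec: str) -> dict:
    """Parse a --method-args string: pairs separated by '&', key and value
    separated by the first '='. A malformed pair is rejected loudly rather
    than silently ignored."""
    parsed = {}
    for pair in spec.split("&"):
        if not pair.strip():
            continue  # tolerate a trailing '&'
        if "=" not in pair:
            raise ValueError(f"malformed method argument: {pair!r}")
        key, _, value = pair.partition("=")
        parsed[key.strip()] = coerce_value(value.strip())
    return parsed


def demo() -> dict:
    """Constructed input: a small directory list on disk plus inline args."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("admin\nbackup\n\nuploads\n")  # the blank line is dropped
    spec = (f"dir_scan_list={READ_PREFIX}{fh.name}"
            "&dir_scan_http_method=HEAD"
            "&dir_scan_ports=80,443"
            "&subdomain_scan_use_netcraft=False")
    return parse_method_args(spec)


if __name__ == "__main__":
    print(demo())
```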
  • Some more command line examples:
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan --profile vulnerabilities
python nettacker.py -W --profile information_gathering
  • You may want to create a new profile. To do that, edit core/config.py in the main directory and add your profiles to the get_profiles function in JSON style:
def get_profiles():
    return {
        "information_gathering": ["tcp_connect_port_scan"],
        "vulnerabilities": ["heartbleed_vuln"],
        "mycustomprofile": ["subdomain_scan", "dir_scan"]
    }
  • You may want to change the default values (timeout, socks proxy, target, ports) or anything else that can be set from the command line. To do that, edit the get_config function in core/config.py in the main directory, in JSON style:
def get_config():
    return {  # OWASP Nettacker Default Configuration
        "language": "fa",
        "verbose_level": 0,
        "show_version": False,
        "check_update": False,
        "log_in_file": "results.json",
        "graph_flag": None,
        "help_menu_flag": False,
        "targets": "127.0.0.1,192.168.1.1",
        "targets_list": None,
        "scan_method": None,
        "exclude_method": None,
        "users": "user1,user2",
        "users_list": None,
        "passwds": "pass1,pass2",
        "passwds_list": None,
        "ports": "1-65535",
        "timeout_sec": 3.0,
        "time_sleep": 0.0,
        "check_ranges": True,
        "check_subdomains": True,
        "thread_number": 1000,
        "thread_number_host": 30,
        "socks_proxy": "socks://127.0.0.1:9050",
        "retries": 3,
        "ping_flag": True,
        "methods_args": None,
        "method_args_list": False,
        "startup_check_for_update": True,
        "wizard_mode": False,
        "profile": "information_gathering"
    }

API and WebUI

The API and the WebUI are two newer interfaces through which you can send your commands to Nettacker. The WebUI is built on top of the API, both to demonstrate it and to serve as an easier alternative interface. To start using this feature, simply run python nettacker.py --start-api.

   ______          __      _____ _____  
  / __ \ \        / /\    / ____|  __ \ 
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/ 
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1  
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _            
                         | \ | |    | | | |           | |            
  github.com/zdresearch  |  \| | ___| |_| |_ __ _  ___| | _____ _ __ 
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  zdresearch.com         | |\  |  __/ |_| || (_| | (__|   <  __/ |   
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|   
                                               
    

 * API Key: ec5e067581f29a28d8c8bbfc6e548f02
 * Serving Flask app "api.engine" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on https://127.0.0.1:5000/ (Press CTRL+C to quit)

As you can see, a random 32-character hexadecimal API key (it looks like an MD5 hash) is generated every time you start the API, so you don't need to set one yourself. You can also supply your own SSL certificate and key so that the API is served over HTTPS:

python nettacker.py --start-api --api-cert ~/cert.crt --api-cert-key ~/key.pem

You can modify the default API config by editing core/config.py:

import random


def _api_config():
    """
    API Config (could be modified by the user)

    Returns:
        a JSON with API configuration
    """
    return {  # OWASP Nettacker API Default Configuration
        "api_host": "127.0.0.1",
        "api_port": 5000,
        "api_debug_mode": False,
        # 32 random hex characters, regenerated on every start unless --api-access-key is given
        "api_access_key": "".join(random.choice("0123456789abcdef") for x in range(32)),
        "api_client_white_list": {
            "enabled": False,
            "ips": ["127.0.0.1", "10.0.0.0/24", "192.168.1.1-192.168.1.255"]
        },
        "api_access_log": {
            "enabled": False,
            "filename": "nettacker_api_access.log"
        },
    }

API Options

  --start-api           start the API service
  --api-host API_HOST   API host address
  --api-port API_PORT   API port number
  --api-debug-mode      API debug mode
  --api-access-key API_ACCESS_KEY
                        API access key
  --api-client-white-list
                        just allow white list hosts to connect to the API
  --api-client-white-list-ips API_CLIENT_WHITE_LIST_IPS
                        define white list hosts, separate with , (examples:
                        127.0.0.1, 192.168.0.1/24, 10.0.0.1-10.0.0.255)
  --api-access-log      generate API access log
  --api-access-log-filename API_ACCESS_LOG_FILENAME
                        API access log filename
  --api-cert API_CERT   API CERTIFICATE
  --api-cert-key API_CERT_KEY
                        API CERTIFICATE Key
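The whitelist is off by default and only matters once the API is bound to something other than 127.0.0.1 (as in the --api-host example below). As an added example that is not Nettacker's own code, the following Python shows the semantics of the three address forms accepted by --api-client-white-list-ips (single address, CIDR block, dashed range) and how a server would check a connecting peer against them; the test values are constructed from the help text above.

```python
import ipaddress


def parse_white_list(spec: str) -> list:
    """Parse a comma-separated --api-client-white-list-ips value into
    (ip_version, first, last) triples, addresses held as integers.
    Accepts the three forms listed in the help text: 127.0.0.1,
    192.168.0.1/24 and 10.0.0.1-10.0.0.255."""
    allowed = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"bad range: {item!r}")
            allowed.append((lo.version, int(lo), int(hi)))
        elif "/" in item:
            # strict=False: '192.168.0.1/24' has host bits set but, as in the
            # help text, is meant as the whole /24 (192.168.0.0-192.168.0.255)
            net = ipaddress.ip_network(item, strict=False)
            allowed.append((net.version,
                            int(net.network_address), int(net.broadcast_address)))
        else:
            addr = ipaddress.ip_address(item)
            allowed.append((addr.version, int(addr), int(addr)))
    return allowed


def is_allowed(client_ip: str, allowed: list) -> bool:
    """True if client_ip falls inside any whitelisted entry. Feed this the
    socket peer address, never a client-supplied header, and deny anything
    that does not parse; an IPv6 peer never matches an IPv4 entry."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    n = int(addr)
    return any(v == addr.version and lo <= n <= hi for v, lo, hi in allowed)


if __name__ == "__main__":
    rules = parse_white_list("127.0.0.1, 192.168.0.1/24, 10.0.0.1-10.0.0.255")
    for peer in ("127.0.0.1", "192.168.0.200", "192.168.1.5", "8.8.8.8"):
        print(peer, "allowed" if is_allowed(peer, rules) else "denied")
```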

API Examples

python nettacker.py --start-api --api-cert ~/cert.crt --api-cert-key ~/key.pem
python nettacker.py --start-api --api-access-key mysecretkey
python nettacker.py --start-api --api-client-white-list
python nettacker.py --start-api --api-client-white-list --api-client-white-list-ips 127.0.0.1,192.168.0.1/24,10.0.0.1-10.0.0.255
python nettacker.py --start-api --api-access-log 
python nettacker.py --start-api --api-access-log --api-access-log-filename log.txt
python nettacker.py --start-api --api-access-key mysecretkey --api-client-white-list --api-access-log 
python nettacker.py --start-api --api-access-key mysecretkey --api-host 192.168.1.2 --api-port 80
python nettacker.py --start-api --api-access-log --api-port 8080 --api-debug-mode
  • For further information on how to use the RESTful API please visit the API page.

Database

OWASP Nettacker currently supports two databases:

  • SQLite
  • MySQL

The default database is SQLite. You can, however, configure the database to your liking.

SQLite configuration

The SQLite database can be configured in the core/config.py file, in the _database_config() function. Here is a sample configuration:

    return {
        "DB": "sqlite",
        "DATABASE": _paths()["home_path"] + "/nettacker.db",  # This is the location of your db
        "USERNAME": "",
        "PASSWORD": "",
        "HOST": "",
        "PORT": ""
    }

MySQL configuration

The MySQL database can be configured in the core/config.py file, in the _database_config() function. Here is a sample configuration:

    return {
        "DB": "mysql",
        "DATABASE": "nettacker",  # This is the name of your db
        "USERNAME": "username",
        "PASSWORD": "password",
        "HOST": "localhost or some other host",
        "PORT": "3306 or some other custom port"
    }

After this configuration:

  1. Open the MySQL configuration file (/etc/mysql/my.cnf on Linux) with sudo privileges.
  2. Add this to the end of the file:
[mysqld]
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
  3. Restart MySQL.

Maltego transforms

Nettacker currently supports local Maltego transforms. Transforms are provided for all the scan, vulnerability scan and brute force modules currently available in Nettacker. The usage is pretty easy and the transforms are pretty intuitive. Maltego is a tool that gathers information and displays it in a graph format suited to human pattern spotting. Maltego is built around entities (email address, domain name, person, phone number, etc.) and transforms (queries) that pull information and match up the connections.

  • To use the Nettacker local transforms, you need the Maltego software. You can download it from the official website.
  • In the OWASP-Nettacker/lib/transactions/maltego/nettacker_transforms/src/nettacker_transforms.conf file, set home-directory to the path of your OWASP-Nettacker directory. Here is an example:

home-directory = /home/wizard/OWASP-Nettacker/

  • After this you need to import the entities into your Maltego software. Click here:
    image
  • Then, in the menu, select the entities.mtz file located in OWASP-Nettacker/lib/transactions/maltego/nettacker_transforms/src/nettacker_transforms/resources/maltego:
    image
  • Once the entities are imported, you need to create the transforms profile. From the OWASP-Nettacker/lib/transactions/maltego/nettacker_transforms/src/ folder run the following command: canari create-profile nettacker_transforms -w {ABSOLUTE PATH OF DIRECTORY}/OWASP-Nettacker/lib/transactions/maltego/nettacker_transforms/src. This will create a nettacker_transforms.mtz file inside OWASP-Nettacker/lib/transactions/maltego/nettacker_transforms/src/.
  • After this, import this file into the Maltego software.
    • Click here:
      image
    • Select the file:
      image
    • Select all the options, or fewer if you want to exclude some modules:
      image
    • Click Finish to complete the import.
  • After this, drag and drop the Nettacker scan or brute entity onto an empty graph (a new graph can be opened with CTRL+T).
  • Double click the entity to open this menu:
    image
    Enter the corresponding inputs into the menu.
  • Right click the graph to see this menu:
    image
  • Select whatever operation you want to perform and it will run that operation for you.
  • Here is an example of a subdomain scan:
    image

Let me know if you have any more questions.