-
Notifications
You must be signed in to change notification settings - Fork 2
136 lines (121 loc) · 4.74 KB
/
kali_tools_scans.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Custom DAST Scans
on:
push:
branches:
- master
- main
jobs:
scans:
runs-on: ubuntu-latest
steps:
#
# UPDATE AND INSTALL
#
- uses: actions/checkout@v2
- name: update and install
run: |
#
# UPDATE
#
sudo apt update -y
sudo apt upgrade -y
#
# INSTALL KALI TOOLS
#
sudo apt install -y dirb nikto whatweb zip wapiti
#
# INSTALL SKIPFISH
#
wget http://apt.nuxeo.org/nuxeo.key -O - | sudo apt-key add
sudo add-apt-repository "deb http://apt.nuxeo.org/ bionic releases"
sudo add-apt-repository "deb http://apt.nuxeo.org/ bionic fasttracks"
sudo apt install wget libc6 libpcre3 zlib1g debconf perl-base -y
wget -O libidn11.deb http://ubuntu.cs.utah.edu/ubuntu/pool/main/libi/libidn/libidn11_1.33-2.1ubuntu1_amd64.deb
wget -O debconf.deb http://archive.ubuntu.com/ubuntu/pool/main/d/debconf/debconf_1.5.66_all.deb
wget -O libssl.deb http://archive.ubuntu.com/ubuntu/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5_amd64.deb
wget -O skipfish.deb http://archive.ubuntu.com/ubuntu/pool/universe/s/skipfish/skipfish_2.10b-1.1_amd64.deb
sudo dpkg -i debconf.deb
sudo dpkg -i libidn11.deb
sudo dpkg -i libssl.deb
sudo dpkg -i skipfish.deb
- name: Setup Python 3.11
uses: actions/setup-python@v2
with:
python-version: 3.11
#
# LAUNCH SERVICE
#
- name: Launch WebScripts
run: |
mkdir WebScripts/hardening
echo "{}" > WebScripts/hardening/logs_checks.json
echo "{}" > WebScripts/hardening/uploads_file_integrity.json
echo "{}" > WebScripts/hardening/webscripts_file_integrity.json
echo "{}" > WebScripts/hardening/audit.html
echo "{}" > WebScripts/hardening/audit.txt
echo "{}" > WebScripts/hardening/audit.json
python3.11 -c "import json as j,os;f=os.path.join('WebScripts','config','server.json');d=j.load(open(f));d['server']['force_file_permissions']=False;j.dump(d,open(f,'w'))"
python3.11 -c "import os;f=os.path.join('WebScripts','WebScripts.py');d=open(f).read().replace('force_file_permissions = secure','force_file_permissions=False');open(f,'w').write(d)"
python3.11 -m WebScripts --accept-unauthenticated-user --accept-unknow-user --blacklist-time 0 --auth-failures-to-blacklist 99999 &>output.txt &
sleep 15
#
# LAUNCH SCANS
#
- name: dirb scan
run: |
dirb http://127.0.0.1:8000/ -u Admin:Admin -o dirb.txt
- name: nikto scan
run: |
nikto -o nikto.html -Format html -Tuning x -evasion 12345678AB -id Admin:Admin -Display V -C all -h http://127.0.0.1:8000/web/auth/
- name: whatweb scan
run: |
whatweb -u Admin:Admin -v -a 4 http://127.0.0.1:8000/ --log-json=whatweb.json
- name: skipfish scan
run: |
skipfish -v -u -H Api-Key=AdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdmin -o skipfish http://127.0.0.1:8000/
zip -r skipfish.zip skipfish
- name: wapiti scan
run: |
wapiti --update
wapiti -u http://127.0.0.1:8000/ -m all -a Admin%Admin --auth-type basic -S insane -f html -o wapiti
- name: WebScripts logs
run: |
tar -czvf logs.tar.gz logs/
#
# UPLOAD REPORTS
#
- name: nikto uploads
uses: actions/upload-artifact@v1
with:
name: nikto_report
path: nikto.html
- name: skipfish uploads
uses: actions/upload-artifact@v1
with:
name: skipfish_report
path: skipfish/
- name: wapiti uploads
uses: actions/upload-artifact@v1
with:
name: wapiti_report
path: wapiti
- name: whatweb uploads
uses: actions/upload-artifact@v1
with:
name: whatweb_report
path: whatweb.json
- name: dirb uploads
uses: actions/upload-artifact@v1
with:
name: dirb_report
path: dirb.txt
- name: WebScripts logs uploads
uses: actions/upload-artifact@v1
with:
name: webscripts_logs
path: logs/
- name: WebScripts output uploads
uses: actions/upload-artifact@v1
with:
name: webscripts_output
path: output.txt