WARNING: Project is still in version 3 BETA. It is still under active development and bugs might be present.
Many tests are going on: see https://github.com/koutto/jok3r/blob/master/tests/TESTS.rst. Ideas, bug reports, contributions are welcome !
.. contents::
   :local:
   :depth: 1
Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests.
The goal is to save as much time as possible during network/web pentests by automating as many security tests as possible, in order to quickly identify low-hanging-fruit vulnerabilities and then spend more time on the more interesting and tricky stuff!
It is based upon the observation that many open-source hacking tools/scripts (from various sources) targeting common network services are available out there, and that they allow performing various tasks from fingerprinting to exploitation. The idea of Jok3r is therefore to combine those open-source tools in a smart way to get the most relevant results.
.. image:: pictures/video-01.png
   :target: https://www.youtube.com/watch?v=FlbeBj5FPtI

.. image:: pictures/video-02.png
   :target: https://www.youtube.com/watch?v=z4cf_8EQ59Q

.. image:: ./pictures/visio/architecture/jok3r-architecture.png
   :alt: Jok3r architecture

.. image:: ./pictures/visio/flowchart/jok3r-flow-chart.svg
   :width: 700px
   :alt: Jok3r flowchart
IMPORTANT: The recommended way to use Jok3r is to pull the Docker image, so you will not have to worry about dependency issues or about installing the various hacking tools of the toolbox. Everything is tested from the Docker container available on Docker Hub!
.. image:: https://raw.githubusercontent.com/koutto/jok3r/master/pictures/docker-logo.png
A Docker image is available on Docker Hub and automatically re-built at each update: https://hub.docker.com/r/koutto/jok3r/. It is initially based on official Kali Linux Docker image (kalilinux/kali-linux-docker).
.. image:: https://images.microbadger.com/badges/image/koutto/jok3r.svg
   :target: https://microbadger.com/images/koutto/jok3r
   :alt: Docker Image size
Pull Jok3r Docker Image:
.. code-block:: console

   sudo docker pull koutto/jok3r
Run fresh Docker container:
.. code-block:: console

   sudo docker run -i -t --name jok3r-container -w /root/jok3r -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix --shm-size 2g --net=host koutto/jok3r
Notes:

- ``-e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix`` is required in order to be able to start GUI applications from the Docker container (e.g. open a web browser to read reports). It requires running ``xhost +local:root`` on the host. Keep in mind that this grants every local process running as root access to your X server; revoke it with ``xhost -local:root`` once you are done.
- ``--shm-size 2g`` increases the size of the shared memory; it is required to avoid crashes of the web browser when reading reports from the Docker container.
- ``--net=host`` is required to share the host's network interfaces. It is needed for reverse connections (e.g. ping back to the container when testing for RCE, getting a reverse shell). Note that the container then runs in the host's network namespace: any port it listens on is exposed directly on the host's interfaces.
To re-run a stopped container:
.. code-block:: console

   sudo docker start -i jok3r-container
To open multiple shells inside the container:
.. code-block:: console

   sudo docker exec -it jok3r-container bash
In order to update, just pull the latest Docker image from Docker Hub and run a fresh container from this new image:

.. code-block:: console

   sudo docker pull koutto/jok3r
   sudo docker run -i -t --name jok3r-container-updated -w /root/jok3r -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix --shm-size 2g --net=host koutto/jok3r

Note: Of course, you can retrieve your local database ``local.db`` (with your saved missions, targets...) from an old container by using the command ``sudo docker cp``.
Show all tools in the toolbox:

.. code-block:: console

   python3 jok3r.py toolbox --show-all

Install all tools in the toolbox (``--auto``: automatic mode, no prompts):

.. code-block:: console

   python3 jok3r.py toolbox --install-all --auto

Update all tools in the toolbox:

.. code-block:: console

   python3 jok3r.py toolbox --update-all

Update all tools in the toolbox without prompting:

.. code-block:: console

   python3 jok3r.py toolbox --update-all --auto

List supported services:

.. code-block:: console

   python3 jok3r.py info --services

List the security checks available for a given service:

.. code-block:: console

   python3 jok3r.py info --checks <service>

List the attack profiles available for a given service:

.. code-block:: console

   python3 jok3r.py info --attack-profiles <service>

List supported products:

.. code-block:: console

   python3 jok3r.py info --products
Create a new mission in local database:
.. code-block:: console

   python3 jok3r.py db
   jok3rdb[default]> mission -a mayhem
   [+] Mission "mayhem" successfully added
   [*] Selected mission is now mayhem
   jok3rdb[mayhem]>
Single target:

Run all checks against a URL target and save the results in mission ``mayhem``:

.. code-block:: console

   python3 jok3r.py attack -t https://www.example.com/ --add2db mayhem

Run checks against an MSSQL service in fast mode (``--fast``: no interactive prompts between checks):

.. code-block:: console

   python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql --add2db mayhem --fast

Run only the checks of the ``recon`` and ``vulnscan`` categories against an FTP service:

.. code-block:: console

   python3 jok3r.py attack -t 192.168.1.142:21 -s ftp --cat-only recon,vulnscan --add2db mayhem
Multiple targets:

Run checks against all targets of the mission using the ``red-team`` attack profile:

.. code-block:: console

   python3 jok3r.py attack -m mayhem --profile red-team --fast

Run all checks against all targets of the mission:

.. code-block:: console

   python3 jok3r.py attack -m mayhem --fast

Run checks only against the FTP services of the mission listening on port 21 or 2121:

.. code-block:: console

   python3 jok3r.py attack -m mayhem -f "port=21,2121;service=ftp" --fast

Combine several filters (a target matching any of the ``-f`` filters is attacked):

.. code-block:: console

   python3 jok3r.py attack -m mayhem -f "port=2121;service=ftp" -f "ip=192.168.1.42;service=http"
Select an existing mission in the database console:

.. code-block:: console

   python3 jok3r.py db
   jok3rdb[default]> mission mayhem
   [*] Selected mission is now mayhem

Import Nmap XML results into the mission:

.. code-block:: console

   jok3rdb[mayhem]> nmap results.xml

Import Shodan data for a given IP into the mission:

.. code-block:: console

   jok3rdb[mayhem]> shodan ip

List the services, hosts, products and credentials of the mission:

.. code-block:: console

   jok3rdb[mayhem]> services
   jok3rdb[mayhem]> hosts
   jok3rdb[mayhem]> products
   jok3rdb[mayhem]> creds

Search in the results of the checks:

.. code-block:: console

   jok3rdb[mayhem]> results --search '<search_string>'

List the detected vulnerabilities:

.. code-block:: console

   jok3rdb[mayhem]> vulns

Generate the mission report:

.. code-block:: console

   jok3rdb[mayhem]> report
You begin a pentest with several servers in the scope. Here is a typical example of usage of Jok3r:

You run an Nmap scan on the servers in the scope.

You create a new mission (let's say "mayhem") in the local database:

.. code-block:: console

   python3 jok3r.py db
   jok3rdb[default]> mission -a mayhem
   [+] Mission "mayhem" successfully added
   [*] Selected mission is now mayhem
   jok3rdb[mayhem]>

You import the Nmap results into the mission:

.. code-block:: console

   jok3rdb[mayhem]> nmap results.xml

You check the imported hosts and services:

.. code-block:: console

   jok3rdb[mayhem]> hosts
   [...]
   jok3rdb[mayhem]> services
   [...]

You run security checks against the targets of the mission, for example against Java-RMI services only, in fast mode:

.. code-block:: console

   python3 jok3r.py attack -m mayhem -f "service=java-rmi" --fast

You review the results of the checks:

.. code-block:: console

   jok3rdb[mayhem]> results

You review the products, credentials and vulnerabilities found during the checks:

.. code-block:: console

   jok3rdb[mayhem]> products
   [...]
   jok3rdb[mayhem]> creds
   [...]
   jok3rdb[mayhem]> vulns
   [...]

You generate the report:

.. code-block:: console

   jok3rdb[mayhem]> report
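As an added example (not Jok3r's own code), here is what happens between the Nmap import and the filtered attack in the workflow above: a constructed Nmap XML report is parsed into the host/service records that ``nmap results.xml`` would import, and targets are then selected with filters written in the ``-f "port=21,2121;service=ftp"`` syntax of the Multiple targets section. The filter semantics implemented here (conditions separated by ``;`` are ANDed, comma-separated values are ORed, several filters are ORed) and the mapping from Nmap service names to Jok3r service names are assumptions made for this example; the sample XML is constructed, not a real scan.

```python
"""Added example, not part of Jok3r: Nmap XML -> service records -> -f style target filters."""
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (not a real scan). Uses the hosts from the README examples.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.1.42" addrtype="ipv4"/>
    <hostnames><hostname name="db01.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server" version="2017"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.142" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="2121"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="1099"><state state="open"/><service name="java-rmi"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed mapping from Nmap service names to the service names Jok3r uses.
NMAP_TO_JOK3R = {"ms-sql-s": "mssql", "http": "http", "ftp": "ftp",
                 "java-rmi": "java-rmi", "telnet": "telnet"}


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host that is up."""
    services = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports never become targets
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            services.append({
                "ip": addr.get("addr"),
                "hostname": hostname,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": NMAP_TO_JOK3R.get(name, name),
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return services


def parse_filter(expr):
    """'port=21,2121;service=ftp' -> {'port': {'21', '2121'}, 'service': {'ftp'}}."""
    conds = {}
    for part in expr.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("bad filter condition: %r" % part)
        key, values = part.split("=", 1)
        conds[key.strip().lower()] = {v.strip().lower() for v in values.split(",") if v.strip()}
    if not conds:
        raise ValueError("empty filter: %r" % expr)
    return conds


def matches(service, conds):
    """Every condition must hold (AND); within one key any listed value matches (OR)."""
    for key, allowed in conds.items():
        if key not in service:
            raise ValueError("unknown filter key: %r" % key)
        if str(service[key]).lower() not in allowed:
            return False
    return True


def select_targets(services, filters):
    """Several -f filters are ORed: a service is kept if any filter matches it."""
    conds_list = [parse_filter(f) for f in filters]
    return [s for s in services if any(matches(s, c) for c in conds_list)]


if __name__ == "__main__":
    svcs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for s in select_targets(svcs, ["port=2121;service=ftp", "ip=192.168.1.42;service=http"]):
        print("%(ip)s:%(port)d %(service)s %(product)s %(version)s" % s)
```

Running the block prints the two targets that the second multi-filter command of the Multiple targets section would attack (the FTP service on 192.168.1.142:2121 and the HTTP service on 192.168.1.42:80); the closed Telnet port is dropped at import time, and a malformed filter such as ``port`` (no ``=``) is rejected before any target is selected.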
Documentation writing in progress...
Updated on: 12/07/2019
Many checks remain to be implemented and more services must be added! Work in progress...

Supported services:

- AJP (default 8009/tcp)
- FTP (default 21/tcp)
- HTTP (default 80/tcp)
- Java-RMI (default 1099/tcp)
- JDWP (default 9000/tcp)
- MSSQL (default 1433/tcp)
- MySQL (default 3306/tcp)
- Oracle (default 1521/tcp)
- PostgreSQL (default 5432/tcp)
- RDP (default 3389/tcp)
- SMB (default 445/tcp)
- SMTP (default 25/tcp)
- SNMP (default 161/udp)
- SSH (default 22/tcp)
- Telnet (default 23/tcp)
- VNC (default 5900/tcp)
Security checks for AJP:

.. code-block:: console
+------------------------+--------------+--------------------------------------------------------------------------+-------------------+
| Name | Category | Description | Tool used |
+------------------------+--------------+--------------------------------------------------------------------------+-------------------+
| nmap-recon | recon | Recon using Nmap AJP scripts | nmap |
| tomcat-version | recon | Fingerprint Tomcat version through AJP | ajpy |
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| default-creds-tomcat | defaultcreds | Check default credentials for Tomcat Application Manager through AJP | ajpy |
| deploy-webshell-tomcat | exploit | Deploy a webshell on Tomcat through AJP and list applications | ajpy |
+------------------------+--------------+--------------------------------------------------------------------------+-------------------+
Security checks for FTP:

.. code-block:: console
+-------------------+--------------+--------------------------------------------------------------------------+-------------------+
| Name | Category | Description | Tool used |
+-------------------+--------------+--------------------------------------------------------------------------+-------------------+
| nmap-recon | recon | Recon using Nmap FTP scripts | nmap |
| ftpmap-scan | vulnscan | Identify FTP server soft/version and check for known vulns | ftpmap |
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| default-creds | defaultcreds | Check default/common credentials on FTP server | hydra |
| bruteforce-creds | bruteforce | Bruteforce FTP accounts | hydra |
| ftp-dirlisting | postexploit | List directories/files on FTP server (maxdepth=4) | lftp |
+-------------------+--------------+--------------------------------------------------------------------------+-------------------+
Security checks for HTTP:

.. code-block:: console
+------------------------------------------+--------------+------------------------------------------------------------------------------------------------+-------------------------------+
| Name | Category | Description | Tool used |
+------------------------------------------+--------------+------------------------------------------------------------------------------------------------+-------------------------------+
| nmap-recon | recon | Recon using Nmap HTTP scripts | nmap |
| load-balancing-detection | recon | HTTP load balancer detection | halberd |
| waf-detection | recon | Identify and fingerprint WAF products protecting website | wafw00f |
| waf-detection2 | recon | Identify and fingerprint WAF products protecting website | identifywaf |
| cloudmare-recon | recon | CloudFlare real IP catcher | cloudmare |
| fingerprinting-multi-whatweb | recon | Identify CMS, blogging platforms, JS libraries, Web servers | whatweb |
| fingerprinting-appserver | recon | Fingerprint application server (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish) | clusterd |
| webdav-detection-msf | recon | Detect WebDAV on webserver | metasploit |
| fingerprinting-multi-wig | recon | Fingerprint several CMS and web/application servers | wig |
| fingerprinting-cms-cmseek | recon | Detect CMS (130+ supported), detect version on Drupal, advanced scan on Wordpress/Joomla | cmseek |
| fingerprinting-cms-fingerprinter | recon | Fingerprint precisely CMS versions (based on files checksums) | fingerprinter |
| fingerprinting-drupal | recon | Fingerprint Drupal 7/8: users, nodes, default files, modules, themes enumeration | drupwn |
| fingerprinting-domino | recon | Fingerprint IBM/Lotus Domino software | domiowned |
| crawling-fast | recon | Crawl website quickly, analyze interesting files/directories | dirhunt |
| crawling-fast2 | recon | Crawl website and extract URLs, files, intel & endpoints | photon |
| vulners-lookup | vulnlookup | Vulnerabilities lookup (language, framework, jslib, cms, server, appserver) on Vulners.com | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup (language, framework, jslib, cms, server, appserver) on Cvedetails.com | cvedetails-lookup |
| default-creds-web-multi | defaultcreds | Check for default credentials on various web interfaces | changeme |
| default-creds-appserver | defaultcreds | Check for default/common credentials on appservers | web-brutator |
| ssl-check | vulnscan | Check for SSL/TLS configuration | testssl |
| headers-analysis | vulnscan | Check HTTP headers | h2t |
| vulnscan-multi-nikto | vulnscan | Check for multiple web vulnerabilities/misconfigurations | nikto |
| webdav-scan-davscan | vulnscan | Scan HTTP WebDAV | davscan |
| webdav-internal-ip-disclosure | vulnscan | Check for WebDAV internal IP disclosure | metasploit |
| webdav-website-content | vulnscan | Detect webservers disclosing its content through WebDAV | metasploit |
| http-put-check | vulnscan | Detect the support of dangerous HTTP PUT method | metasploit |
| apache-optionsbleed-check | vulnscan | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798) | optionsbleed |
| shellshock-scan | vulnscan | Detect if web server is vulnerable to Shellshock (CVE-2014-6271) | shocker |
| iis-shortname-scan | vulnscan | Scan for IIS short filename (8.3) disclosure vulnerability | iis-shortname-scanner |
| iis-internal-ip-disclosure | vulnscan | Check for IIS internal IP disclosure | metasploit |
| tomcat-user-enum | vulnscan | Enumerate users on Tomcat 4.1.0-4.1.39, 5.5.0-5.5.27 and 6.0.0-6.0.18 | metasploit |
| jboss-vulnscan-multi | vulnscan | Scan JBoss application server for multiple vulnerabilities | metasploit |
| jboss-status-infoleak | vulnscan | Queries JBoss status servlet to collect sensitive information (JBoss 4.0, 4.2.2 and 4.2.3) | metasploit |
| jenkins-infoleak | vulnscan | Enumerate a remote Jenkins-CI installation in an unauthenticated manner | metasploit |
| cms-multi-vulnscan-cmsmap | vulnscan | Check for vulnerabilities in CMS Wordpress, Drupal, Joomla | cmsmap |
| wordpress-vulnscan | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpscan |
| wordpress-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpseku |
| joomla-vulnscan | vulnscan | Scan for vulnerabilities in CMS Joomla | joomscan |
| joomla-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlascan |
| joomla-vulnscan3 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlavs |
| drupal-vulnscan | vulnscan | Scan for vulnerabilities in CMS Drupal | droopescan |
| magento-vulnscan | vulnscan | Check for misconfigurations in CMS Magento (working partially) | magescan |
| silverstripe-vulnscan | vulnscan | Scan for vulnerabilities in CMS Silverstripe | droopescan |
| vbulletin-vulnscan | vulnscan | Scan for vulnerabilities in CMS vBulletin | vbscan |
| liferay-vulnscan | vulnscan | Scan for vulnerabilities in CMS Liferay | liferayscan |
| angularjs-csti-scan | vulnscan | Scan for AngularJS Client-Side Template Injection | angularjs-csti-scanner |
| jquery-fileupload-rce-cve2018-9206 | exploit | Exploit arbitrary file upload in jQuery File Upload widget <= 9.22 (CVE-2018-9206) | jqshell |
| struts2-rce-cve2017-5638 | exploit | Exploit Apache Struts2 Jakarta Multipart parser RCE (CVE-2017-5638) | jexboss |
| struts2-rce-cve2017-9791 | exploit | Exploit Apache Struts2 Plugin Showcase OGNL RCE (CVE-2017-9791) | metasploit |
| struts2-rce-cve2017-9805 | exploit | Exploit Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805) | struts-pwn-cve2017-9805 |
| struts2-rce-cve2018-11776 | exploit | Exploit Apache Struts2 misconfiguration RCE (CVE-2018-11776) | struts-pwn-cve2018-11776 |
| rails-rce-cve2019-5420 | exploit | Exploit File Content Disclosure (CVE-2019-5418) + RCE (CVE-2019-5420) On Ruby on Rails | jok3r-pocs |
| appserver-auth-bypass | exploit | Attempt to exploit authentication bypass on appservers | clusterd |
| tomcat-rce-cve2017-12617 | exploit | Exploit for Apache Tomcat JSP Upload Bypass RCE (CVE-2017-12617) | jok3r-pocs |
| jboss-misconfig-exploit | exploit | Try exploit misconfig on JBoss appserver pre-auth (jmx|web|admin-console,JMXInvokerServlet) | jexboss |
| jboss-path-traversal-cve2014-7816 | exploit | Exploit path traversal on Jboss Wildfly 8.1.0 (only Windows) (CVE-2014-7816) | metasploit |
| jboss-deserialize-cve2015-7501 | exploit | Exploit for JBoss Deserialize RCE (CVE-2015-7501) | jok3r-pocs |
| glassfish-path-traversal-cve2017-1000028 | exploit | Exploit path traversal on Glassfish <= 4.1 (CVE-2017-1000028) | metasploit |
| jenkins-unauthenticated-console | exploit | Detect and exploit unauthenticated Jenkins-CI script console | metasploit |
| jenkins-cli-deserialize-cve2015-8103 | exploit | Exploit Java deserialization (unauthenticated) in Jenkins CLI RMI (CVE-2015-8103) | jexboss |
| jenkins-cli-deserialize2-cve2015-8103 | exploit | Exploit Java deserialization (unauthenticated) in Jenkins CLI RMI (CVE-2015-8103) | jok3r-pocs |
| jenkins-groovy-xml-rce-cve2016-0792 | exploit | Exploit Jenkins Groovy XML RCE (CVE-2016-0792) | jok3r-pocs |
| jenkins-deserialize-cve2017-1000353 | exploit | Exploit Jenkins Java Deserialize RCE (CVE-2017-1000353) | jok3r-pocs |
| jenkins-rce-cve2018-1000861 | exploit | Exploit Jenkins unauthenticated RCE via method invocation (CVE-2018-1000861) | jok3r-pocs |
| weblogic-t3-open-jdbc-datasource | exploit | List JNDIs available thru Weblogic T3(s) and attempt to get SQL shell via open JDBC datasource | jndiat |
| weblogic-t3-deserialize-cve2015-4852 | exploit | Exploit Java deserialization (unauthenticated) in Weblogic T3(s) (CVE-2015-4852) | jok3r-pocs |
| weblogic-t3-deserialize-cve2016-3510 | exploit | Exploit Java deserialization (unauthenticated) in Weblogic T3 (CVE-2016-3510) | jok3r-pocs |
| weblogic-t3-deserialize-cve2017-3248 | exploit | Exploit Java deserialization (unauthenticated) in Weblogic T3(s) (CVE-2017-3248) | exploit-weblogic-cve2017-3248 |
| weblogic-t3-deserialize-cve2018-2628 | exploit | Exploit Java deserialization (unauthenticated) in Weblogic T3(s) (CVE-2018-2628) | jok3r-pocs |
| weblogic-t3-deserialize-cve2018-2893 | exploit | Exploit Java deserialization (unauthenticated) in Weblogic T3(s) (CVE-2018-2893) | jok3r-pocs |
| weblogic-rce-cve2018-2894 | exploit | Exploit vulnerability in Weblogic allowing webshell deployment (CVE-2018-2894) | jok3r-pocs |
| weblogic-wls-wsat-cve2017-10271 | exploit | Exploit WLS-WSAT (unauthenticated) in Weblogic (CVE-2017-10271) | jok3r-pocs |
| websphere-deserialize-cve2015-7450 | exploit | Exploit Java deserialization (unauthenticated) in Websphere (CVE-2015-7450) | jok3r-pocs |
| coldfusion-xxe-cve2009-3960 | exploit | Exploit XXE in Coldfusion 7/8/9 (CVE-2009-3960) | metasploit |
| coldfusion-path-traversal-cve2010-2861 | exploit | Exploit path traversal in Coldfusion (CVE-2010-2861) | metasploit |
| coldfusion-path-traversal-cve2013-3336 | exploit | Exploit path traversal in Coldfusion 9/10 and extract creds (CVE-2013-3336) | metasploit |
| iis-webdav-win2003-bof | exploit | Exploit Buffer overflow in WebDAV in IIS 6.0 on Windows 2003 R2 (CVE-2017-7269) | metasploit |
| drupal-sqli-drupalgeddon | exploit | Exploit Drupalgeddon SQLi to add an admin in CMS Drupal 7.x <= 7.31 (CVE-2014-3704) | jok3r-pocs |
| drupal-rce-drupalgeddon2 | exploit | Exploit Drupalgeddon2 RCE in CMS Drupal 7.x < 7.58 & 8.x < 8.1 (CVE-2018-7600) | drupwn |
| drupal-rce-rest-cve2019-6340 | exploit | Exploit REST RCE in CMS Drupal 8.5.x < 8.5.11 & 8.6.x < 8.6.10 (CVE-2019-6340) | drupwn |
| joomla-comfields-sqli-rce | exploit | Exploit SQL injection to RCE in com_fields component in Joomla >= 3.7.0 (CVE-2017-8917) | metasploit |
| bruteforce-htaccess | bruteforce | Bruteforce HTTP authentication (htaccess) if 401 Unauthorized returned | web-brutator |
| bruteforce-appserver | bruteforce | Bruteforce authentication on appserver (if no lockout by default) | web-brutator |
| bruteforce-domino | bruteforce | Bruteforce authentication on IBM/Lotus Domino software | domiowned |
| bruteforce-wordpress | bruteforce | Bruteforce Wordpress accounts (require detected username(s)) | wpseku |
| bruteforce-joomla | bruteforce | Bruteforce Joomla "admin" account | xbruteforcer |
| bruteforce-drupal | bruteforce | Bruteforce Drupal "admin" account | xbruteforcer |
| bruteforce-opencart | bruteforce | Bruteforce Opencart "admin" account | xbruteforcer |
| bruteforce-magento | bruteforce | Bruteforce Magento "admin" account | xbruteforcer |
| discovery-server | discovery | Bruteforce web paths specific to detected web/application servers | dirsearch |
| discovery-cms | discovery | Bruteforce web paths specific to detected CMS | dirsearch |
| discovery-language-directories | discovery | Bruteforce web paths specific to detected language and directories | dirsearch |
| discovery-general | discovery | Bruteforce web paths related to config, database, static files, misc... | dirsearch |
| appserver-postauth-deploy | postexploit | Deploy a webshell on appserver (require credentials) | clusterd |
| wordpress-shell-upload | postexploit | Upload shell on Wordpress (require admin credentials) | wpforce |
+------------------------------------------+--------------+------------------------------------------------------------------------------------------------+-------------------------------+
Security checks for Java-RMI:

.. code-block:: console
+--------------------------------+--------------+-------------------------------------------------------------------------------------------------------+------------+
| Name | Category | Description | Tool used |
+--------------------------------+--------------+-------------------------------------------------------------------------------------------------------+------------+
| nmap-recon | recon | Attempt to dump all objects from Java-RMI service | nmap |
| rmi-enum | recon | Enumerate RMI services | barmie |
| jmx-info | recon | Get information about JMX and the MBean server | twiddle |
| jmx-default-creds | defaultcreds | Check default/common credentials on JMX | jmxbf |
| jmx-bruteforce-creds | bruteforce | Bruteforce creds to connect to JMX registry | jmxbf |
| exploit-rmi-default-config | exploit | Exploit default config in RMI Registry to load classes from any remote URL (not working against JMX) | metasploit |
| exploit-jmx-insecure-config | exploit | Exploit JMX insecure config. Auth disabled: should be vuln. Auth enabled: vuln if weak config | metasploit |
| jmx-auth-disabled-deploy-class | exploit | Deploy malicious MBean on JMX service with auth disabled (alternative to msf module) | sjet |
| tomcat-jmxrmi-deserialize | exploit | Exploit JMX-RMI deserialize in Tomcat (CVE-2016-3427, CVE-2016-8735), req. JmxRemoteLifecycleListener | jexboss |
| rmi-deserialize-all-payloads | exploit | Attempt to exploit Java deserialize against Java RMI Registry with all ysoserial payloads | ysoserial |
| tomcat-jmxrmi-manager-creds | postexploit | Retrieve Manager creds on Tomcat JMX (req. auth disabled or creds known on JMX) | jmxploit |
+--------------------------------+--------------+-------------------------------------------------------------------------------------------------------+------------+
Security checks for JDWP:

.. code-block:: console
+------------+----------+-----------------------------------------------------+-----------------+
| Name | Category | Description | Tool used |
+------------+----------+-----------------------------------------------------+-----------------+
| nmap-recon | recon | Recon using Nmap JDWP scripts | nmap |
| jdwp-rce | exploit | Gain RCE on JDWP service (show OS/Java info as PoC) | jdwp-shellifier |
+------------+----------+-----------------------------------------------------+-----------------+
Security checks for MSSQL:

.. code-block:: console
+-------------------------+--------------+--------------------------------------------------------------------------------------------------------------+-------------------+
| Name | Category | Description | Tool used |
+-------------------------+--------------+--------------------------------------------------------------------------------------------------------------+-------------------+
| nmap-recon | recon | Recon using Nmap MSSQL scripts | nmap |
| mssqlinfo | recon | Get technical information about a remote MSSQL server (use TDS protocol and SQL browser Server) | msdat |
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| default-creds | defaultcreds | Check default/common credentials on MSSQL server | msdat |
| bruteforce-creds | bruteforce | Bruteforce MSSQL accounts ("sa" or known users) | msdat |
| postauth-audit | postexploit | Check permissive privileges, methods allowing command execution, weak accounts after authenticating on MSSQL | msdat |
| postauth-rce-xpcmdshell | postexploit | Try to execute system command via xp_cmdshell (whoami && net user) | msdat |
+-------------------------+--------------+--------------------------------------------------------------------------------------------------------------+-------------------+
Security checks for MySQL:

.. code-block:: console
+----------------------------------+--------------+--------------------------------------------------------------------------+-------------------+
| Name | Category | Description | Tool used |
+----------------------------------+--------------+--------------------------------------------------------------------------+-------------------+
| nmap-recon | recon | Recon using Nmap MySQL scripts | nmap |
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| mysql-auth-bypass-cve2012-2122 | exploit | Exploit password bypass vulnerability in MySQL - CVE-2012-2122 | metasploit |
| default-creds | defaultcreds | Check default/common credentials on MySQL server | hydra |
| bruteforce-creds | bruteforce | Bruteforce MySQL accounts ("root" or known users) | hydra |
| mysql-hashdump | postexploit | Retrieve usernames and password hashes from MySQL database (req. creds) | metasploit |
| mysql-interesting-tables-columns | postexploit | Search for interesting tables and columns in database | jok3r-scripts |
+----------------------------------+--------------+--------------------------------------------------------------------------+-------------------+
Security checks for Oracle:

.. code-block:: console
+--------------------------+--------------+--------------------------------------------------------------------------------------------------------------+-------------------+
| Name | Category | Description | Tool used |
+--------------------------+--------------+--------------------------------------------------------------------------------------------------------------+-------------------+
| tnscmd | recon | Connect to TNS Listener and issue commands Ping, Status, Version | odat |
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| tnspoisoning | vulnscan | Test if TNS Listener is vulnerable to TNS Poisoning (CVE-2012-1675) | odat |
| default-creds | defaultcreds | Check default/common credentials on Oracle server | odat |
| bruteforce-creds | bruteforce | Bruteforce Oracle accounts (might block some accounts !) | odat |
| postauth-audit | postexploit | Check for privesc vectors, config leading to command execution, weak accounts after authenticating on Oracle | odat |
| search-columns-passwords | postexploit | Search for columns storing passwords in the database | odat |
+--------------------------+--------------+--------------------------------------------------------------------------------------------------------------+-------------------+
Security checks for PostgreSQL:

.. code-block:: console
+------------------------------------+--------------+-------------------------------------------------------------------------------+-------------------+
| Name | Category | Description | Tool used |
+------------------------------------+--------------+-------------------------------------------------------------------------------+-------------------+
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| dbname-flag-injection-cve2013-1899 | vulnscan | Check for command-line flag injection on PostgreSQL 9.0|1|2 (CVE-2013-1899) | metasploit |
| default-creds | defaultcreds | Check default/common credentials on PostgreSQL server | hydra |
| bruteforce-creds | bruteforce | Bruteforce PostgreSQL accounts | hydra |
| postauth-rce-cve2019-9193 | postexploit | Try to execute system command post-authentication by exploiting CVE-2019-9193 | psql |
+------------------------------------+--------------+-------------------------------------------------------------------------------+-------------------+
Security checks for RDP:

.. code-block:: console
+----------+----------+-----------------------------------------------------------------------+------------+
| Name | Category | Description | Tool used |
+----------+----------+-----------------------------------------------------------------------+------------+
| ms12-020 | vulnscan | Check for MS12-020 RCE vulnerability (any Windows before 13 Mar 2012) | metasploit |
+----------+----------+-----------------------------------------------------------------------+------------+
Security checks for SMB:

.. code-block:: console
+-----------------------------------+-------------+----------------------------------------------------------------------------------------------+------------+
| Name | Category | Description | Tool used |
+-----------------------------------+-------------+----------------------------------------------------------------------------------------------+------------+
| nmap-recon | recon | Recon using Nmap SMB scripts and check for vulns (MS17-010, MS10-061, MS10-054, MS08-067...) | nmap |
| anonymous-enum-smb | recon | Attempt to perform enum (users, shares...) without account | nullinux |
| detect-ms17-010 | vulnscan | Detect MS17-010 SMB RCE | metasploit |
| samba-rce-cve2015-0240 | vulnscan | Detect RCE vuln (CVE-2015-0240) in Samba 3.5.x and 3.6.X | metasploit |
| exploit-rce-ms08-067 | exploit | Exploit for RCE vuln MS08-067 on SMB | metasploit |
| exploit-rce-ms17-010-eternalblue | exploit | Exploit for RCE vuln MS17-010 EternalBlue on SMB | metasploit |
| exploit-sambacry-rce-cve2017-7494 | exploit | Exploit for SambaCry RCE on Samba <= 4.5.9 (CVE-2017-7494) (no creds if guest account) | metasploit |
| auth-enum-smb | postexploit | Authenticated enumeration (users, groups, shares) on SMB | nullinux |
| auth-shares-perm | postexploit | Get R/W permissions on SMB shares | smbmap |
| smb-exec | postexploit | Attempt to get a remote shell (psexec-like, requires Administrator creds) | impacket |
+-----------------------------------+-------------+----------------------------------------------------------------------------------------------+------------+
Security checks for SMTP:

.. code-block:: console
+----------------+----------+--------------------------------------------------------------------------------------------+----------------+
| Name | Category | Description | Tool used |
+----------------+----------+--------------------------------------------------------------------------------------------+----------------+
| smtp-cve | vulnscan | Scan for vulnerabilities (CVE-2010-4344, CVE-2011-1720, CVE-2011-1764, open-relay) on SMTP | nmap |
| smtp-user-enum | vulnscan | Attempt to perform user enumeration via SMTP commands EXPN, VRFY and RCPT TO | smtp-user-enum |
+----------------+----------+--------------------------------------------------------------------------------------------+----------------+
Security checks for SNMP:

.. code-block:: console
+--------------------------+-------------+---------------------------------------------------------------------+------------+
| Name | Category | Description | Tool used |
+--------------------------+-------------+---------------------------------------------------------------------+------------+
| common-community-strings | bruteforce | Check common community strings on SNMP server | metasploit |
| snmpv3-bruteforce-creds | bruteforce | Bruteforce SNMPv3 credentials | snmpwn |
| enumerate-info | postexploit | Enumerate information provided by SNMP (and check for write access) | snmp-check |
+--------------------------+-------------+---------------------------------------------------------------------+------------+
Security checks for SSH:

.. code-block:: console
+----------------------------------+--------------+--------------------------------------------------------------------------------------------+------------------------------+
| Name | Category | Description | Tool used |
+----------------------------------+--------------+--------------------------------------------------------------------------------------------+------------------------------+
| vulns-algos-scan | vulnscan | Scan supported algorithms and security info on SSH server | ssh-audit |
| vulners-lookup | vulnlookup | Vulnerabilities lookup on Vulners.com (requires product name+version) | vulners-lookup |
| cvedetails-lookup | vulnlookup | Vulnerabilities lookup on Cvedetails.com (requires product name+version) | cvedetails-lookup |
| user-enum-timing-attack | exploit | Try the OpenSSH user enumeration timing attack (OpenSSH versions >= 5.* and <= 7.2) | osueta |
| user-enum-cve2018-15473 | exploit | Attempt to exploit OpenSSH <= 7.7 user enumeration (CVE-2018-15473) | ssh-user-enum-cve-2018-15473 |
| auth-bypass-libssh-cve2018-10933 | exploit | Attempt authentication bypass (CVE-2018-10933) in libssh 0.6+ (fixed in 0.7.6 and 0.8.4) | libssh-scanner |
| default-ssh-key | defaultcreds | Try to authenticate on SSH server using known SSH keys | changeme |
| default-creds | defaultcreds | Check default/common credentials on SSH | hydra |
| bruteforce-creds | bruteforce | Bruteforce SSH accounts | hydra |
+----------------------------------+--------------+--------------------------------------------------------------------------------------------+------------------------------+
Security checks for Telnet:

.. code-block:: console
+-------------------------+------------+----------------------------------------------------------------------------------+-----------+
| Name | Category | Description | Tool used |
+-------------------------+------------+----------------------------------------------------------------------------------+-----------+
| nmap-recon | recon | Recon using Nmap Telnet scripts | nmap |
| default-creds | bruteforce | Check default credentials on Telnet (dictionary from https://cirt.net/passwords) | patator |
| bruteforce-root-account | bruteforce | Bruteforce "root" account on Telnet | patator |
+-------------------------+------------+----------------------------------------------------------------------------------+-----------+
Security checks for VNC:

.. code-block:: console
+-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+
| Name | Category | Description | Tool used |
+-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+
| nmap-recon | recon | Recon using Nmap VNC scripts | nmap |
| vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |
| bruteforce-pass | bruteforce | Bruteforce VNC password | patator |
+-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+
See the `Changelog <https://github.com/koutto/jok3r/blob/master/CHANGELOG.rst>`_.