ExtPenPy

ExtPenPy is a tool that will help you finalizing your recon phase faster.

Primary language: Python

ExtPenPy consists of three modes:

  1. Passive:
    • Collecting subdomains (without brute forcing)
    • Whois database check
    • Zone transfer
    • DNS records check
    • Reverse DNS lookup
    • IP address range
    • Regex to Google Dork
  2. Active:
    • Cloud storage enumeration
    • Identifying known paths (.git, .htaccess, etc.)
    • Interesting headers
    • Taking screenshots of validated subdomains
    • All the passive checks
    • Validating hosts running HTTP[S]
    • Gathering included paths (without brute forcing)
    • Collecting subdomains (with brute forcing)
  3. APK:
    • Collecting URLs
    • Root detection check
    • SDK version check
    • Decompiling APK to smali and Java
    • Extracting sensitive information like API keys, passwords, etc.
    • Debuggable mode check
    • Checking permissions
    • Checking activities (including exported activities)
    • Checking whether backup is allowed
    • Collecting strings.xml files

Sample Run

Sample run video: Sample_run.mp4

Chrome Installation (must be installed for the screenshots module to work)

Windows

Install Chrome for Windows.

Linux

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i ./google-chrome-stable_current_amd64.deb

Installation:

pipx installation:

pip3 install pipx
pipx install extpenpy==1.3

Installation from source:

git clone https://github.com/maliktawfiq/ExtPenPy.git
cd ExtPenPy
pip install -r requierments.txt
sudo apt install apktool
python3 ExtPen.py -h

Docker:

git clone https://github.com/maliktawfiq/ExtPenPy.git
cd ExtPenPy
docker build -t extpenpy .
#linux
docker run -it -v $PWD:/app extpenpy -h
#windows
docker run -it -v "%cd%":/app extpenpy -h

Usage:

  • Passive

python3 ExtPen.py -h

python3 ExtPen.py passive -d careem.com

  • Whois database and zone transfer attempt (screenshot)

  • -p or --pip allows piping the subdomain output to a file, another tool, etc., as shown below:

python3 ExtPen.py passive -d $Domain -p | tee test.txt

  • You can add --csv to save the subdomains to a CSV file:

python3 ExtPen.py passive -d $domain --csv ./subdomains

  • Active:

python3 ExtPen.py active --help

python3 ExtPen.py active -d $domain

  • Example of cloud storage enumeration (screenshot)

  • Example of web enumeration (screenshot)
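As an added example (not ExtPenPy's own code and not part of this README), this is the kind of "interesting headers" review the active mode performs on hosts it has validated, applied to a constructed HTTP response so it runs offline. The sample response, the set of headers treated as required, the disclosure headers and the HSTS max-age threshold are all assumptions made for the example.

```python
"""Added example: audit a captured HTTP response for missing hardening headers,
version-disclosing headers, a weak HSTS policy and cookies without Secure/HttpOnly."""
import re

# Constructed sample response; not a capture from any real host.
SAMPLE_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc; Path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers whose absence is worth reporting (assumed baseline).
REQUIRED = {
    "strict-transport-security": "no HSTS: browsers may be downgraded to plain HTTP",
    "content-security-policy": "no CSP: no script-source restrictions against XSS",
    "x-content-type-options": "no nosniff: browsers may MIME-sniff responses",
    "x-frame-options": "no framing restriction: clickjacking protection absent",
}
# Headers that commonly reveal software versions.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
ONE_YEAR = 31536000  # assumed minimum HSTS max-age in seconds


def parse_response_headers(raw):
    """Split a raw response into (status line, {lower-case name: [values]})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_headers(headers):
    """Return a list of (kind, subject, detail) findings for one response."""
    findings = []
    for name, why in REQUIRED.items():
        if name not in headers:
            findings.append(("missing", name, why))
    for name in DISCLOSING:
        for value in headers.get(name, []):
            findings.append(("disclosure", name, value))
    for value in headers.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", value)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("weak", "strict-transport-security", value))
    for value in headers.get("set-cookie", []):
        parts = value.split(";")
        flags = {p.strip().lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings.append(("cookie", parts[0].strip(), "missing " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response_headers(SAMPLE_RAW)
    print(status)
    for kind, subject, detail in audit_headers(hdrs):
        print("[%s] %s: %s" % (kind, subject, detail))
```

Header names are lower-cased and kept as lists because a response may repeat a header (several Set-Cookie lines are normal), and the audit reports per value rather than collapsing them.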

  • APK (currently Linux only):

After running the APK analysis, two directories will be created:

  1. Javacode: contains the decompiled Java code
  2. apk_decomiled: holds the data before decompiling

python3 ExtPen.py apk -h

  • The activities and the permissions the application uses (screenshot)

  • Certificate check and identification of sensitive strings found (screenshot)

  • Exporting links found in the APK (screenshot)
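As an added example (not ExtPenPy's code and not part of this README), the following script performs the static checks the APK mode lists for an unpacked app: debuggable mode, backup allowed, permissions, exported activities, SDK versions and sensitive strings. It works on a constructed AndroidManifest.xml and strings.xml embedded inline, so it runs without an APK; the sample files, the secret patterns and the targetSdkVersion threshold are assumptions.

```python
"""Added example: manifest and strings.xml review of the kind an APK recon step
performs, run over constructed input rather than a decompiled application."""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Constructed sample manifest, not from any real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed sample strings.xml with planted values.
SAMPLE_STRINGS = """<?xml version="1.0" encoding="utf-8"?>
<resources>
  <string name="app_name">Demo</string>
  <string name="api_base">https://api.example.com/v1/</string>
  <string name="aws_key">AKIAEXAMPLEKEY123456</string>
  <string name="legacy_password">hunter2</string>
</resources>
"""


def analyze_manifest(xml_text):
    """Return the manifest facts that matter for a quick security review."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    exported = []
    for act in app.findall("activity"):
        flag = act.get(A + "exported")
        # Before API 31 an activity with an intent-filter is exported unless
        # android:exported="false" is set explicitly.
        if flag == "true" or (flag is None and act.find("intent-filter") is not None):
            exported.append(act.get(A + "name"))
    return {
        "package": root.get("package"),
        "min_sdk": int(sdk.get(A + "minSdkVersion")) if sdk is not None else None,
        "target_sdk": int(sdk.get(A + "targetSdkVersion")) if sdk is not None else None,
        "debuggable": app.get(A + "debuggable") == "true",
        "allow_backup": app.get(A + "allowBackup", "true") == "true",  # absent means true
        "permissions": [p.get(A + "name") for p in root.findall("uses-permission")],
        "exported_activities": exported,
    }


def manifest_issues(info, min_target_sdk=28):
    """Turn the facts into findings; the SDK threshold is an assumption."""
    issues = []
    if info["debuggable"]:
        issues.append("android:debuggable=true: a debugger can be attached to the app")
    if info["allow_backup"]:
        issues.append("android:allowBackup=true: app data is included in adb/cloud backups")
    if info["target_sdk"] is not None and info["target_sdk"] < min_target_sdk:
        issues.append("targetSdkVersion %d is below %d" % (info["target_sdk"], min_target_sdk))
    for name in info["exported_activities"]:
        issues.append("exported activity: " + name)
    return issues


# Patterns for the strings.xml scan (assumed, kept short on purpose).
VALUE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}
NAME_PATTERN = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)


def scan_strings(xml_text):
    """Return (label, resource name, value) for every suspicious string resource."""
    findings = []
    for s in ET.fromstring(xml_text).findall("string"):
        name, value = s.get("name"), (s.text or "")
        for label, pat in VALUE_PATTERNS.items():
            if pat.search(value):
                findings.append((label, name, value))
        if NAME_PATTERN.search(name):
            findings.append(("secret_name", name, value))
    return findings


if __name__ == "__main__":
    info = analyze_manifest(SAMPLE_MANIFEST)
    for issue in manifest_issues(info):
        print("[manifest]", issue)
    for label, name, value in scan_strings(SAMPLE_STRINGS):
        print("[strings] %s: %s = %s" % (label, name, value))
```

On a real decompile the two sample strings would be read from the apktool output directory (AndroidManifest.xml at its root, res/values/strings.xml below it); the exported-activity rule deliberately treats a missing android:exported on an activity with an intent-filter as exported, which is the pre-API-31 default and the case a quick review most often misses.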

  • Disclaimer

ExtPenPy was made to help security researchers speed up the reconnaissance phase; it is intended for legal and ethical penetration testing only. Unauthorized use is prohibited and may be illegal. Users must ensure compliance with all relevant laws and regulations. The developers are not liable for any misuse or damages.