- What it does
- Dependencies
- DNS and route mapping
- OSINT
- Technologies discovery
- Network and services
- SSL
- URL and path discovery
- Vulnerability check
- Web scanners
- Configuration
- Known caveats
- Contributing
Table of contents generated with markdown-toc
## What it does

A web pentest kickstarter.

It's a simple script that executes tools and records their execution in separate files, some of them suitable to import into Faraday, Dradis, PCF, etc.

It aims to be simple and readable rather than fancy, so it can be easily understood and extended.

The script saves the output from commands, so if for some reason you get errors on some steps it can be executed again without going through all the steps. It kind of "saves state" for executed commands, so to speak...

Given the DNS site name and domain, it runs tools against them, taking a web pentest starter approach.

Do not try to trick the script, it's not that smart yet!
Proper execution:

```sh
./webtaz.sh -t site.domain.com -d domain.com
```

Not recommended execution:

```sh
./webtaz.sh -t site.domain.com -d otherdom.com   # No anticipated behavior...
```

There's an "-i" option for passing the target IP address, but it's not tested for the time being.
## Dependencies

It relies on system and external tools to do its job. At this moment there's no proper check for the availability of the needed tools on the system; it's a TODO feature, along with some other important improvements, check the TODO file for more information.

Some tools are available on Kali Linux and other pentesting Linux distros; some you'll need to install from GitHub, links are provided below.

At the end of the script you can comment out/disable some "steps" if needed.
## DNS and route mapping

- dig: direct IP resolution and nameserver mapping
- whois: summary information
- hping3: traceroute via TCP port

## Network and services

- nmap: detect open ports (-sT), then proceed to verify each port; if it listens for HTTP the command is customized
## URL and path discovery

```sh
cargo install spider_cli
```
## Vulnerability check

- one-liner CORS check
- one-liner CRLF check
- ppmap: search for prototype pollution flaws
## Configuration

In the script header there are some important variables to edit so it runs properly.
Some of them may seem redundant, but it's an early release ;)

```sh
#PROXY=""
PROXY="127.0.0.1:8082"
USE_PROXY="true"
USE_PROXY_CHAINS="true"
```
- /etc/proxychains.conf --> needed because we will run nmap with sudo.

Minimal proxychains configuration for use with ZAP and/or Burp Suite.
Remember to add the found HTTP IPs to the ZAP scope!

```
# ---
# strict chain
# [ProxyList]
# http 127.0.0.1 8082
# ---
```
Example use: the CORS check.

```sh
PENTESTER_URL="https://evil.com"
```

Maybe implement a random user agent in the future; for now just put it here.

```sh
USER_AGENT="Mozilla/5.0"
```

We could automate it, but as we are doing a "web pentest", 443/TCP is a good default.
Also, specify "max pkts", which is kind of "max hops", so it does not hang for a long time.

```sh
TRACEROUTE_PORT=443
TRACEROUTE_MAX_PKTS=10
```
shcheck.py can be installed with "pip install shcheck".

```sh
SHCHECK_BIN="/home/micron/.local/bin/shcheck.py"
```

Output format and cookie file; this cookie variable will probably change in future releases and be used with other tools.

```sh
WAPITI_OUTPUT_FMT="html"
WAPITI_COOKIE_FILE="cookie.txt"
```

```sh
NUCLEI_BIN="/home/micron/go/bin/nuclei"
```

Just the prefix, something like "./reports", "../webtaz" or "/home/user/work/webtaz":

```sh
LOG_DIR_PREFIX="outputs/"
```
## Known caveats

- Some tools work with proxychains, others work with ZAP and Burp Suite chained, others just with Burp Suite, others with their own options (-p, --proxy).
- Unfortunately I couldn't get some tools to work with any proxy yet; some may not make sense, like the SSL and WAF checks.

## Contributing

Feel free to suggest features, improvements and tips.