Webnuke is a console-based Python application for pentesting web applications.
To run:
python console.py
It detects the technologies in use not by parsing files or applying regexes to file names, but from the JavaScript variables and HTML elements present on the page.
The jsconsole option lets you execute your own JavaScript in the browser or run WebNuke's internal JavaScript helpers.
Enter the JavaScript to run, then type @@@ on a new line to execute it in the browser:
var msg="hello world";
alert(msg);
@@@
quit()
@@@
wn_help() - Show WebNuke help
wn_findMethodsOfThis() - Print JavaScript methods
wn_getMethodsPlusCode() - Print JavaScript methods and their code
wn_getFunctions() - Return an array of JavaScript functions
wn_listFunctions() - Print JavaScript function names
wn_findStringsWithUrls() - Try to locate URLs within JavaScript strings
wn_showHiddenFormElements() - Show hidden form elements in the browser
wn_showPasswordFieldsAsText() - Show password fields as text in the browser
wn_showAllHTMLElements() - Set CSS visibility to visible on all HTML elements in the browser
wn_showAngularAppName() - Show the AngularJS main application name
wn_showAngularDeps() - Show the AngularJS main dependencies
wn_showAngularMainClasses() - Show the AngularJS main classes
wn_showAngularAllClasses() - Show all AngularJS classes
wn_testNgResourceClasses() - Test ngResource classes
wn_showAngularRoutes() - Show AngularJS URL routes
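The JavaScript below is an added example, not WebNuke's own code, showing the approach behind wn_findStringsWithUrls() and the HTML tools' option to find URLs within JavaScript global properties: walk an object graph the way you would walk window, stop at the cycles that window.self and back-references create, tolerate properties whose getters throw (cross-origin frames), and pull out anything that looks like an absolute, protocol-relative or root-relative URL. The fakeWindow object, the URL heuristics and the rule that skips wn_-prefixed helpers are assumptions made for the example; in a real jsconsole session you would pass window instead.

```javascript
// Added example, not WebNuke's own code: collect URL-looking strings from an
// object graph, the way a wn_findStringsWithUrls()-style helper walks `window`.

// Absolute (http://, https://) and protocol-relative (//host/...) URLs anywhere
// in a string. Heuristic: a JS comment such as "//x" inside a string also matches.
const ABS_URL_RE = /(?:https?:)?\/\/[^\s"'<>`]+/g;
// Whole string is a root-relative path such as "/api/v2/users?page=1".
const PATH_RE = /^\/[A-Za-z0-9_\-.~%\/]+(?:\?[^\s"'<>`]*)?$/;

function extractUrls(str) {
  const found = new Set();                      // Set dedups a string matched by both regexes
  for (const m of str.match(ABS_URL_RE) || []) found.add(m);
  if (PATH_RE.test(str)) found.add(str);
  return [...found];
}

// Depth-first walk over own properties. Objects and functions are both
// traversed (libraries hang config off function objects); a WeakSet stops
// cycles such as window.self and maxDepth bounds the walk into large trees.
function findStringsWithUrls(root, { maxDepth = 6, skip = () => false } = {}) {
  const seen = new WeakSet();
  const hits = [];
  function visit(value, path, depth) {
    if (typeof value === 'string') {
      for (const url of extractUrls(value)) hits.push({ path, url });
      return;
    }
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return;
    if (seen.has(value) || depth > maxDepth) return;
    seen.add(value);
    let keys;
    try { keys = Object.getOwnPropertyNames(value); } catch (_e) { return; }
    for (const key of keys) {
      if (skip(path, key)) continue;
      let child;
      try { child = value[key]; } catch (_e) { continue; }   // cross-origin frames, throwing getters
      visit(child, path ? `${path}.${key}` : key, depth + 1);
    }
  }
  visit(root, '', 0);
  return hits;
}

// Constructed stand-in for `window` so the example runs outside a browser.
function buildFakeWindow() {
  const w = {
    location: { href: 'https://app.example.test/dashboard' },
    appConfig: {
      apiBase: '/api/v2/',
      cdn: '//cdn.example.test/assets/',
      debug: false,
      nested: { exportUrl: 'https://app.example.test/api/v2/export?format=csv' },
    },
    banner: 'Welcome back',
    counters: [1, 2, 3],
    wn_help: function () {},                    // stands in for WebNuke's injected helpers
  };
  w.self = w;                                   // cycle, like window.self
  w.appConfig.owner = w;                        // back-reference cycle
  return w;
}

function demoHits() {
  return findStringsWithUrls(buildFakeWindow(), {
    skip: (path, key) => key.startsWith('wn_'), // assumption: ignore WebNuke's own helpers
  });
}

console.log(demoHits());
```

Each hit carries the property path (for example appConfig.nested.exportUrl) alongside the URL, which is what you need to find the code that builds the request to that endpoint.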
The HTML tools can be used to expose hidden form elements and can also drive the browser by clicking every HTML element on the page.
The click-every-element option can take a while to complete, but it is helpful for flushing out URLs for the site. Note that it also clicks links and buttons that change state (logout, delete, submit), so run it in a session you can afford to lose.
The type 'test' option is useful when dealing with Ajax calls, since typing into a field is often what triggers the request.
- Show hidden form elements
- Turn password fields into text
- Turn CSS visibility on for all HTML elements
- Click every element on the page
- Type 'test' into every text box
- Find URLs within JavaScript global properties
- Show JavaScript functions of document
- Run all JS functions without args
The main advantage of the AngularJS option is that it tries to extract data from any service or API the application defines with the AngularJS ngResource class.
- Show Main Application Name
- Show Routes (URLs to things!)
- Show Dependencies
- Show Main Classes
- Show All Classes
- Test classes relying on ngResource
Spider will crawl the current URL using the KitchenSinks resource from FuzzDB.
- Set URL to spider
- Run Kitchensinks in foreground
The followme option is useful for testing authenticated access. It opens a second browser instance and visits the URLs being visited by the original browser instance.
- Log in as a user
- Activate followme
- Click around the web application using the browser that is currently logged in
- The URLs visited will be loaded in the unauthenticated second browser instance, so any page that renders the same in both browsers is a candidate for a missing authorization check
The brute option will attempt to brute force login screens. First the user has to identify the login and password fields by typing nukeuser into the username field and nukepass into the password field, so that WebNuke knows which fields to substitute.
The username and password lists are limited and are left to the user to supply or code.
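The following JavaScript is an added example, not WebNuke's own code, of the marker technique described above: given the form body a browser sends after nukeuser and nukepass have been typed in, find the field names carrying the markers (so the tool never has to guess from names like f_7a21), refuse to proceed if the markers do not identify exactly one field each, and then template the body for every username and password pair. CAPTURED_BODY, the field names and the credential lists are constructed for the example.

```javascript
// Added example, not WebNuke's own code: locate login fields via marker values
// and template the captured request body for a brute-force run.

// Constructed sample of an application/x-www-form-urlencoded login body as a
// browser would send it after the markers were typed into the form.
const CAPTURED_BODY = 'csrf=3f9a1c&f_7a21=nukeuser&f_9c04=nukepass&remember=0&submit=Sign+in';

function locateCredentialFields(body, userMarker = 'nukeuser', passMarker = 'nukepass') {
  const params = new URLSearchParams(body);
  const userFields = [];
  const passFields = [];
  for (const [name, value] of params) {
    if (value === userMarker) userFields.push(name);
    if (value === passMarker) passFields.push(name);
  }
  // Exactly one of each, otherwise the guess is ambiguous and attempts would
  // be sent into the wrong field.
  if (userFields.length !== 1 || passFields.length !== 1) {
    throw new Error(`expected one username and one password field, found ${userFields.length}/${passFields.length}`);
  }
  return { userField: userFields[0], passField: passFields[0] };
}

// Yields one request body per username/password pair. Every other field
// (csrf, remember, submit) is replayed verbatim; a per-request CSRF token
// would have to be refreshed before each attempt.
function* loginAttempts(body, users, passwords) {
  const { userField, passField } = locateCredentialFields(body);
  for (const user of users) {
    for (const pass of passwords) {
      const params = new URLSearchParams(body);
      params.set(userField, user);          // set() keeps the field's original position
      params.set(passField, pass);
      yield { user, pass, body: params.toString() };
    }
  }
}

// Constructed demo lists; real runs use the user-supplied lists.
const DEMO_USERS = ['admin', 'bob'];
const DEMO_PASSWORDS = ['Winter2024!', 'password'];

function demoAttempts() {
  return [...loginAttempts(CAPTURED_BODY, DEMO_USERS, DEMO_PASSWORDS)];
}

console.log(locateCredentialFields(CAPTURED_BODY));
for (const attempt of demoAttempts()) console.log(attempt.body);
```

The same marker check applies to JSON login bodies; only the parsing step changes.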
The aws option will attempt to detect whether any image files, CSS files, JavaScript files, meta tags or link tags reference a URL that points to an AWS S3 bucket.
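As an added example, not WebNuke's own code, the JavaScript below shows how such a check can classify the URLs pulled from those tags: resolve each reference against the page URL (so protocol-relative //bucket.s3.amazonaws.com/... references are caught), match the hostname against the S3 endpoint forms (virtual-hosted, path-style and static-website, with or without a region), and return the bucket name. It also shows what the check cannot see: a look-alike hostname such as acme.s3.amazonaws.com.evil.test is rejected, and a custom domain CNAMEd to a bucket is not detectable from the hostname alone. SAMPLE_REFS, the bucket names and the base URL are constructed for the example.

```javascript
// Added example, not WebNuke's own code: decide whether a URL taken from an
// <img src>, <link href>, <script src> or <meta content> points at an S3 bucket.
// Hostname forms covered (<region> is a string such as us-east-1):
//   virtual-hosted  bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
//                   bucket.s3-<region>.amazonaws.com, bucket.s3.dualstack.<region>.amazonaws.com
//   static website  bucket.s3-website-<region>.amazonaws.com, bucket.s3-website.<region>.amazonaws.com
//   path-style      s3.amazonaws.com/bucket/..., s3.<region>.amazonaws.com/bucket/...
// Custom domains CNAMEd to a bucket cannot be recognised from the hostname.
const S3_HOST_RE =
  /^(?:([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?s3(?:[.-](?:website[.-])?[a-z0-9.-]+)?\.amazonaws\.com$/;

function s3BucketFromUrl(ref, base = 'https://page.example.test/') {
  let url;
  try { url = new URL(ref, base); } catch (_e) { return null; }        // malformed reference
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null; // data:, javascript:, ...
  const m = S3_HOST_RE.exec(url.hostname);     // hostname is already lower-cased by the parser
  if (!m) return null;
  if (m[1]) return { bucket: m[1], style: 'virtual-hosted', host: url.hostname };
  const first = url.pathname.split('/').filter(Boolean)[0]; // path-style: first segment is the bucket
  return first ? { bucket: first, style: 'path', host: url.hostname } : null;
}

// Constructed sample of the references the aws option inspects.
const SAMPLE_REFS = [
  { tag: 'img',    attr: 'src',     value: 'https://acme-static-assets.s3.amazonaws.com/logo.png' },
  { tag: 'link',   attr: 'href',    value: '//acme-static-assets.s3-eu-west-1.amazonaws.com/site.css' },
  { tag: 'script', attr: 'src',     value: 'https://s3.us-east-1.amazonaws.com/acme-js-bundles/app.js' },
  { tag: 'meta',   attr: 'content', value: 'http://acme-www.s3-website-us-east-1.amazonaws.com/' },
  { tag: 'img',    attr: 'src',     value: '/images/local.png' },
  { tag: 'script', attr: 'src',     value: 'https://cdn.example.test/js/vendor.js' },
  { tag: 'a',      attr: 'href',    value: 'https://acme.s3.amazonaws.com.evil.test/' },
];

// Groups the matching references by bucket so each bucket is reported once
// with every tag that pointed at it.
function findS3References(refs, base) {
  const byBucket = new Map();
  for (const ref of refs) {
    const hit = s3BucketFromUrl(ref.value, base);
    if (!hit) continue;
    if (!byBucket.has(hit.bucket)) byBucket.set(hit.bucket, []);
    byBucket.get(hit.bucket).push({ ...ref, style: hit.style, host: hit.host });
  }
  return byBucket;
}

for (const [bucket, refs] of findS3References(SAMPLE_REFS, 'https://page.example.test/')) {
  console.log(bucket, refs.map(r => `${r.tag}[${r.attr}] (${r.style})`));
}
```

A bucket reported here is only a lead: whether it permits anonymous listing, reading or writing is a separate check against the bucket itself.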