Crimson v3

Crimson is a tool that automates ASSET DISCOVERY and VULNERABILITY SCANNING.

The container is built on top of the Kali distro.

It consists of fourth partially interdependent modules:

• crimson_IPcon - tests the single IP or range of IP addresses. Automates the process of infrastructure reconnaissance & vulnerability scanning.
• crimson_recon - tests the single domain. Automate the infrastructure reconnaissance process, subdomains enumeration, and vulnerability scanning if you .
• crimson_target - tests single web application. Automates the process of a single-domain reconnaissance and vulnerability scanning.
• crimson_exploit - automates the process of bug founding in gathered URLs.

Installation & running

1. Pull docker container:

docker pull karmaz95/crimson:v3

2. First run of downloaded container:

docker run --net="host" --name crimson -it karmaz95/crimson:v3

3. After the first run, you can start the container by:

docker start crimson && docker attach crimson

4. If you need to copy output from the container:

docker cp crimson:/root/bounty/domain.name LOCAL_DEST_PATH

Usage

Commands issued inside a docker container.

:diamonds: crimson_IPcon :diamonds:

:diamonds: Module zero needs IP ADDRESS or list_with_ip.txt :diamonds:

# The most optimal use:
c_0 -l ip.txt -t -u -p -k '' -v -b

crimson_IPcon -i IPADDRESS
        
        # Optional flags are shown below:
        -l ip.txt               # Only IPs, one per line.
        -o /root/bounty/        # The default directory is /root/bounty/$(date +%Y_%m_%d_%H_%M)
        -t                      # TCP SCAN ON (FULL RANGE) 
        -u                      # UDP SCAN ON (TOP 1000 PORTS)
        -p                      # PING SWEEP ON
        -k ''                   # 1. user enum
                                # 2. pass spraying
                                # 3. ASREPROAST (no pass)
        -v                      # VULNERABILITY SCANNING
        -b                      # BRUTE FORCE

• Check the MEDIUM ARTICLE, which explains the crimson_IPcon module deeper.

:diamonds: crimson_recon :diamonds:

:diamonds: First module needs domain name :diamonds:

# The most optimal use (-x for domain bruteforcing):
c_1 -d "DOMAIN" -v -x

crimson_recon -d "domain.com" 
                   
                   # Optional flags are shown below: 
                -x # Domain brute-forcing
                -v # Virtual host discovering
                -b # Third-level subdomain brute-forcing
                -y # Proxy urls.txt and live.txt to Burp (127.0.0.1:8080)
                -j "burp.collaborator.domain" # Scan for log4j vulnerability on all URLs & live domains

• Check the MEDIUM ARTICLE, which explains the crimson_recon module deeper.

:diamonds: crimson_target :diamonds:

:diamonds: Second module needs subdomain name :diamonds:

# The most optimal use:
c_2 -d "DOMAIN" -c "Cookie: auth1=123;" -a -v -h
# Then check urls.txt and use crimson_backuper manually on selected URLs to save time:
python "/root/tools/crimson/scripts/crimson_backuper.py" -w urls.txt -e "/root/tools/crimson/words/BCK_EXT" -c "$cookie" -o backups.txt

crimson_target -d "example.domain.com" 
                
                # Optional flags are shown below:
                -c "Cookie: auth1=123;"
                -j "burp.collaborator.domain" # SSRF check with quickpress
                -v # Virtual host discovering
                -a # Without this flag, you have to check for false-positives after brute-forcing manually
                -y # Proxy urls.txt and ffuf.txt to Burp (host.docker.internal:8080)
                -p # Parameter brute-forcing with Arjun (WARNING - it takes a lot of time, better use Burp Param Miner)
                -h # Test HOP-BY-HOP header deletion at the end
                -b # Check backup files on all live URLs (status code != 404) 
                   # Can take a few hours...
                -n # Use this option to skip the directory brute-forcing phase
                -k # Test HTTP inseated of HTTPS

• Check the MEDIUM ARTICLE, which explains the crimson_target module deeper.

:diamonds: crimson_exploit :diamonds:

:diamonds: The third module needs two files in the current directory, dirs.txt and paramst.txt. These files are created by the crimson_target module in the exp directory :diamonds:

# The most optimal use - go to "exp" directory and run:
c_3 -d "BURP_DOMAIN" -i "VPS_IP"  

Usage: prepare two files in the current directory and use the crimson_exploit command:
    
    [*] dirs.txt - file with directories to check:
        https://target/directory1/
        https://target/directory2/
        https://target/
    
    [*] params.txt - file with parameters to check:
        https://target/example?a=1b=2
        https://target?param=asd

        # Optional flags are shown below:
        -c "Cookie: auth1=123;"
        -i 123.123.123.123 # IP for OAST testing - run the below commands on the VPS server
                              # > start: sudo tcpdump -i eth0 icmp
                              # > start: sudo python3 -m http.server 80
        -d domain.burp.com # DOMAIN for OAST testing
                              # > You can use Burp collaborator server
        -x "/root/wordlist"# Fuzzing all.txt with a given wordlist
                              # > Use '' for a default one /root/tools/crimson/words/bug
        -n                 # Turn on NUCLEI scan on all URLs
        -o                 # Test open redirection vulnerabilities on all URLs

:diamonds: Before starting third module, run the listener on your vps machine on port 80 python -m http.server 80 and for ping payloads tcpdump -i eth0 icmp :diamonds:

• Check the MEDIUM ARTICLE, which explains the crimson_exploit module deeper.

Usage - modules description

:small_red_triangle_down: [] crimson_IPcon

Module for initial testing of the infrastructure using only IP addresses. Useful before starting Nessus.

## FUNCTIONS:
#
# 1. PING SWEEP
# 2. PORT SCANNING (TCP & UPD)
# 3. HOSTNAME ENUMERATION
# 4. ENUM4LINUX
# 5. USER ENUM - if 88 open  
# 6. AREPROAST CHECK - if 88 open
# 7. PASS SPRAYING - using username as a password with the below combinations:
#    - user
#    - USER
#    - User
#    - null (no password)
# 8. NSE SCAN
# 9. NUCLEI SCAN
# 10. SSH AUDIT
# 11. MISCONFIGURED SPF & DMARC
# 12. BRUTEFORCING (Brutespray + Kerbrute)
# 
## LISTS (output):
#
# 1.  ping_sweep.txt            - List of IP that responds to ICMP packets
# 2.    crimson_{IPADDRESS}/      - Directory with the results for the given IP ADDRESS
# 3.  *.png               - Screenshots of the main page from the nuclei scan for the web services
# 4.  discovery_scan.           - Port scan with banners (-sV)
# 5.    enum4linux.txt              - Output from enum4linux and CME
# 6.    hostnames.txt               - Hostnames from the hosthunter
# 7.    users.txt                   - Users from Kerberos user enum
# 8.    nse_scan                    - Output from nmap vulnerability scan
# 9.    nuclei.txt                  - Output from nuclei scan
# 10.   ssh-audit.txt               - Output from SSH scans
# 11.   spf_dmarc.txt               - Misconfigured spf & dmarc records
# 12.   kerbrute_valid_creds.txt    - Valid credentials from password spraying Kerberos
# 13.   kerbrute_bruteforce.txt     - Valid credentials from brute-forcing Kerberos
# 13.   brutespray-output/          - Directory with brutespray output
#
## WORKFLOW
#
# 1. Start the script
# 2. If any hostnames is resolved, you can further enumerate it using crimson_recon 
# 3. Check the output.
#
##

:small_red_triangle_down: [I] crimson_recon

Subdomain enumeration and vulnerability scanning for big scope like: *.scope.com.

## FUNCTIONS:
#
# 1. SUBDOMAIN ENUMERATION
# 2. VIRTUAL HOSTNAMES ENUMERATION
# 3. RESOLVING DOMAINS IP ADDRESSES
# 4. URLS SCRAPING
# 5. SCREENSHOTS
# 6. DOMAIN TAKEOVER CHECK
# 7  CORS CHECK
# 8. NUCLEI SCAN
# 9. LOG4J SCAN
# 10.ZONE TRANSFER CHECK  
#
## LISTS (output):
#
# 1.    live.txt            - LIVE SUBDOMAINS
# 2     status_live.txt     - STATUS CODE OF HTTP SERVICES FROM (80/443) live.txt
# 3     hosthunter.txt      - VIRTUAL HOSTNAMES
# 4     ip.txt              - IPs AND THE CORRESPONDING DOMAINS
# 5     urls.txt            - ALL CRAWLED AND LIVE URLS IN ONE FILE
# 6     status_live.txt     - HTTPS / HTTPS SUBDOMAINS STATUS CODES
# 7.    screenshots         - STATUS CODES + SCREENS
# 8.    subjack.txt         - [VULN] DOMAIN TAKEOVER ON ALL LIVE SUBDOMAINS
# 9.    cors_scan.txt       - [VULN] MISCONFIGURED CORS
# 10.   nuclei.txt          - [VULN] TEMPLATE SCAN
# 11.   log4j.txt           - [VULN] LOG4J VULN SCAN
# 12.   dnsrecon.txt        - [VULN] ZONE TRANSFER
#
## WORKFLOW
#
# 1. Start Burp Suite
#   - Create a new project - example.tld
#   - Turn off an interception
# 2. Start this script.
# 3. Check the output listed above (LISTS)
# 4. Select the single domain and start the crimson_target module
#
##

:small_red_triangle_down: [II] crimson_target

This module covers one particular subdomain/domain for example : www.scope.tld.

## FUNCTIONS:
# 1. PARSING robots.txt AND sitemap.xml
# 2. ENUMERATING WAF
# 3. ENUMERATING FRAMEWORKS & CMS
# 2. VULNERABILITY SCANNING
# 3. DOMAIN CRAWLING
# 4. DIRECTORY BRUTEFORCING
# 5. GATHERING SOURCE CODE OF JS FILES
# 6. EXTRACTING NEW ENDPOINTS FROM GATHERED SOURCE CODE
# 7. MERGING PATHS WITH DOMAIN AND PROBING FOR NEW ENDPOINTS
# 8. PROXYING LIVE RESULTS TO BURP SUITE  
# 9. PREPARING params.txt && dirs.txt FOR EXPLOIT MODULE
# 10. CHECKING POTENTIAL BACKUP FILES
# 11. TESTING HOP-BY-HOP DELETION
#
## LISTS:
#
# 1) recon.txt          - FILE WITH RECON OUTPUT
# 2) urls.txt           - FILE WITH GATHERED URLs
# 3) status_params.txt  - STATUS CODES OF urls.txt
# 4) ffuf.txt           - DIR BRUTEFORCING OUTPUT
# 5) status_dir.txt     - STATUS CODE OF ffuf.txt
# 6) exp/params.txt     - FILE PREPARED FOR crimson_exploit WITH PARAMS
# 7) exp/dirs.txt      - FILE PREPARED FOR crimson_exploit WITH DIRECTORIES
# 8) backups.txt       - POTENTIALLY BACKUP FILES 
# 9) arjun.txt         - FILE WITH BRUTEFORCED PARAMETERS
# 10) all_source_code/  - DIRECTORY WITH JS SOURCE CODES
# 11) testssl.txt       - OUTPUT FROM testssl
# 12) jwt.txt           - OUTPUT FROM jwt_tool
# 13) wp/               - DIRECTORY WITH OUTPUT FROM WordPress tools
#
## WORKFLOW
#
# 0. Start Burp - optional step
#   - Create new project - www.example.tld
#   - Turn off an interception
#   - Make active scan for proxied URLs only in scope
# 1. Start the script
#   - If you did not choose -a flag, go to /bounty/tested.domain.tld/temp and remove manually false positives entries in ferox.txt
# 2. Check the output listed above (LISTS)
# 3. Manually browse the application, click on all functionalities
# 4. Copy the whole target scope from Burp after manually browsing the target
# 5. Paste it to exp/all.txt and run crimson_exploit
#
##

:small_red_triangle_down: [III] crimson_exploit

This module uses several tools to automate the search for certain bugs in a list of URLs.

## FUNCTIONS:
#
# 1. FUZZING PATHS IN URLS FROM dirs.txt WITH CUSTOM PAYLOADS
# 2. FUZZING PARAMS IN URLS FROM params.txt WITH CUSTOM PAYLOADS
# 3. TESTING FOR XSS
# 4. TESTING HTTP REQUEST SMUGGLING
# 5. TESTING PROTOTYPE POLLUTION
# 6. TESTING FOR BROKEN LINKS
# 7. TESTING SQLI
# 8. TESTING OUT-OF-BOUND RCE/SSRF
# 9. TESTING JAVA DESERIALIZATION
# 10. TESTING CRLF INJECTION
# 11. TESTING FOR OPEN REDIRECTION
# 12. TESTING CVES
# 13. TESTING HEADER INJECTIONS
#
## LISTS:
#
# 1. bug_params.txt         - Fuzzing output
# 2. bug_dirs.txt           - Fuzzing output
# 3. vuln_xss               - Output from XSSstrike with vulnerable URLs ready to open in browser
# 4. nuclei.txt             - Output from nuclei scanning
# 5. smuggler.txt           - Output after testing for HTTP request smuggling.
# 6. prototype-pollution.txt- Potentially vulnerable params to prototype pollution.
# 7. broken_links.txt       - Output from BLC
# 8. sqli/                  - Output from sqlmap
# 9. oob.txt                - Log after OAST  
# 10. CRLF.txt              - Output from crlfuzz
# 11. OR.txt                - Potentially vulnerable URLs to Open Redirect vulnerability
# 12. dalfox.txt            - Output from dalfox
# 13. SSTI.txt              - Output from crimson_templator with SSTI vulnerable urls.
# 14. SSTImap.txt           - Output from SSTImap
# 15. headi.txt             - Output from headi
#
## WORKFLOW
#
# 0. Start BURP - optional step
#   - Create new project - www.example.tld
#   - Turn off an interception
# 1. Start VPS listener and collaborator server
# 2. Start the script
#   - You will be asked to remove false positives from exp/dirs.txt and exp/params.txt
#   - Remove them and rerun the script as before.
# 3. Check the output listed above (LISTS)
# 4. Look for [ID] [TIME] in oob.txt and compare it to pings on your VPS / collaborator
#
##

Extras

There are some valuable tools in the scripts directory that I have written that are worth checking out.

Contributing

Pull requests are welcome. Please open an issue to discuss what you want to change for significant changes.

List of utilized tools

The following tools are used in crimson. I encourage you to study the links below. They will help you in your work. Especially check Burp Suite extensions because all gathered resources are proxied to Burp Suite, where they are further tested.

:diamonds: OSINT:

• spiderfoot
• theHarvester

:diamonds: IP && ports:

• nmap
• masscan
• rustscan
• enum4linux
• KERBRUTE
• SSH-AUDIT
• BruteSpray

:diamonds: Domains enumeration:

• Amass
• subfinder
• massdns
• dnsx
• assetfinder
• puredns
• sudomy
• altdns
• HostHunter
• mailspoof
• dns-wildcard-removal
• DNSRecon

:diamonds: URLs:

• waybackurls
• Paramspider
• getallurls
• wfuzz
• ffuf
• feroxbuster
• sitemap-urls
• gospider
• hakrawler
• galer
• getJS
• httpx
• zile
• crimson_backuper
• cariddi

:diamonds: Target visualisation:

• WhatWeb
• gowitness
• wafw00f
• Ultimate Nmap Parser

:diamonds: Bug finding:

• nikto
• CorsMe
• subjack
• XSStrike
• Smuggler
• hbh-header-abuse-test
• broken-link-checker
• sqlmap
• CRLFuzz
• ysoserial
• ysoserial.net
• jwt-tool
• dalfox
• testssl.sh
• crimson_templator
• nuclei
• headi
• codeql
• semgrep
• gmapiscanner
• log4j-scan
• GOAST
• CMSEEK
• PLUTION
• SSTIMAP
• INQL

:diamonds: WordPress tools:

• wpscan
• WPluginScanner
• quickpress
• wpBullet

:diamonds: Additional tools:

• qsreplace
• anew
• unfurl
• Search-That-Hash
• clever_ffuf
• crimson_opener
• crimson_paramjuggler
• tldextract
• PyWhat
• Ciphey

:diamonds: Wordlists:

• SecLists
• PayloadsAllTheThings
• fresh-resolvers

:diamonds: Burp Suite extensions:

• ActiveScan++
• Anonymous Cloud, Configuration and Subdomain Takeover Scanner
• Attack Surface Detector
• Auth Analyzer
• AWS Security Checks
• Backslash Powered Scanner
• Burp Bounty Pro
• Cloud Storage Tester
• Collaborator Everywhere
• CSRF Scanner
• Detect Dynamic JS
• Error Message Checks
• Freddy, Deserialization Bug Finder
• HTTP Request Smuggler
• InQL - Introspection GraphQL Scanner
• J2EEScan
• Java Deserialization Scanner
• JS Link Finder
• NGINX Alias Traversal
• NoSQLi Scanner
• Param Miner
• PHP Object Injection Check
• Reflected Parameters
• Retire.js
• Similar Request Excluder
• Software Version Reporter
• Software Vulnerability Scanner
• Taborator
• Turbo Intruder
• UploadScanner
• Web Cache Deception Scanner
• Hackvertor
• burp-copy-as-ffuf

HISTORY

If you are curious how it all started:

• Medium article - crimson_recon
• Medium article - crimson_target
• Medium article - crimson_exploit

LICENSE

This program is free software: you can redistribute it and/or modify it under the terms of the Apache license. Crimson and any contributions are Copyright © by Karol Mazurek 2020-2022.

SUPPORT

You can support the project by buying me a coffee or via NFT which unlock the secret Crimson Web community or by buying me a coffee below: