crimson: Automated Scanner for Pentesters and Bug Bounty Hunters

Crimson is a complete pentest suite, with a wide variety of programs and options, that meets the needs of even the most demanding hacker. It bundles programs from different categories such as network scanning, phishing and exploitation.

It is an open source program, written in Python.


Installation


Use

crimson_recon -D "domain.com"

    # Optional flags are shown below:
    -  # Domain bruteforcing (with words / dns wordlist)
    -v # Virtual host discovery
    -p # TCP ports scanning (1-65535)
    -u # UDP ports scanning (nmap default ports)
    -b # Third level subdomain bruteforcing
    -y # Proxy urls.txt and live.txt to Burp (127.0.0.1:8080)
    -s # Find hidden subdomains and secrets within urls.txt with SubDomainizer (takes a very long time)

crimson_target -D "example.domain.com"

    # Optional flags are shown below:
    -c "Cookie: auth1 = 123;"
    -p # TCP (1-65535) ports scanning
    -u # UDP (nmap default) ports scanning
    -a # Without this flag, you have to manually check for false positives after bruteforcing
    -y # Proxy urls.txt and ffuf.txt to Burp (127.0.0.1:8080)
    -b # Parameter bruteforcing with Arjun

crimson_exploit -D "example.domain.com" -d "collaborator.com" -i "ip"

    # Optional flags are shown below:
    -c "Cookie: auth1 = 123;"
    -x # Fuzzing all.txt with bug wordlist

Modules

crimson_recon module:

FUNCTIONS:
1. SUBDOMAIN ENUMERATION
2. LIVE SUBDOMAIN CHECK
3. TAKEOVER CHECK
4. SCREENSHOTS
5. CORS CHECK
6. IP RESOLVE
7. OPENED PORTS SCAN
8. URLS SCRAPING
9. API KEYS SCRAPING
10. VIRTUAL HOSTNAMES ENUMERATION

LISTS (output):
1. live.txt - LIVE SUBDOMAINS
2. ip.txt - ALL IPs
3. ports.txt - OPENED PORTS
4. subjack.txt - VULNS [TAKEOVER]
5. screenshots - STATUS CODES + SCREENS
6. cors_scan.txt - VULNS [CORS]
7. urls.txt - ALL CRAWLED AND LIVE URLS IN ONE FILE
8. status_live.txt - HTTP / HTTPS SUBDOMAINS STATUS CODES
9. ldns-walk.txt - DOMAINS FROM DNSSEC
10. subdomainizer.txt - DETECTED API KEYS / AND MORE SUBDOMAINS
11. hosthunter.txt - VIRTUAL HOSTNAMES
12. nucleve.t

WORKFLOW:
1. Start Burp Suite - optional step
   - Create new project - example.tld
   - Turn off interception
2. Start this script.
3. Check the output listed above (LISTS)
4. Select a single domain and start the crimson_target module
crimson_target module:

FUNCTIONS:
1. FULL RANGE PORT SCANNING && NSE ON OPENED PORTS
2. VULNERABILITY SCANNING
3. DOMAIN
4. DIRECTORY BRUTEFORCING
5. GATHERING SOURCE CODE OF SCRAPED / BRUTEFORCED URLS
6. EXTRACTING NEW PATHS, API KEYS, ENDPOINTS FROM GATHERED SOURCE CODE
7. MERGING PATHS WITH DOMAIN AND PROBING FOR NEW ENDPOINTS
8. PROXYING LIVE RESULTS TO BURP SUITE
9. PREPARING params.txt && dirs.txt FOR  MODULE
10. CHECK WAF && POTENTIAL BACKUP FILES && CMS
11. TESTING HOP-BY-HOP DELETION

LISTS:
1) recon.txt          - FILE WITH RECON OUTPUT
2) urls.txt           - FILE WITH GATHERED URLS
3) status_params.txt  - STATUS CODES OF urls.txt
4) ffuf.txt           - DIR BRUTEFORCING OUTPUT
5) status_dir.txt     - STATUS CODES OF ffuf.txt
9) exp/params.txt     - FILE PREPARED FOR crimson_exploit WITH PARAMS
10) exp/dirs.txt      - FILE PREPARED FOR crimson_exploit WITH DIRECTORIES
11) backups.txt       - POTENTIAL BACKUP FILES
12) arjun.txt         - FILE WITH BRUTEFORCED PARAMETERS
13) nmap.txt          - FILE WITH TCP/UDP PORT SCANNING OUTPUT
15) exp/nmap.gnmap    - FILE WITH TCP/UDP PORT SCANNING OUTPUT IN GREPABLE FORMAT

WORKFLOW:
0. Start Burp - optional step
   - Create new project - www.example.tld
   - Turn off interception
   - Make active scan for proxied urls only in scope
1. Start the script
   - If you didn't choose the -a flag, go to /bounty/domain.tld/tested.domain.tld/temp and manually remove false-positive entries in ferox.txt
2. Check the output listed above (LISTS)
3. Manually browse the application, click on all functionalities
4. Copy the whole target scope from Burp after manually  the target
5. Paste it to exp/all.txt and run crimson_exploit
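The crimson_target lists above include exp/nmap.gnmap (nmap's grepable format) next to ports.txt and ip.txt. As an added example that is not crimson's own code, the parser below turns a .gnmap file into those two lists and flags open ports that fall outside an expected-exposure allowlist, so a defender can diff a scan against what should be reachable. The .gnmap field layout is nmap's; the sample scan text is constructed, and the one-IP-per-line / ip:port line formats for ip.txt and ports.txt are assumptions, not crimson's documented output.

```python
import re

# Constructed sample of nmap grepable output (not from a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -sS -p- -oG exp/nmap.gnmap example.tld
Host: 203.0.113.10 (www.example.tld)\tStatus: Up
Host: 203.0.113.10 (www.example.tld)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//https//nginx 1.18/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 203.0.113.11 (api.example.tld)\tStatus: Up
Host: 203.0.113.11 (api.example.tld)\tPorts: 443/open/tcp//https//?/\tIgnored State: filtered (65534)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# "Host: <ip> (<rdns>)<TAB><fields...>"; the remaining fields are tab separated.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Map ip -> {"hostname": rdns, "open": [(port, proto, service), ...]}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and anything else
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "open": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                # Each spec is port/state/proto/owner/service/rpc-info/version/
                parts = spec.split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    entry["open"].append((int(parts[0]), parts[2], parts[4]))
    return hosts

def ip_lines(hosts):
    """Lines for an ip.txt-style list (assumed format: one IP per line)."""
    return sorted(hosts)

def port_lines(hosts):
    """Lines for a ports.txt-style list (assumed format: ip:port per open port)."""
    return [f"{ip}:{port}" for ip in sorted(hosts) for port, _, _ in hosts[ip]["open"]]

def unexpected_open(hosts, allowed):
    """Defender check: open ports outside an expected-exposure allowlist {ip: {ports}}."""
    return [(ip, port, svc) for ip in sorted(hosts)
            for port, _, svc in hosts[ip]["open"]
            if port not in allowed.get(ip, set())]
```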
crimson_exploit module:

FUNCTIONS:
1. FUZZING PATHS IN URLS FROM dirs.txt WITH CUSTOM PAYLOADS
2. FUZZING PARAMS IN URLS FROM params.txt WITH CUSTOM PAYLOADS
3. TESTING FOR XSS
4. TESTING JAVASCRIPT SOURCE CODE
5. TESTING HTTP REQUEST SMUGGLING
6. TESTING PROTOTYPE POLLUTION
7. TESTING FOR BROKEN LINKS
8. TESTING SQLI
9. TESTING OUT-OF-BAND RCE/SSRF
10. TESTING JAVA DESERIALIZATION
11. TESTING CRLF INJECTION
12. TESTING FOR OPEN REDIRECTION
13. TESTING WORDPRESS
14. TESTING CVES
15. TESTING HEADER

LISTS:
1. bug_params.txt - Fuzzing output
2. bug_dirs.txt - Fuzzing output
3. vuln_xss - Output from XSStrike with vulnerable URLs ready to open in a browser
4. codeql.txt - Output from CodeQL after testing the JavaScript source code
5. smuggler.txt - Output after testing for HTTP request smuggling
6. prototype-pollution - Params potentially vulnerable to prototype pollution
7. broken_links.txt - Output from BLC
8. sqli/ - Output from sqlmap
9. oob.txt - Log after OAST
10. CRLF.txt - Output from crlfuzz
11. OR.txt - URLs potentially vulnerable to open redirection
12. dalfox.txt - Output from dalfox
13. ssti.txt - Output from crimson_templator with SSTI-vulnerable URLs
14. wp/ - Output from WPScan
15. deserializator.txt - Logs from crimson_deserializator
16. semgrep.txt - Output from semgrep after testing the JavaScript source code
17. nuclei.txt - Output from nuclei scanning
18. headi.txt - Output from headi

WORKFLOW:
0. Start Burp - optional step
1. Start the VPS listener and the collaborator server
2. Start the script
3. Check the output listed above (LISTS)
5. Look for [ID] [TIME] in oob.txt and compare it to pings on your VPS / collaborator
8. Check deserialization pings with manual payloads
9. Start manual testing

Specifications

Domain enumeration:

IP && ports:

URLs:

Target visualization:

Bug finding:

WordPress tools:

Additional tools:

Wordlists:

Burp Suite extensions:

You can download the program from here.


Written by Anastasis Vasileiadis
