webcopilot
v2.0-beta
Características • Instalação • Utilização • WebCopilot • Ferramentas Utilizadas • Reconhecimento
WebCopilot é uma ferramenta de automação projetada para enumerar subdomínios do alvo e detectar bugs usando diferentes ferramentas de código aberto.
O script primeiro enumera todos os subdomínios de um determinado domínio de destino usando assetfinder, sublister, subfinder, amass, findomain, hackertarget, riddler e crt, em seguida, faz a enumeração de subdomínios ativos usando gobuster da lista de palavras do SecLists, em seguida, filtra todos os subdomínios ativos usando dnsx e depois extrai títulos dos subdomínios usando httpx e verifica o controle de subdomínios usando subjack. Em seguida, ele usa gau/gauplus, waybackurls ou waymore para rastrear todos os pontos de extremidade dos subdomínios fornecidos e, em seguida, usa padrões gf para filtrar os parâmetros xss, lfi, ssrf, sqli, redirecionamento aberto e rce desses subdomínios e, em seguida, verifica para vulnerabilidades nos subdomínios usando diferentes ferramentas de código aberto (como kxss, dalfox, openredirex, núcleos, etc). Em seguida, ele imprimirá o resultado da verificação e salvará toda a saída em um diretório especificado.
g ! 2m0: ~ webcopilot -h ──────▄▀▄─────▄▀▄
─────▄█░░▀▀▀▀▀░░█▄
─▄▄──█░░░░░░░░░░░█──▄▄
█▄▄█─█░░▀░░┬░░▀░░█─█▄▄█
██╗░░░░░░░██╗███████╗██████╗░░█████╗░░█████╗░██████╗░██╗██╗░░░░░░█████╗░████████╗
░██║░░██╗░░██║██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔══██╗██║██║░░░░░██╔══██╗╚══██╔══╝
░╚██╗████╗██╔╝█████╗░░██████╦╝██║░░╚═╝██║░░██║██████╔╝██║██║░░░░░██║░░██║░░░██║░░░
░░████╔═████║░██╔══╝░░██╔══██╗██║░░██╗██║░░██║██╔═══╝░██║██║░░░░░██║░░██║░░░██║░░░
░░╚██╔╝░╚██╔╝░███████╗██████╦╝╚█████╔╝╚█████╔╝██║░░░░░██║███████╗╚█████╔╝░░░██║░░░
░░░╚═╝░░░╚═╝░░╚══════╝╚═════╝░░╚════╝░░╚════╝░╚═╝░░░░░╚═╝╚══════╝░╚════╝░░░░╚═╝░░░
[ ● ] Version: 2.0 .0
[ ● ] @ h4r5h1t | G ! 2 m0
[ ] Warning: Use with caution . You are responsible for your own actions .
[ ] Developers assume no liability and are not responsible for any misuse or damage cause by this tool .
Usage :
webcopilot - d < target >
webcopilot - d < target > - a
webcopilot [ - d target ] [ - o output destination ] [ - t threads ] [ - b blind server URL ] [ - x exclude domains ] [ - f subdomains file ] [ - a ] [ - v ] [ - h ]
Flags :
- d Add your target [ Optional ]
- o To save outputs in folder [ Default : webcopilot - < timestamp > ]
-t Number of threads [Default: 100]
-b Add your server for BXSS [Default: False]
-x Exclude out of scope domains [Default: False]
-f Specify a file containing subdomains, this will skip subdomain enumeration [Optional]
-a Run all Enumeration by default it will run only subdomain enumeration [Default: False][Time Consuming]
-v Show version of the tool
-h Show this help message
Example:./webcopilot -d domain.com -a -o domain -t 333 -x exclude.txt -b testServer.oast.fun
You can use https://app.interactsh.com/ to get your serverO WebCopilot requer que o git seja instalado com sucesso. Execute o seguinte comando como root para instalar o webcopilot
git clone https://github.com/h4r5h1t/webcopilot && cd webcopilot/ && chmod +x webcopilot install.sh && mv webcopilot /usr/bin/ && ./install.sh [ * ] Installing Tools
[ * ] Creating Directories
[ * ] Installing Dependencies and Checking is Installed or Not
[ * ] git is already installed
[ * ] python3 is already installed
[ * ] python3 - pip is already installed
[ * ] ruby is already installed
[ * ] golang - go is already installed
[ * ] snapd could not be found [ * ] Installing snapd
[ * ] snapd is not installed successfully , Please install it manually
[ * ] cmake is already installed
[ * ] jq is already installed
[ * ] gobuster is already installed
[ * ] chromium is already installed
[ * ] parallel is already installed
[ * ] Installing Python Tools
[ * ] Sublist3r could not be found [ * ] Installing Sublist3r
[ * ] Sublist3r is installed successfully
[ * ] sqlmap is already installed
[ * ] urldedupe is already installed
[ * ] openredirex is already installed
[ * ] waymore is already installed
[ * ] findomain is already installed
[ * ] uro is already installed
[ * ] Installing Wordlists and Payloads
[ * ] Skipping payloads / lfi . txt , already exists .
[ * ] Skipping resolvers . txt , already exists .
[ * ] Skipping subdomains . txt , already exists .
[ * ] Skipping fuzz . txt , already exists .
[ * ] Skipping dicc . txt , already exists .
[ * ] Skipping big . txt , already exists .
[ * ] Skipping dns . txt , already exists .
[ * ] Installing Go Tools
[ * ] anew is already installed
[ * ] gf is already installed
[ * ] aquatone could not be found [ * ] Installing aquatone
[ * ] aquatone is not installed successfully , Please install it manually
[ * ] assetfinder is already installed
[ * ] gau is already installed
[ * ] waybackurls is already installed
[ * ] httpx could not be found [ * ] Installing httpx
[ * ] httpx is not installed successfully , Please install it manually
[ * ] amass could not be found [ * ] Installing amass
[ * ] amass is not installed successfully , Please install it manually
[ * ] kxss is already installed
[ * ] subjack is already installed
[ * ] qsreplace is already installed
[ * ] dnsx could not be found [ * ] Installing dnsx
[ * ] dnsx is not installed successfully , Please install it manually
[ * ] dalfox is already installed
[ * ] crlfuzz is already installed
[ * ] nuclei could not be found [ * ] Installing nuclei
[ * ] nuclei is not installed successfully , Please install it manually
[ * ] subfinder could not be found [ * ] Installing subfinder
[ * ] subfinder is not installed successfully , Please install it manually
[ * ] Configuring Tools and Setting Up Environment
[ * ] All Tools are installed successfullySubFinder • Sublist3r • Findomain • gf • OpenRedireX • dnsx • sqlmap • gobuster • assetfinder • httpx • kxss • qsreplace • Núcleos • dalfox • anew • jq • aquatone • urldedupe • Amass • gauplus • waybackurls • crlfuzz • gau • waymore • SUBLIST3R_V2. 0 • uro
Para executar a ferramenta em um destino, basta usar o seguinte comando.
g ! 2m0: ~ webcopilot -d example.com O comando -o pode ser usado para especificar um diretório de saída.
g ! 2m0: ~ webcopilot -d example.com -o example O comando -a pode ser usado para executar todas as enumerações (Enumeração de Subdomínio + Verificação de Vulnerabilidades).
g ! 2m0: ~ webcopilot -d example.com -o example -a O comando -t pode ser usado para adicionar threads à sua varredura para obter resultados mais rápidos.
g ! 2m0: ~ webcopilot -d example.com -o example -t 333 O comando -b pode ser usado para blind xss (OOB), você pode obter seu servidor de interação
g ! 2m0: ~ webcopilot -d example.com -o example -t 333 -b eeuyhzfnsezrraragtd70ex5oc2hsw.oast.fun O comando -x pode ser usado para excluir domínios fora do escopo.
g ! 2m0: ~ echo out.example.com > excludeDomain.txt
g ! 2m0: ~ webcopilot -d example.com -o example -t 333 -x excludeDomain.txt -b eeuyhzfnsezrraragtd70ex5oc2hsw.oast.fun O comando -f pode ser usado para passar arquivos contendo subdomínios (usando esta enumeração de subdomínio ativo + passivo)
g ! 2m0: ~ webcopilot -d example.com -o example -f /home/ubuntu/subdomains.txt -aAs opções padrão são assim:
g ! 2m0: ~ webcopilot -d http://testphp.vulnweb.com/ -a -b eeuyhzfpwgnsezrraragtd70ex5oc2hsw.oast.fun ──────▄▀▄─────▄▀▄
─────▄█░░▀▀▀▀▀░░█▄
─▄▄──█░░░░░░░░░░░█──▄▄
█▄▄█─█░░▀░░┬░░▀░░█─█▄▄█
██╗░░░░░░░██╗███████╗██████╗░░█████╗░░█████╗░██████╗░██╗██╗░░░░░░█████╗░████████╗
░██║░░██╗░░██║██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔══██╗██║██║░░░░░██╔══██╗╚══██╔══╝
░╚██╗████╗██╔╝█████╗░░██████╦╝██║░░╚═╝██║░░██║██████╔╝██║██║░░░░░██║░░██║░░░██║░░░
░░████╔═████║░██╔══╝░░██╔══██╗██║░░██╗██║░░██║██╔═══╝░██║██║░░░░░██║░░██║░░░██║░░░
░░╚██╔╝░╚██╔╝░███████╗██████╦╝╚█████╔╝╚█████╔╝██║░░░░░██║███████╗╚█████╔╝░░░██║░░░
░░░╚═╝░░░╚═╝░░╚══════╝╚═════╝░░╚════╝░░╚════╝░╚═╝░░░░░╚═╝╚══════╝░╚════╝░░░░╚═╝░░░
[ ● ] Version: 2.0 .0
[ ● ] @ h4r5h1t | G ! 2 m0
[ ] Warning: Use with caution . You are responsible for your own actions .
[ ] Developers assume no liability and are not responsible for any misuse or damage cause by this tool .
Target : http: //testphp.vulnweb.com/
Output: / home / ubuntu / github / webcopilot / webcopilot - 1714304809
Threads: 100
Server: eeuyhzfpwgnsezdyeragtd70ex5oc2hsw . oast . fun
Exclude: False
Mode: Running all Enumeration
Time : 28 - 04 - 2024 17 : 16 : 49
[ ! ] Please wait while scanning . . .
[ ● ] Passive Subdomain Scanning is in progress :
[ ● ] Subdomain Scanned - [ assetfinder✔ ] Subdomain Found : 0
[ ● ] Subdomain Scanned - [ SUBLIST3R_V2 .0 ✔ ] Subdomain Found : 0
[ ● ] Subdomain Scanned - [ subfinder✔ ] Subdomain Found : 1
[ ● ] Subdomain Scanned - [ amass✔ ] Subdomain Found : 0
[ ● ] Subdomain Scanned - [ findomain✔ ] Subdomain Found : 1
[ ● ] Subdomain Scanned - [ crt . sh✔ ] Subdomain Found : 0
[ ● ] Subdomain Scanned - [ hackertarget✔ ] Subdomain Found : 1
[ ● ] Subdomain Scanned - [ riddler✔ ] Subdomain Found : 0
[ ● ] Subdomain Scanned - [ certspotter✔ ] Subdomain Found : 0
[ ● ] Active Subdomain Scanning is in progress :
[ ! ] Please be patient . This may take a while ...
[ ● ] Active Subdomain Scanned - [ gobuster✔ ] Subdomain Found : 0
[ ● ] Active Subdomain Scanned - [ amass✔ ] Subdomain Found : 0
[ ● ] Subdomain Filtering : Filtering Alive subdomains
[ ● ] Subdomain Filtering - Filtering alive subdomains is completed . Check : / subdomains / alivesub . txt
[ ● ] Subdomain Scanning : Getting titles of valid subdomains
[ ● ] Visual inspection of Subdomains is completed . Check : / subdomains / aquatone /
[ ● ] Subdomain Enumeration Completed . Total : 1 | Alive : 1
[ ● ] Endpoints Scanning Completed . Total : 0
[ ● ] Vulnerabilities Scanning is in progress : Getting all vulnerabilities of
[ ● ] Vulnerabilities Scanning is in progress :
[ ● ] Vulnerabilities Scanned - [ XSS✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ SQLi✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ LFI✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ CRLF✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ SSRF✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ Open redirect✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ Subdomain Takeover✔ ] Found : 0
[ ● ] Vulnerabilities Scanned - [ Nuclie✔ ] Found : 0
[ ● ] Vulnerabilities Scanning Completed . Check : / vulnerabilities /
▒█▀▀█ █▀▀ █▀▀ █░░█ █░░ ▀▀█▀▀
▒█▄▄▀ █▀▀ ▀▀█ █░░█ █░░ ░░█░░
▒█░▒█ ▀▀▀ ▀▀▀ ░▀▀▀ ▀▀▀ ░░▀░░
[ + ] Subdomains of http : //testphp.vulnweb.com/
[ + ] Subdomains Found : 1
[ + ] Subdomains Alive : 1
[ + ] Endpoints : 0
[ + ] XSS : 0
[ + ] SQLi : 0
[ + ] Open Redirect : 0
[ + ] SSRF : 0
[ + ] CRLF : 0
[ + ] LFI : 0
[ + ] Subdomain Takeover : 0
[ + ] Nuclei : 0WebCopilot é inspirado em Garud & Pinaak da ROX4R.
@aboul3la @tomnomnom @lc @hahwul @projectdiscovery @maurosoria @shelld3v @devanshbatham @michenriksen @defparam @projectdiscovery @bp0lr @ameenmaali @sqlmapproject @dwisiswant0 @OWASP @OJ @Findomain @danielmiessler @1ndianl33t @ROX4R @xnl-h4ck3r @hxl xmjxbbxs @s0md3v
| Aviso: Os desenvolvedores não assumem nenhuma responsabilidade e não são responsáveis por qualquer uso indevido ou dano causado por esta ferramenta. Portanto, tenha cuidado porque você é responsável por suas próprias ações. |
