Advanced Web Vulnerability Scanner

Introduction

This script automates vulnerability scanning of web applications by chaining several command-line tools (subdomain enumeration, port scanning, TLS checks, web fingerprinting and directory brute-forcing) into one run. It is aimed at penetration testers and security professionals.

Installation Requirements

To run the scanner, the command-line tools it calls must be installed; the steps below cover a typical Linux distribution and Termux.

Most of the tools can alternatively be run from Docker images. To install Docker on a Debian-based system, execute:

sudo apt update
sudo apt install docker.io

Installation on Linux

Follow these steps to install the required tools on a typical Linux distribution:

  1. Update your package list:
     sudo apt update
  2. Install the necessary packages:
     sudo apt install nmap sublist3r amass nikto whatweb wpscan sslyze sqlmap gobuster
  3. If using Docker, install it:
     sudo apt install docker.io
  4. Start and enable the Docker service:
     sudo systemctl start docker
     sudo systemctl enable docker

Not every package above is available from every distribution's repositories: Kali Linux ships them all, while on other distributions some (for example wpscan, which is distributed as a Ruby gem) have to be installed by following the project's own instructions.

Installation on Termux

To set up the tools on Termux (Android), follow these steps:

  1. Update the package list:
     pkg update
  2. Install required packages:
     pkg install nmap git python
  3. Clone the Sublist3r repository:
     git clone https://github.com/aboul3la/Sublist3r.git
  4. Navigate to the cloned directory and install its dependencies:
     cd Sublist3r
     pip install -r requirements.txt

Repeat the cloning and installation process for other tools as needed.

Tool Functionality

Here is a brief overview of the tools used in this script and what each one does in it:

  Sublist3r and Amass: enumerate subdomains of the target domain; the combined list drives every later step.
  nmap: scans all TCP ports of each host and runs the vuln NSE scripts against open services.
  sslyze: checks the SSL/TLS configuration of each host.
  WhatWeb: fingerprints the web software in use.
  Nikto: runs general web server vulnerability checks.
  WPScan: WordPress-specific scanning, run only when the host name matches the script's WordPress check.
  Gobuster: brute-forces directories on the web server using a wordlist.
  sqlmap: part of the installation list but not invoked by the script below.

Advanced Script

The following script automates the scanning process:

#!/bin/bash

# Check for domain input
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi

DOMAIN=$1
SUBDOMAINS="$DOMAIN-subdomains.txt"
RESULTS_DIR="results_$DOMAIN"
mkdir -p "$RESULTS_DIR"

# Function to find subdomains
find_subdomains() {
    echo "==> Finding subdomains for $DOMAIN using Sublist3r and Amass..."

    # Using Sublist3r (creates the subdomain list file)
    sublist3r -d "$DOMAIN" -o "$SUBDOMAINS"

    # Using Amass for more comprehensive subdomain collection (appended to the same file)
    amass enum -d "$DOMAIN" >> "$SUBDOMAINS"

    # The two tools overlap heavily; keep one copy of each name so no host is scanned twice
    sort -u -o "$SUBDOMAINS" "$SUBDOMAINS"

    echo "Subdomains saved to $SUBDOMAINS"
}

# Function for port and service scanning
scan_ports() {
    local target=$1
    echo "==> Scanning open ports on $target..."
    # All TCP ports, open ones only; the vuln NSE scripts run against the discovered services
    nmap -p- --open --min-rate=1000 -T4 "$target" -oN "$RESULTS_DIR/nmap_$target.txt" --script vuln
}

# Function for SSL/TLS scanning
scan_ssl() {
    local target=$1
    echo "==> Scanning SSL/TLS configuration on $target..."
    sslyze --regular "$target" > "$RESULTS_DIR/sslyze_$target.txt"
}

# Function for vulnerability scanning
scan_vulnerabilities() {
    local target=$1
    echo "==> Scanning $target for vulnerabilities..."

    # Running WhatWeb to identify software used
    echo "Running WhatWeb on $target..."
    whatweb "$target" > "$RESULTS_DIR/whatweb_$target.txt"

    # Running Nikto for general vulnerabilities
    echo "Running Nikto on $target..."
    nikto -h "$target" -output "$RESULTS_DIR/nikto_$target.txt"

    # Running WPScan if the target is a WordPress site.
    # Note: this check only matches hosts under wordpress.com; a self-hosted
    # WordPress site on its own domain is not recognised by it (the WhatWeb
    # output above shows whether WordPress is present on such a host).
    if [[ "$target" == *".wordpress.com" ]]; then
        echo "Running WPScan on $target..."
        wpscan --url "$target" --output "$RESULTS_DIR/wpscan_$target.txt"
    fi
}

# Function for directory brute-forcing
directory_bruteforce() {
    local target=$1
    echo "==> Running directory brute-forcing on $target..."
    gobuster dir -u "$target" -w /usr/share/wordlists/dirb/common.txt -o "$RESULTS_DIR/gobuster_$target.txt"
}

# Main execution
find_subdomains

# Stop if enumeration produced nothing; otherwise the loop below would fail on a missing or empty file
if [ ! -s "$SUBDOMAINS" ]; then
    echo "No subdomains found for $DOMAIN; nothing to scan."
    exit 1
fi

# Scan each found subdomain
while read -r sub; do
    [ -n "$sub" ] || continue   # skip blank lines
    echo "==> Processing subdomain: $sub"
    scan_ports "$sub"
    scan_ssl "$sub"
    scan_vulnerabilities "$sub"
    directory_bruteforce "$sub"
done < "$SUBDOMAINS"

echo "==> Scanning complete. Results stored in $RESULTS_DIR"
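Two pre-flight checks the script above does not make, written here as an added example (not part of the original script or of any of the tools it calls): a check that every tool from the installation list is actually on PATH, and a syntactic check of the domain argument before it is used. The script builds the file name `$DOMAIN-subdomains.txt` and the directory `results_$DOMAIN` straight from its argument, so a value containing path separators, spaces or shell metacharacters ends up in those paths unchanged; validating the argument as a hostname first avoids that. The tool list is the page's own; the function names `check_tools` and `is_valid_domain`, the regular expression and the sample domain are assumptions.

```sh
#!/bin/sh
# Added pre-flight checks for the scanner script (example code, not the page's own).
# REQUIRED_TOOLS is the page's installation list; everything else here is assumed.

REQUIRED_TOOLS="nmap sublist3r amass nikto whatweb wpscan sslyze sqlmap gobuster"

# check_tools NAME...: reports each tool as found or missing.
# Returns the number of missing tools, so 0 means everything is installed.
check_tools() {
    missing=0
    for tool in "$@"; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf 'found:   %s\n' "$tool"
        else
            printf 'missing: %s\n' "$tool"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# is_valid_domain NAME: succeeds only for a syntactically valid DNS hostname:
# at most 253 characters, dot-separated labels of 1-63 letters, digits or
# hyphens that neither start nor end with a hyphen, and an alphabetic
# top-level label. Path separators, spaces and shell metacharacters are
# rejected, so the value is safe to embed in results_$DOMAIN and the list file name.
is_valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" \
        | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Usage: validate the argument first, then check the toolchain.
# (Constructed value; inside the scanner script this would be "$1".)
candidate="scanme.example.com"
if is_valid_domain "$candidate"; then
    printf 'domain ok: %s\n' "$candidate"
else
    printf 'refusing invalid domain: %s\n' "$candidate"
fi
check_tools $REQUIRED_TOOLS || printf '%s required tool(s) missing; see the installation steps above.\n' "$?"
```

Both functions are plain POSIX sh, so they can be pasted into the bash script above (directly after the argument-count check) without changes; `check_tools` returns the number of missing tools as its exit status, which is why the usage line prints `$?` after a failure.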