Advanced Web Vulnerability Scanner

This script provides advanced features for vulnerability scanning, including deep scans, integration with security systems, and improved reporting.

Installation

Installation on Linux

To install the necessary tools on a Linux system, execute the following commands:

sudo apt update
sudo apt install nmap sublist3r amass nikto sqlmap arachni sslyze wpscan ffuf openvas

Make sure you also have a valid API key for Shodan. After installation, you may need to configure certain tools, such as OpenVAS, to set up the environment for vulnerability scanning.

Installation on Termux

For users on Termux, follow these steps to install the required tools:

pkg update
pkg install nmap sublist3r amass nikto sqlmap ffuf

Note that some tools may require additional setup or dependencies specific to Android's environment. Refer to each tool's documentation for detailed instructions.

Usage of the Program

Run the script with the domains you want to scan as arguments:

chmod +x advanced_web_vuln_scan.sh
./advanced_web_vuln_scan.sh example.com otherdomain.com

Program Functionality

The script is designed to automate the process of vulnerability scanning across multiple domains. Here's a detailed breakdown of its functionality:

  1. Input Validation:

    The script starts by checking if at least one domain is provided as an argument. If not, it displays usage instructions and exits.

  2. Domain Processing:

    It creates a results directory based on the current timestamp to store all output files. Subdomains for each specified domain are then gathered using tools like Sublist3r and Amass.

  3. Subdomain Enumeration:

    Sublist3r and Amass are used to find subdomains, and results are combined and saved in a file. Additionally, Shodan is queried to gather information related to the domain.

  4. Vulnerability Scanning:

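    For each discovered subdomain, the script runs a series of scans using Nmap (all ports, with the vuln scripts), Nikto, SSLyze, OpenVAS (through gvm-cli), sqlmap, WPScan (only when WhatWeb detects WordPress) and Arachni.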

  5. Fuzz Testing:

    The script employs ffuf to run fuzzing tests against specified endpoints, attempting to discover hidden resources or vulnerabilities.

  6. Report Generation:

    After scans are completed, the results are compiled into CSV and HTML reports for easy review and analysis. This includes all findings from the various scanning tools.

  7. Scan Scheduling:

    The script defines a schedule_scan function that adds a cron job for periodic vulnerability assessments; the main flow of the script does not call it.

Script Code

#!/bin/bash

# Check domain and subdomain input
if [ "$#" -lt 1 ]; then
    echo "Usage: $0 <domain1> [<domain2> ... <domainN>]"
    exit 1
fi

# Initial configuration
DOMAINS=("$@")
RESULTS_DIR="advanced_scan_results_$(date +'%Y%m%d_%H%M%S')"
SUBDOMAINS_FILE="$RESULTS_DIR/subdomains.txt"
mkdir -p "$RESULTS_DIR"

# Function to find subdomains
find_subdomains() {
    for DOMAIN in "${DOMAINS[@]}"; do
        echo "==> Finding subdomains for $DOMAIN using Sublist3r, Amass, and Shodan..."
        
        # Sublist3r
        sublist3r -d "$DOMAIN" -o "$RESULTS_DIR/sublist3r_$DOMAIN.txt"
        
        # Amass
        amass enum -d "$DOMAIN" -o "$RESULTS_DIR/amass_$DOMAIN.txt"
        
        # Shodan
        shodan domain "$DOMAIN" > "$RESULTS_DIR/shodan_$DOMAIN.txt"
        
        # Combine results (a tool that finds nothing may not create its output file)
        cat "$RESULTS_DIR/sublist3r_$DOMAIN.txt" "$RESULTS_DIR/amass_$DOMAIN.txt" 2>/dev/null | sort -u >> "$SUBDOMAINS_FILE"
    done
    echo "==> Subdomains collected in $SUBDOMAINS_FILE"
}

# Function to scan vulnerabilities
scan_vulnerabilities() {
    local target=$1
    
    echo "==> Scanning vulnerabilities on $target..."
    
    # Nmap for port and vulnerability identification
    nmap -p- --open --min-rate=1000 -T4 "$target" -oN "$RESULTS_DIR/nmap_$target.txt" --script vuln
    
    # Nikto for general vulnerabilities
    nikto -h "$target" -output "$RESULTS_DIR/nikto_$target.txt"
    
    # SSLyze for SSL/TLS analysis
    sslyze --regular "$target" > "$RESULTS_DIR/sslyze_$target.txt"
    
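    # OpenVAS for comprehensive vulnerability analysis
    # <IP_OPENVAS> and <CREATE_TASK_XML> are placeholders to fill in; they are quoted
    # so the shell does not treat "<" and ">" as redirections
    gvm-cli tls --hostname "<IP_OPENVAS>" --xml "<CREATE_TASK_XML>" > "$RESULTS_DIR/openvas_$target.txt"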
    
    # SQLmap for SQL injection testing
    sqlmap -u "$target" --batch --output-dir="$RESULTS_DIR/sqlmap_$target"
    
    # WPScan for WordPress vulnerabilities
    # (detection relies on whatweb, which the install commands above do not include)
    if whatweb "$target" | grep -q "WordPress"; then
        echo "Running WPScan on $target..."
        wpscan --url "$target" --enumerate vp --output "$RESULTS_DIR/wpscan_$target.txt"
    fi
    
    # Arachni for deeper vulnerability analysis
    # (Arachni expects a full URL; the http:// scheme is an assumption)
    arachni "http://$target" --report-save-path "$RESULTS_DIR/arachni_$target.afr"
}

# Function for fuzz testing
fuzz_test() {
    local target=$1
    echo "==> Running fuzzing tests on $target..."
    # ffuf needs a URL with a scheme; http:// is an assumption
    ffuf -u "http://$target/FUZZ" -w /usr/share/wordlists/dirb/common.txt -o "$RESULTS_DIR/fuzzing_$target.json"
}

# Function for scheduling scans
schedule_scan() {
    local target=$1
    local time_interval=$2
    echo "==> Scheduling scan for $target every $time_interval..."
    
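    # Add cron job for scheduled scans; tolerate an empty crontab and record the
    # script's absolute path, since cron does not run from the current directory
    (crontab -l 2>/dev/null; echo "*/$time_interval * * * * $(realpath "$0") $target") | crontab -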
}

# Function for report management
generate_report() {
    echo "==> Generating reports in different formats..."
    
    # Convert results to CSV
    echo "Generating CSV report..."
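    while read -r subdomain; do
        # -F matches the name literally; skip hosts that have no Nmap output
        [ -f "$RESULTS_DIR/nmap_$subdomain.txt" ] && grep -F -- "$subdomain" "$RESULTS_DIR/nmap_$subdomain.txt" >> "$RESULTS_DIR/report.csv"
    done < "$SUBDOMAINS_FILE"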
    
    # Convert results to HTML
    echo "Generating HTML report..."
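    # $DOMAIN only holds the last domain processed, so list all of them
    echo "<html><body><h1>Vulnerability Report for ${DOMAINS[*]}</h1>" > "$RESULTS_DIR/report.html"
    for file in "$RESULTS_DIR/"*.txt; do
        echo "<h2>$file</h2><pre>" >> "$RESULTS_DIR/report.html"
        # Escape HTML metacharacters: tool output contains text controlled by the scanned hosts
        sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' "$file" >> "$RESULTS_DIR/report.html"
        echo "</pre>" >> "$RESULTS_DIR/report.html"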
    done
    echo "</body></html>" >> "$RESULTS_DIR/report.html"
}

# Main scanning function
main_scan() {
    find_subdomains
    
    while read -r SUBDOMAIN; do
        echo "==> Starting scan for $SUBDOMAIN..."
        
        # Scan ports and services
        scan_vulnerabilities "$SUBDOMAIN" &
        
        # Perform fuzzing
        fuzz_test "$SUBDOMAIN" &
        
        wait
    done < "$SUBDOMAINS_FILE"
}

# Execute scans
main_scan

# Generate reports
generate_report

echo "==> Vulnerability scanning completed. Reports saved in $RESULTS_DIR."
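
The script's input check only counts its arguments, yet each value ends up in output file names, tool command lines and the crontab entry. As an added example (not part of the original script; the function names and sample inputs are assumptions), a stricter check that accepts only syntactically valid hostnames before anything else runs:

```bash
#!/bin/sh
# Added example: validate scan targets before they are used in paths such as
# "$RESULTS_DIR/nmap_$target.txt", in tool arguments, or in a crontab line.

# Return 0 only for a multi-label DNS hostname (no trailing dot).
is_valid_hostname() {
    host=$1
    # DNS limits a full name to 253 characters.
    [ "${#host}" -ge 1 ] && [ "${#host}" -le 253 ] || return 1
    # Reject any character outside letters, digits, "." and "-". This covers
    # "/" and ".." path tricks, spaces, newlines and shell metacharacters.
    case $host in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Each label is 1-63 characters and starts and ends alphanumeric, so a
    # leading "-" (read as an option by the scanners) is refused as well.
    printf '%s\n' "$host" | LC_ALL=C grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$'
}

# Print accepted targets one per line, lower-cased and de-duplicated.
# Rejected values are reported on stderr with non-printable bytes masked.
# Returns 1 when no valid target remains.
filter_targets() {
    accepted=$(
        for arg in "$@"; do
            if is_valid_hostname "$arg"; then
                printf '%s\n' "$arg" | tr 'A-Z' 'a-z'
            else
                printf 'Rejected target: %s\n' \
                    "$(printf '%s' "$arg" | tr -c '[:print:]' '?')" >&2
            fi
        done
    )
    [ -n "$accepted" ] || return 1
    printf '%s\n' "$accepted" | sort -u
}

# Constructed sample arguments: two valid names (one duplicated by case)
# and three values that would be unsafe further down the script.
filter_targets 'example.com' 'Example.com' 'sub.otherdomain.com' \
    '../../etc/cron.d/x' '-oN/tmp/out' 'a.com; id'
```

In the script, the output of filter_targets "$@" would replace the raw argument list, and the same check applies to every line of subdomains.txt, since those names come from third-party sources.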

Advanced Features

Important Notes

Ensure you have administrative privileges to install the necessary tools and access network resources for scanning.