Search the Community

Jok3r v3 Network & Web Pentest Automation Framework About Overview Jok3r is a framework that aids penetration testers for network infrastructure and web security assessments. Its goal is to automate as much stuff as possible in order to quickly identify and exploit "low-hanging fruits" and "quick win" vulnerabilities on most common TCP/UDP services and most common web technologies (servers, CMS, languages...). Combine Pentest Tools Do not re-invent the wheel. Combine the most useful hacking tools/scripts available out there from various sources, in an automatic way. Automate Attacks Automatically run security checks adapted to the targeted services. Reconnaissance, CVE lookup, vulnerability scanning, exploitation, bruteforce... Centralize Mission Data Store data related to targets in a local database. Keep track of all the results from security checks and continuously update the database. Features Key Features Pentest Toolbox Management Selection of Tools Compilation of 50+ open-source tools & scripts, from various sources. Docker-based Application packaged in a Docker image running Kali OS, available on Docker Hub. Ready-to-use All tools and dependencies installed, just pull the Docker image and run a fresh container. Updates made easy Easily keep the whole toolbox up-to-date by running only one command. Easy Customization Easily add/remove tools from a simple configuration file. Network Infrastructure Security Assessment Many supported Services Target most common TCP/UDP services (HTTP, FTP, SSH, SMB, Oracle, MS-SQL, MySQL, PostgreSQL, VNC, etc.). Combine Power of Tools Each security check is performed by a tool from the toolbox. Attacks are performed by chaining security checks. Context Awareness Security checks to run are selected and adapted according to the context of the target (i.e. detected technologies, credentials, vulnerabilities, etc.). Reconnaissance Automatic fingerprinting (product detection) of targeted services is performed. CVE Lookup When product names and their versions are detected, a vulnerability lookup is performed on online CVE databases (using Vulners & CVE Details). Vulnerability Scanning Automatically check for common vulnerabilities and attempt to perform some exploitations (auto-pwn). Brute-force Attack Automatically check for default/common credentials on the service and perform dictionnary attack if necessary. Wordlists are optimized according to the targeted services. Post-authentication Testing Automatically perform some post-exploitation checks when valid credentials have been found. Web Security Assessment Large Focus on HTTP More than 60 different security checks targeting HTTP supported for now. Web Technologies Detection Fingerprinting engine based on Wappalyzer is run prior to security checks, allowing to detect: Programming language, Framework, JS library, CMS, Web & Application Server. Server Exploitation Automatically scan and/or exploit most critical vulnerabilities (e.g. RCE) on web and application servers (e.g. JBoss, Tomcat, Weblogic, Websphere, Jenkins, etc.). CMS Vulnerability Scanning Automatically run vulnerability scanners on most common CMS (Wordpress, Drupal, Joomla, etc.). Local Database & Reporting Local Database Data related to targets is organized by missions (workspaces) into a local Sqlite database that is kept updated during security testings. Metasploit-like Interactive Shell Access the database through an interactive shell with several built-in commands. Import Targets from Nmap Add targets to a mission either manually or by loading Nmap results. Access all Results All outputs from security checks, detected credentials and vulnerabilities are stored into the database and can be accessed easily. Reporting Generate full HTML reports with targets summary, web screenshots and all results from security testing. Architecture Framework Architecture General Architecture graph Flowchart Demo Demonstration Videos Download Get Jok3r Jok3r is open-source. Contributions, ideas and bug reports are welcome ! [Hide] [Hidden Content]]

Overview Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests. The goal is to save as much time as possible during network/web pentests by automating as many security tests as possible in order to quickly identify low-hanging fruits vulnerabilities, and then spend more time on more interesting and tricky stuff ! It is based upon the observation that there are many hacking open-source tools/scripts (from various sources) targeting common network services available out there, that allow to perform various tasks from fingerprinting to exploitation. Therefore, the idea of Jok3r is to combine those open-source tools in a smart way to get the more relevant results. Features Pentest Toolbox management Selection of Tools: Compilation of 50+ open-source tools & scripts, from various sources. Docker-based: Application packaged in a Docker image running Kali OS, available on Docker Hub. Ready-to-use: All tools and dependencies installed, just pull the Docker image and run a fresh container. Updates made easy: Easily keep the whole toolbox up-to-date by running only one command. Easy Customization: Easily add/remove tools from a simple configuration file. Network Infrastructure Security Assessment Many supported Services: Target most common TCP/UDP services (HTTP, FTP, SSH, SMB, Oracle, MS-SQL, MySQL, PostgreSQL, VNC, etc.). Combine Power of Tools: Each security check is performed by a tool from the toolbox. Attacks are performed by chaining security checks. Context Awareness: Security checks to run are selected and adapted according to the context of the target (i.e. detected technologies, credentials, vulnerabilities, etc.). Reconnaissance: Automatic fingerprinting (product detection) of targeted services is performed. CVE Lookup: When product names and their versions are detected, a vulnerability lookup is performed on online CVE databases (using Vulners & CVE Details). Vulnerability Scanning: Automatically check for common vulnerabilities and attempt to perform some exploitations (auto-pwn). Brute-force Attack: Automatically check for default/common credentials on the service and perform dictionnary attack if necessary. Wordlists are optimized according to the targeted services. Post-authentication Testing: Automatically perform some post-exploitation checks when valid credentials have been found. Web Security Assessment Large Focus on HTTP: More than 60 different security checks targeting HTTP supported for now. Web Technologies Detection: Fingerprinting engine based on Wappalyzer is run prior to security checks, allowing to detect: Programming language, Framework, JS library, CMS, Web & Application Server. Server Exploitation: Automatically scan and/or exploit most critical vulnerabilities (e.g. RCE) on web and application servers (e.g. JBoss, Tomcat, Weblogic, Websphere, Jenkins, etc.). CMS Vulnerability Scanning: Automatically run vulnerability scanners on most common CMS (Wordpress, Drupal, Joomla, etc.). Local Database & Reporting Local Database: Data related to targets is organized by missions (workspaces) into a local Sqlite database that is kept updated during security testings. Metasploit-like Interactive Shell: Access the database through an interactive shell with several built-in commands. Import Targets from Nmap: Add targets to a mission either manually or by loading Nmap results. Access all Results: All outputs from security checks, detected credentials and vulnerabilities are stored into the database and can be accessed easily. Reporting: Generate full HTML reports with targets summary, web screenshots and all results from security testing. [HIDE][Hidden Content]]

[HIDhttps://github.com/koutto/jok3r#jok3r---network-and-web-pentest-frameworkE][/HIDE] Jok3r - Network and Web Pentest Framework Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests. Its main goal is to save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challenging stuff. To achieve that, it combines open-source Hacking tools to run various security checks against all common network services. Main features Toolbox management: Install automatically all the hacking tools used by Jok3r, Keep the toolbox up-to-date, Easily add new tools. Attack automation: Target most common network services (including web), Run security checks by chaining hacking tools, following standard process (Reconaissance, Vulnerability scanning, Exploitation, Account bruteforce, (Basic) Post-exploitation). Let Jok3r automatically choose the checks to run according to the context and knowledge about the target, Mission management / Local database: Organize targets by missions in local database, Fully manage missions and targets (hosts/services) via interactive shell (like msfconsole db), Access results from security checks. Jok3r has been built with the ambition to be easily and quickly customizable: Tools, security checks, supported network services... can be easily added/edited/removed by editing settings files with an easy-to-understand syntax.