dreizehnutters edited this page Mar 19, 2024 · 2 revisions

vide.sh

Tool to probe and crawl targets and enumerate their attack surface using various engines. Inputs can be:

  • .xml files generated by nmap
    • vide.sh nmap -sc -sp -eu -ew
  • a list of targets
    • vide.sh scope.txt -sp -sc -ev
  • stdin
    • echo example.com | vide.sh -sp -es --config custom.sh
  • direct
    • vide.sh "10.0.13.37:8443" -el
      _______________
  ==c(___(o(______(_()
          \=\
           )=\    ┌─────────────────────────~vide~────┐
          //|\\   │ attack surface enumeration        │
         //|| \\  │ version: 2.2                      │
        // ||. \\ └─────────────────@dreizehnutters───┘
      .//  ||   \\ .
      //  .      \\ 

This is yet another ctf/engagement automation tool, born out of curiosity and boredom. This tool was inspired by six2dez/reconftw.


Usage

Usage: vide.sh input [mods] [options] [misc]

Required:
    input   Specify an input format (e.g., file/path, string or stdin)

Mods:
    -sp     Skip probing with httpx
    -sc     Skip crawling with katana

Options:
    -es     Enable screenshot
    -ew     Enable whatweb scans
    -ea     Enable wanalyze scans
    -en     Enable nmap script scans
    -eu     Enable nuclei scans
    -ei     Enable nikto scans
    -ef     Enable ffuf brute forcing
    -ev     Enable virtual host header fuzzing
    -ej     Enable js crawl
    -eb     Enable bypass scans
    -el     Enable testssl.sh scans
    -eh     Enable ssh-audit scans

Misc:
    -h|--help                  Show this message
    -c|--config  <config.sh>   Config file to pass (default: custom.sh)
    -o|--out-dir <path>        Out-dir to work in (default: $PWD)
    --verify                   Check configuration file (default: config.sh)

Example:
    # skip crawl, skip probing, do virtual host header scan on a list of targets
    vide.sh scope.txt -sp -sc -ev
    # skip crawl, do nuclei, do whatweb on nmap output directory
    vide.sh nmap -sc -eu -ew
    # with config skip probing, do screenshot on stdin (default to HTTP)
    echo example.com | vide.sh -sp -es --config custom.sh
    # ssl scan on target
    vide.sh '10.0.13.37:8443' -el
    # verify current config.sh
    vide.sh --verify

Example

CLI demo

# skip crawling, do httpX screenshots and WhatWeb scans on nmap -oX data
$ vide.sh nmap -sc -es -ew
[...]

$ tree .
├── nmap
│   └── init.xml
└── vide_runs
    └── vide_22.02_23301708641003
        ├── host_port.txt
        ├── http_servers.txt
        ├── https_servers.txt
        ├── httpx
        │   └── scan.log
        ├── screenshots
        │   ├── response
        │   │   ├── 192.168.42.131
        │   │   │   └── 628362c5635403dbffbf03eb624e464b50915bc4.txt
        │   │   └── index.txt
        │   └── screenshot
        │       ├── 192.168.42.131
        │       │   └── 628362c5635403dbffbf03eb624e464b50915bc4.png
        │       ├── index_screenshot.txt
        │       └── screenshot.html
        ├── vide.log
        ├── vide_targets.txt
        └── whatweb
            ├── brief_all.log
            ├── brief.log
            ├── deep_all.log
            └── deep.log

Installation

The installation and maintenance of the modules used by vide.sh are left to the user.

$ git clone https://github.com/dreizehnutters/vide
$ cd vide
$ ln -s $(pwd)/vide.sh ~/.local/bin/vide.sh
$ vide.sh --verify

Configuration

Edit config.sh to set the location of each binary used and to configure the extra parameters passed to each engine.

$ cat config.sh | head -n15
# ---= bins =--- #CHANGE ME
NMAP=/usr/bin/nmap
XMLS=/usr/bin/xmlstarlet
NIKTO=/usr/bin/nikto
WW=/usr/bin/whatweb
WA=/usr/local/bin/webanalyze
SMBMAP=/usr/bin/smbmap
ENUM4LINUX=$PY_PATH/enum4linux-ng.py
FFUF=$GO_PATH/bin/ffuf
BYP4=$GO_PATH/bin/byp4xx
SUBJS=$GO_PATH/bin/subjs
HTTPX=$HOME/.pdtm/go/bin/httpx
NUCLEI=$HOME/.pdtm/go/bin/nuclei
KATANA=$HOME/.pdtm/go/bin/katana
# check the current configuration
$ vide.sh --verify
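As an added example (not vide's own --verify implementation), the function below sources a config file in the format shown above and reports, for every upper-case NAME=... assignment, whether the configured binary is executable. The command-name fallback via PATH and the OK/MISSING/UNSET labels are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not vide's own --verify): sanity-check the binaries assigned in a
# vide-style config.sh before running a scan.

# verify_bins CONFIG_FILE
# Sources CONFIG_FILE in a subshell (it is plain shell, as the excerpt above shows),
# then checks every upper-case NAME=... assignment: the value must be an executable
# path, or a bare command name that resolves on $PATH (assumed convention).
# Prints one line per entry and returns 0 only if every binary is usable.
verify_bins() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read config: $cfg" >&2; return 2; }
    (
        # shellcheck disable=SC1090
        . "$cfg" || exit 2
        missing=0
        # Variable names assigned in the file, in file order (comments are skipped).
        for name in $(grep -E -o '^[A-Z0-9_]+=' "$cfg" | tr -d '='); do
            eval "val=\${$name}"          # indirect lookup, works in sh and bash
            case "$val" in
                '')  status=UNSET ;;       # assigned but empty, e.g. KATANA=
                */*) if [ -x "$val" ]; then status=OK; else status=MISSING; fi ;;
                *)   # bare command name: resolve it on PATH instead
                     if command -v "$val" >/dev/null 2>&1; then status=OK; else status=MISSING; fi ;;
            esac
            [ "$status" = OK ] || missing=$((missing + 1))
            printf '%-8s %-12s %s\n' "$status" "$name" "${val:-<unset>}"
        done
        # Non-zero exit when anything is wrong, so this can gate a scan run.
        [ "$missing" -eq 0 ]
    )
}
```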

Scanning Engines

Software          Version      Purpose
xmlstarlet        >= 1.6.1     XML parsing
httpx             >= 1.2.5     server probing
katana            >= 1.0.0     crawling
whatweb           >= 0.5.5     tech discovery
webanalyze        >= 0.3.8     tech discovery
nuclei            >= 2.8.9     web server scanning
nikto             >= 2.5.0     web server scanning
ffuf              >= 2.0.0     directory brute forcing
byp4xx            >= b337580   bypass checks
subjs             >= 1.0.0     crawling js
enum4linux-ng.py  >= 1.3.1     windows enumeration
smbmap            >= 1.9.1     smb enumeration
nmap              >= 7.94      extended script scans
testssl.sh        >= 3.2rc3    SSL compliance scans
ssh-audit         >= 3.1.0     SSH compliance scans