Home / Hacking Tools / Automated Penetration Testing with APT2 Toolkit

Automated Penetration Testing with APT2 Toolkit

APT2 is an Automated Penetration Testing Toolkit. This tool will perform an NMap scan, or import the results of a scan from Nexpose, Nessus, or NMap. The processesd results will be used to launch exploit and enumeration modules according to the configurable Safe Level and enumerated service information. All module results are stored on localhost and are part of APT2’s Knowledge Base (KB). The KB is accessible from within the application and allows the user to view the harvested results of an exploit module.

APT2 Help

root@kali:~# apt2 -h
usage: apt2 [-h] [-C ] [-f [<\input file> [<\input file> ...]]]
            [--target] [--ip ] [-v] [-s SAFE_LEVEL]
            [-x EXCLUDE_TYPES] [-b] [--listmodules]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbosity       increase output verbosity
  -s SAFE_LEVEL, --safelevel SAFE_LEVEL
                        set min safe level for modules. 0 is unsafe and 5 is
                        very safe. Default is 4
  -x EXCLUDE_TYPES, --exclude EXCLUDE_TYPES
                        specify a comma seperatec list of module types to
                        exclude from running
  -b, --bypassmenu      bypass menu and run from command line arguments

inputs:
  -C        config file
  -f [<\input file> [<\input file> ...]]
                        one of more input files seperated by spaces
  --target              initial scan target(s)

advanced:
  --ip        defaults to 192.168.103.227

misc:
  --listmodules         list out all current modules and exit
root@kali:~#
root@kali:~#
root@kali:~# apt2 --listmodules | grep '|' | sort | grep -v 'Module.*Type.*Description'
[*] | anonftp                   | action |      4 | Test for Anonymous FTP                                                                    |
[*] | anonldap                  | action |      5 | Test for Anonymous LDAP Searches                                                          |
[*] | apt2_ipwhois              | action |      5 | run ipwhois                                                                               |
[*] | apt2_shodan               | action |      5 | run shodan                                                                                |
[*] | apt2_whois                | action |      5 | run whois                                                                                 |
[*] | crackPasswordHashJohnTR   | action |      5 | Attempt to crack any password hashes                                                      |
[*] | dictload                  | input  |      None  | Load DICT Input File                                                                      |
[*] | gethostname               | action |      5 | Determine the hostname for each IP                                                        |
[*] | httpoptions               | action |      5 | Get HTTP Options                                                                          |
[*] | httpscreenshot            | action |      5 | Get Screen Shot of Web Pages                                                              |
[*] | httpserverversion         | action |      5 | Get HTTP Server Version                                                                   |
[*] | hydrasmbpassword          | action |      2 | Attempt to bruteforce SMB passwords                                                       |
[*] | impacketsecretsdump       | action |      5 | Test for NULL Session                                                                     |
[*] | msf_dumphashes            | action |      4 | Gather hashes from MSF Sessions                                                           |
[*] | msf_gathersessioninfo     | action |      4 | Get Info about any new sessions                                                           |
[*] | msf_javarmi               | action |      5 | Attempt to Exploit A Java RMI Service                                                     |
[*] | msf_jboss_maindeployer    | action |      3 | Attempt to gain shell via Jboss                                                           |
[*] | msf_jboss_vulnscan        | action |      4 | Attempt to determine if a jboss instance has default creds                                |
[*] | msf_ms08_067              | action |      4 | Attempt to exploit MS08-067                                                               |
[*] | msf_openx11               | action |      5 | Attempt Login To Open X11 Service                                                         |
[*] | msf_psexec_pth            | action |      4 | Attempt to authenticate via PSEXEC PTH                                                    |
[*] | msf_smbuserenum           | action |      5 | Get List of Users From SMB                                                                |
[*] | msf_snmpenumshares        | action |      5 | Enumerate SMB Shares via LanManager OID Values                                            |
[*] | msf_snmpenumusers         | action |      5 | Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values               |
[*] | msf_snmplogin             | action |      5 | Attempt Login Using Common Community Strings                                              |
[*] | msf_tomcat_mgr_login      | action |      4 | Attempt to determine if a tomcat instance has default creds                               |
[*] | msf_tomcat_mgr_upload     | action |      3 | Attempt to gain shell via Tomcat                                                          |
[*] | msf_vncnoneauth           | action |      5 | Detect VNC Services with the None authentication type                                     |
[*] | nmaploadxml               | input  |      None  | Load NMap XML File                                                                        |
[*] | nmapms08067scan           | action |      4 | NMap MS08-067 Scan                                                                        |
[*] | nmapnfsshares             | action |      5 | NMap NFS Share Scan                                                                       |
[*] | nmapsmbshares             | action |      5 | NMap SMB Share Scan                                                                       |
[*] | nmapsmbsigning            | action |      5 | NMap SMB-Signing Scan                                                                     |
[*] | nmapsslscan               | action |      5 | NMap SSL Scan                                                                             |
[*] | nmapvncbrute              | action |      5 | NMap VNC Brute Scan                                                                       |
[*] | nullsessionrpcclient      | action |      5 | Test for NULL Session                                                                     |
[*] | nullsessionsmbclient      | action |      5 | Test for NULL Session                                                                     |
[*] | openx11                   | action |      5 | Attempt Login To Open X11 Servicei and Get Screenshot                                     |
[*] | reportgen                 | report |      None  | Generate HTML Report                                                                      |
[*] | responder                 | action |      3 | Run Responder and watch for hashes                                                        |
[*] | searchftp                 | action |      4 | Search files on FTP                                                                       |
[*] | searchnfsshare            | action |      4 | Search files on NFS Shares                                                                |
[*] | searchsmbshare            | action |      4 | Search files on SMB Shares                                                                |
[*] | snmpwalk                  | action |      5 | Run snmpwalk using found community string                                                 |
[*] | sslsslscan                | action |      5 | Determine SSL protocols and ciphers                                                       |
[*] | ssltestsslserver          | action |      5 | Determine SSL protocols and ciphers                                                       |
[*] | userenumrpcclient         | action |      5 | Get List of Users From SMB                                                                |
root@kali:~#

APT2 Usage Example

root@kali:~# msfdb start
[+] Starting database
root@kali:~#
root@kali:~# msfconsole -q -x 'load msgrpc User=msf Pass=msfpass ServerPort=55552'
/usr/share/metasploit-framework/lib/msf/core/opt.rb:55: warning: constant OpenSSL::SSL::SSLContext::METHODS is deprecated
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: msfpass
[*] Successfully loaded plugin: msgrpc
msf >


root@kali:~# apt2 -s 0 -b --target 192.168.103.128
[*]
[*]       dM.    `MMMMMMMb. MMMMMMMMMM      
[*]      ,MMb     MM    `Mb /   MM   \      
[*]      d'YM.    MM     MM     MM   ____  
[*]     ,P `Mb    MM     MM     MM  6MMMMb  
[*]     d'  YM.   MM    .M9     MM MM'  `Mb
[*]    ,P   `Mb   MMMMMMM9'     MM      ,MM
[*]    d'    YM.  MM            MM     ,MM'
[*]   ,MMMMMMMMb  MM            MM   ,M'    
[*]   d'      YM. MM            MM ,M'      
[*] _dM_     _dMM_MM_          _MM_MMMMMMMM
[*]
[*]
[*] An Automated Penetration Testing Toolkit
[*] Written by: Adam Compton & Austin Lane
[*] Verion: 1.0.0
[!] Module 'apt2_shodan' disabled:
[!]      API key is missing
[!] Module 'searchnfsshare' disabled:
[!]      Module Manually Disabled !!!
[*] Input Modules Loaded:   2
[*] Action Modules Loaded:  43
[*] Report Modules Loaded:  1
[*]
[*] The KnowledgeBase will be auto saved to : /root/.apt2/proofs/KB-egghavrdqa.save
[*] Local IP is set to : 192.168.103.227
[*]       If you would rather use a different IP, then specify it via the [--ip ] argument.
[*] Scan file saved to [/root/.apt2/proofs/NMAP-nmapScan192.168.103.128-fvqoswtplf]
[*] Use the following controls while scans are running:
[*] Starting responder...
[*] - p - pause/resume event queueing
[!] VULN [NULLSession] Found on [192.168.103.128]
[*] Current # of Active Threads = [10]
[*]     ==> Responder, GetHostname, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFJbossVulnscan, MSFTomcatMgrLogin, NmapMS08067Scan, NmapSMBSigning, NmapSMBShareScan, MSFSMBUserEnum
[*] Current # of Active Threads = [10]
[*]     ==> Responder, GetHostname, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFJbossVulnscan, MSFTomcatMgrLogin, NmapMS08067Scan, NmapSMBSigning, NmapSMBShareScan, MSFSMBUserEnum
[*] Current # of Active Threads = [9]
[*]     ==> Responder, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFJbossVulnscan, MSFTomcatMgrLogin, NmapMS08067Scan, NmapSMBSigning, NmapSMBShareScan, MSFSMBUserEnum
[*] Scan file saved to [/root/.apt2/proofs/NMAP-192.168.103.128_MS08067SCAN-ughssbeike]
[*] Scan file saved to [/root/.apt2/proofs/NMAP-192.168.103.128_SMBSINGINGSCAN-mcjojhzjny]
[*] Scan file saved to [/root/.apt2/proofs/NMAP-192.168.103.128_SMBSHARESCAN-idhndqdplo]
[*] Current # of Active Threads = [6]
[*]     ==> Responder, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFSMBUserEnum
[*] Current # of Active Threads = [6]
[*]     ==> Responder, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFSMBUserEnum
[*] Current # of Active Threads = [6]
[*]     ==> Responder, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFJbossVulnscan, MSFTomcatMgrLogin, MSFSMBUserEnum
[*] Current # of Active Threads = [1]
[*]     ==> Responder
[*] Current # of Active Threads = [1]
[*]     ==> Responder
[*] Current # of Active Threads = [1]
[*]     ==> Responder
[*] Generating Reports
[*] Report file located at /root/.apt2/reports/reportGenHTML_shfrqjwgxs.html
[*]
[*] Good Bye!
root@kali:~#
root@kali:~#
root@kali:~# tree  /root/.apt2/
/root/.apt2/
├── logs
│   └── processlog.txt
├── proofs
│   ├── httpOptions_192.168.103.128_80_vnkzicnlst
│   ├── HTTPServerVersion_192.168.103.128_443_tzeexsuztp
│   ├── HTTPServerVersion_192.168.103.128_80_awllaokxlc
│   ├── KB-egghavrdqa.save
│   ├── MSFJbossVulnscan_192.168.103.128_bcchobmmzp
│   ├── MSFJbossVulnscan_192.168.103.128_mbpdgqtezt
│   ├── MSFSMBUserEnum_192.168.103.128_krcyxrdotc
│   ├── MSFTomcatMgrLogin_192.168.103.128_pqvkxxjweb
│   ├── MSFTomcatMgrLogin_192.168.103.128_stccicqbwu
│   ├── NMAP-192.168.103.128_MS08067SCAN-ughssbeike.gnmap
│   ├── NMAP-192.168.103.128_MS08067SCAN-ughssbeike.nmap
│   ├── NMAP-192.168.103.128_MS08067SCAN-ughssbeike.xml
│   ├── NMAP-192.168.103.128_SMBSHARESCAN-idhndqdplo.gnmap
│   ├── NMAP-192.168.103.128_SMBSHARESCAN-idhndqdplo.nmap
│   ├── NMAP-192.168.103.128_SMBSHARESCAN-idhndqdplo.xml
│   ├── NMAP-192.168.103.128_SMBSINGINGSCAN-mcjojhzjny.gnmap
│   ├── NMAP-192.168.103.128_SMBSINGINGSCAN-mcjojhzjny.nmap
│   ├── NMAP-192.168.103.128_SMBSINGINGSCAN-mcjojhzjny.xml
│   ├── NMAP-nmapScan192.168.103.128-fvqoswtplf.gnmap
│   ├── NMAP-nmapScan192.168.103.128-fvqoswtplf.nmap
│   ├── NMAP-nmapScan192.168.103.128-fvqoswtplf.xml
│   ├── nmblookup_192.168.103.128_fkiytphaty
│   ├── nmblookup_192.168.103.128_jhklrjsumn
│   ├── nmblookup_192.168.103.128_pcbiyotbkm
│   ├── NULLSessionRpcClient_192.168.103.128_lfidievfys
│   ├── NULLSessionSmbClient_192.168.103.128_kgixcdjuse
│   ├── Responder_rlxujzjrqo
│   ├── Responder_tgtekbrxou
│   └── UserEnumRpcClient_192.168.103.128_nehnpiwedo
├── reports
│   └── reportGenHTML_shfrqjwgxs.html
└── tmp

4 directories, 31 files
root@kali:~#
root@kali:~#
root@kali:~# firefox /root/.apt2/reports/reportGenHTML_shfrqjwgxs.html

Source:

Author: Adam Compton & Austin Lane

License: MIT

Check Also

Unicornscan

SecLists – Security Tester’s Companion

SecLists is the security tester’s companion. It’s a collection of multiple types of lists used …

Unicornscan

Forging ARP, UDP, ICMP or custom packets with packetforge-ng

The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for …

Use WordPress.com, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.