[Linux] Bluebox-ng - Pentesting framework (Raw)

1. [Linux]
2. Bluebox-ng - Pentesting framework using Node.js powers, focused in VoIP.
3.  
4. DISCLAIMER: Pointing this tool at other people's servers is NOT legal in most countries.
5. * Auto VoIP/UC penetration test
6. * Report generation
7. * Performance
8. * RFC compliant
9. * SIP TLS and IPv6 support
10. * SIP over websockets (and WSS) support (RFC 7118)
11. * SHODAN, exploitsearch.net and Google Dorks
12. * SIP common security tools (scan, extension/password bruteforce, etc.)
13. * Authentication and extension brute-forcing through different types of SIP requests
14. * SIP Torture (RFC 4475) partial support
15. * SIP SQLi check
16. * SIP denial of service (DoS) testing
17. * Web management panels discovery
18. * DNS brute-force, zone transfer, etc.
19. * Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP
20. * Some common network tools: whois, ping (also TCP), traceroute, etc.
21. * Asterisk AMI post-explotation
22. * Dumb fuzzing
23. * Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)
24. * Automatic vulnerability searching (CVE, OSVDB, NVD)
25. * Geolocation
26. * Command completion
27. * Cross-platform support
28.  
29. Install
30. Install Node.js: https://nodejs.org/download
31. npm i -g bluebox-ng
32.  
33. Kali GNU/Linux
34. curl -sL https://raw.githubusercontent.com/jesusprubio/bluebox-ng/master/artifacts/installScripts/kali2.sh | sudo bash -
35.  
36. Use
37. Console: To start the console client.
38. bluebox-ng
39.  
40. Programatically: To run it from other Node code.
41. const Bluebox = require('bluebox-ng');
42.  
43. const box = new Bluebox();
44.  
45. box.run('gather/network/geo', { rhost: '8.8.8.8' })
46. .then(res => {
47. console.log('Result:');
48. console.log(res);
49. })
50. .catch(err => {
51. console.log('Error:');
52. console.log(err);
53. });
54.  
55. Developer guide
56. Use GitHub pull requests.
57.  
58. Environment: Get a copy of the code and install the dependencies.
59. git clone https://github.com/jesusprubio/bluebox-ng
60. cd bluebox-ng
61. npm i # or use yarn
62.  
63. Debug: We use the visionmedia module, so you have to use this environment variable:
64. DEBUG=bluebox-ng* npm start
65.  
66. New modules: You can add your own features to this environment following this tips:
67. * Add a new file inside /modules and it should appear in the pentesting environment.
68. * Use the most similar among the actual ones as boilerplate.
69.  
70. Tests
71. We still don't have a proper Docker setup. So, for now, the test have to be run locally. Please check its code before it, they often need a valid target service.
72. ./node_modules/.bin/tap test/wifi
73. node test/wifi/*
74. ./node_modules/.bin/tap test/wifi/scanAps.js
75. node test/wifi/scanAps.js
76.  
77. Conventions
78. * We use ESLint and Airbnb style guide.
79. * Please run to be sure your code fits with it and the tests keep passing: npm run posttest
80.  
81. Contributors: https://github.com/jesusprubio/bluebox-ng/graphs/contributors
82.  
83. Thanks to
84. * Our mentors: @antonroman, @sandrogauci (SIPVicious was our inspiration), @pepeluxx, @markcollier46 ("Hacking VoIP Exposed").
85. * Quobis, some hours of work through personal projects program.
86. * Kamailio community (@kamailioproject), our favourite SIP Server.
87. * Tom Steele (@_tomsteele) and the rest of exploitsearch.net team.
88. * All developers who have written the Node.js modules used in the project.
89. * All VoIP, free software and security hackers that we read everyday.
90. * Our friend Carlos Pérez, the logo designer.
91.  
92. Download Bluebox-ng: https://github.com/jesusprubio/bluebox-ng