Proposal: Node.js penetration test framework

Hi guys! Since I started to write Bluebox-ng I've been tracking the different security projects I found written in Node.js. Now that we've published the first stable version, we think it's the right moment to speak among ourselves (and, of course, with everyone interested in it :).

Why?

  • I think we're rewriting the same stuff in our respective projects again and again. For example, almost any tool supports IPv6 because the functions we need are still not present in the Node core and the libraries I found (IMHO) were not enough.
  • There are different projects implementing exactly the same thing, i.e. port scanners.
  • We're working in an environment that is still too new, so we need to build it together.
  • Our 2 cents to make Node still more awesome. Now we have io.js, whose main idea is to gain committers.

To clarify: we have NO interest in keeping the project name or anything similar; our only idea is to code in a bigger community.

@jesusprubio jesusprubio commented Jan 9, 2015

At first I was only thinking about a penetration test framework because I'm not a reverser/exploiter. But maybe it would be interesting to consider it since I've also found some projects like these:

@joridos joridos commented Jan 9, 2015

I think it's a good idea, because it is difficult to do alone; with a larger community it is much easier for the project to grow. 👍

@vertexclique vertexclique commented Jan 13, 2015

I have time to take a look at projects. We could do something great with a larger community, and I want to be part of it.

@jesusprubio jesusprubio commented Jan 13, 2015

Nice :). So, for now, we have:

If you agree, we think we should wait this week to see if anyone else joins the project.

@jpenalbae jpenalbae commented Jan 13, 2015

Count on me.

You can add chita and r2pipe to the list. I also have some other small security tools which I could publish to add them to the list.

Maybe we should create an IRC channel or something like that to discuss this.

@jesusprubio jesusprubio commented Jan 13, 2015

Added. I'm often on Freenode. You can create a new channel, or, if you prefer, I'm always alone xD in #breakingvoip until we have a name.

@jesusprubio jesusprubio commented Jan 13, 2015

The whole list of modules we've implemented in Bluebox until now. A lot of them are only wrappers around somebody else's modules, but we can get an idea of what is already implemented. None of them use external (non-JavaScript) tools, except the system ones (i.e. ping).

  • amiBrute: Try to brute-force valid credentials for the Asterisk Manager service (AMI)
  • amiCommand: Use the Asterisk Manager service (AMI) to run a command
  • amiCommandList: List the Asterisk Manager service (AMI) supported commands
  • amiCoreSetting: Use the Asterisk Manager service (AMI) to get the core settings of the server
  • amiCoreShowChannels: Use the Asterisk Manager service (AMI) to get channels of the server
  • amiCoreStatus: Use the Asterisk Manager service (AMI) to get the actual status of the (core) server
  • amiGetConfig: Use the Asterisk Manager service (AMI) to change a config file
  • amiDadhiShowChannels: Use the Asterisk Manager service (AMI) to get channels (DADHI) of the server
  • amiExtensionState: Use the Asterisk Manager service (AMI) to get the actual state of an extension
  • amiGetConfig: Use the Asterisk Manager service (AMI) to get a config file
  • amiGetVar: Use the Asterisk Manager service (AMI) to get the value of a setup variable
  • amiReload: Use the Asterisk Manager service (AMI) to reload the server config
  • amiSetVar: Use the Asterisk Manager service (AMI) to set the value of a setup variable
  • amiShowDialPlan: Use the Asterisk Manager service (AMI) to get the dialplan of the server
  • amiSipPeers: Use the Asterisk Manager service (AMI) to get SIP peers of the server
  • amiSipShowRegistry: Use the Asterisk Manager service (AMI) to get the SIP registry of the server
  • amiStatus: Use the Asterisk Manager service (AMI) to get the actual status of the server
  • amiVoiceMailUsersList: Use the Asterisk Manager service (AMI) to locate voicemail users
  • auto: Automated VoIP/UC pentesting
  • defaultCredentials: Show common VoIP system default credentials
  • dnsBrute: DNS brute force
  • dnsResolve: Resolve common VoIP DNS records (SRV, NAPTR) for a specific domain
  • dnsReverse: DNS reverse resolution of an IP address
  • dumbFuzz: Really stupid app-layer fuzzer (underlying support: UDP, TCP, TLS, [secure] websockets)
  • exploitSearch: Find vulnerabilities and exploits for a specific service version (using the exploitsearch.net API)
  • ftpBrute: Try to brute-force valid credentials for the FTP protocol
  • geoLocate: Geolocation (freegeoip.net)
  • getExtIp: Get your external IP address
  • googleDorks: Find potential targets using a Google dork
  • httpBrute: Try to brute-force valid credentials for the HTTP protocol
  • httpBruteDir: Try to brute-force valid files/directories in a web server
  • httpBrute: Try to brute-force valid credentials for an LDAP/Active Directory server
  • mongoBrute: MongoDB credentials brute-force
  • mysqlBrute: Try to brute-force valid credentials for a MySQL database
  • networkScan: Host/port network scanner (Evilscanner, only full TCP for now)
  • ping: Ping protocol client
  • pingTcp: Ping client (TCP protocol)
  • shodanExploits: Find vulnerabilities and exploits for a specific service version (using the SHODAN API)
  • shodanHost: Check if the target is indexed by the SHODAN computer search engine
  • shodanPopular: Quick access to popular SHODAN-related queries
  • shodanSearch: Find potential targets in the SHODAN computer search engine
  • sipBruteExt100: SIP extension brute-forcer (CVE-2011-2536 / AST-2011-011)
  • sipBruteExt404: SIP extension brute-forcer (CVE-2009-3727 / AST-2009-008)
  • sipBrutePass: SIP credentials brute-force
  • sipBruteSlow: Check if the server is blocking slow brute-force attacks
  • sipDos: DoS protection mechanisms stress test (it waits for a response)
  • sipScan: SIP host/port scanner
  • sipSqli: Check if the server blocks SIP SQLi attacks
  • sipTorture: SIP Torture stress test (crafted packets)
  • sipUnauthCall: Check if a server allows unauthenticated calls
  • tftpBrute: Try to brute-force valid communities for the SNMP protocol
  • sshBrute: Try to brute-force valid credentials for the SSH protocol
  • tftpBrute: Try to brute-force valid credentials for the TFTP protocol
  • traceroute: Display the route of your packets
  • version: Version of Bluebox-ng
  • whois: WHOIS protocol client
  • wifiScan: WiFi access point scanner

@ckarande ckarande commented Jan 14, 2015

Great Idea! Together we can focus our diverted efforts and make something bigger and better than we individually could achieve. I would love to be part of it.

@Random1984 Random1984 commented Jan 14, 2015

What about Wireshark? Nice packet dissection could retrieve useful info.
https://github.com/joeferner/node-shark

@sergiogr sergiogr commented Jan 14, 2015

That's one of the ideas we had in mind. We agree it would be great to be able to get a PCAP file out of the tests we do, to analyze later with Wireshark or another external tool.

@jpenalbae jpenalbae commented Jan 14, 2015

I will be at #breakingvoip on Freenode with Jesus and Sergio. We should all meet there to discuss this.

@jesusprubio jesusprubio commented Jan 14, 2015

The summary of the improvised meeting is that, for now, we need a community related to security tools written in Node. So, first of all we need:

  • A name.
  • One or more communication channels: IRC, mailing list (vs Google Group), some GitHub-based system like Ost.io ...
  • A site, with links to: projects, useful libraries and communication mechanisms. Moreover, in the future, we would like some kind of automation to allow anybody to upload their project.

This way we could:

  • Have a repository with useful resources to use in our projects.
  • Ask any member to publish a part of their code as an NPM module and send some PRs, instead of coding it from scratch.
  • Contribute to the same libraries to achieve a common goal.
  • etc.

About the framework, we think it's better to create a subproject inside the community. We have been speaking about some ideas of what we want (and what we don't!) and how we could design it. But we can talk about that once the community is created.

Ideas, opinions, suggestions? :)

@multitic multitic commented Jan 16, 2015

It is a great idea and an excellent project!!!

To accelerate this we need to speak about it on different sites, blogs, ....

I think that first we must work on a pentest focused on VoIP and later make it more general, but anything will be a great contribution!!!

At the moment we can speak about it here, but other platforms would be great!!!

But FIRST we need a NAME. For example, I think that an expressive/explicit name is better:

PENTESTJS, PTJS,
PenTestVoip, PENTESTVO,
PenTestVoipAsAService,
frameworkVoIP
.......
..............

These are simple ideas to push the choice of name; the FIRST step!!!

@multitic multitic commented Jan 16, 2015

Yes, we can install bluebox-ng in bugtraq2 and in VAST with the same method as with Kali:

https://multitic.wordpress.com/2015/01/16/serie-pentesting-voip-2/

@vertexclique vertexclique commented Jan 16, 2015

https://gitter.im/ for talks maybe...

@Random1984 Random1984 commented Jan 17, 2015

This project could be named like a powerful car with a V8 engine.
"Nuevo Seat Panda - A tu ritmo"

@multitic multitic commented Jan 17, 2015

hahahaha,
common rails 4x4 !!!

---> V8IP !!!

@jesusprubio jesusprubio commented Jan 18, 2015

multitic-celtica

  • Thanks, but we have a lot to do ;)
  • For sure we'll have to speak about it, but I think that, for now, we don't know exactly what we want.
  • Yep, we need a name!
  • I think that we should not focus especially on VoIP. This was the original idea of Bluebox. But we started this because we want to join with everyone who is developing something related to Node and pentesting/exploiting.

vertexclique

  • I think Gitter could fit

Moreover, I'm writing a first website draft; I hope to have it finished in a couple of days. Until then, here is my proposal for a temporary logo. I have to clarify that I'm not a graphic artist, I'm only playing with Inkscape.

About the name, I should not use anything with "pentest" or "exploit" and derived ones. My main reason is to be open to as many people as possible. My 2 cents:

  • ninja.js - JavaScript Ninja
  • abusive.js - Abusive JavaScript / Abusive Node
  • warfare.js, offensive.js, unpleasant.js, violent.js, etc.
  • "Bringing pentest/exploit stuff to Node!"

To summarize, our goal:

  • Have a repository with useful resources to use in our projects.
  • Ask any member to publish a part of their code as an NPM module and send some PRs, instead of coding it from scratch.
  • Contribute to the same libraries to achieve a common goal.
  • Subproject: Complete framework

About the communication I think we only need for now:

  • IRC channel on Freenode. Remember, we're in #breakingvoip until we choose a name.
  • GitHub repo.
  • A mail with GPG key.
  • Mailing list: Google Group. But we can configure our GitHub account to send the notifications by mail, so maybe we can avoid it.
  • Twitter: If anybody wants to manage it, I've no time :(.
  • A federated social network like Quitter or Identi.ca: They have Twitter integration, so we can publish in both networks at the same time.

We need an IRC meeting to vote on everything; any preference? Until then we can comment here to keep pushing.

@vertexclique vertexclique commented Jan 21, 2015

I can make the logo. 👍 for warfare.js, and I can offer weird names

  • assault.js, ravage.js etc.
  • related to biology: coacervate (initial component of a cell), protocell (before the cellular structure) / why? Because pentesting and exploiting is generally low-level.
@jesusprubio jesusprubio commented Jan 22, 2015

I like assault.js too. We need a Doodle; please add more here and I'll add them:

It seems that the logo was not correctly uploaded, but I've fixed it now. You can upload your proposals; we need ideas :)

3 votes each one? :)

@sergiogr sergiogr commented Jan 23, 2015

If I had to pick only one I would go for assault.js, but I like warfare.js as well. My third option would be ninja.js which would be easier to design a logo for, but it's also more generic, I think.

@vertexclique vertexclique commented Jan 23, 2015

Guys, there is already a project with that name, btw: http://ninjaui.com/

@jesusprubio jesusprubio commented Jan 25, 2015

Hi, I've published a draft of the future web. I've used the most voted name for now. It's implemented using Polymer. I think I've already added the projects of everyone interested. Ideas? :)

https://jesusprubio.github.io/

@Random1984 Random1984 commented Jan 27, 2015

I think assault.js is the coolest name it could have.

@jesusprubio jesusprubio commented Jan 31, 2015

I agree, I think we have a name. See you on #assaultjs at Freenode :). New links:

@jpenalbae jpenalbae commented Feb 6, 2015

Does this fit somewhere within the project?

https://gist.github.com/jpenalbae/80b697dc25b5ec4ac8dd

@joridos joridos commented Mar 27, 2015

LOL, just now I see this, good name.

@ellerbrock ellerbrock commented Jun 8, 2016

hey guys,

Is the project still active? I would love to join in! I basically had the same plan to write some pentesting stuff in Node but was looking for a few people to join. You can get in touch with me on Gitter: https://gitter.im/frapsoft/penetration-testing ...

@cpruijsen cpruijsen commented Aug 18, 2016

👍 on the above. Are we still alive? Would be cool to get involved.

@SJCaldwell SJCaldwell commented Mar 3, 2017

This still active?

I'd be interested in contributing!

@maikelSec maikelSec commented Apr 13, 2017

Is this still happening?

@pdparchitect pdparchitect commented Apr 27, 2017

Hi everyone,

I am surprised to see this community page. It is awesome!

I started a Node.js security project called pownjs. You can learn more about what it is and the philosophy behind it over here: https://github.com/pownjs/pown.

So far I have contributed a few modules, including an LLMNR spoofer, a simple captcha-breaking tool, a pcap2-based sniffing tool, an offline hacking tips browser and a few more modules. I am also toying with many ideas that I would like to eventually implement, such as a UPnP discovery and hacking toolkit, a proxy, ARP spoofing etc., a TV hacking toolkit, web security tools, recon tools, more responders (mDNS, DNS, DHCP etc.), exploit development modules, etc.

I would love to get your opinion and also, if interested, get you involved.

The best part is that pownjs is a decentralised project because it is based around npm, and practically anyone can make their own distributions of the toolkit. This is part of the philosophy, i.e. modules are framework-agnostic and everyone is a contributor, even indirectly sometimes (check $ pown credits to see).

Let me know if you have any questions.
