The command attack is where security checks against targets are started.
usage: python3 jok3r.py attack <args> optional arguments: -h, --help show this help message and exit Single target: Quickly define a target to run checks against it. -t, --target <ip[:port] | url> Target IP[:PORT] (default port if not specified) or URL -s, --service <service> Target service --add <mission> Add/update the target into a given mission scope --disable-banner-grab Disable banner grabbing with Nmap at start Multiple targets from a mission scope: Select targets from the scope of an existing mission. -m, --mission <mission> Load targets from the specified mission -f, --filter <filter> Set of conditions to select a subset of targets (e.g "ip=192.168.1.0/24,10.0.0.4;port=80,8000-8100;service=http"). Available filter options: ip, host, port, service, url, os Several sets can be combined (logical OR) by using the option multiple times Selection of checks: Select only some categories/checks to run against the target(s). --cat-only <cat1,cat2...> Run only tools in specified category(ies) (comma-separated) --cat-exclude <cat1,cat2...> Do not run tools in specified category(ies) (comma-separated) --checks <check1,check2...> Run only the specified check(s) (comma-separated) Running option: --fast Fast mode, disable prompts Authentication: Define authentication option if some credentials or single usernames are known. Options can be used multiple times. For multiple targets, the service for which the creds/users will be used should be specified. --cred [<svc>[.<type>]] <user> <pass> Credentials (username + password) --user [<svc>[.<type>]] <user> Single username Context-specific options: Define manually some known info about the target(s). <opt1=val1 opt2=val2 ...> Context-specific options, format name=value (space-separated)
There are 2 modes of attacks:
- Single target
- Multiple targets from a mission sccope in database
Single Target Mode¶
This mode is used to run security checks against only one target.
- Example to run checks against MSSQL service running on port 1433/tcp on 192.168.1.42:
python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql
- Example to run checks against web application located at https://www.example.com/webapp/:
python3 jok3r.py attack -t https://www.example.com/webapp/
By default, Jok3r is run in interactive mode and so, will stop before running each
check/command to ask for confirmation. It is usually useful when you want to have time
to examine each result in live and decide whether it is needed to run the next check or
if it can be skipped. However, you will often want to let Jok3r running all the checks
without any user interaction, for better productivity, and check for the results at the
end. To do so, add the option
--fast to the command-line.
Run checks against web application located at https://www.example.com/webapp/ without user interaction:
python3 jok3r.py attack -t https://www.example.com/webapp/ --fast
When doing a pentest, the proper way is to create a mission in the local database
(See Command db), and then if you run Jok3r against a single target that is in
the scope of this mission, you should use the
--add <missionname> option in order
to push the target information and all the outputs from the security checks into the
database under the specified mission.
Multiple Targets Mode¶
This mode is designed to work with the local database: First you create a mission to define the scope of the pentest in the database (see Command db), and then you run security checks against all or a subset a targets from the scope:
- Example to run checks against all targets from the mission “MayhemProject”, using fast mode (i.e. without asking for any confirmation before targets and checks):
python3 jok3r.py attack -m MayhemProject --fast
- Example to run checks against only FTP services running on ports 21/tcp and 2121/tcp from the mission “MayhemProject”, using fast mode:
python3 jok3r.py attack -m MayhemProject -f "port=21,2121;service=ftp" --fast
- Example to run checks against only FTP services running on ports 2121/tcp and all HTTP services on 192.168.1.42:
python3 jok3r.py attack -m MayhemProject -f "port=2121;service=ftp" -f "ip=192.168.1.42;service=http"
The local database is automatically updated with the results from the security checks run by Jok3r.
Selection of Checks¶
When running the
attack command, it is possible to make a selection of checks to run:
--checks <check1,check2...>: Run only the given checks against targets. It might even be a single check. Use
python3 info --checks <service>in order to get the list of available checks for the targeted service (see Command info).
--cat-only <cat1,cat2...>: Run only checks that are classified under one or several categories (e.g. “recon”).
--cat-exclude <cat1,cat2...>: Run all categories of checks except the one(s) specified.
It is also possible to define some authentication options if credentials - or only valid usernames - are known on the targets.
Let’s take several examples:
- When you want to run attack against all targets in the scope of mission “MayhemProject” and you already know credentials of all MSSQL instances in the scope:
python3 jok3r.py attack -m MayhemProject --cred mssql sa password --fast
- When you want to scan a web application running on a JBoss server (and add the target to the mission “MayhemProject”), and you already know JBoss credentials:
python3 jok3r.py attack -t http://www.example.com --cred http.jboss manager password --add MayhemProject --fast
- When you want to scan a Wordpress website, and you know a valid admin username (but no valid password):
python3 jok3r.py attack -t http://www.targetwordpress.com --user http.wordpress wordpressadmin --fast
In Jok3r, Context-specific options are options that give specifications about a service.
Usually, you don’t have to bother specifying context-specific options manually in Jok3r command-line because it does its best to set and update them using SmartModules. However, you might still want to force the value of some of them in some situations.
Available context-specific options depends on the service.
There are 3 supported types of context-specific options:
- Value from a given list,
To better understand, here are some example of supported context-specific options for HTTP:
https(boolean): Set to true when SSL/TLS is used.
webdav(boolean): Set to true when WebDav is supported.
language: Allows to set the language of the targeted web application, can be one of the value in the list defined in
http.confsettings file (e.g. java, php, asp, angularjs, coldfusion).
cms: Allows to set the name of the CMS in use if relevant (wordpress, joomla, drupal, mambo, silverstripe, vbulletin, magento…)
server: Allows to set the name of the server (iis, glassfish, jboss, jenkins, tomcat, weblogic…)