Command db
The command db spawns an interactive shell giving access to Jok3r's local database. The local database stores missions, target information and attack results. It is very similar to the database that can be used in Metasploit.
The goal is to let the pentester create a new mission at the beginning of an engagement and fill it with the targets (i.e. network services/URLs) that are in scope. Most of the time they will simply import the results of Nmap scans run beforehand, but targets can also be added manually from the shell. Target information (IP, hostname, port, banner, etc.) can then be viewed and organized from the same shell.
After running security checks against the targets of the mission, the output of the tools, together with any credentials they find, is stored in the database and can be viewed from the shell.
Here are the supported commands in the jok3rdb interactive shell:
jok3rdb[default]> help
Documented commands (type help <topic>):
Attacks results
================================================================================
results Attacks results
Import
================================================================================
nmap Import Nmap results
Missions data
================================================================================
creds Credentials in the current mission scope
hosts Hosts in the current mission scope
mission Missions management
services Services in the current mission scope
Other
================================================================================
alias Define or display aliases
help Display this help message
history View, run, edit, and save previously entered commands.
quit Exits this application.
set Sets a settable parameter or shows current settings of parameters.
shell Execute a command as if at the OS prompt.
unalias Unsets aliases
Command mission
This command creates a new mission, and renames or deletes an existing one. It also switches the current mission (the mission named default is selected initially).
Here are the supported options:
jok3rdb[default]> mission -h
usage: mission [-h] [-a <name>] [-c <name> <comment>] [-d <name>] [-D]
[-r <old> <new>] [-S <string>]
[<name>]
Manage missions
positional arguments:
<name> Switch mission
optional arguments:
-h, --help show this help message and exit
-a, --add <name> Add mission
-c, --comment <name> <comment> Change the comment of a mission
-d, --del <name> Delete mission
-D, --reset Delete all missions
-r, --rename <old> <new> Rename mission
-S, --search <string> Search string to filter by
To create a new mission, issue the following command:
jok3rdb[default]> mission -a missionname
[+] Mission "missionname" successfully added
[*] Selected mission is now missionname
jok3rdb[missionname]>
The newly created mission is automatically selected as the new current mission.
Command hosts
This command lists and manages the hosts of the current mission.
jok3rdb[default]> hosts -h
usage: hosts [-h] [-c <comment> | -d] [-o <column>] [-S <string>]
[<addr1> <addr2> ... [<addr1> <addr2> ... ...]]
Hosts in the current mission scope
optional arguments:
-h, --help show this help message and exit
Manage hosts:
-c, --comment <comment> Change the comment of selected host(s)
-d, --del Delete selected host(s) (instead of displaying)
Filter hosts:
-o, --order <column> Order rows by specified column
-S, --search <string> Search string to filter by
<addr1> <addr2> ... IPs/CIDR ranges/hostnames to select
Command services
This command lists and manages all services of the current mission. Run without any option, it displays every service added to the current mission.
For better readability, many filtering options are available to select only a subset of services to display.
The same filtering options can be used to attach comments, usernames or credentials (username/password pairs) manually to one particular service or to a subset of services.
jok3rdb[default]> services -h
usage: services [-h]
[-a <host> <port> <service> | -u <url> | -d | -c <comment> | --https]
[--addcred <user> <pass> | --addcred-http <user> <pass> <auth-type> | --adduser <user> | --adduser-http <user> <auth-type>]
[-H <hostname1,hostname2...>] [-I <ip1,ip2...>]
[-p <port1,port2...>] [-r <protocol>] [-U] [-o <column>]
[-S <string>]
[<name1> <name2> ... [<name1> <name2> ... ...]]
Services in the current mission scope
optional arguments:
-h, --help show this help message and exit
Manage services:
-a, --add <host> <port> <service> Add a new service
-u, --url <url> Add a new URL
-d, --del Delete selected service(s) (instead of displaying)
-c, --comment <comment> Change the comment of selected service(s)
--https Switch between HTTPS and HTTP protocol for URL of selected service(s)
Manage services credentials:
--addcred <user> <pass> Add new credentials (username+password) for selected service(s)
--addcred-http <user> <pass> <auth-type> Add new credentials (username+password) for the specified authentication type on selected HTTP service(s)
--adduser <user> Add new username (password unknown) for selected service(s)
--adduser-http <user> <auth-type> Add new username (password unknown) for the specified authentication type on selected HTTP service(s)
Filter services:
-H, --hostname <hostname1,hostname2...> Search for a list of hostnames (comma-separated)
-I, --ip <ip1,ip2...> Search for a list of IPs (single IP/CIDR range comma-separated)
-p, --port <port1,port2...> Search for a list of ports (single/range comma-separated)
-r, --proto <protocol> Only show [tcp|udp] services
-U, --up Only show services which are up
-o, --order <column> Order rows by specified column
-S, --search <string> Search string to filter by
<name1> <name2> ... Services to select
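The -I, -p, -H, -r and -U selectors share a small grammar: comma-separated lists, single IPs or CIDR ranges, single ports or port ranges. The following Python is added here to make that grammar concrete; it is not Jok3r's own code. It applies the selectors to an assumed list of service records and adds the check a pentester wants before launching any attack: every selected target must fall inside the authorized scope. The record layout, the field names and the sample data are constructed for the example.

```python
"""Service selection and scope check, as an added example (not Jok3r's own code)."""
import ipaddress

# Constructed records; the field names are an assumption made for this example.
SERVICES = [
    {"ip": "192.168.1.53", "hostname": "web01.lab.local", "port": 16000,
     "proto": "tcp", "name": "http", "up": True},
    {"ip": "192.168.1.53", "hostname": "web01.lab.local", "port": 22,
     "proto": "tcp", "name": "ssh", "up": True},
    {"ip": "192.168.1.70", "hostname": "db01.lab.local", "port": 3306,
     "proto": "tcp", "name": "mysql", "up": False},
    {"ip": "10.9.9.9", "hostname": "", "port": 53,
     "proto": "udp", "name": "dns", "up": True},
]


def parse_ports(spec):
    """'22,80,8000-8100' -> set of ints (the -p syntax: single/range, comma-separated)."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"invalid port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_networks(spec):
    """'192.168.1.53,10.0.0.0/24' -> ip_network list; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def in_networks(ip, networks):
    """True when ip belongs to at least one of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def select_services(services, ips=None, ports=None, hostnames=None,
                    proto=None, up_only=False, names=None):
    """Apply the -I / -p / -H / -r / -U / <name...> selectors; unset ones match everything."""
    nets = parse_networks(ips) if ips else None
    portset = parse_ports(ports) if ports else None
    hosts = ({h.strip().lower() for h in hostnames.split(",") if h.strip()}
             if hostnames else None)
    selected = []
    for s in services:
        if nets is not None and not in_networks(s["ip"], nets):
            continue
        if portset is not None and s["port"] not in portset:
            continue
        if hosts is not None and s["hostname"].lower() not in hosts:
            continue
        if proto and s["proto"] != proto:
            continue
        if up_only and not s["up"]:
            continue
        if names and s["name"] not in names:
            continue
        selected.append(s)
    return selected


def out_of_scope(services, authorized):
    """Targets whose IP lies outside the authorized CIDR list; attack nothing until this is empty."""
    nets = parse_networks(authorized)
    return [s for s in services if not in_networks(s["ip"], nets)]


if __name__ == "__main__":
    web = select_services(SERVICES, ips="192.168.1.0/24", up_only=True, names={"http"})
    print("selected:", [(s["ip"], s["port"]) for s in web])
    print("out of scope:", [s["ip"] for s in out_of_scope(SERVICES, "192.168.1.0/24")])
```

Run the scope check once against the whole mission right after import, before any check is launched: an Nmap scan that wandered onto a neighbouring subnet will otherwise turn into an unauthorized attack.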
Command creds
This command manages the credentials store, i.e. the credentials known for targets in the current mission. The store is populated in two ways:
- when a security check run by Jok3r finds new valid credentials,
- when the user explicitly adds credentials.
Run without any option, it displays the currently saved credentials.
jok3rdb[default]> creds -h
usage: creds [-h]
[--addcred <service-id> <user> <pass> | --addcred-http <service-id> <user> <pass> <auth-type> | --adduser <service-id> <user> | --adduser-http <service-id> <user> <auth-type> | -c <comment> | -d]
[-U <string>] [-P <string>] [-b | -u]
[-H <hostname1,hostname2...>] [-I <ip1,ip2...>]
[-p <port1,port2...>] [-s <svc1,svc2...>] [-o <column>]
[-S <string>]
Credentials in the current mission scope
optional arguments:
-h, --help show this help message and exit
Manage credentials:
--addcred <service-id> <user> <pass> Add new credentials (username+password) for the given service
--addcred-http <service-id> <user> <pass> <auth-type>
Add new credentials (username+password) for the specified authentication type on HTTP service
--adduser <service-id> <user> Add new username (password unknown) for the given service
--adduser-http <service-id> <user> <auth-type>
Add new username (password unknown) for the specified authentication type on HTTP service
-c, --comment <comment> Change the comment of selected cred(s)
-d, --del Delete selected credential(s) (instead of displaying)
Filter credentials:
-U, --username <string> Select creds with username matching this string
-P, --password <string> Select creds with password matching this string
-b, --both Select creds where username and password are both set (no single username)
-u, --onlyuser Select creds where only username is set
-H, --hostname <hostname1,hostname2...> Select creds for a list of hostnames (comma-separated)
-I, --ip <ip1,ip2...> Select creds for a list of IPs (single IP/CIDR range comma-separated)
-p, --port <port1,port2...> Select creds a list of ports (single/range comma-separated)
-s, --service <svc1,svc2...> Select creds for a list of services (comma-separated)
-o, --order <column> Order rows by specified column
-S, --search <string> Search string to filter by
Note: you can also use "services --addcred/--addonlyuser" to add new creds
Command nmap
After creating a new mission in the database, targets (services) must be added to it. This can be done either manually, using services --add <host> <port> <service> or services --url <url>, or automatically from the results of an Nmap scan with the nmap command.
jok3rdb[default]> nmap -h
usage: nmap [-h] [-n] <xml-results>
Import Nmap results
positional arguments:
<xml-results> Nmap XML results file
optional arguments:
-h, --help show this help message and exit
-n, --no-http-recheck Do not recheck for HTTP services
Issue the following command to import all the services supported by Jok3r from the results of an Nmap scan (XML format) into the currently selected mission:
jok3rdb[missionname]> nmap results.xml
Note
When importing Nmap results, HTTPS and HTTP services are both stored as HTTP services; the distinction between the cleartext and encrypted variants is kept internally through the context-specific option (https). The same applies to SMTPS/SMTP, FTPS/FTP and so on.
When importing Nmap results, Jok3r by default rechecks for HTTP/HTTPS services on every detected open port that was not fingerprinted as such. This feature was added because, in practice, Nmap does not always detect every service serving web content when it runs on an unusual port. Pass -n / --no-http-recheck to skip this step.
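To make the two notes above concrete, here is a small Python importer written for this page (it is not Jok3r's own code). It reads Nmap XML, keeps only open ports on hosts that are up, folds the TLS-wrapped service names onto the cleartext service with a boolean flag (the role the https context option plays in Jok3r), and lists the open ports that were not fingerprinted as HTTP and would therefore be rechecked. The TLS_VARIANTS table, the Service record, the URL helper and the constructed scan output are assumptions for the example.

```python
"""Nmap XML import logic, as an added example (not Jok3r's own code)."""
import xml.etree.ElementTree as ET  # prefer defusedxml for XML you did not produce yourself
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oX scan.xml` emits for one host.
# Without -sV Nmap names port 443 "https" from nmap-services; with -sV it
# reports name="http" tunnel="ssl", so both spellings have to be handled.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.1.53" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="nginx" tunnel="ssl"/></port>
      <port protocol="tcp" portid="990"><state state="open"/>
        <service name="ftps" product="ProFTPD"/></port>
      <port protocol="tcp" portid="16000"><state state="open"/>
        <service name="unknown"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# TLS-wrapped names folded onto the cleartext service (assumed table for the example)
TLS_VARIANTS = {"https": "http", "ftps": "ftp", "smtps": "smtp",
                "imaps": "imap", "pop3s": "pop3", "ldaps": "ldap"}


@dataclass
class Service:
    ip: str
    hostname: str
    port: int
    proto: str
    name: str      # cleartext service name (http, ftp, smtp, ...)
    tls: bool      # True for the encrypted variant (what the https option records)
    banner: str


def normalize(name, tunnel):
    """Return (service, tls) for an Nmap service name and its tunnel attribute."""
    if name in TLS_VARIANTS:
        return TLS_VARIANTS[name], True
    return name, tunnel == "ssl"


def parse_nmap_xml(xml_text):
    """Extract open services from Nmap XML; hosts that are down are skipped."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not targets
            svc = port.find("service")
            raw = svc.get("name", "unknown") if svc is not None else "unknown"
            tunnel = svc.get("tunnel", "") if svc is not None else ""
            name, tls = normalize(raw, tunnel)
            banner = ""
            if svc is not None:
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            services.append(Service(addr.get("addr"), hostname, int(port.get("portid")),
                                    port.get("protocol"), name, tls, banner))
    return services


def http_recheck_candidates(services):
    """Open ports not fingerprinted as HTTP: the ports the importer rechecks unless -n is given."""
    return [s for s in services if s.name != "http"]


def url_for(svc):
    """Scheme chosen from the tls flag, which is why the flag is kept at all."""
    return f"{'https' if svc.tls else 'http'}://{svc.hostname or svc.ip}:{svc.port}"


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for s in found:
        print(f"{s.ip}:{s.port}/{s.proto} {s.name} tls={s.tls} {s.banner}")
    print("recheck for HTTP:", [s.port for s in http_recheck_candidates(found)])
```

Port 16000 in the sample is exactly the case the recheck exists for: Nmap reports it as unknown, and only an HTTP probe against it would reveal the web service that the results section of this page shows being attacked on that port.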
Command results
This command displays the output of the tools run during security checks against the targets of the currently selected mission.
jok3rdb[default]> results -h
usage: results [-h] [-s <check-id>] [<service-id>]
Attacks results
positional arguments:
<service-id> Service id
optional arguments:
-h, --help show this help message and exit
-s, --show <check-id> Show results for specified check
For example, to view the results of the checks run against the service with id 108 (see the id column in the output of the services command):
- First, issue the following command to get the list of checks that have been run against this particular service:
jok3rdb[missionname]> results 108
[>] Attacks results:
[>] Target: host=192.168.1.53 | port=16000/tcp | service http
+----------+------------+------------------------------+------------+
| Check id | Category | Check | # Commands |
+----------+------------+------------------------------+------------+
| 211 | recon | nmap-recon | 1 |
| 212 | recon | fingerprinting-app-server | 1 |
| 213 | recon | fingerprinting-cms-wig | 1 |
| 214 | recon | fingerprinting-cms-cmseek | 1 |
| 215 | recon | crawling-fast | 1 |
| 216 | recon | crawling-fast2 | 1 |
| 217 | vulnscan | nmap-vuln-lookup | 1 |
| 218 | vulnscan | vulnscan-multi-nikto | 1 |
| 219 | vulnscan | default-creds-web-multi | 1 |
| 220 | vulnscan | http-put-check | 1 |
| 221 | vulnscan | shellshock-scan | 1 |
| 222 | vulnscan | jboss-vulnscan-multi | 1 |
| 223 | vulnscan | jboss-status-infoleak | 1 |
| 224 | exploit | jboss-deploy-shell | 1 |
| 225 | exploit | struts2-rce-cve2017-5638 | 1 |
| 226 | exploit | struts2-rce-cve2017-9805 | 1 |
| 227 | exploit | struts2-rce-cve2018-11776 | 1 |
| 235 | bruteforce | web-path-bruteforce-targeted | 1 |
| 236 | bruteforce | web-path-bruteforce-opendoor | 1 |
+----------+------------+------------------------------+------------+
- Then, display the output of a given check by specifying its check id:
jok3rdb[missionname]> results -s 235
[>] Results for check web-path-bruteforce-targeted:
[>] Target: host=192.168.1.53 | port=16000/tcp | service http
[>] cd /home/jbr/bitbucket/joker/toolbox/http/dirsearch; python3 dirsearch.py -u http://192.168.1.53:16000 -e jsp,java,do,txt,html,log -w /home/jbr/bitbucket/joker/wordlists/services/http/discovery/raft-large-directories.txt -f --exclude-status=400,404,500,000
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: jsp, java, do, txt, html, log | Threads: 10 | Wordlist size: 532797
Error Log: /home/jbr/bitbucket/joker/toolbox/http/dirsearch/logs/errors-18-10-02_14-17-17.log
Target: http://192.168.1.53:16000
[14:17:17] Starting:
[14:17:20] 200 - 3KB - /test/
[14:17:20] 200 - 474B - /download.html
[14:17:23] 200 - 7KB - /tools/
[14:17:27] 200 - 8KB - /index.html
[14:19:11] 200 - 26B - /robots.txt
Task Completed