dEEpEst
☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
- Joined
- Mar 29, 2018
- Messages
- 13,861
- Solutions
- 4
- Reputation
- 32
- Reaction score
- 45,552
- Points
- 1,813
- Credits
- 55,350
7 Years of Service
56%
Jok3r v3
Network & Web Pentest Automation Framework
About
Overview
Jok3r is a framework that aids penetration testers for network infrastructure and web security assessments. Its goal is to automate as much stuff as possible in order to quickly identify and exploit "low-hanging fruits" and "quick win" vulnerabilities on most common TCP/UDP services and most common web technologies (servers, CMS, languages...).
Combine Pentest Tools
Do not re-invent the wheel. Combine the most useful hacking tools/scripts available out there from various sources, in an automatic way.
Automate Attacks
Automatically run security checks adapted to the targeted services. Reconnaissance, CVE lookup, vulnerability scanning, exploitation, bruteforce...
Centralize Mission Data
Store data related to targets in a local database. Keep track of all the results from security checks and continuously update the database.
Features
Key Features
Pentest Toolbox Management
Selection of Tools
Compilation of 50+ open-source tools & scripts, from various sources.
Docker-based
Application packaged in a Docker image running Kali OS, available on Docker Hub.
Ready-to-use
All tools and dependencies installed, just pull the Docker image and run a fresh container.
Updates made easy
Easily keep the whole toolbox up-to-date by running only one command.
Easy Customization
Easily add/remove tools from a simple configuration file.
Network Infrastructure Security Assessment
Many supported Services
Target most common TCP/UDP services (HTTP, FTP, SSH, SMB, Oracle, MS-SQL, MySQL, PostgreSQL, VNC, etc.).
Combine Power of Tools
Each security check is performed by a tool from the toolbox. Attacks are performed by chaining security checks.
Context Awareness
Security checks to run are selected and adapted according to the context of the target (i.e. detected technologies, credentials, vulnerabilities, etc.).
Reconnaissance
Automatic fingerprinting (product detection) of targeted services is performed.
CVE Lookup
When product names and their versions are detected, a vulnerability lookup is performed on online CVE databases (using Vulners & CVE Details).
Vulnerability Scanning
Automatically check for common vulnerabilities and attempt to perform some exploitations (auto-pwn).
Brute-force Attack
Automatically check for default/common credentials on the service and perform dictionnary attack if necessary. Wordlists are optimized according to the targeted services.
Post-authentication Testing
Automatically perform some post-exploitation checks when valid credentials have been found.
Web Security Assessment
Large Focus on HTTP
More than 60 different security checks targeting HTTP supported for now.
Web Technologies Detection
Fingerprinting engine based on Wappalyzer is run prior to security checks, allowing to detect: Programming language, Framework, JS library, CMS, Web & Application Server.
Server Exploitation
Automatically scan and/or exploit most critical vulnerabilities (e.g. RCE) on web and application servers (e.g. JBoss, Tomcat, Weblogic, Websphere, Jenkins, etc.).
CMS Vulnerability Scanning
Automatically run vulnerability scanners on most common CMS (Wordpress, Drupal, Joomla, etc.).
Local Database & Reporting
Local Database
Data related to targets is organized by missions (workspaces) into a local Sqlite database that is kept updated during security testings.
Metasploit-like Interactive Shell
Access the database through an interactive shell with several built-in commands.
Import Targets from Nmap
Add targets to a mission either manually or by loading Nmap results.
Access all Results
All outputs from security checks, detected credentials and vulnerabilities are stored into the database and can be accessed easily.
Reporting
Generate full HTML reports with targets summary, web screenshots and all results from security testing.
Architecture
Framework Architecture
General Architecture graph
Flowchart
Demo
Demonstration Videos
Download
Get Jok3r
Jok3r is open-source. Contributions, ideas and bug reports are welcome !
Network & Web Pentest Automation Framework
About
Overview
Jok3r is a framework that aids penetration testers for network infrastructure and web security assessments. Its goal is to automate as much stuff as possible in order to quickly identify and exploit "low-hanging fruits" and "quick win" vulnerabilities on most common TCP/UDP services and most common web technologies (servers, CMS, languages...).
Combine Pentest Tools
Do not re-invent the wheel. Combine the most useful hacking tools/scripts available out there from various sources, in an automatic way.
Automate Attacks
Automatically run security checks adapted to the targeted services. Reconnaissance, CVE lookup, vulnerability scanning, exploitation, bruteforce...
Centralize Mission Data
Store data related to targets in a local database. Keep track of all the results from security checks and continuously update the database.
Features
Key Features
Pentest Toolbox Management
Selection of Tools
Compilation of 50+ open-source tools & scripts, from various sources.
Docker-based
Application packaged in a Docker image running Kali OS, available on Docker Hub.
Ready-to-use
All tools and dependencies installed, just pull the Docker image and run a fresh container.
Updates made easy
Easily keep the whole toolbox up-to-date by running only one command.
Easy Customization
Easily add/remove tools from a simple configuration file.
Network Infrastructure Security Assessment
Many supported Services
Target most common TCP/UDP services (HTTP, FTP, SSH, SMB, Oracle, MS-SQL, MySQL, PostgreSQL, VNC, etc.).
Combine Power of Tools
Each security check is performed by a tool from the toolbox. Attacks are performed by chaining security checks.
Context Awareness
Security checks to run are selected and adapted according to the context of the target (i.e. detected technologies, credentials, vulnerabilities, etc.).
Reconnaissance
Automatic fingerprinting (product detection) of targeted services is performed.
CVE Lookup
When product names and their versions are detected, a vulnerability lookup is performed on online CVE databases (using Vulners & CVE Details).
Vulnerability Scanning
Automatically check for common vulnerabilities and attempt to perform some exploitations (auto-pwn).
Brute-force Attack
Automatically check for default/common credentials on the service and perform dictionnary attack if necessary. Wordlists are optimized according to the targeted services.
Post-authentication Testing
Automatically perform some post-exploitation checks when valid credentials have been found.
Web Security Assessment
Large Focus on HTTP
More than 60 different security checks targeting HTTP supported for now.
Web Technologies Detection
Fingerprinting engine based on Wappalyzer is run prior to security checks, allowing to detect: Programming language, Framework, JS library, CMS, Web & Application Server.
Server Exploitation
Automatically scan and/or exploit most critical vulnerabilities (e.g. RCE) on web and application servers (e.g. JBoss, Tomcat, Weblogic, Websphere, Jenkins, etc.).
CMS Vulnerability Scanning
Automatically run vulnerability scanners on most common CMS (Wordpress, Drupal, Joomla, etc.).
Local Database & Reporting
Local Database
Data related to targets is organized by missions (workspaces) into a local Sqlite database that is kept updated during security testings.
Metasploit-like Interactive Shell
Access the database through an interactive shell with several built-in commands.
Import Targets from Nmap
Add targets to a mission either manually or by loading Nmap results.
Access all Results
All outputs from security checks, detected credentials and vulnerabilities are stored into the database and can be accessed easily.
Reporting
Generate full HTML reports with targets summary, web screenshots and all results from security testing.
Architecture
Framework Architecture
General Architecture graph
Flowchart
Demo
Demonstration Videos
Download
Get Jok3r
Jok3r is open-source. Contributions, ideas and bug reports are welcome !