The TIDoS Framework

The Offensive Web Application Penetration Testing Framework.
Highlights :-
Here is some light on what the framework is all about:
- [x] A complete versatile framework to cover everything from Reconnaissance to Vulnerability Analysis.
- [x] Has 5 main phases, subdivided into __14 sub-phases__ consisting of a total of __108 modules__.
- [x] Reconnaissance Phase has 50 modules of its own (including active and passive recon, information disclosure modules).
- [x] Scanning & Enumeration Phase has got 16 modules (including port scans, WAF analysis, etc.).
- [x] Vulnerability Analysis Phase has 37 modules (including most common vulnerabilities in action).
- [x] Exploits Castle has only 1 exploit. `(purely developmental)`
- [x] And finally, Auxiliaries have got 4 modules. `more under development`
- [x] All four phases each have an `Auto-Awesome` module which automates every module for you.
- [x] You just need the domain, and leave everything else to this tool.
- [x] TIDoS has full verbose output support, so you'll know what's going on.
- [x] Fully user friendly interaction environment. `(no shits)`

TIDoS is built to be a comprehensive, flexible and versatile framework where you just have to select and use modules.
So to get started, you need to set your own `API KEYS` for various OSINT & Scanning and Enumeration purposes. To do so, open up `API_KEYS.py` under `files/` directory and set your own keys and access tokens for `SHODAN`, `CENSYS`, `FULL CONTACT`, `GOOGLE` and `WHATCMS`.
Finally, as the framework opens up, enter the website name `eg. http://www.example.com` and let TIDoS lead you. That's it! It's as easy as that.

> __GOOD NEWS__:
>
> The latest release of TIDoS includes all API KEYS and ACCESS TOKENS for `SHODAN`, `CENSYS`, `FULL CONTACT`, `GOOGLE` and `WHATCMS` by default. I found these tokens on various repositories on GitHub itself. __You can now use all the modules__ which use the API KEYS.

To update this tool, use `tidos_updater.py` module under `tools/` folder.

> Recommended:
> - Follow the order of the tool (Run in a schematic way).
> Reconnaissance ➣ Scanning & Enumeration ➣ Vulnerability Analysis

Flawless Features :-
TIDoS Framework presently supports the following (and more modules are under active development):
* __Reconnaissance + OSINT__
    + __Passive Reconnaissance:__
        - Nping Enumeration `Via external API`
        - WhoIS Lookup `Domain info gathering`
        - GeoIP Lookup `Pinpoint physical location`
        - DNS Configuration Lookup `DNSDump`
        - Subdomains Lookup `Indexed ones`
        - Reverse DNS Lookup `Host Instances`
        - Reverse IP Lookup `Hosts on same server`
        - Subnets Enumeration `Class Based`
        - Domain IP History `IP Instances`
        - Web Links Gatherer `Indexed ones`
        - Google Search `Manual search`
        - Google Dorking (multiple modules) `Automated`
        - Email to Domain Resolver `Email WhoIs`
        - Wayback Machine Lookups `Find Backups`
        - Breached Email Check `Pwned Email Accounts`
        - Enumeration via Google Groups `Emails Only`
        - Check Alias Availability `Social Networks`
        - Find PasteBin Posts `Domain Based`
        - LinkedIn Gathering `Employees & Company`
        - Google Plus Gathering `Domain Profiles`
        - Public Contact Info Scraping `FULL CONTACT`
        - Censys Intel Gathering `Domain Based`
        - Threat Intelligence Gathering `Bad IPs`
    + __Active Reconnaissance:__
        - Ping Enumeration `Advanced`
        - CMS Detection `(185+ CMSs supported)` `IMPROVED`
        - Advanced Traceroute `IMPROVED`
        - `robots.txt` and `sitemap.xml` Checker
        - Grab HTTP Headers `Live Capture`
        - Find HTTP Methods Allowed `via OPTIONS`
        - Detect Server Type `IMPROVED`
        - Examine SSL Certificate `Absolute`
        - Apache Status Disclosure Checks `File Based`
        - WebDAV HTTP Enumeration `PROPFIND & SEARCH`
        - PHPInfo File Enumeration `via Bruteforce`
        - Comments Scraper `Regex Based`
        - Find Shared DNS Hosts `Name Server Based`
        - Alternate Sites Discovery `User-Agent Based`
        - Discover Interesting Files `via Bruteforce`
            - Common Backdoor Locations `shells, etc.`
            - Common Backup Locations `.bak, .db, etc.`
            - Common Password Locations `.pgp, .skr, etc.`
            - Common Proxy Path Configs. `.pac, etc.`
            - Multiple Index Paths `index, index1, etc.`
            - Common Dot Files `.htaccess, .apache, etc.`
            - Common Logfile Locations `.log, .changelog, etc.`
    + __Information Disclosure:__
        - Credit Cards Disclosure `If Plaintext`
        - Email Harvester `IMPROVED`
        - Fatal Errors Enumeration `Includes Full Path Disclosure`
        - Internal IP Disclosure `Signature Based`
        - Phone Number Harvester `Signature Based`
        - Social Security Number Harvester `US Ones`
* __Scanning & Enumeration__
    + Remote Server WAF Enumeration `Generic` `54 WAFs`
    + Port Scanning `Ingenious Modules`
        - Simple Port Scanner `via Socket Connections`
        - TCP SYN Scan `Highly reliable`
        - TCP Connect Scan `Highly Reliable`
        - XMAS Flag Scan `Reliable Only in LANs`
        - FIN Flag Scan `Reliable Only in LANs`
        - Port Service Detector
    + Web Technology Enumeration `Absolute`
    + Complete SSL Enumeration `Absolute`
    + Operating System Fingerprinting `IMPROVED`
    + Banner Grabbing of Services `via Open Ports`
    + Interactive Scanning with NMap `16 preloaded modules`
    + Internet Wide Servers Scan `Using CENSYS Database`
    + Web and Links Crawlers
        - Depth 1 `Indexed Uri Crawler`
        - Depth 2 `Single Page Crawler`
        - Depth 3 `Web Link Crawler`
* __Vulnerability Analysis__
    __Web-Bugs & Server Misconfigurations__
    + Insecure CORS `Absolute`
    + Same-Site Scripting `Sub-domain based`
    + Zone Transfer `DNS Server based`
    + Clickjacking
        - Frame-Busting Checks
        - `X-FRAME-OPTIONS` Header Checks
    + Security on Cookies
        - `HTTPOnly` Flag
        - `Secure` Flag on Cookies
    + Cloudflare Misconfiguration Check
        - DNS Misconfiguration Checks
        - Online Database Lookup `For Breaches`
    + HTTP Strict Transport Security Usage
        - HTTPS Enabled but no HSTS
    + Domain Based Email Spoofing
        - Missing `SPF` Records
        - Missing `DMARC` Records
    + Host Header Injection
        - Port Based `Web Socket Based`
        - `X-Forwarded-For` Header Injection
    + Security Headers Analysis `Live Capture`
    + Cross-Site Tracing `HTTP TRACE Method`
    + Session Fixation `via Cookie Injection`
    + Network Security Misconfig.
        - Checks for `TELNET` Enabled `via Port 23`
    __Serious Web Vulnerabilities__
    + File Inclusions
        - Local File Inclusion (LFI) `Param based`
        - Remote File Inclusion (RFI) `IMPROVED`
            - Parameter Based
            - Pre-loaded Path Based
    + OS Command Injection `Linux & Windows (RCE)`
    + Path Traversal `(Sensitive Paths)`
    + Cross-Site Request Forgery `Absolute`
    + SQL Injection
        + Error Based Injection
            - Cookie Value Based
            - Referer Value Based
            - User-Agent Value Based
            - Auto-gathering `IMPROVED`
        + Blind Based Injection `Crafted Payloads`
            - Cookie Value Based
            - Referer Value Based
            - User-Agent Value Based
            - Auto-gathering `IMPROVED`
    + LDAP Injection `Parameter Based`
    + HTML Injection `Parameter Based`
    + Bash Command Injection `ShellShock`
    + Apache Struts Shock `Apache RCE`
    + XPATH Injection `Parameter Based`
    + Cross-Site Scripting `IMPROVED`
        - Cookie Value Based
        - Referer Value Based
        - User-Agent Value Based
        - Parameter Value Based `Manual`
    + Unvalidated URL Forwards `Open Redirect`
    + PHP Code Injection `Windows + Linux RCE`
    + CRLF Injection `HTTP Response Splitting`
        - User-Agent Value Based
        - Parameter Value Based `Manual`
    + Sub-domain Takeover `50+ Services`
        - Single Sub-domain `Manual`
        - All Subdomains `Automated`
    __Other__
    + PlainText Protocol Default Credential Bruteforce
        - FTP Protocol Bruteforce
        - SSH Protocol Bruteforce
        - POP 2/3 Protocol Bruteforce
        - SQL Protocol Bruteforce
        - XMPP Protocol Bruteforce
        - SMTP Protocol Bruteforce
        - TELNET Protocol Bruteforce
* __Auxiliary Modules__
    + Hash Generator `MD5, SHA1, SHA256, SHA512`
    + String & Payload Encoder `7 Categories`
    + Forensic Image Analysis `Metadata Extraction`
    + Web HoneyPot Probability `ShodanLabs HoneyScore`
* __Exploitation__ `purely developmental`
    + ShellShock
Other Tools:
- net_info.py - Displays information about your network. Located under `tools/`.
- tidos_updater.py - Updates the framework to the latest release via signature matching. Located under `tools/`.
TIDoS In Action:
Let's see some screenshots of TIDoS in real world pentesting action:



Version:
v1.7 [latest release] [#stable]
Upcoming:
These are some modules which I have thought of adding:
- Some more Enumeration & Information Disclosure modules.
- Lots more of OSINT & Stuff (let that be a suspense).
- More Auxiliary Modules.
- Some Exploits are being worked on too.