HawkScan Reconnaissance and Information Gathering

Security Tool for Reconnaissance and Information Gathering on a website. (python 2.x & 3.x)

This script uses “WafW00f” to detect the WAF in the first step.

This script uses “Sublist3r” to scan subdomains.

This script uses “waybacktool” to check the Wayback Machine.

Features

  • URL fuzzing and dir/file detection
  • Test for backup/old versions of all the files found (index.php.bak, index.php~ …)
  • Check header information
  • Check DNS information
  • Check whois information
  • Random or custom user-agent
  • Extract files
  • Keep a trace of the scan
  • Check for e-mail addresses in the website and check whether they have leaked
  • CMS detection + version and vulns
  • Subdomain Checker
  • Backup system (if the script stops, it resumes from the same place)
  • WAF detection
  • Add a custom prefix
  • Auto update script
  • Automatic or custom scan output (scan.txt)
  • Check Github
  • Recursive dir/file
  • Scan with an authentication cookie
  • Option --profil to pass the profile page during the scan
  • HTML report
  • Works with py2 and py3
  • Add a rate-limit option if the app is unstable (--timesleep)
  • Check the Wayback Machine
  • Response error to WAF
  • Check if a firebaseio database exists and is accessible
  • Automatic thread count depending on the website's response (reconfigured if the WAF is detected too many times). Max: 30
  • Search S3 buckets in source code page
  • Test WAF bypass if a WAF is detected
  • Test whether scanning is possible with a “localhost” host
  • Dockerfile
  • Try different bypasses for the 403 error code
  • JS parsing and analysis
  • Google Dork

Installation

git clone https://github.com/c0dejump/HawkScan.git && sudo python HawkScan/setup.py

pip(3) install -r requirements.txt 

If there is a problem with pip3:

sudo python3 -m pip install -r requirements.txt

Usage:

hawkscan.py [-h] [-u URL] [-w WORDLIST] [-s SUBDOMAINS] [-t THREAD] [-a USER_AGENT] [--redirect] [-r] [-p PREFIX] [-o OUTPUT] [--cookie COOKIE_] [--exclude EXCLUDE] [--timesleep TS] [--auto] [--js]
optional arguments: 
 -h, --help         show this help message and exit
 -u URL             URL to scan [required]
 -w WORDLIST        Wordlist used for URL Fuzzing. Default: dico.txt
 -s SUBDOMAINS      Subdomain tester
 -t THREAD          Number of threads to use for URL Fuzzing. Default: 20
 -a USER_AGENT      Choice user-agent 
 --redirect         For scan with redirect response (301/302) 
 -r                 Recursive dir/files      
 -p PREFIX          Add prefix in wordlist to scan      
 -o OUTPUT          Output to site_scan.txt (default in website directory)       
 -b                 Add a backup file scan like 'exemple.com/~exemple/, exemple.com/ex.php.bak...' but longer             
 -H HEADER_         modify HEADER              
 --exclude EXCLUDE  To define a page or response code status type to exclude during scan                                            
 --timesleep TS     To define a timesleep/rate-limit if app is unstable during scan                                 
 --auto             Automatic threads depending response to website. Max: 30      
 --update           For automatic update
 --js               For try to found keys or token in the javascript page  

Examples

//Basic
python hawkscan.py -u https://www.exemple.com/

//With a specific wordlist
python hawkscan.py -u https://www.exemple.com/ -w dico_extra.txt

//With 30 threads
python hawkscan.py -u https://www.exemple.com/ -t 30

//With backup files scan
python hawkscan.py -u https://www.exemple.com/ -b

//With an excluded page
python hawkscan.py -u https://www.exemple.com/ --exclude https://www.exemple.com/profile.php?id=1

//With an excluded response code
python hawkscan.py -u https://www.exemple.com/ --exclude 403
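
A defender-side view of the backup-file testing listed in the features and enabled by the -b option, as an added example that is not part of HawkScan: it reads web access-log lines, flags clients that request several backup-style paths and mostly receive 404s, and lists backup files the server actually served. The log lines, the suffixes other than .bak and ~, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# ".bak" and "~" come from the feature list above; the other suffixes are assumed.
BACKUP_SUFFIXES = (".bak", "~", ".old", ".orig", ".swp")

# Common log format: ip - - [timestamp] "METHOD path HTTP/x" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

SAMPLE_LOG = [  # constructed log lines using documentation IP ranges
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php.bak HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php~ HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /config.php.bak HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/ HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login.php.old HTTP/1.1" 404 196',
    '198.51.100.20 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.20 - - [10/Oct/2023:14:01:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196',
]

def is_backup_probe(path):
    """True when the path (query string stripped) ends in a backup suffix."""
    return path.split("?", 1)[0].lower().endswith(BACKUP_SUFFIXES)

def summarize(lines):
    """Per-client counters: requests, 404s, backup-style requests, served backups."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "probes": 0, "exposed": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, path, status = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["not_found"] += status == "404"
        if is_backup_probe(path):
            s["probes"] += 1
            if status == "200":
                s["exposed"].append(path)
    return stats

def flag_scanners(stats, min_probes=3, min_404_ratio=0.5):
    """Clients with several backup-style requests and mostly 404s (assumed thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["probes"] >= min_probes and s["not_found"] / s["total"] >= min_404_ratio)

def exposed_files(stats):
    """Backup-style paths answered with 200: candidates for removal from the web root."""
    return sorted({p for s in stats.values() for p in s["exposed"]})
```

Any path returned by exposed_files is the more urgent finding: the file was served regardless of who asked for it.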

HawkScan by c0dejump