Skip to content

0x0d3ad/Kn0ck

Repository files navigation

ABOUT:

Kn0ck is an automated scanner that can be used during a penetration testing to enumerate and scan for vulnerabilities.

KN0CK COMMUNITY FEATURES:

  • Automatically collects basic recon
  • Automatically launches Google hacking queries against a target domain
  • Automatically enumerates open ports via NMap port scanning
  • Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  • Automatically checks for sub-domain hijacking
  • Automatically runs targeted NMap scripts against open ports
  • Automatically runs targeted Metasploit scan and exploit modules
  • Automatically scans all web applications for common vulnerabilities
  • Automatically brute forces ALL open services
  • Automatically test for anonymous FTP access
  • Automatically runs WPScan, Arachni and Nikto for all web services
  • Automatically enumerates NFS shares
  • Automatically test for anonymous LDAP access
  • Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
  • Automatically enumerate SNMP community strings, services and users
  • Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
  • Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
  • Automatically tests for open X11 servers
  • Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
  • Performs high level enumeration of multiple hosts and subnets
  • Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • Automatically gathers screenshots of all web sites
  • Create individual workspaces to store all scan output

AUTO-PWN:

  • Apache Struts CVE-2018-11776 RCE exploit
  • Android Insecure ADB RCE auto exploit
  • Apache Tomcat CVE-2017-12617 RCE exploit
  • Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 exploit
  • Drupal Drupalgedon2 RCE CVE-2018-7600
  • GPON Router RCE CVE-2018-10561
  • Apache Struts 2 RCE CVE-2017-5638
  • Apache Struts 2 RCE CVE-2017-9805
  • Apache Jakarta RCE CVE-2017-5638
  • Shellshock GNU Bash RCE CVE-2014-6271
  • HeartBleed OpenSSL Detection CVE-2014-0160
  • Default Apache Tomcat Creds CVE-2009-3843
  • MS Windows SMB RCE MS08-067
  • Webmin File Disclosure CVE-2006-3392
  • Anonymous FTP Access
  • PHPMyAdmin Backdoor RCE
  • PHPMyAdmin Auth Bypass
  • JBoss Java De-Serialization RCEs

ACTIVED YOUR API-KEY & SECRET-KEY ACCOUNT CENSYS:

->  knock.conf
	CENSYS_APP_ID="REDACTED"
	CENSYS_API_SECRET="REDACTED"

KALI LINUX INSTALL:

chmod +x install.sh
./install.sh

DEBIAN OR UBUNTU INSTALL:

chmod +x install_for_debian_ubuntu.sh
./install_for_debian_ubuntu.sh

USAGE:

[*] NORMAL MODE
knock -t <TARGET>

[*] NORMAL MODE + OSINT + RECON
knock -t <TARGET> | -o (Osint) | -re (Recon)

[*] STEALTH MODE + OSINT + RECON
knock -t <TARGET> | -m stealth | -o (Osint) | -re (Recon)

[*] DISCOVER MODE
knock -t <Target> | -m discover | -w <WORSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
knock -t <TARGET> | -m port | -p <portnum>

[*] FULLPORTONLY SCAN MODE
knock -t <TARGET> | -fp (Fullportonly)

[*] PORT SCAN MODE
knock -t <TARGET> | -m port -p <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
knock -t <TARGET> | -m web

[*] HTTP WEB PORT MODE
knock -t <TARGET> | -m webporthttp | -p <port>

[*] HTTPS WEB PORT MODE
knock -t <TARGET> | -m webporthttps | -p <port>

[*] ENABLE BRUTEFORCE
knock -t <TARGET> | -b (Bruteforce)

[*] LIST WORKSPACES
knock --list

[*] DELETE WORKSPACE
knock -w <WORKSPACE_ALIAS> -d

[*] DELETE HOST FROM WORKSPACE
knock -w <WORKSPACE_ALIAS> -t <TARGET> -dh

[*] GET knock SCAN STATUS
knock --status

[*] LOOT REIMPORT FUNCTION
knock -w <WORKSPACE_ALIAS> --reimport

MODE:

  • NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
  • DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a knock scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
  • WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.