Crimson

Crimson is a tool that automates some of the Pentester or Bug Bounty Hunter tasks.
It uses many open source tools, most of them are available for download from github.

It consists of three partially interdependent modules:

• crimson_recon - automates the process of domain reconnaissance.
• crimson_target - automates the process of urls reconnaissance.
• crimson_exploit - automates the process of bug founding.

🔻crimson_recon

This module can help you if you have to test big infrastructure or you are trying to earn some bounties in *.scope.com domain. It includes many web scraping and bruteforcing tools.

🔻crimson_target

This module covers one particular domain chosen by you for testing.
It uses a lot of vulnerability scanners, web scrapers and bruteforcing tools.

🔻crimson_exploit

This module uses a number of tools to automate the search for certain bugs in a list of urls.

Installation

Tested on Linux Mint and Kali Linux.

git clone https://github.com/Karmaz95/crimson.git 
cd crimson
chmod +x install.sh
./install.sh

Add below line to your .bashrc / .zshrc etc.

export GOPATH=$HOME/go
export PATH="$HOME/bin:$HOME/.local/bin:$HOME/go/bin:$HOME/tools:$PATH"

Install Burp Suite and extensions listed below in section Burp Suite extensions.

Usage

♦️ First module needs domain name to work properly, f.e. google.com ♦️

./crimson_recon "domain.com"

• If you are interested in how this module works, I encourage you to study the source code.
• I tried to describe in the comments how the individual tools works.
• Additionally, you can learn more about crimson_recon module by reading my article at medium

♦️ Second module needs subdomain name. You can additionally put authorization cookie ♦️

./crimson_target -d "example.domain.com" -c "Cookie: auth1=123;"

• If you are interested in how this module works, I encourage you to study the source code.
• I tried to describe in the comments how the individual tools works.
• Additionally, you can learn more about crimson_target module by reading my article at medium

♦️ Third module needs subdomain name with your collaborator and vps ip. You can additionally put authorization cookie and if you want to fuzz all the urls use the -x flag. ♦️

./crimson_exploit -D "example.domain.com" -c "Cookie: auth1=123;" -d "collaborator.com" -i "ip" -x

• If you are interested in how this module works, I encourage you to study the source code.
• I tried to describe in the comments how the individual tools works.
• Additionally, you can learn more about crimson_exploit module by reading my article at medium

♦️ Before starting the script run the listener on your vps machine on port 80 ♦️

Extras

There are some useful tools in the scripts directory that I have written that are worth checking out.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

List of utilized tools

The following tools are used in crimson. I encourage you to study the links below, they will definitely help you in your work. Especially check Burp Suite extensions, because all gathered resources are proxied to Burp Suite, where they are further tested.

♦️ Domains enumeration:

• Amass
• subfinder
• massdns
• dnsx
• assetfinder
• SubDomainizer
• puredns
• sudomy
• altdns
• HostHunter

♦️ IP && ports:

• nmap
• masscan

♦️ URLs:

• waybackurls
• Paramspider
• getallurls
• wfuzz
• ffuf
• feroxbuster
• sitemap-urls
• gospider
• hakrawler
• galer
• getJS
• httpx
• zile
• relative-url-extractor
• crimson_backuper

♦️ Target visualisation:

• webtech
• WhatWeb
• gowitness
• wafw00f

♦️ Bug finding:

• nikto
• wapiti
• CorsMe
• subjack
• XSRFPROBE
• DirDar
• XSStrike
• Smuggler
• hbh-header-abuse-test
• broken-link-checker
• sqlmap
• CRLFuzz
• ysoserial
• ysoserial.net
• jwt-tool
• dalfox
• metasploit
• testssl.sh
• crimson_deserializator
• crimson_oobtester
• crimson_rewriter
• crimson_templator

♦️ WordPress tools:

• wpscan
• WPluginScanner
• quickpress
• wpBullet

♦️ Additional tools:

• qsreplace
• anew
• unfurl
• wine
• exploit-database
• Search-That-Hash
• clever_ffuf
• crimson_opener
• crimson_paramjuggler
• tldextract

♦️ Wordlists:

• SecLists
• PayloadsAllTheThings
• fresh-resolvers

♦️ Burp Suite extensions:

• .NET Beautifier
• ActiveScan++
• Additional Scanner Checks
• Anonymous Cloud, Configuration and Subdomain Takeover Scanner
• Attack Surface Detector
• Auth Analyzer
• Autowasp
• AWS Security Checks
• Backslash Powered Scanner
• Cloud Storage Tester
• Collaborator Everywhere
• CSP-Bypass
• CSRF Scanner
• Detect Dynamic JS
• Error Message Checks
• ExifTool Scanner
• Freddy, Deserialization Bug Finder
• HTTP Request Smuggler
• InQL - Introspection GraphQL Scanner
• J2EEScan
• Java Deserialization Scanner
• JS Link Finder
• Logger++
• NGINX Alias Traversal
• NoSQLi Scanner
• Paramalyzer
• Param Miner
• PHP Object Injection Check
• Reflected Parameters
• Retire.js
• Same Origin Method Execution
• SameSite Reporter
• Similar Request Excluder
• Software Version Reporter
• Software Vulnerability Scanner
• Taborator
• Turbo Intruder
• UploadScanner
• ViewState Editor
• Wayback Machine
• Web Cache Deception Scanner

LICENSE

This program is free software: you can redistribute it and/or modify it under the terms of the Apache license. Crimson and any contributions are Copyright © by Karol Mazurek 2020-2021.