badKarma: Advanced Network Reconnaissance Assistant
The search for vulnerabilities on a host (the host can be a website, a web server, a network device (router and others), an end-user computer) begins with the Information Gathering. This information includes finding hosts (if we are examining a subnet), scanning their ports for open ones, determining which services are running on these ports, determining the versions of services and finding vulnerabilities for these versions, checking for weak passwords (brute-force), starting additional scans by various tools, depending on the detected network services.
This is usually a fairly typical set of actions, which varies from network services running on the host. Therefore, there are already various automation tools that can scan the IP range of the network and, for example, run brute-force of the found services.
I want to talk about another tool - this is badKarma, Advanced Network Reconnaissance Toolkit.
This program has a graphical interface in which it is enough to click with the mouse - it is not necessary to enter commands (although they can be corrected for fine tuning).
How to install badKarma
Installing badKarma is easy. But the fact is that this is just a graphical shell for running tools. That is, you need to install all the tools that the program uses. Therefore, I recommend working with badKarma in Kali Linux or BlackArch, in which (almost) everything you need is already present.
To install badKarma on Kali Linux, run the following commands:
sudo apt install python3-pip python3-gi phantomjs mitmproxy ffmpeg gir1.2-gtk-vnc-2.0 gir1.2-gtksource-3.0 gir1.2-vte-2.91 gir1.2-osmgpsmap-1.0 gir1.2-webkit2-4.0 knockpy ncat gobuster git clone https://github.com/r3vn/badKarma.git cd badKarma sudo pip3 install -r requirements.txt chmod +x badkarma.py ./badkarma.py
To install badKarma on BlackArch, run the following commands:
sudo pacman -S badkarma gobject-introspection python-gobject osm-gps-map cd /usr/share/badkarma/ sudo pip3 install -r requirements.txt
How to use badKarma
Start by entering a target. You can specify the site address, IP address or range of IP addresses:
You can also select a scan profile. The following options are available:
- nmap_default — normal scan with Nmap,
- nmap_intense_scan - intensive scanning with Nmap, using -T4 -A -v -oX options
- nmap_intense_scan_all_tcp - intensive scanning of all TCP ports with Nmap, using the -p 1-65535 -T4 -A -v -oX options
- nmap_intense_scan_no_ping - intensive scanning with Nmap without checking if the host is available (without ping), using the -T4 -A -v -Pn -oX options
- masscan_full_tcp - full scan with Masscan, using -p0-65535 --rate 10000 --banner options
- get-from-shodan - do not scan, and get data from shodan. For this to work, you must pre-specify your API key from shodan. In Kali Linux API, the key from shodan needs to be written in the ~/bin/badKarma/conf/shodan.conf file. And in BlackArch API, the key from shodan needs to be written in the /usr/share/badkarma/conf/shodan.conf file.
I will add a local network as a goal through which I access the Internet: 192.168.50.0/24
The scan results will be presented in the form of a list of available hosts:
If you click on a host, it will show open ports and running network services:
Under the list of running services, there is other additional information (if gathered) about the operating system, location, MAC address, and so on:
Now we have two options: you can continue to explore the host as a whole, or focus on its individual services. To view the available options for working with the host, click on it with the right mouse button:
There are various types of scanning available using Nmap, various options for finding subdomains, DNS lookup records and other ways to get information on a host.
By right clicking on the services running on the host, you can see the actions available to them:
For example, for SSH, you can run brute force:
You can run an exploit search with nmap, searchsploit, or sploitus:
In this case, the exact version number of the service will be determined (if it hasn’t been done before), and exploits will be searched for it in popular databases.
Especially a lot of different options for web services:
You can take a screenshot, clone a page, perform scanning with popular tools to search for vulnerabilities, run a search for users, hosts, directories, subdomains, etc.
there is a WebSession (works with mitmproxy):
The data received during operation is not only displayed on the screen, but is also stored in the session file /tmp/badkarma.sqlite. If you want to save this file, after completing the work, be sure to copy it to a safe place, since the /tmp folder is automatically cleared every time you restart your computer.
You can also save the project and load a previously saved project.
The Session file is a sqlite database, it contains all the information gained during the activity, real-time updated it can be exported or/and imported from badKarma's GUI. By default the database is located inside the "/tmp" directory, this means that you have to save it in a different location before rebooting your computer.
Inside the database there are four tables: hosts, ports, activity_log and notes.
You can specify session file while launching the program:
badkarma.py [-h] [--session SESSION]
Available optional arguments:
-h, --help show this help message and exit --session SESSION Open a session file
badKarma is modular, the extensions are full-interactive and they allow the penetration tester to tune tasks options, since output is logged under the session file, their output can be exported as a raw txt from the "Logs" tab.
Extensions can be found under the "extension" directory, they are sorted in two categories: importers and workspace. Importers extensions aim to identify tools output files, parse them and import the results into the session file.
Current available workspace's extensions are:
- Shell: this is the main module of the toolkit since it allow the tester to execute preconfigured shell tasks. Shell commands are located under the "conf" directory.
- Bruter: as the name says, bruter is the brute-force extension. It allow the tester to send a target directly to Hydra and configure the parameters through a GUI. Default hydra parameters can be modified from conf/bruter.conf.
- Screenshot: this extension allow the tester to take screenshots of possible http, rdp, rtsp, vnc and x11 servers, screenshots will be stored in the session file as base64 and can be shown from badKarma.
- WebSession: a fast and ready to use webview in tailing with mitmproxy, it allow to browse a target's website and read, edit or resend HTTP requests. Some common payloads are available as well, just click on a payload to copy it on the clipboard. Since full dumps are too big to be imported inside the session file, only mitmdump's default output is imported.
- Browser: just an "open in browser" for http menu item, take it as an example to build your own extensions.
badKarma as a whole is an interesting assistant program, with which you can quickly perform routine actions and keep the results in one place, convenient for visual perception.
The program is under heavy development. In general, most of the functionality works, although some commands were not run due to incorrectly used options, some due to their absence in the system - even in Kali Linux. Some necessary utilities can be installed from standard repositories, but some (for example, dirsearch and WAFW00F) are missing there and you need to install them correctly (so that they are available to call by the program name, and not by specifying the path to the file).
Conveniently, the program centrally stores the results.
As you can understand when working with the program, a set of operations for each service is chosen intellectually, depending on the type of service. If tyour favorite tool is absent in this list, then this is not a problem: badKarma is a modular program and you can add your own module.
- TIDoS-Framework: Web Application Information Gathering and Manual Scanning Platform (95.6%)
- How to search subdomains and build graphs of network structure with Amass (72.4%)
- How to discover subdomains without brute-force (62.6%)
- How to bypass Cloudflare, Incapsula, SUCURI and another WAF (58.2%)
- How to find out hostnames for many IP addresses (54.7%)
- How to find all passwords (web browsers, email programs, etc.) in Windows and Linux (RANDOM - 2.5%)