A typical penetration testing engagement begins with reconnaissance (running Nmap and the like), moves on to checking the discovered services for default passwords, then to launching common exploits (Metasploit, etc.), gaining access and finally lateral movement. Done by hand this is fine on a small network, but it gets slow on a large one. Fortunately, APT2 can automate much of that workflow for us.
What is APT2?
APT2 is an open-source, multi-threaded, automated toolkit that drives tools such as Nmap and Metasploit to help you perform penetration tests. It starts with an Nmap scan; the processed results are then used to launch exploit and enumeration modules according to your configuration. It can also import the results of a previous scan from Nexpose, Nessus or Nmap.
APT2 is a framework consisting of modules, event queues and a knowledge base (KB). Events are created for the ports and services that are discovered, and the modules that have registered an interest in a given event type respond to it; a module can in turn create new events from what it discovers. All module results are stored locally in the KB, which can be browsed from within the application, so you can review what an exploit or enumeration module harvested.
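To make the module/event/KB design concrete, here is a small Python model of that flow. It is an added illustration, not APT2's own code: the module names (nmaploadxml, anonftp) are borrowed only as labels, while the event names, the Framework and KnowledgeBase classes, the nmap XML and the "hash" the SMB stand-in reports are all this example's own constructions.

```python
"""Toy model of an APT2-style event-driven framework (added example, not
APT2's own code). Modules subscribe to event types, write what they find to
a knowledge base (KB) and may fire further events. Nmap XML is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed nmap -oX style output: ftp on a standard and a non-standard
# port, one SMB host, and one closed port that must produce no event.
NMAP_XML = """<nmaprun>
  <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports></host>
  <host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="2121"><state state="open"/><service name="ftp"/></port>
    <port protocol="tcp" portid="8080"><state state="closed"/><service name="http"/></port>
  </ports></host>
</nmaprun>"""


class KnowledgeBase:
    """Facts keyed by a path such as host/10.0.0.5/services."""
    def __init__(self):
        self.facts = defaultdict(set)

    def add(self, key, value):
        self.facts[key].add(value)

    def get(self, key):
        return sorted(self.facts[key])


class Framework:
    def __init__(self):
        self.kb = KnowledgeBase()
        self.queue = deque()                  # pending (event_type, data) pairs
        self.subscribers = defaultdict(list)  # event_type -> modules
        self.log = []                         # which modules ran, in order

    def subscribe(self, event_type, module):
        self.subscribers[event_type].append(module)

    def fire(self, event_type, **data):
        self.queue.append((event_type, data))

    def run(self):
        """Drain the queue; modules may fire new events while it drains."""
        while self.queue:
            event_type, data = self.queue.popleft()
            for module in self.subscribers[event_type]:
                module(self, **data)
        return self.log


# --- stand-in modules: each reacts to one event type and writes to the KB ---

def nmaploadxml(fw, xml_text):
    """Emit one 'service' event per open port, keyed on the nmap service
    name so that ftp on 2121 still reaches the ftp module."""
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host.find("address").get("addr")
        fw.kb.add("hosts", ip)
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            name = port.find("service").get("name")
            fw.kb.add(f"host/{ip}/services", f"{port.get('portid')}/{name}")
            fw.fire("service", ip=ip, port=int(port.get("portid")), name=name)


def anonftp(fw, ip, port, name):
    """Stand-in for an anonymous-FTP check; ignores non-ftp services."""
    if name == "ftp":
        fw.log.append(f"anonftp {ip}:{port}")
        fw.kb.add(f"host/{ip}/ftp", f"{port}:anonymous-checked")


def smb_hashgrab(fw, ip, port, name):
    """Stand-in for a hash-gathering module; a found hash becomes a new event."""
    if name == "microsoft-ds":
        found = "user:1001:aad3b435b51404eeaad3b435b51404ee:<nthash>"  # constructed
        fw.kb.add(f"host/{ip}/hashes", found)
        fw.fire("hash", ip=ip, value=found)


def crack_hashes(fw, ip, value):
    """Reacts to 'hash' events the way a John/Hashcat module would."""
    fw.log.append(f"crack {ip} {value.split(':')[0]}")


def build_and_run(xml_text=NMAP_XML):
    """Wire the modules up, seed the queue with the XML and drain it."""
    fw = Framework()
    fw.subscribe("nmapxml", nmaploadxml)
    fw.subscribe("service", anonftp)
    fw.subscribe("service", smb_hashgrab)
    fw.subscribe("hash", crack_hashes)
    fw.fire("nmapxml", xml_text=xml_text)
    fw.run()
    return fw


if __name__ == "__main__":
    fw = build_and_run()
    print("\n".join(fw.log))
    print(fw.kb.get("host/10.0.0.9/services"))
```

Two details are worth noticing. The hash found on 10.0.0.5 is queued as a new event and only cracked after the remaining service events have been handled, which is the chaining the KB/event design gives you. And the loader keys events on the nmap service name rather than the port number, so the ftp service on 2121 is still routed to anonftp, while the closed port on 8080 produces no event at all.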
Simply put, this is what APT2 can do:
Identify services & operating systems.
Screenshot web applications, X11, VNC, etc.
Analyze FTP and file shares.
Brute force accounts.
Run Metasploit modules.
Collect hashes and hand them to John the Ripper/HashCat.
Current list of APT2 modules:
- nmaploadxml – Load NMap XML File
- hydrasmbpassword – Attempt to bruteforce SMB passwords
- nullsessionrpcclient – Test for NULL Session
- msf_snmpenumshares – Enumerate SMB Shares via LanManager OID Values
- nmapbasescan – Standard NMap Scan
- impacketsecretsdump – Test for NULL Session
- msf_dumphashes – Gather hashes from MSF Sessions
- msf_smbuserenum – Get List of Users From SMB
- anonftp – Test for Anonymous FTP
- searchnfsshare – Search files on NFS Shares
- crackPasswordHashJohnTR – Attempt to crack any password hashes
- msf_vncnoneauth – Detect VNC Services with the None authentication type
- nmapsslscan – NMap SSL Scan
- nmapsmbsigning – NMap SMB-Signing Scan
- responder – Run Responder and watch for hashes
- msf_openx11 – Attempt Login To Open X11 Service
- nmapvncbrute – NMap VNC Brute Scan
- msf_gathersessioninfo – Get Info about any new sessions
- nmapsmbshares – NMap SMB Share Scan
- userenumrpcclient – Get List of Users From SMB
- httpscreenshot – Get Screen Shot of Web Pages
- httpserverversion – Get HTTP Server Version
- nullsessionsmbclient – Test for NULL Session
- openx11 – Attempt Login To Open X11 Service and Get Screenshot
- msf_snmplogin – Attempt Login Using Common Community Strings
- msf_snmpenumusers – Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values
- httpoptions – Get HTTP Options
- nmapnfsshares – NMap NFS Share Scan
- msf_javarmi – Attempt to Exploit A Java RMI Service
- anonldap – Test for Anonymous LDAP Searches
- ssltestsslserver – Determine SSL protocols and ciphers
- gethostname – Determine the hostname for each IP
- sslsslscan – Determine SSL protocols and ciphers
- nmapms08067scan – NMap MS08-067 Scan
- msf_ms08_067 – Attempt to exploit MS08-067
- Shodan – Get information from Shodan
- JBoss – Attempt to determine if a JBoss instance has default credentials.
APT2 has its limitations. Any tool you integrate has to run non-interactively, and different tools have different rate-limiting behaviour, so one slow tool can hold up the whole scan. Also, because of the way the tool is written, services on non-standard ports or with unexpected service names can keep the right modules from being triggered, so compare the module output against the raw Nmap results when a scan looks thinner than expected.
It has currently been tested only on *NIX-based operating systems and needs the following tools to be installed already: convert, dirb, hydra, java, john, ldapsearch, msfconsole, nmap, nmblookup, phantomjs, responder, rpcclient, secretsdump.py, smbclient, snmpwalk, sslscan and xwd. If you are working on Kali Linux you should be more than halfway there.
Download APT2 v1.0-20161004 here.