
itsmenaga/pentest-management


Pentest Management (ptM)

ptM is a web frontend for managing pentest projects. A limited set of popular tools (massdns, nmap, wpscan, ...) can be run against a project with a click.

Important - Read first!

This tool is designed to execute shell commands on the underlying Ubuntu web server! It is also necessary to install several Python and Ruby tools as root via git. You have to know what you are doing! My recommendation is therefore not to install this kind of tool on systems/servers that also host other websites. Buy a cheap VPS and dedicate it to ptM!

Also: read this install from top to bottom!

Security

Since this tool works a lot with shell commands and makes it possible to execute different commands, I recommend protecting it at the web server level: an htaccess-style login and/or an IP allow-list ("allow from YOURIP"). Please don't report issues like "RCE" - that's by design ;) This is basically a pretty bash shell, so anyone who can log in can run commands as the web server user, and the login page itself should not be reachable from the whole internet.
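The README recommends an htaccess login and "allow from YOURIP", which is Apache 2.2 syntax (Apache 2.4 spells it `Require ip`), but the Preinstall section says the tool runs behind nginx. The following nginx server block is an added example, not configuration shipped with ptM, showing the same two gates in nginx terms: a network allow-list so that only your address reaches the app at all, and HTTP basic auth in front of the Laravel login. The hostname, install path, certificate paths, PHP-FPM socket and the address 203.0.113.10 are assumptions to replace with your own values.

```nginx
# Added example, not part of the ptM repository.
# Replace 203.0.113.10, the paths and the hostname with your own values.
server {
    listen 443 ssl;
    server_name ptm.example.com;                 # assumed hostname
    root /var/www/ptm/public;                    # assumed Laravel public dir

    ssl_certificate     /etc/ssl/ptm/fullchain.pem;   # assumed cert paths
    ssl_certificate_key /etc/ssl/ptm/privkey.pem;

    # Gate 1: only your own IP(s) get an HTTP response at all.
    # Add one "allow" line per address or CIDR; "deny all" must come last.
    allow 203.0.113.10;
    deny  all;

    # Gate 2: basic auth in front of the Laravel login.
    # Create the file with: htpasswd -c /etc/nginx/ptm.htpasswd <username>
    auth_basic           "ptM";
    auth_basic_user_file /etc/nginx/ptm.htpasswd;

    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;   # assumed PHP-FPM socket
    }

    # Never serve dotfiles such as .env over HTTP.
    location ~ /\. {
        deny all;
    }
}
```

After editing, run `nginx -t` and reload; then confirm from an address that is not on the allow-list that you get a 403 before any login page is shown.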

Features

  • Login/Logout as admin
  • Simple user management
  • Adding "projects" (domains and some basic stuff) and scanning those with different tools (massdns, sublister, axfr, ...)
  • Adding subdomains to a project and scanning those with dirsearch, nmap, wpscan (more to come...)
  • Adding notes, http status, headers, redirects, cname, ips, ... (this data will be gathered automatically)
  • Observing system queue and interacting with it - "tsp" is necessary!
  • Observing ps aux and interacting with it
  • Remove current jobs/failed jobs
  • Brute forcing subdomains via artisan command
  • Brute forcing htaccess
  • Automated, regularly scheduled searches for new subdomains within active projects
  • AXFR and CT Scans (using Facebook CT) for new subdomains
  • Automated archiving of invalid domains
  • dirsearch on multiple targets based on rules
  • Screenshots of targets using phantomjs

Preinstall

This tool was developed under Ubuntu 16.04, MySQL 5.7, nginx and PHP 7.2. Since I decided to use nullable types and void as a return type, PHP >= 7.1 is required!

After installing MySQL 5.7, create a database dedicated to this application and a user with all privileges granted on that database (and on that database only).

You also need:

  1. Python 2.7
  2. Python 3
  3. Ruby 2

Please use "whereis" to get the absolute paths!

For the heavy load stuff, I'm using "tsp", this also needs to be installed:

sudo apt-get install task-spooler

nmap

Dead simple installation using apt-get:

sudo apt-get install nmap

git

sudo apt-get install git

pip and pip3

sudo apt-get install python-pip python3-venv python3-pip

dig

dig is usually preinstalled on all ubuntu servers.

supervisor

sudo apt-get install supervisor

Please take a look at the Laravel Docs for more info about supervisor!

npm & yarn & composer

redis

If you want to use redis as the queue handler, you have to install redis as well. Do not forget to alter your .env file accordingly:

sudo apt-get install redis-server 

phantomjs

I'm using a simple js script and phantomjs to make screenshots of websites.

wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
bzip2 -d phantomjs-2.1.1-linux-x86_64.tar.bz2
tar -xvf phantomjs-2.1.1-linux-x86_64.tar
# /usr/bin is root-owned, so the copy needs root
sudo cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/bin/phantomjs

or (but this didn't work for me!):

sudo apt-get install phantomjs

Third party tools

I'm using different third party tools, some of them require you to install different dependencies as root user. Please take a look at the repositories.

Every tool needs to be located within the "toolset" folder in the base path.

1. Install Laravel 5.6

This tool is based on "Laravel 5.6" - take a look at the official website to get an idea whats important when installing Laravel.

The steps are quite simple:

  1. Clone this repo into your folder
  2. Edit example.env and rename it to ".env"
  3. It's important to edit the database credentials, update the URL and set the "TOOLSET_BIN_*" variables. Just use "whereis" to get the full paths of PHP 7.2, Ruby 2 and Python 2/3.
  4. Under normal circumstances you won't need to change the "TOOLSET_PATH_*" variables! So just ensure everything is there ;)
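Resolving every interpreter and tool path by hand with "whereis" is where installs usually go wrong (a missing python2.7 or a tsp that is not on PATH only shows up later as a failed job). The following POSIX shell script is an added example, not part of the ptM repository: it resolves each binary the README asks for, prints ready-to-paste `.env` lines, and checks the PHP >= 7.1 requirement. The exact `TOOLSET_BIN_*` variable names are assumptions; take the real names from example.env.

```shell
#!/bin/sh
# Added preflight check for a ptM host. Not part of the repository.
# The TOOLSET_BIN_* names are assumed; check example.env for the real ones.
set -u

# find_bin NAME: print the absolute path of NAME, return 1 if not on PATH.
find_bin() {
    command -v "$1" 2>/dev/null
}

# env_line VAR NAME: print "VAR=/abs/path" for .env, or a "# missing" comment.
# Returns 1 when NAME is not installed so callers can count failures.
env_line() {
    p=$(find_bin "$2") && printf '%s=%s\n' "$1" "$p" && return 0
    printf '# %s: "%s" not found on PATH - install it or fix PATH\n' "$1" "$2"
    return 1
}

# check_all: walk the interpreter/tool list from the README.
# Return value is the number of missing binaries (0 means all present).
check_all() {
    missing=0
    for pair in \
        TOOLSET_BIN_PHP:php \
        TOOLSET_BIN_PYTHON2:python2.7 \
        TOOLSET_BIN_PYTHON3:python3 \
        TOOLSET_BIN_RUBY:ruby \
        TSP:tsp \
        NMAP:nmap \
        DIG:dig \
        GIT:git \
        PHANTOMJS:phantomjs
    do
        var=${pair%%:*}
        name=${pair#*:}
        env_line "$var" "$name" || missing=$((missing + 1))
    done
    return "$missing"
}

# php_ok [PHP_BINARY]: succeed only if PHP is >= 7.1 (nullable types, void).
php_ok() {
    php=$(find_bin "${1:-php}") || return 1
    "$php" -r 'exit(PHP_VERSION_ID >= 70100 ? 0 : 1);'
}

# Report when run directly; functions stay usable when the file is sourced.
check_all
echo "# missing binaries: $?"
if php_ok; then
    echo "# PHP >= 7.1: ok"
else
    echo "# PHP >= 7.1: NOT satisfied (or php not found)"
fi
```

Run it as the same user that will run the supervisor workers and the cron job, because that user's PATH is the one that matters, then paste the printed lines into `.env`.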

Installing Laravel:

composer install

Compiling assets via Laravel mix:

yarn install && npm run prod

Regenerate app key:

php artisan key:generate

Migrate database and seed data

php artisan migrate:fresh --seed

Create symbolic link to storage

If you get an error while creating the symbolic link to storage, first remove the storage folder in public, then run the command below:

php artisan storage:link

chmod storage and cache folder

Both directories must be writable by the user PHP runs as. 777 makes them writable by every local user; on a dedicated VPS that is tolerable, but the tighter equivalent is to chown them to the web server user (www-data on Ubuntu) and use mode 775.

chmod -R 777 bootstrap/cache
chmod -R 777 storage

Configure webserver

Take a look at the Laravel documentation

Configure supervisor

Supervisor manages the Laravel workers which process the Laravel queue. I'm using it for simple quick jobs like crawling URLs or fetching DNS data for a subdomain. Heavy load is sent to task spooler since it is way more robust (in my case) when combined with massdns etc. I assume supervisor is installed!

nano /etc/supervisor/conf.d/laravel-worker-low.conf

Content of this file (!! update paths and user !!):

[program:laravel-worker-low]
process_name=%(program_name)s_%(process_num)02d
command=php /home/vagrant/ptm/artisan queue:work --queue=default,low --sleep=3
autostart=true
autorestart=true
user=vagrant
numprocs=6
redirect_stderr=true
stdout_logfile=/home/vagrant/ptm/storage/logs/low-worker.log

If your vps/server is not that strong you may set the numprocs to 2-3, if you have a strong server... 10 may be fine ;)

IMPORTANT:

Now reread and restart supervisor:

/etc/init.d/supervisor restart
sudo supervisorctl reread
sudo supervisorctl update
sudo supervisorctl start laravel-worker-low:*

Configure schedule system

Laravel has a simple schedule system. Specific jobs (in my case "updateDnsAndHttpData" for new subdomains) are put into the "low" queue by the scheduler and executed by the queue workers (managed by supervisor). The scheduler itself is driven by a cronjob, so you have to add it to your crontab (I'm using crontab -e):

* * * * * /usr/bin/php7.2 /path-to-your-project/artisan schedule:run >> /dev/null 2>&1

2. Install dirsearch, massdns, sublist3r and wpscan

sh install-third-party.sh

ATTENTION: This clones all repos, installs every Ruby and Python 2/3 dependency and also important Ubuntu build tools. You will have to confirm some of the steps interactively!

3. Rights...

Depending on which user you use to install all deps and scripts, it may be necessary to chmod some folders:

chmod -R 777 toolset/dirsearch/logs/
chmod -R 777 toolset/dirsearch/reports/

Login

  • Login: mail [at] damianschwyrz.de
  • Password: 123456

These default credentials are seeded into every install and are public, so change the password (or replace the account) immediately after the first login. From then on you can change the credentials or add new users.

What about own wordlists

Take a look at the folder toolset/wordlists. There are some predefined wordlists for massdns/subbrute and some for dirsearch. You may just add new ones and the frontend will find them automatically. The predefined ones are taken from:

  1. https://github.com/danielmiessler/SecLists/
  2. https://github.com/jhaddix

Screenshots

[Screenshots: Login, Dashboard, Task Spooler, ps aux, User, Projects, Targets]

TODO

  1. User Management
  2. Extended User Management -> Superadmin, Admin, Spectator
  3. Tests & Refactoring...
  4. CMS Enumeration
  5. aquatone integration
  6. other tools
  7. activate more options for attacking sites (via wpscan, ...)

About

A webinterface combining different recon tools.
