Releases: Karmaz95/crimson

CRIMSON v3.0

19 Aug 20:43

CHANGELOG

MAJOR CHANGES

  • Changed operating system from Ubuntu to Kali.
  • Changed .bashrc aliases.
  • All modules were rebuilt.
  • Added new module crimson_IPcon for IP-only assessment.
  • Active Directory enumeration & vulnerability scanning was added to crimson_IPcon.
  • No more port scanning in crimson_recon and crimson_target. If you need this functionality, use crimson_IPcon.
  • No more Python 2.7 code (there are still some scripts in the /scripts/ directory, but the modules do not use them. I decided to leave them there so I can rewrite them in Python 3 or Go in the future if needed).
  • testssl, wpscan and jwt_tool transferred from crimson_exploit to crimson_target.
  • crimson_exploit does not need a domain anymore, just the params.txt | all.txt | dirs.txt files. Place dirs.txt and params.txt in the current directory and run the script.
  • Added sstimap.py to the SSTI testing in the crimson_exploit module.

MINOR CHANGES

  • crimson_faker.py script => template for generating fake data for API testing.
  • crimson_target - the dig_for_secret functions were moved out. They will be part of the 5th module for static code analysis in the next patch.
  • New flag crimson_target -n to skip brute-forcing directories.
  • All banners were removed from modules.
  • Nuclei runs in headless mode.
  • You can use the c_0, c_1, c_2 and c_3 aliases instead of crimson_MODULE-NAME.
  • Removed some static code analysis functions from modules and placed them in the future c_4 module named crimson_lang.

NEW .BASHRC

### PATHS 
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
export CRIMSON_PATH=/root/tools/crimson

### CRIMSON
alias crimson="cd $CRIMSON_PATH"
alias c_0="$CRIMSON_PATH/crimson_IPcon"
alias c_1="$CRIMSON_PATH/crimson_recon"
alias c_2="$CRIMSON_PATH/crimson_target"
alias c_3="$CRIMSON_PATH/crimson_exploit"

### TOOLS
alias bat="batcat"
alias fd="fdfind"
alias cme="crackmapexec"
alias quickpress="/root/tools/quickpress/quickpress"
alias sss="python3 -m http.server 80"   # serves the current directory on all interfaces, port 80
alias psbase64_encode="iconv -t utf-16le | base64 -w 0"   # PowerShell -EncodedCommand expects base64 of UTF-16LE text
alias parse_nmap="ultimate-nmap-parser.sh *.gnmap --all"
alias grep_domain="awk -F/ '{print \$3}' | sort -u"   # host[:port] of each URL on stdin; \$3 must be escaped, otherwise it is expanded (to nothing) when .bashrc is sourced and awk prints whole lines
alias ferox="feroxbuster -C 400,404 --auto-tune  -nEgBekr --wordlist $HOME/tools/crimson/words/dir -o ferox.txt -I 3gp,aac,apng,avif,bmp,class,com,css,cur,doc,flac,gif,gz,ico,jar,jfif,jpeg,jpg,m4a,m4p,m4v,mov,mp3,mp4,mpeg,mpg,oga,ogg,ogv,pdf,pif,pjp,pjpeg,png,ram,scr,snp,svg,swf,tgz,tif,tiff,wav,webm,webp,woff,xls -u"


### FUNCTIONS
function gen_net_ysoserial() {
    # GENERATE YSOSERIAL.NET PAYLOADS USING GADGETS FROM $HOME/tools/crimson/words/exp/netgadgets (one gadget name per line)
    # ARG[1] is the collaborator domain
    # EXAMPLE: gen_net_ysoserial DOMAIN.BURP.COM
    while read -r gadget
    do
        [ -z "$gadget" ] && continue   # skip blank lines in the gadget list
        # stdin is redirected from /dev/null so the tool cannot consume the remaining gadget lines
        wine "$HOME/tools/crimson/scripts/GOAST/net-ysoserial-135/ysoserial.exe" -f BinaryFormatter -g "$gadget" -o base64 -c "ping $1" /nogui < /dev/null >> net_deserialization_payloads.txt
    done < "$HOME/tools/crimson/words/exp/netgadgets"
}
function gen_java_ysoserial() {
    # GENERATE YSOSERIAL PAYLOADS USING GADGETS FROM $HOME/tools/crimson/words/exp/jargadgets (one gadget name per line)
    # ARG[1] is the collaborator domain
    # EXAMPLE: gen_java_ysoserial DOMAIN.BURP.COM
    # Output is one base64 payload per line; a gadget that fails to generate leaves an empty line, which is dropped at the end
    while read -r gadget
    do
        [ -z "$gadget" ] && continue
        java -jar "$HOME/tools/ysoserial/ysoserial.jar" "$gadget" "$1" < /dev/null | base64 -w0 >> temp_payloads.txt && echo >> temp_payloads.txt
    done < "$HOME/tools/crimson/words/exp/jargadgets"
    sed '/^$/d' temp_payloads.txt > java_deserialization_payloads.txt
    rm temp_payloads.txt
}

function rr {
        # Full TCP sweep with rustscan, handing open ports to nmap (-A + discovery/vuln NSE scripts); output in scan.{nmap,gnmap,xml}
        ulimit -n 5000   # rustscan opens many sockets at once; raise the file-descriptor limit first
        rustscan -a "$1" -- -n -A -Pn --script discovery,vuln --append-output -oA scan
}

function sqli {
        # Quick sqlmap banner grab against a single URL (-b is the short form of --banner, so only one is needed)
        sqlmap -o -v 0 --banner -u "$1"
}

function words {
    # USAGE: words [collab_domain] [vps_ip] [vps_port]
    # Renders the OOB / blind-XSS / header wordlists and the upload files with your collaborator domain and VPS address
    local domain="$1" vps="$2" port="${3:-80}"   # default to port 80 when no port is given, so "vps:80" is never rewritten to "vps:"
    local W="$HOME/tools/crimson/words"
    # Java deserialization payload URLDNS (* swap the java path if it does not work)
    java -jar "$HOME/tools/crimson/scripts/GOAST/ysoserial.jar" URLDNS "http://$domain" | base64 -w0 | sed "s/$/\n/g" > oob.fuzz
    # Preparing OOB payload list and copying it to the clipboard
    sed "s/domain_collab/$domain/g; s/vps_ip/$vps/g" "$W/exp/OOB" | sed "s/$vps:80/$vps:$port/g" >> oob.fuzz
    sed "s/domain_collab/$domain/g" "$W/exp/BLIND_XSS" >> oob.fuzz
    clip.exe < oob.fuzz 2>/dev/null   # WSL clipboard; use xclip/xsel on native Linux
    # Preparing other wordlists and files to upload
    cat "$W/bug" >> bug.fuzz
    sed "s/domain_collab/$domain/g" "$W/exp/http_leaks" >> http_leaks
    cat "$W/exp/bypass_ext" >> bypass_ext
    sed "s/domain_collab/$domain/g" "$W/exp/BLIND_XSS" >> BLIND_XSS
    sed "s/domain_collab/$domain/g" "$W/exp/headers" >> headers.fuzz
    # Preparing upload
    mkdir -p upload && cd upload || return 1   # do not fall through and copy into the current directory if the chdir fails
    cp "$HOME"/tools/crimson/upload/* .
    sed "s/domain_collab/$domain/g" exiftool.jpg > exiftooldomain.jpg
    sed "s/domain_collab/$vps:$port/g" exiftool.jpg > exiftoolvps.jpg
    # overwrite the copied template with the rendered version
    sed "s/domain_collab/$domain/g; s/vps_ip/$vps/g" formula_injections.txt | sed "s/$vps:80/$vps:$port/g" > formula_injections.tmp && mv formula_injections.tmp formula_injections.txt
    cd ..
}
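The placeholder rendering that words does with chained sed calls, as an added example (this is not code from the crimson project or its .bashrc): a render_oob function using the same domain_collab / vps_ip placeholders, which defaults the VPS port to 80 when the third argument is omitted (so a missing port no longer turns vps_ip:80 into a bare "vps:") and escapes sed metacharacters in the substituted values. The template lines and the collab.example.com / 10.0.0.5 values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the crimson project.
# render_oob <collab_domain> <vps_ip> [vps_port] < template
# Reads a wordlist template on stdin and writes the rendered list to stdout.
render_oob() {
    domain="$1"
    vps="$2"
    port="${3:-80}"   # default port instead of an empty one when $3 is missing
    # Escape "/", "&" and "\" so they are literal on the sed replacement side
    esc_domain=$(printf '%s' "$domain" | sed 's|[/&\\]|\\&|g')
    esc_vps=$(printf '%s' "$vps" | sed 's|[/&\\]|\\&|g')
    # Replace the port-bearing form first, then any remaining bare vps_ip
    sed -e "s/domain_collab/$esc_domain/g" \
        -e "s/vps_ip:80/$esc_vps:$port/g" \
        -e "s/vps_ip/$esc_vps/g"
}

# Constructed sample template in the shape of words/exp/OOB (not the project's list)
sample_template() {
    printf '%s\n' \
        'http://domain_collab/' \
        'http://vps_ip:80/x' \
        'Host: domain_collab'
}

# Stand-alone run: render the sample with an explicit port, then with the default
sample_template | render_oob collab.example.com 10.0.0.5 8080
sample_template | render_oob collab.example.com 10.0.0.5
```

Feed it the real template with `render_oob "$1" "$2" "$3" < "$HOME/tools/crimson/words/exp/OOB" >> oob.fuzz` to get the same output as the sed chain in words, minus the empty-port case.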

WHAT IS NEXT?

  • crimson_lang module is on the way.
  • New module will cover Whitebox testing for many different programming languages.

CRIMSON v2.1

31 Jan 21:54

CHANGES:

  1. Narrowed down the "OR" list.
  2. Open Redirection testing is now only possible with the "-x" flag.
    • This is because Burp Suite will find most OR vulns.
  3. GOAST - small code changes. Bugs patched and concurrency added.
  4. HBH testing function was removed from the default crimson_target workflow.
    • You can add those functions manually if you want.
  5. get_the_robots() output bug patched.
  6. Removed crimson_deserializator from the crimson_exploit workflow.
  7. Removed the codeql function; if you want to use it, you have to add it to the workflow manually.
  8. No more prompt after the first run of the CMSeeK docker.
  9. New aliases in .bashrc.
  10. Preinstalled fd and batcat.

Addition in .bashrc:

### WORKING PATH
# no trailing ":" - an empty PATH entry means "current directory", so a planted binary in the working dir could shadow system tools
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin:/root/tools/codeql:/root/tools/CRIMSON"
### PYTHON ALIAS
alias python="python2"
### CARGO
. /root/.cargo/env
### CRIMSON MANUAL - words [domain] [vps_ip] [port]
function words {
    local domain="$1" vps="$2" port="${3:-80}"   # default to port 80 when no port is given, so "vps:80" is never rewritten to "vps:"
    local W=/root/tools/CRIMSON/words
    # Java deserialization payload URLDNS (* swap the java path if it does not work)
    java -jar /root/tools/CRIMSON/scripts/GOAST/ysoserial.jar URLDNS "http://$domain" | base64 -w0 | sed "s/$/\n/g" > oob.fuzz
    # Preparing OOB payload list
    sed "s/domain_collab/$domain/g; s/vps_ip/$vps/g" "$W/exp/OOB" | sed "s/$vps:80/$vps:$port/g" >> oob.fuzz
    sed "s/domain_collab/$domain/g" "$W/exp/BLIND_XSS" >> oob.fuzz
    # Preparing other wordlists and files to upload
    cat "$W/bug" >> bug.fuzz
    sed "s/domain_collab/$domain/g" "$W/exp/http_leaks" >> http_leaks
    cat "$W/exp/bypass_ext" >> bypass_ext
    sed "s/domain_collab/$domain/g" "$W/exp/BLIND_XSS" >> BLIND_XSS
    sed "s/domain_collab/$domain/g" "$W/exp/headers" >> headers.fuzz
    # Preparing upload
    mkdir -p upload && cd upload || return 1   # do not fall through and copy into the current directory if the chdir fails
    cp /root/tools/CRIMSON/upload/* .
    sed "s/domain_collab/$domain/g" exiftool.jpg > exiftooldomain.jpg
    sed "s/domain_collab/$vps:$port/g" exiftool.jpg > exiftoolvps.jpg
    # overwrite the copied template with the rendered version
    sed "s/domain_collab/$domain/g; s/vps_ip/$vps/g" formula_injections.txt | sed "s/$vps:80/$vps:$port/g" > formula_injections.tmp && mv formula_injections.tmp formula_injections.txt
    cd ..
}
### FEROX ALIAS
alias ferox="feroxbuster --extract-links --no-recursion --redirects --wordlist /root/tools/CRIMSON/words/dir -k -u"
### fdfind alias
alias fd="fdfind"
### batcat
alias bat="batcat"
### CD TO CRIMSON
alias crimson="cd /root/tools/CRIMSON"

crimson 2.0

13 Oct 15:13

CRIMSON v2.0

  • From now on, Crimson runs as a docker container and the install.sh script is no longer supported
    (although it should still work on Linux Mint).
  • Much of the code has been rewritten and improved.
  • Added project_valuation.sh and crimson_mass_nmap.py to the scripts directory.
  • Added the Ciphey tool.
  • The words directory has been improved.
  • Added new options to all three modules to make them more "elastic".
  • Added rustscan in place of masscan.

crimson_recon:

  • Added optional flags to this module:
  • -x # Domain bruteforcing (with the words/dns wordlist)
  • -v # Virtual host discovery
  • -p # TCP port scanning (1-65535)
  • -u # UDP port scanning (nmap default ports)
  • -b # Third-level subdomain bruteforcing
  • -y # Proxy urls.txt and live.txt to Burp (127.0.0.1:8080)

crimson_target

  • Added optional flags to this module:
  • -p # TCP (1-65535) / UDP (nmap default) port scanning
  • -a # Automatic deletion of possible false-positive endpoints after bruteforcing with ffuf (this option needs more testing)
  • -y # Proxy urls.txt and ffuf.txt to Burp (127.0.0.1:8080)
  • A lot of modifications in the script.
  • New workflow - check the documentation guidelines.

crimson_exploit

  • The script was rewritten.
  • New tools were added, check the scripts directory!
  • Faster CVE scanning.

crimson 1.4

27 Jun 13:37

Changes

  • Faster port scanning with "rustscan"
  • Patched jsextractor bug
  • "upload" directory created with files for manual upload testing
  • "pywhat" and "gmapiscanner" were added to the installer
  • Minor changes and bug fixes

crimson 1.3

19 Apr 14:36

Changes

  • Added new wordlists
  • Minor changes in scripts/
  • New functionalities in crimson_exploit
  • Updated README.md
  • Updated install.sh
  • Fixed bugs

installator patch

06 Apr 07:44

Changes

  • Updated README.md
  • Updated install.sh
  • Fixed bugs
  • -x parameter was added to the third module

crimson 1.1

29 Mar 18:06

Crimson v1.1 patch

Most bugs were patched; tested on two distributions (Kali and Mint).
In the third module the fuzzer runs too long; this will be corrected in the next patch.

Changes in first module:

  • cookie bug was patched
  • Added log clearing

Changes in second module:

  • cookie bug was patched
  • Added log clearing

Changes in third module:

  • Added crimson_templator
  • Added testssl.sh
  • Minor bugs were patched

Other changes

  • Updated README.md
  • Updated install.sh
  • Added new README.md for every directory
  • Fixed bugs from 1st and 2nd module
  • Added Burp Extensions for further testing

README patch

25 Mar 20:51

Changes in third module:

  • Added SSTI
  • Rebuilt scripts in the scripts/ directory for the third module

Other changes

  • Updated README.md
  • Updated install.sh
  • Added new README.md for every directory
  • Fixed bugs from 1st and 2nd module

crimson_target patch

21 Mar 21:17

Changes in second module:

  • Implemented crimson_backuper.py
  • Added nmap grepable output
  • Added authorization header / cookie
  • Properly configured Wapiti scan
  • Minor changes to spiders
  • Minor changes to bruteforcing
  • Implemented CorsMe in place of CORScanner
  • Implemented Arjun
  • Bugs have been patched

Other changes

  • Updated README.md
  • Updated install.sh
  • Article from Medium about automation II was added to README.md

crimson 1.2 - installator patch

06 Apr 07:40

Changes

  • Updated README.md
  • Updated install.sh
  • Fixed bugs
  • -x parameter was added to the third module