The use of tools is important in every industry. Finance professionals use spreadsheets and graphing tools to gather and visualize data. Software developers use a wide range of tools to create websites and applications.
The information security industry is no different. Gradually, tools have been built and improved upon to make the lives of researchers, pentesters and others easier.
Today we'll be reviewing one such tool: Jok3r. This open source multi-purpose infosec utility is geared towards helping researchers and "red-teamers", and builds upon or works in tandem with other great infosec tools (like Nmap).
- What is Jok3r?
- Who is Jok3r for?
- Installing Jok3r on Linux
- Analyzing the results
What is Jok3r?
Jok3r is an automated framework designed to help penetration testers investigating flaws in network infrastructure or website/web-applications.
The primary goal of Jok3r is to automate the bulk of tasks during identification/exploitation of 'basic' vulnerabilities found on the most common TCP/UDP services as well as on the most common web application software (such as Apache, Nginx, WordPress, Joomla, Node.JS, Ruby on Rails, and more).
Jok3r adopts the philosophy of "not reinventing the wheel" and combines over 50+ existing tools and scripts for pentesting.
- Multiple TCP/UDP protocol support, including HTTP, FTP, SSH, MS-SQL, VNC and more
- Security checks based on the software detected, so that unneeded scans are not run
- Web technology reconnaissance and CMS detection to detect which products and their versions are being used (application, server, database, programming language and more)
- CVE lookup is performed during reconnaissance to find existing vulnerabilities
- Vulnerability scanning against the most popular CMSs, with the matching vulnerability scanners run automatically
- Common exploit checks are run automatically to test their success
- Brute-forcing attacks are also possible by running targeted lists with default credentials
- Storage and visualization of results in a database with full HTML report generation
Who is Jok3r for?
While Jok3r is a useful tool for anybody working in penetration testing or a "red team" environment, here are scenarios where it may benefit its users the most:
- Junior infosec professionals - Jok3r is a great tool for graduates or people at the beginning of their infosec careers.
- SME software companies - If you build software for others or run any type of software-as-a-service (SaaS) offering and work with software developers or developer operations employees interested in information security, Jok3r is excellent for running tests against your applications and products to find common vulnerabilities.
Installing Jok3r on Linux
Jok3r recommends that you use Docker and the Jok3r Docker Image to install the software. If you are not familiar with Docker or prefer to install everything yourself, 2 scripts are provided that handle the installation process for Debian-based Linux distros.
We should first audit the 2 scripts to make sure that it's safe to install Jok3r via the scripts.
Main Script: This script is basic and easy to understand. It merely acts as a manager script for the main install script, shown below.
Install Script: This script does a lot, so let's break it down in order:
- Kali repositories are added
- Various packages are installed
- Security-specific packages are installed
- Python2 and Python3 packages are installed
- Some common Python libraries are installed after that
- Jython, Ruby, Perl, PHP and Java are then installed
- Firefox and GeckoDriver are installed
Keep in mind that Kali Linux is not the type of distro one should use for normal usage, which is why the makers of Jok3r recommend using Docker. When installing on Linux, you should use a VM or other container solution as a protection mechanism for your main operating system.
We will need git and wget to handle cloning and other matters, so we'll install those first:
sudo apt update
sudo apt upgrade
sudo apt install git wget
And then we'll clone the repository:
git clone https://github.com/koutto/jok3r
cd jok3r/
We then make the scripts executable:
chmod +x install-dependencies.sh install-all.sh
We discovered a bug during our own install process—an old version of the kali-archive-keyring package (2015.2) containing the old archive key which expired in early 2018. So we should update that:
sudo wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc
After adding the updated keyring, the next thing to run is:
You'll get a few prompts during the install. We chose 'yes' for all of them. Depending on the speed of your internet connection, the installation process may take anywhere from a few minutes to a few hours.
Once the install is completed, you'll get an output looking something like this:
The pictures above show that Jok3r has a lot of tools available, but don't let this overwhelm you. Most of the tools are self-explanatory, so all you have to do is apply the appropriate tool during the investigation.
We can also take a look at which services are running on which (default) ports and how many tools are available per service, by running:
python3 jok3r.py info --services
Now we'll conduct an investigation against 'https://docs.securitytrails.com'. First, we'll create a local database:
python3 jok3r.py db
mission -a securitytrails
Press Ctrl+D to exit the db shell, then run an Nmap scan on the SecurityTrails documentation site:
nmap -oX stresults.xml docs.securitytrails.com
Now let's add the results to the database to see what we discover:
python3 jok3r.py db mission securitytrails nmap stresults.xml
After running the Nmap command that adds the results to the 'securitytrails' database, you should see output as follows:
And here's what we found:
Knowing that we're only dealing with ports 80, 443, 8080 and 8443, the next step is to run the attack mode against the http service to discover any weaknesses:
python3 jok3r.py attack -m mayhem -f "service=http" --fast
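The workflow above feeds Nmap's -oX XML into Jok3r, which then filters the imported services (here with -f "service=http"). The following is an added example, not code from the post or from the Jok3r project: it parses a constructed Nmap XML sample, keeps only open ports, and folds the HTTP-family service names into a single 'http' group so that all four web ports match one filter. The HTTP_ALIASES mapping is an assumption for this example; Jok3r's real service mapping lives in its own settings.

```python
"""Parse Nmap -oX output and group open ports by service (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of the XML Nmap writes with -oX; not real scan output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX stresults.xml docs.example.test">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed mapping: Nmap service names that count as the single 'http' service.
HTTP_ALIASES = {"http", "https", "http-proxy", "https-alt", "http-alt"}

def parse_open_ports(xml_text):
    """Return [(addr, port, proto, service)] for open ports on hosts that are up."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports carry no service to check
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            results.append((addr, int(port.get("portid")), port.get("protocol"), name))
    return results

def group_by_service(ports):
    """Collapse HTTP-family names so one 'service=http' filter covers every web port."""
    groups = defaultdict(list)
    for addr, portid, proto, name in ports:
        key = "http" if name in HTTP_ALIASES else name
        groups[key].append((addr, portid, proto))
    return dict(groups)

if __name__ == "__main__":
    for service, entries in group_by_service(parse_open_ports(SAMPLE_NMAP_XML)).items():
        print(service, entries)
```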
The scan took 2 hours, and we skipped a number of checks that either stopped completely or lagged long enough for us to assume they had stalled. A few errors did occur during the scan, but that may have had something to do with our installation (which is a bit buggy).
We will now test another service and run an 'attack' on the SSH port available on the sandbox learning website https://overthewire.org/ and add the information to a database for analysis.
python3 jok3r.py db mission -a otwssh
python3 jok3r.py attack -t bandit.labs.overthewire.org:2220 -s ssh --add2db otwssh --fast (*)
(*) If you intend to use this example on your own, you are reminded to cancel the bruteforce-login tests.
See below for the results of both investigations.
Analyzing the results
Going back into the database, our results show no vulnerabilities found:
python3 jok3r.py db mission securitytrails vulns
Checking the results for each ID shows that 23 commands were run on each port.
Although we didn't expect to find any threats on https://docs.securitytrails.com, running Jok3r against the subdomain has been valuable.
In our second investigation, we made some interesting discoveries. This was helped by the fact that this learning server is vulnerable by design.
Here are the results for 'hosts', 'services' and 'products':
We also have two vulnerabilities — let's see what they are:
We discovered two known CVE threats through this scan. The CVEs are dated 2017 and 2018 respectively, so known exploits of these two threats probably exist.
Jok3r is a great tool for the recommended targets we mentioned above, but we also have a few (minor) criticisms of the software. We suspect that installation via Docker is much simpler than the process we went through, and this is what the authors of the product recommend. The Docker image and the local Linux installation are quite large at 8-10GB. If you have a fast internet connection this isn't an issue, but you should probably leave the download for overnight if your connection is slower.
Jok3r isn't described as 'easy' to use, and you do need at least some knowledge of the command line and Linux to navigate your way around. Getting into the db mode and then trying to escape it would be non-obvious to beginners.
Exporting the entire results was not possible. You need the database and the underlying software to run/view the results in a browser. We feel that being able to export the results into standalone files would be a great enhancement to the tool.
However, Jok3r is an open source product and still in Beta. Based on these two factors and the substantial value the product offers, we rate it 9/10 for all that it does.
Here at SecurityTrails we have a similar—yet robust—product called SurfaceBrowser™, which features a lot of the same reconnaissance and scanning capabilities that Jok3r does. The added benefit is that you don't need to run scans on your own or perform any installation at all. It's all ready for you!! Our systems run millions of scans daily and already track the open ports, IPs, current and historical DNS results, WHOIS history and more.