m-cetin / webpwn

Cracking the Lenses of Perimeter Penetrationtests

Python 100.00%
bugbounty enumeration information-gathering nmap pentesting network network-security osint penetration-testing penetration-testing-framework

WebPwn - A Comprehensive Toolkit for Penetration Testers

WebPwn is a collection of tools that helps penetration testers gain an initial foothold on in-scope systems. It covers email address collection, subdomain enumeration, vulnerability scanning and exploitation. WebPwn is intended solely for legal and ethical use in authorized penetration tests; using it for any illegal activity is strictly prohibited.

Whether you are running a web application assessment, a network penetration test or a vulnerability analysis, WebPwn bundles the tools you need and streamlines the assessment process.

Please use it responsibly and comply with the applicable laws and regulations. Our aim is to give penetration testers a useful resource that helps make the digital landscape safer.

Tool Requirements (Linux-only)

General recommendations:

  • Install Go and place Go binaries in the "tools" folder.
  • Clone the entire repository.

For full functionality of the email gathering tool, you will need:

  • 1 XING account.

Although it may work without an account, we strongly recommend using one. Creating a temporary account for this purpose is suggested.

Installation

Install httpx, if not available. Verify the archive against the checksums file published with the release before copying the binary into your PATH (/usr/local/bin is the conventional location for manually installed binaries):

wget https://github.com/projectdiscovery/httpx/releases/download/v1.3.3/httpx_1.3.3_linux_amd64.zip -O httpx.zip; unzip httpx.zip; sudo cp httpx /usr/bin

Get WebPwn:

git clone https://github.com/m-cetin/webpwn; cd webpwn

pip3 install -r requirements.txt

Usage

Just run:

python3 webpwn.py

The main menu will guide you through.

What you can do

Menu 1) - E-Mail Gathering

Gathers email addresses from XING and LinkedIn. Enter your XING credentials when asked.

The addresses are saved under /recon in several formats: fullname-emails.txt uses {firstname}.{lastname}@company.com, emails.txt uses {f}.{lastname}@company.com, and the other common address patterns are there as well. There is also an option to brute-force names with a fixed number of X letters, for example [email protected], etc.

Menu 1b) - E-Mail convention check

Enter the full name of the target person and their domain (@domain.com) to check against Microsoft Outlook and Azure whether the address exists. German umlauts (ä, ö, ü and ß) are automatically converted to their usable ASCII form (ä -> ae, etc.). Hyphens (-) are handled as well: for a name like "Anna-Lena Schmidt", versions such as [email protected] and similar are considered.
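The pattern generation behind Menu 1 and the name normalisation behind Menu 1b, as an added example (this is not WebPwn's own code): one function turns a full name into candidate addresses for every common convention, transliterating German umlauts and trying a hyphenated name as-is, joined and as each half. The pattern names mirror the files the tool writes; the live existence check against Outlook/Azure needs network access and is not shown. The domain example.com and the names used are constructed sample input.

```python
import itertools
import unicodedata

# Added example, not WebPwn's own code. Generates the candidate addresses that
# Menu 1 writes per pattern and applies the umlaut/hyphen handling of Menu 1b.
# The Outlook/Azure existence check is a network step and is not part of this.

UMLAUTS = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"}

# fullname-emails.txt is {first}.{last} and emails.txt is {f}.{last}, as in the
# README; the other entries are further common conventions.
PATTERNS = {
    "fullname-emails": "{first}.{last}",
    "emails": "{f}.{last}",
    "flast": "{f}{last}",
    "firstlast": "{first}{last}",
    "first_last": "{first}_{last}",
    "last.first": "{last}.{first}",
    "firstl": "{first}{l}",
    "first": "{first}",
    "last": "{last}",
}


def normalise(part: str) -> str:
    """Lower-case a name part and make it usable in the local part of an address:
    ä/ö/ü/ß become ae/oe/ue/ss, any other accent is stripped (é -> e)."""
    part = part.lower()
    part = "".join(UMLAUTS.get(ch, ch) for ch in part)
    decomposed = unicodedata.normalize("NFKD", part)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def variants(part: str) -> list[str]:
    """A hyphenated part like 'anna-lena' is tried as-is, joined, and as each half."""
    part = normalise(part)
    if "-" not in part:
        return [part]
    halves = [h for h in part.split("-") if h]
    return list(dict.fromkeys([part, "".join(halves)] + halves))


def candidates(full_name: str, domain: str) -> dict[str, list[str]]:
    """Return {pattern name: [addresses]} for one person. The first word is the
    first name and the last word the surname; middle names are ignored."""
    words = full_name.split()
    if len(words) < 2:
        raise ValueError("need at least a first and a last name")
    domain = domain.lstrip("@").lower()
    result: dict[str, list[str]] = {}
    for name, template in PATTERNS.items():
        seen: list[str] = []
        for first, last in itertools.product(variants(words[0]), variants(words[-1])):
            local = template.format(first=first, last=last, f=first[0], l=last[0])
            addr = f"{local}@{domain}"
            if addr not in seen:
                seen.append(addr)
        result[name] = seen
    return result


def collect_patterns(people: list[str], domain: str) -> dict[str, list[str]]:
    """Merge every person's addresses per pattern: one list per output file."""
    files: dict[str, list[str]] = {name: [] for name in PATTERNS}
    for person in people:
        for name, addrs in candidates(person, domain).items():
            files[name].extend(a for a in addrs if a not in files[name])
    return files


if __name__ == "__main__":
    # Constructed sample names, not real people.
    for pattern, addrs in candidates("Anna-Lena Schmidt", "@example.com").items():
        print(f"{pattern:16} {addrs}")
    print(collect_patterns(["Jörg Müller", "René Groß"], "example.com")["emails"])
```

Note that only the first and last word of the name are used; people listed with academic titles or a middle name on XING/LinkedIn will need the name trimmed first, or the title ends up as the "first name".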


Menu 2 - Subdomain Enumeration

Option 1):

Uses AORT for subdomain enumeration plus active checks (WAF detection, zone transfer, etc.).

Results are saved under subdomains/domains.txt.

If you find any API keys (a Google Maps key, for example), KeyHacks documents how to check what each kind of key is valid for.

Option 2):

Runs a combination of the most commonly used subdomain enumeration tools. This option does enumeration only, no active checks.

Results are saved under subdomains/domains.txt.

The results are then probed with httpx on ports 80, 443, 8080, 8000 and 8443, and the live hosts are saved under subdomains/live_domains.txt.

Option 3):

Coming soon. Hopefully.

Option 4):

Enumerates your target with waybackurls and gau to collect endpoints from the past.

They are saved separately under subdomains/old_domains.txt.
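The merge step between the enumeration tools of Option 2 and httpx, and the extraction of hostnames from the historical URLs of Option 4, as one added example (not WebPwn's own code): lines from several tools are normalised to bare hostnames, de-duplicated and filtered to the target's root domains before being written to a domains.txt-style list. The tool names used as dictionary keys and all the hostnames are constructed sample input.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Added example, not WebPwn's own code. Normalises and scope-filters the raw
# output of several subdomain tools (and URLs from waybackurls/gau) into one
# list, the step that happens before the list is handed to httpx.

HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def to_hostname(line: str) -> Optional[str]:
    """Turn one line of tool output into a bare lower-case hostname, or None.
    Accepts 'sub.example.com', '*.sub.example.com', 'https://sub.example.com/x'
    and 'sub.example.com:8443'; rejects anything that is not a valid DNS name."""
    line = line.strip().lower()
    if not line or line.startswith("#"):
        return None
    if "://" in line:
        line = urlsplit(line).hostname or ""   # URL from waybackurls/gau: keep the host only
    line = line.split("/", 1)[0]               # path given without a scheme
    line = line.split(":", 1)[0]               # explicit port
    line = line.lstrip("*.").rstrip(".")       # wildcard records and FQDN trailing dot
    return line if HOST_RE.match(line) else None


def in_scope(host: str, roots: list[str]) -> bool:
    """True if host is one of the root domains or a subdomain of one.
    A plain suffix match is not enough: 'notexample.com' must not match 'example.com'."""
    return any(host == r or host.endswith("." + r) for r in roots)


def merge(outputs: dict[str, list[str]], roots: list[str]) -> list[str]:
    """Merge per-tool output into one sorted, unique, in-scope hostname list."""
    roots = [r.lower().strip(".") for r in roots]
    found: set[str] = set()
    for _tool, lines in outputs.items():
        for line in lines:
            host = to_hostname(line)
            if host and in_scope(host, roots):
                found.add(host)
    return sorted(found, key=lambda h: (h.count("."), h))


# Constructed sample input: what three enumeration tools and a gau run might print.
SAMPLE_OUTPUTS = {
    "subfinder": ["www.example.com", "api.example.com", "API.example.com"],
    "amass": ["*.dev.example.com", "mail.example.com.", "notexample.com"],
    "crtsh": ["Example.com", "vpn.example.com:8443", "bad_host.example.com"],
    "gau": [
        "https://old.example.com/login.php?next=/",
        "http://staging.example.com:8080/api/v1/users",
        "https://cdn.thirdparty.net/lib.js",
    ],
}

if __name__ == "__main__":
    for host in merge(SAMPLE_OUTPUTS, ["example.com"]):
        print(host)
```

The merged list is what gets probed next; on the command line the equivalent of the tool's httpx step is httpx -l subdomains/domains.txt -ports 80,443,8080,8000,8443 -o subdomains/live_domains.txt. Hostnames pulled out of old URLs are worth keeping even when they no longer resolve: they often come back as new infrastructure under the same name.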

Menu 3 - Enumerate NTLM endpoints with NTLMRecon

Checks common NTLM endpoints that can be used for password spraying. You can use the previously created domains.txt, specify your own IP address, domain or a full range, or skip it. This is basically just NTLMRecon wrapped, since I use it regularly.
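What an NTLM endpoint check actually does, as an added example (not WebPwn's or NTLMRecon's code): the probe sends a Type 1 negotiate message in an Authorization header and, if the server answers 401 with WWW-Authenticate: NTLM and a base64 Type 2 challenge, decodes that challenge to read the internal NetBIOS/DNS domain and host names and the OS version it carries. No network calls are made here; the challenge is constructed locally in the same layout a server would send, and the path list is a typical set of Exchange/ADFS endpoints assumed for illustration, not the tool's list.

```python
import base64
import struct
from typing import Optional

# Added example, not WebPwn's or NTLMRecon's code. Builds the Type 1 probe
# header and parses a Type 2 challenge (constructed below as sample input).

# Assumed list of paths that commonly answer with NTLM; not NTLMRecon's own list.
COMMON_NTLM_PATHS = ["/ews/", "/autodiscover/autodiscover.xml", "/owa/", "/rpc/",
                     "/mapi/", "/ecp/", "/adfs/ls/"]

AV_IDS = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
          4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_VERSION = 0x02000000


def negotiate_header() -> str:
    """Authorization value with a minimal Type 1 message:
    flags UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN|NTLM2, empty domain and workstation."""
    msg = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
    return "NTLM " + base64.b64encode(msg).decode()


def endpoint_supports_ntlm(status: int, headers: dict) -> bool:
    """The reply to the probe must be 401 with an NTLM (or Negotiate) challenge."""
    values = headers.get("WWW-Authenticate", "")
    if isinstance(values, str):
        values = [values]
    return status == 401 and any(v.strip().upper().startswith(("NTLM", "NEGOTIATE")) for v in values)


def parse_challenge(www_authenticate: str) -> Optional[dict]:
    """Decode 'NTLM <base64 Type 2>' into target name, flags, OS version and the
    TargetInfo AV pairs; None if the header is not an NTLM challenge."""
    scheme, _, b64 = www_authenticate.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not b64:
        return None
    try:
        msg = base64.b64decode(b64)
    except ValueError:
        return None
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        return None
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le", "replace"), "flags": flags}
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)  # Version field
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, min(ti_off + ti_len, len(msg))
    while pos + 4 <= end:                                     # AV_PAIR list: id, len, value
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                                        # MsvAvEOL
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = value.decode("utf-16-le", "replace")
    return info


def build_challenge(fields: dict, challenge: bytes = b"\x11" * 8) -> str:
    """Constructed Type 2 message in the layout a server sends (sample input only)."""
    target_info = b""
    for av_id, name in AV_IDS.items():
        if name in fields:
            value = fields[name].encode("utf-16-le")
            target_info += struct.pack("<HH", av_id, len(value)) + value
    target_info += struct.pack("<HH", 0, 0)
    target_name = fields.get("netbios_domain", "").encode("utf-16-le")
    flags = 0x00810205 | NEGOTIATE_VERSION  # UNICODE|REQUEST_TARGET|NTLM|TARGET_TYPE_DOMAIN|TARGET_INFO|VERSION
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), 56)   # payload starts after 56-byte header
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8            # ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
    msg += struct.pack("<BBHBBBB", 10, 0, 19041, 0, 0, 0, 0x0F)          # Windows 10.0.19041, NTLMSSP rev 15
    return "NTLM " + base64.b64encode(msg + target_name + target_info).decode()


if __name__ == "__main__":
    # Request shape: GET <path> with "Authorization: " + negotiate_header().
    # Simulated 401 reply with a constructed challenge for a fictional domain.
    reply = {"WWW-Authenticate": build_challenge({
        "netbios_domain": "CORP", "netbios_computer": "EXCH01",
        "dns_domain": "corp.example.com", "dns_computer": "exch01.corp.example.com"})}
    if endpoint_supports_ntlm(401, reply):
        print(parse_challenge(reply["WWW-Authenticate"]))
```

The leaked NetBIOS domain is what you need for the DOMAIN\user format when spraying, and the DNS computer name often reveals the internal naming scheme; note that a 401 with only Basic or Bearer is not an NTLM endpoint even if the path matches.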


Menu 4 - SQL Mass Injection

When you really want to test every parameter for SQL injection, some "mass" scanning is useful. This is basically sqlmap with the ability to pass custom flags. After browsing a web application for a while you will have a large Burp history. Open it, select "Show only in scope", mark all requests and save them as an XML file. Then hand this file to the tool and it scans through everything.

I usually add --tamper=space2comment,between as an extra flag. This can take a while; let it run in the background and enjoy your SQL injections once identified.
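The preprocessing a mass sqlmap run over a Burp export needs, as an added example (not WebPwn's own code): the Burp "Save items" XML is parsed, each base64 request is decoded, requests without parameters are dropped, requests that hit the same endpoint with the same parameter names are collapsed to one, and one sqlmap -r command with the extra flags is built per remaining request. The XML below is constructed sample data in Burp's export layout; --batch is added alongside the tamper flag so sqlmap never blocks on a prompt.

```python
import base64
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Added example, not WebPwn's own code. Turns a Burp XML export into a
# de-duplicated set of raw request files plus one sqlmap command each.

EXTRA_FLAGS = ["--batch", "--tamper=space2comment,between"]


def parse_burp_xml(xml_text: str) -> list[dict]:
    """Return [{method, url, raw}] for each <item> (Burp stores requests base64-encoded)."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        req = item.find("request")
        if req is None or req.text is None:
            continue
        raw = base64.b64decode(req.text) if req.get("base64") == "true" else req.text.encode()
        items.append({"method": item.findtext("method", ""), "url": item.findtext("url", ""), "raw": raw})
    return items


def param_names(req: dict) -> tuple[str, ...]:
    """Query parameter names plus, for form-encoded bodies, body parameter names."""
    names = {k for k, _ in parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)}
    head, _, body = req["raw"].partition(b"\r\n\r\n")
    if b"application/x-www-form-urlencoded" in head.lower() and body:
        names |= {k for k, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True)}
    return tuple(sorted(names))


def select_targets(items: list[dict]) -> list[dict]:
    """Drop parameterless requests; keep the first request per (method, path, parameter names),
    so the same search form captured 200 times is tested once."""
    chosen: dict[tuple, dict] = {}
    for req in items:
        names = param_names(req)
        if not names:
            continue
        key = (req["method"].upper(), urlsplit(req["url"]).path, names)
        chosen.setdefault(key, {**req, "params": names})
    return list(chosen.values())


def sqlmap_commands(targets: list[dict], outdir: str = "sqlmap_reqs",
                    extra: list[str] = EXTRA_FLAGS) -> list[tuple[str, bytes, str]]:
    """For each target: (request file name, file content, sqlmap command line).
    -r replays the raw request, so cookies and headers are tested exactly as captured."""
    out = []
    for i, req in enumerate(targets):
        fname = f"{outdir}/req_{i:03d}.txt"
        cmd = " ".join(["sqlmap", "-r", shlex.quote(fname), *extra])
        out.append((fname, req["raw"], cmd))
    return out


def _item(method: str, url: str, raw: bytes) -> str:
    """One <item> in Burp's export layout (constructed sample data)."""
    u = urlsplit(url)
    return (f"<item><url><![CDATA[{url}]]></url><host>{u.hostname}</host><method>{method}</method>"
            f"<path><![CDATA[{u.path}]]></path>"
            f"<request base64=\"true\">{base64.b64encode(raw).decode()}</request></item>")


SAMPLE_XML = "<items>" + _item(
    "GET", "https://app.example.com/search?q=test&page=1",
    b"GET /search?q=test&page=1 HTTP/1.1\r\nHost: app.example.com\r\nCookie: sid=abc\r\n\r\n") + _item(
    "GET", "https://app.example.com/search?q=other&page=2",
    b"GET /search?q=other&page=2 HTTP/1.1\r\nHost: app.example.com\r\nCookie: sid=abc\r\n\r\n") + _item(
    "POST", "https://app.example.com/login",
    b"POST /login HTTP/1.1\r\nHost: app.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n\r\nuser=admin&pass=secret123") + _item(
    "GET", "https://app.example.com/static/app.js",
    b"GET /static/app.js HTTP/1.1\r\nHost: app.example.com\r\n\r\n") + "</items>"

if __name__ == "__main__":
    import os
    for fname, raw, cmd in sqlmap_commands(select_targets(parse_burp_xml(SAMPLE_XML))):
        os.makedirs(os.path.dirname(fname), exist_ok=True)
        with open(fname, "wb") as fh:
            fh.write(raw)
        print(cmd)
```

JSON bodies are not split into parameters here, so a JSON API call is kept only if its URL has a query string; sqlmap itself does inject into JSON bodies when given the raw request, so widen param_names if your target is API-heavy.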

Note

This tool is still in development and will probably be advanced further. If you have any feedback or run into issues while using it, please let me know so I can adjust it. I initially built it for myself to make using a lot of tools easier.

Credits

Google Dorking tools:

Recon (email gathering) tools being used:

Subdomain Enumeration tools:

Back to the future enumeration tools:

Check if domains are alive:

NTLM recon tool:
