Date: 2017-06-05

Pentesting framework powered by Node.js. Focused on VoIP.

DISCLAIMER: Pointing this tool at other people's servers is NOT legal in most countries.

Auto VoIP/UC penetration test

Report generation

Performance

RFC compliant

SIP TLS and IPv6 support

SIP over websockets (and WSS) support (RFC 7118)

SHODAN, exploitsearch.net and Google Dorks

SIP common security tools (scan, extension/password bruteforce, etc.)

Authentication and extension brute-forcing through different types of SIP requests

SIP Torture (RFC 4475) partial support

SIP SQLi check

SIP denial of service (DoS) testing

Web management panels discovery

DNS brute-force, zone transfer, etc.

Other common protocols brute-force: Asterisk AMI, MySQL, MongoDB, SSH, (S)FTP, HTTP(S), TFTP, LDAP, SNMP

Some common network tools: whois, ping (also TCP), traceroute, etc.

Asterisk AMI post-exploitation

Dumb fuzzing

Automatic exploit searching (Exploit DB, PacketStorm, Metasploit)

Automatic vulnerability searching (CVE, OSVDB, NVD)

Geolocation

Command completion

Cross-platform support

Install

npm i -g bluebox-ng

Kali GNU/Linux

curl -sL https://raw.githubusercontent.com/jesusprubio/bluebox-ng/master/artifacts/installScripts/kali2.sh | sudo bash -

Use

Console

To start the console client.

bluebox-ng

Programmatically

To run it from other Node code.

const Bluebox = require('bluebox-ng');
const box = new Bluebox();
box.run('gather/network/geo', { rhost: '8.8.8.8' })
  .then(res => {
    console.log('Result:');
    console.log(res);
  })
  .catch(err => {
    console.log('Error:');
    console.log(err);
  });

Developer guide

Use GitHub pull requests.

Environment

Get a copy of the code and install the dependencies.

git clone https://github.com/jesusprubio/bluebox-ng
cd bluebox-ng
npm i

Debug

We use the visionmedia debug module, so you have to set this environment variable:

DEBUG=bluebox-ng* npm start

New modules

You can add your own features to this environment by following these tips:

Add a new file inside /modules and it should appear in the pentesting environment.

Use the most similar among the existing ones as boilerplate.

Tests

We still don't have a proper Docker setup, so for now the tests have to be run locally. Please check their code before running them; they often need a valid target service.

./node_modules/.bin/tap test/wifi
node test/wifi/*
./node_modules/.bin/tap test/wifi/scanAps.js
node test/wifi/scanAps.js

Conventions

We use ESLint and Airbnb style guide.

Please run this to be sure your code fits with it and the tests keep passing:

npm run posttest

Commit message rules

It should be formed by a one-line subject, followed by one line of white space, followed by one or more descriptive paragraphs, each separated by one line of white space. All of them should end with a dot.

If it fixes an issue, it should include a reference to the issue ID in the first line of the commit.

It should provide enough information for a reviewer to understand the changes and their relation to the rest of the code.

Contributors

Thanks to