.TH POCSUITE "1" "July 2022" "Manual page for pocsuite"
.\"
.\" July 6, 2022
.\" Man page author:
.\" Tian Qiao
.\"
.SH NAME
.I pocsuite3
\- open-sourced remote vulnerability testing framework.
.SH Legal Disclaimer
Usage of pocsuite3 for attacking targets without prior mutual consent is illegal. pocsuite3 is for security testing purposes only.
.SH SYNOPSIS
.B pocsuite \-h[elp]
.br
.B pocsuite [options]
.br
.SH DESCRIPTION
.I pocsuite3
is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team. It comes with a powerful proof-of-concept engine and many nice features for the ultimate penetration testers and security researchers.
.SH OPTIONS
.SS "optional arguments:"
.TP
\fB\-h\fR, \fB\-\-help\fR
Show this help message and exit
.TP
\fB\-\-version\fR
Show program's version number and exit
.TP
\fB\-\-update\fR
Update Pocsuite3
.TP
\fB\-n\fR, \fB\-\-new\fR
Create a PoC template
.TP
\fB\-v\fR {0,1,2,3,4,5,6}
Verbosity level: 0\-6 (default 1)
.SS "Target:"
.IP
At least one of these options has to be provided to define the target(s)
.TP
\fB\-u\fR URL [URL ...], \fB\-\-url\fR URL [URL ...]
Target URL/CIDR (e.g. "http://www.site.com/vuln.php?id=1")
.TP
\fB\-f\fR URL_FILE, \fB\-\-file\fR URL_FILE
Scan multiple targets given in a textual file (one per line)
.TP
\fB\-p\fR PORTS, \fB\-\-ports\fR PORTS
Add additional ports to each target (e.g. 8080,8443)
.TP
\fB\-r\fR POC [POC ...]
Load PoC file from the local disk or remotely from the Seebug website
.TP
\fB\-k\fR POC_KEYWORD
Filter PoC by keyword, e.g. ecshop
.TP
\fB\-c\fR CONFIGFILE
Load options from a configuration INI file
.SS "Mode:"
.IP
Pocsuite running mode options
.TP
\fB\-\-verify\fR
Run poc in verify mode
.TP
\fB\-\-attack\fR
Run poc in attack mode
.TP
\fB\-\-shell\fR
Run poc in shell mode
.SS "Request:"
.IP
Network request options
.TP
\fB\-\-cookie\fR COOKIE
HTTP Cookie header value
.TP
\fB\-\-host\fR HOST
HTTP Host header value
.TP
\fB\-\-referer\fR REFERER
HTTP Referer header value
.TP
\fB\-\-user\-agent\fR AGENT
HTTP User\-Agent header value (default random)
.TP
\fB\-\-proxy\fR PROXY
Use a proxy to connect to the target URL (protocol://host:port)
.TP
\fB\-\-proxy\-cred\fR PROXY_CRED
Proxy authentication credentials (name:password)
.TP
\fB\-\-timeout\fR TIMEOUT
Seconds to wait before the connection times out (default 10)
.TP
\fB\-\-retry\fR RETRY
Number of retries after a timeout (default 0)
.TP
\fB\-\-delay\fR DELAY
Delay between two requests of one thread
.TP
\fB\-\-headers\fR HEADERS
Extra headers (e.g. "key1: value1\enkey2: value2")
.SS "Account:"
.IP
Account options
.TP
\fB\-\-ceye\-token\fR CEYE_TOKEN
CEye token
.TP
\fB\-\-oob\-server\fR OOB_SERVER
Interactsh server to use (default "interact.sh")
.TP
\fB\-\-oob\-token\fR OOB_TOKEN
Authentication token to connect to a protected interactsh server
.TP
\fB\-\-seebug\-token\fR SEEBUG_TOKEN
Seebug token
.TP
\fB\-\-zoomeye\-token\fR ZOOMEYE_TOKEN
ZoomEye token
.TP
\fB\-\-shodan\-token\fR SHODAN_TOKEN
Shodan token
.TP
\fB\-\-fofa\-user\fR FOFA_USER
Fofa user
.TP
\fB\-\-fofa\-token\fR FOFA_TOKEN
Fofa token
.TP
\fB\-\-quake\-token\fR QUAKE_TOKEN
Quake token
.TP
\fB\-\-hunter\-token\fR HUNTER_TOKEN
Hunter token
.TP
\fB\-\-censys\-uid\fR CENSYS_UID
Censys uid
.TP
\fB\-\-censys\-secret\fR CENSYS_SECRET
Censys secret
.SS "Modules:"
.IP
Modules options
.TP
\fB\-\-dork\fR DORK
ZoomEye dork used for search
.TP
\fB\-\-dork\-zoomeye\fR DORK_ZOOMEYE
ZoomEye dork used for search
.TP
\fB\-\-dork\-shodan\fR DORK_SHODAN
Shodan dork used for search
.TP
\fB\-\-dork\-fofa\fR DORK_FOFA
Fofa dork used for search
.TP
\fB\-\-dork\-quake\fR DORK_QUAKE
Quake dork used for search
.TP
\fB\-\-dork\-hunter\fR DORK_HUNTER
Hunter dork used for search
.TP
\fB\-\-dork\-censys\fR DORK_CENSYS
Censys dork used for search
.TP
\fB\-\-max\-page\fR MAX_PAGE
Max page used in search API
.TP
\fB\-\-search\-type\fR SEARCH_TYPE
Search type used in search API: web or host
.TP
\fB\-\-vul\-keyword\fR VUL_KEYWORD
Seebug keyword used for search
.TP
\fB\-\-ssv\-id\fR SSVID
Seebug SSVID number for target PoC
.TP
\fB\-\-lhost\fR CONNECT_BACK_HOST
Connect back host for target PoC in shell mode
.TP
\fB\-\-lport\fR CONNECT_BACK_PORT
Connect back port for target PoC in shell mode
.TP
\fB\-\-tls\fR
Enable TLS listener in shell mode
.TP
\fB\-\-comparison\fR
Compare popular web search engines
.TP
\fB\-\-dork\-b64\fR
Whether dork is in base64 format
.SS "Optimization:"
.IP
Optimization options
.TP
\fB\-o\fR OUTPUT_PATH, \fB\-\-output\fR OUTPUT_PATH
Output file to write (JSON Lines format)
.TP
\fB\-\-plugins\fR PLUGINS
Load plugins to execute
.TP
\fB\-\-pocs\-path\fR POCS_PATH
User defined poc scripts path
.TP
\fB\-\-threads\fR THREADS
Max number of concurrent network requests (default 150)
.TP
\fB\-\-batch\fR BATCH
Automatically choose the default choice without asking
.TP
\fB\-\-requires\fR
Check install_requires
.TP
\fB\-\-quiet\fR
Activate quiet mode, working without logger
.TP
\fB\-\-ppt\fR
Hide sensitive information when publishing to the network
.TP
\fB\-\-pcap\fR
Use scapy to capture traffic
.TP
\fB\-\-rule\fR
Export rules; by default, export both request and response
.TP
\fB\-\-rule\-req\fR
Only export the request rule
.TP
\fB\-\-rule\-filename\fR RULE_FILENAME
Specify the name of the export rule file
.SS "Poc options:"
.IP
Definition options for PoC
.TP
\fB\-\-options\fR
Show all definition options
.SH EXAMPLES
.PP
.br
Run poc in verify mode; the poc will only be used for vulnerability scanning.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --verify\fR
.PP
.br
Run poc in attack mode; it may allow hackers/researchers to break into labs.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --attack\fR
.PP
.br
Run poc in shell mode; if executed successfully, pocsuite will drop into an interactive shell.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --shell\fR
.PP
.br
Use multiple threads; the default number of threads is 150.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --verify --threads 20\fR
.PP
.br
Scan multiple targets given in a textual file.
.PP
.br
\fI% pocsuite -r poc_example.py -f url.txt --verify\fR
.PP
.br
.SH "SEE ALSO"
The full documentation for
.B pocsuite3
is maintained at:
.br
.I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
.PP
.SH VERSION
This manual page documents pocsuite3 version 1.9.6
.SH AUTHOR
.br
(c) 2014-2022 by Knownsec 404 Team
.br
<404-team@knownsec.com>
.LP
This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2 with the clarifications and exceptions described below. This guarantees your right to use, modify, and redistribute this software under certain conditions. If you wish to embed pocsuite3 technology into proprietary software, we sell alternative licenses (contact 404-team@knownsec.com).
.PP
Manual page started by Tian Qiao
.PP