crimson v3.0 releases: automates some of the Pentester or Bug Bounty Hunter tasks

Bug Bounty Hunter tasks

Crimson

Crimson is a tool that automates some of the Pentester or Bug Bounty Hunter tasks.
It uses many open source tools, most of them are available for download from github.Bug Bounty Hunter tasks

It consists of three partially interdependent modules:

  • crimson_recon – automates the process of domain reconnaissance.
  • crimson_target – automates the process of urls reconnaissance.
  • crimson_exploit – automates the process of bug founding.

🔻crimson_recon

This module can help you if you have to test big infrastructure or you are trying to earn some bounties in *.scope.com domain. It includes many web scraping and bruteforcing tools.

🔻crimson_target

This module covers one particular domain chosen by you for testing.
It uses a lot of vulnerability scanners, web scrapers and bruteforcing tools.

🔻crimson_exploit

This module uses a number of tools to automate the search for certain bugs in a list of urls.

Changelog v3.0

MAJOR CHANGES

  • Changed operation system from UBUNTU to Kali
  • Changed .bashrc aliases.
  • All modules were rebuilt.
  • Added new module crimson_IPcon – for IP-only assessment.
  • Active Directory enumeration & vulnerability scanning was added in crimson_IPcon.
  • No more port scanning on crimson_recon and crimson_target. If you need this functionality, use crimson_IPcon.
  • No more Python 2.7 code ( there are still some scripts in the /scripts/ directory, but the modules do not use them. I decided to leave them there, so I can rewrite the code if needed to python3 or GO in the future)
  • testssl, wpscan and jwt_tool transferred from crimson_exploit to crimson_target
  • testssl transferred from crimson_exploirt to crimson_target
  • crimson_exploit does not need domain anymore, just the params.txt | all.txt | dirs.txt files
  • Added sstimap.py to the SSTI testing in the crimson_exploit module
  • It is possible now to use the crimson_exploit module without a domain name. Just place the dirs.txt and params.txt in the current directory and run the script.

MINOR CHANGES

  • crimson_faker.py script => Template for generating fake data for API testing.
  • crimson_target – dig_for_secret functions were moved out. It will be a part of the 5th module for the static code analysis in the next patch.
  • New for flag crimson_target -n to skip brute-forcing directories.
  • All banners were removed from modules
  • Nuclei run with headless mode
  • You can use c_0, c_1, c_2, and c_3 aliases instead of crimson_MODULE-NAME
  • Removed some static_code analysis functions from modules and placed them in the future c_4 module named crimson_lang.

Install & Use

Copyright (C) 2021 Karmaz95