NAME

pocsuite3 - open-sourced remote vulnerability testing framework.

Legal Disclaimer

Usage of pocsuite3 for attacking targets without prior mutual consent is illegal. pocsuite3 is for security testing purposes only.

SYNOPSIS

pocsuite -h[elp]
pocsuite [options]

DESCRIPTION

pocsuite3 is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team. It comes with a powerful proof-of-concept engine, many nice features for the ultimate penetration testers and security researchers.

OPTIONS

optional arguments:

-h, --help: show this help message and exit
--version: Show program's version number and exit
--update: Update Pocsuite3
-n, --new: Create a PoC template
-v {0,1,2,3,4,5,6}: Verbosity level: 0-6 (default 1)

Target:

: At least one of these options has to be provided to define the target(s)

-u URL [URL ...], --url URL [URL ...]: Target URL/CIDR (e.g. "http://www.site.com/vuln.php?id=1")
-f URL_FILE, --file URL_FILE: Scan multiple targets given in a textual file (one per line)
-p PORTS, --ports PORTS: add additional port to each target (e.g. 8080,8443)
-r POC [POC ...]: Load POC file from local or remote from seebug website
-k POC_KEYWORD: Filter PoC by keyword, e.g. ecshop
-c CONFIGFILE: Load options from a configuration INI file

Mode:

: Pocsuite running mode options

--verify: Run poc with verify mode
--attack: Run poc with attack mode
--shell: Run poc with shell mode

Request:

: Network request options

--cookie COOKIE: HTTP Cookie header value
--host HOST: HTTP Host header value
--referer REFERER: HTTP Referer header value
--user-agent AGENT: HTTP User-Agent header value (default random)
--proxy PROXY: Use a proxy to connect to the target URL (protocol://host:port)
--proxy-cred PROXY_CRED: Proxy authentication credentials (name:password)
--timeout TIMEOUT: Seconds to wait before timeout connection (default 10)
--retry RETRY: Time out retrials times (default 0)
--delay DELAY: Delay between two request of one thread
--headers HEADERS: Extra headers (e.g. "key1: value1\nkey2: value2")

Account:

: Account options

--ceye-token CEYE_TOKEN: CEye token
--oob-server OOB_SERVER: Interactsh server to use (default "interact.sh")
--oob-token OOB_TOKEN: Authentication token to connect protected interactsh server
--seebug-token SEEBUG_TOKEN: Seebug token
--zoomeye-token ZOOMEYE_TOKEN: ZoomEye token
--shodan-token SHODAN_TOKEN: Shodan token
--fofa-user FOFA_USER: fofa user
--fofa-token FOFA_TOKEN: fofa token
--quake-token QUAKE_TOKEN: quake token
--hunter-token HUNTER_TOKEN: hunter token
--censys-uid CENSYS_UID: Censys uid
--censys-secret CENSYS_SECRET: Censys secret

Modules:

: Modules options

--dork DORK: Zoomeye dork used for search
--dork-zoomeye DORK_ZOOMEYE: Zoomeye dork used for search
--dork-shodan DORK_SHODAN: Shodan dork used for search
--dork-fofa DORK_FOFA: Fofa dork used for search
--dork-quake DORK_QUAKE: Quake dork used for search
--dork-hunter DORK_HUNTER: Hunter dork used for search
--dork-censys DORK_CENSYS: Censys dork used for search
--max-page MAX_PAGE: Max page used in search API
--search-type SEARCH_TYPE: search type used in search API, web or host
--vul-keyword VUL_KEYWORD: Seebug keyword used for search
--ssv-id SSVID: Seebug SSVID number for target PoC
--lhost CONNECT_BACK_HOST: Connect back host for target PoC in shell mode
--lport CONNECT_BACK_PORT: Connect back port for target PoC in shell mode
--tls: Enable TLS listener in shell mode
--comparison: Compare popular web search engines
--dork-b64: Whether dork is in base64 format

Optimization:

: Optimization options

-o OUTPUT_PATH, --output OUTPUT_PATH: Output file to write (JSON Lines format)
--plugins PLUGINS: Load plugins to execute
--pocs-path POCS_PATH: User defined poc scripts path
--threads THREADS: Max number of concurrent network requests (default 150)
--batch BATCH: Automatically choose defalut choice without asking
--requires: Check install_requires
--quiet: Activate quiet mode, working without logger
--ppt: Hiden sensitive information when published to the network
--pcap: use scapy capture flow
--rule: export rules, default export request and response
--rule-req: only export request rule
--rule-filename RULE_FILENAME: Specify the name of the export rule file

Poc options:

: definition options for PoC

--options: Show all definition options

EXAMPLES

Run poc with verify mode, poc will be only used for vulnerability scanning.

% pocsuite -r poc_example.py -u http://example.com/ --verify

Run poc with attack mode, and it may allow hackers/researchers break into labs.

% pocsuite -r poc_example.py -u http://example.com/ --attack

Run poc with shell mode, if executed successfully, pocsuite will drop into interactive shell.

% pocsuite -r poc_example.py -u http://example.com/ --shell

Using multiple threads, the default number of threads is 150.

% pocsuite -r poc_example.py -u http://example.com/ --verify --threads 20

Scan multiple targets given in a textual file.

% pocsuite -r poc_example.py -f url.txt --verify

VERSION

This manual page documents pocsuite3 version 1.9.6

AUTHOR

This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2 with the clarifications and exceptions described below. This guarantees your right to use, modify, and redistribute this software under certain conditions. If you wish to embed pocsuite3 technology into proprietary software, we sell alternative licenses (contact 404-team@knownsec.com).

Manual page started by Tian Qiao <abcnsxyz@gmail.com>

July 2022

Manual page for pocsuite