- Passive:
  - Collecting subdomains (without brute forcing)
  - Whois database check
  - Zone transfer
  - DNS records check
  - Reverse DNS lookup
  - IP address range
  - Regex to Google Dork
- Active:
  - Collecting subdomains (with brute forcing)
  - All the passive checks
  - Cloud enumeration
- TODO:
  - Web crawling
  - Headers check
  - Taking screenshots
- APK:
  - Collecting URLs
  - Root detection check
  - SDK version check
  - Decompiling APK to smali and Java
  - Extracting sensitive information like API keys, passwords, etc.
  - Debuggable mode check
  - Checking permissions
  - Checking activities (and exported activities)
  - Check if backup is allowed
  - Collecting strings.xml files
CMD:

```bash
git clone https://github.com/maliktawfiq/ExtPenPy.git
cd ExtPenPy
pip install -r requierments.txt
sudo apt install apktool
python3 ExtPen.py -h
```
Docker:

```bash
git clone https://github.com/maliktawfiq/ExtPenPy.git
cd ExtPenPy
docker build -t extpenpy .
docker run -it -v $PWD:/app extpenpy -h
```
- Passive:

```bash
python3 ExtPen.py -h
python3 ExtPen.py passive -d uber.com
```

`-p` or `--pip` pipes the subdomain output to a file, another tool, etc., as shown below:

```bash
python3 ExtPen.py passive -d <domain> -p | httpx -sc -fr -silent
```

You can add `--csv` to save the subdomains to a CSV file:

```bash
python3 ExtPen.py passive -d uber.com --csv ./subdomains
```
- Active:

Docker:

```bash
docker run -it -v $PWD:/app extpenpy active -h
```

CMD:

```bash
python3 ExtPen.py active -h
python3 ExtPen.py active -d uber.com -w ./custemlist
```
- APK:

Docker:

```bash
docker run -it -v $PWD:/app extpenpy apk -h
```

CMD:

```bash
python3 ExtPen.py apk -h
```

After running the APK analysis, two directories are created:

- Javacode: contains the decompiled Java code
- apk_decomiled: holds the data before decompiling
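As an added example (not ExtPenPy's own code), the manifest-based checks listed under APK above (debuggable mode, backup allowed, SDK version, permissions, exported activities) can be audited from a decompiled AndroidManifest.xml like this; the manifest text used here is a constructed sample, and `audit_manifest` and `android_attr` are names chosen for this example.

```python
# Added example, not ExtPenPy's own code: audit a decompiled
# AndroidManifest.xml for the settings the APK checks above cover.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return None if elem is None else elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(xml_text):
    """Return security-relevant findings from a manifest XML string."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    min_sdk = android_attr(root.find("uses-sdk"), "minSdkVersion")
    findings = {
        "debuggable": android_attr(app, "debuggable") == "true",
        # allowBackup defaults to true when the attribute is missing
        "allow_backup": android_attr(app, "allowBackup") != "false",
        "min_sdk": int(min_sdk) if min_sdk else None,
        "permissions": [android_attr(p, "name")
                        for p in root.findall("uses-permission")],
        "exported_activities": [],
    }
    for act in app.findall("activity"):
        exported = android_attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        # With android:exported absent, an activity that declares an intent-filter
        # is exported by default (apps targeting API 31+ must set it explicitly).
        if exported == "true" or (exported is None and has_filter):
            findings["exported_activities"].append(android_attr(act, "name"))
    return findings

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""  # constructed sample manifest, not taken from any real app
```

Call `audit_manifest(open("AndroidManifest.xml").read())` on the manifest produced by the APK step to get the findings as a dict.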