Table of Contents:
- Tools Used by Vajra
- Selecting Types of Scan
- Scan Status
- Using Monitoring Service
- How Vajra Works (Module wise description)
Vajra is an automated web hacking framework that automates tedious recon tasks and runs the same scans against multiple targets during web application penetration testing. Vajra has a highly customizable, target-scope-based scan feature: instead of running every scan on a target, it runs only the scans you select, which minimizes unnecessary traffic, and it stores all output in one place, CouchDB.
Vajra uses the most common open source tools, the ones every bug hunter runs while testing a target. Everything is done through the web browser with a very simple UI, which makes it an absolutely beginner-friendly framework. Vajra is fully compatible with mobile devices, so you can do your recon from your phone as well.
Analyzing the data from scan results is very important in bug bounty. You are less likely to miss something only if you can visualize your data properly, and Vajra does so with a lot of filters.
I created this project for my personal use (about 6 months ago) but, looking at its usefulness, I decided to make it open-source so that it can save your time and get some more improvement from the community. I'm not a developer but I know how to automate my stuff, so my code may not be that clean.
Currently, I have added only 27 unique bug bounty features to it, but more will be added in the near future.
- Debian-based OS (currently tested on Ubuntu and Kali Linux)
- Minimum of 1.5 GB of RAM
- Recommended RAM is 3 GB
- Minimum storage of 12 GB
- A VPS is recommended
Tools Used by Vajra
Vajra uses only open source tools and custom scripts, with some tweaks, to complete its job. Its accuracy depends entirely on the tools listed below:
- Subdomain Enumeration: Subfinder, Amass and Assetfinder
- Resolve Subdomains: httpx
- Subdomain Takeover: Custom Tool
- Port Scan: Masscan
- URL with Parameters: ParamSpider
- CVE Scan: Nuclei
- Fuzzing: ffuf
- Extract Endpoints: gau
- Extract Endpoints with Extensions: gau with grapX
- Extract Secrets: Secret Finder
- Broken Links: blc
- Favicon Hash: FavFreak
- Github Dorks: GitDorker
- Templates Scan: Nuclei
- Custom Wordlist: gau with unfurl
- CORS: CORS Scanner and Corsy
- Hidden Endpoints from JS: Linkfinder
- CRLF Scan: CRLF Injection Scanner
- 403 Bypass: byp4xx
- Hidden Parameters: Arjun
- Subdomain Monitor: CertEagle
- To store result: CouchDB
To add a target, go to the home page, enter a domain name, select the Types of Scan and click Start Scanning. You can check your ongoing scans in the Ongoing Scan tab in the navigation bar.
The beauty of Vajra is that it is highly specific to the target and provides a wide range of options when selecting Scan Types.
If you want to perform any scan that involves subdomains, find the subdomains first, because those scans need the subdomain list to run.
Selecting Types of Scan
The UI of this framework is very simple. You only need to enter the target name and select the types of scan to start scanning.
How to use Monitoring Service
Note: Monitoring your target's assets may not be allowed in some programs. Read the program rules carefully before using this feature.
Click on Add to Scan and you will get a message if it was added successfully.
To verify this, or to check how many targets you are monitoring, click on Jsmon Status and you will see the names of your added targets.
Use Subdomain Monitor
Currently, you can only see how many subdomains you are monitoring through the web interface. To add a target name to monitor, you have to use the CLI.
Steps to use Subdomain Monitor
- SSH to your VPS.
- Navigate to the directory vajra/tools/CertEagle/
- Use any editor to open the domains.yml file, add your target name and save the file.
- Run the screen command to start monitoring in another screen: "screen -S certeagle"
- Run this command: "python3 certeagle.py", then press "Ctrl + A" followed by "D" to detach from the screen.
- For more detail on how to use CertEagle, click on this link.
How Vajra Works (Module wise description)
If you are using any open source tool or framework, it is very important to know how it works so that you can trust its features and make optimal use of it. With this in mind, I have explained how Vajra works.
Vajra uses Amass, AssetFinder and Subfinder to enumerate subdomains. After collecting subdomains from all sources, it resolves them with httpx to get the IPs, title and response code of each subdomain and saves them in the All Subdomains row in the database. It then separates the subdomains with 200 and 302 response codes into the Valid Subdomains row for further processing.
For subdomain takeover, Vajra filters all subdomains with a 404 response code using httpx and then checks their CNAME. If the target name does not appear in the CNAME, Vajra marks the subdomain as vulnerable to subdomain takeover. Subdomains that are not vulnerable are not shown in the database.
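The resolve-and-split step and the CNAME heuristic described above, as an added example that is not Vajra's own code: it parses constructed httpx-style JSON lines (the field names url, host, status_code, title, a and cname are assumptions; check them against the httpx version you run), splits hosts into the All Subdomains / Valid Subdomains sets by status code, and flags 404 hosts whose CNAME does not contain the target name as dangling-DNS candidates.

```python
import json
from urllib.parse import urlparse

# Constructed sample of httpx JSON-lines output. The field names are assumed
# (url, host, status_code, title, a = resolved IPs, cname); adjust the mapping
# in parse_httpx() if your httpx version names them differently.
SAMPLE_HTTPX_JSONL = """\
{"url":"https://www.example.com","host":"www.example.com","status_code":200,"title":"Example","a":["93.184.216.34"],"cname":[]}
{"url":"https://blog.example.com","host":"blog.example.com","status_code":302,"title":"","a":["93.184.216.35"],"cname":["www.example.com"]}
{"url":"https://old.example.com","host":"old.example.com","status_code":404,"title":"Not Found","a":["198.51.100.7"],"cname":["old-site.hosting-provider.invalid"]}
{"url":"https://shop.example.com","host":"shop.example.com","status_code":404,"title":"404","a":["198.51.100.8"],"cname":["shop.example.com.cdn.example.com"]}
{"url":"https://dev.example.com","host":"dev.example.com","status_code":500,"title":"Error","a":["198.51.100.9"],"cname":[]}
"""


def parse_httpx(jsonl):
    """Turn httpx JSON lines into flat records (host, url, status, title, IPs, CNAMEs)."""
    records = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        records.append({
            "host": rec.get("host") or urlparse(rec["url"]).hostname,
            "url": rec["url"],
            "status_code": int(rec.get("status_code", 0)),
            "title": rec.get("title", ""),
            "ips": rec.get("a", []),
            "cname": rec.get("cname", []),
        })
    return records


def split_valid(records, valid_codes=(200, 302)):
    """Mirror the All Subdomains row and the Valid Subdomains row (200/302 only)."""
    all_subs = [r["host"] for r in records]
    valid = [r["host"] for r in records if r["status_code"] in valid_codes]
    return all_subs, valid


def takeover_candidates(records, target):
    """Apply the heuristic from the text: a 404 host whose CNAME does not
    contain the target name is a candidate. This is a substring check and
    only a candidate list; each hit still needs manual confirmation."""
    candidates = []
    for r in records:
        if r["status_code"] != 404:
            continue
        for cname in r["cname"]:
            if target not in cname:
                candidates.append({"host": r["host"], "cname": cname})
    return candidates


if __name__ == "__main__":
    recs = parse_httpx(SAMPLE_HTTPX_JSONL)
    all_subs, valid = split_valid(recs)
    print("all:", all_subs)
    print("valid:", valid)
    print("takeover candidates:", takeover_candidates(recs, "example.com"))
```

Treat the candidate list as a hygiene finding, not a verdict: a CNAME pointing outside the target is also what a correctly provisioned CDN or SaaS host looks like, so a 404 plus an external CNAME only says "check whether this record is stale"; from the asset owner's side the fix is to remove or re-point the dangling DNS record.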
There are three options available for port scanning: fewer than 10,000 ports, fewer than 30,000 ports, or a full port scan. Masscan handles this task and runs with a rate of 1000 for port scanning.
For fuzzing, Vajra uses ffuf with 30 threads. There are 3 wordlist options available. One is a directory list of 87,000 entries taken from some good sources. Another is a critical-files list containing sensitive file names such as .bak, .git, etc. The last one is the custom wordlist, a target-specific wordlist which you need to generate first before you can use it.
Currently there is no web interface to upload another wordlist, but you can do so over SSH: replace the wordlist in the vajra/tools/wordlist directory with another one.
Vajra uses only gau to get all endpoints of a target. After collecting the endpoints, it separates them by extension (php, js, json, and so on) for easier analysis and saves them under Endpoints with Extensions.
FavFreak is used to get the favicon hash of the target. It only generates the favicon hash and does not identify the service behind it from that hash.
Vajra uses GitDorker to generate GitHub dorks, which saves a lot of time on GitHub recon. Vajra has a lot of filters for the generated dorks, for example filtering dorks by the maximum number of matches.
There is only one tool available for template scans, namely Nuclei, and it has a lot of potential. All the templates are available in vajra/tools/nuclei-templates.
To update the templates, go to vajra/tools/, remove the nuclei-templates directory and then git clone the latest nuclei templates into the same directory.
Custom Wordlist:
This generates a target-specific wordlist to find hidden directories or files. Vajra uses gau to get all URLs and unfurl to build a wordlist from them.
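Splitting endpoints by extension (the Endpoints with Extensions step above) and building an unfurl-style custom wordlist from the same URL list, as an added example rather than Vajra's own code. The URL list is constructed, and the tracked extension set and the wordlist rule (path segments, file names without their extension, and query parameter names) are my assumptions about what the text describes.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl
import posixpath

# Constructed sample of gau-style output for one target (not real data).
SAMPLE_URLS = [
    "https://www.example.com/",
    "https://www.example.com/index.php?id=5",
    "https://www.example.com/assets/app.min.js",
    "https://www.example.com/api/v1/users.json?page=2&sort=name",
    "https://www.example.com/backup/site.bak",
    "https://www.example.com/admin/",
    "https://www.example.com/index.php?id=7",
    "https://www.example.com/docs/guide.PDF",
]

# Assumed extension set; the page names php, js and json as examples.
TRACKED_EXTENSIONS = ("php", "js", "json", "bak", "pdf")


def extension_of(url):
    """Extension of the URL path, lower-cased, or None if the path has none.
    Only the path is inspected, so "?id=5" never ends up in the extension."""
    path = urlparse(url).path
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    return ext or None


def group_by_extension(urls, tracked=TRACKED_EXTENSIONS):
    """Bucket URLs by extension, keeping only the tracked ones, deduplicated and sorted."""
    groups = defaultdict(set)
    for url in urls:
        ext = extension_of(url)
        if ext in tracked:
            groups[ext].add(url)
    return {ext: sorted(members) for ext, members in groups.items()}


def wordlist_from_urls(urls):
    """unfurl-style wordlist: every path segment, each file name without its
    extension, and every query parameter name. Empty segments are skipped."""
    words = set()
    for url in urls:
        parts = urlparse(url)
        for segment in parts.path.split("/"):
            if not segment:
                continue
            words.add(segment)
            stem = posixpath.splitext(segment)[0]
            if stem:
                words.add(stem)
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            words.add(key)
    return sorted(words)


if __name__ == "__main__":
    for ext, members in group_by_extension(SAMPLE_URLS).items():
        print(ext, members)
    print("\n".join(wordlist_from_urls(SAMPLE_URLS)))
```

Two details matter for a clean wordlist: the extension is taken from the path only, so query strings cannot smuggle a fake extension into a bucket, and extensions are lower-cased so guide.PDF lands next to guide.pdf instead of being missed.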
To check for CORS vulnerabilities, Vajra uses two tools: Corsy and CORS Scanner. After getting the output from both, it stores the result in the database.
403 Bypass:
byp4xx is used for this service. You need to provide a URL; if the bypass succeeds, it alerts you with the output, otherwise it reports Bypass Failed.
Note: It takes 1–2 minutes to check for a bypass.
Find Hidden Parameters:
Arjun is used to find hidden parameters. You can also supply cookies to perform an authenticated brute force for parameters. It takes 3–4 minutes to complete; until then, do not move to another tab. After the scan runs, it shows the output in an alert.
Vajra is definitely worth a try. Make sure to star the project on GitHub!
I will be more than happy if you show some love for Vajra by making a small donation to support this project.
10% of all donations will go to Animal Aid Unlimited.
For any questions you can contact me on Twitter, Instagram or Discord!