Share
## https://sploitus.com/exploit?id=1BF859AD-03D6-5C0A-9CA7-8AEFD17122EE
# VOID
```
โโโ โโโ โโโโโโโ โโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโโ
โโโ โโโโโโ โโโโโโโโโ โโโ
โโโโ โโโโโโโ โโโโโโโโโ โโโ
โโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โโโโโ โโโโโโโ โโโโโโโโโโ
```
# โ ๏ธ DISCLAIMER
**This tool is for educational purposes and authorized security testing ONLY.**
The author (Elliot Jr / Bratyabasu07) is **not responsible** for any misuse or damage caused by this program.
Attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
**USE AT YOUR OWN RISK.**
---
**VOID โ APT-Style Reconnaissance Framework**
A modular offensive security framework with 35 plugins, 3,890+ payloads, active exploitation, and attack chain analysis. Built for Red Team operations.
---
## โ ๏ธ WARNING
**This tool performs REAL exploitation attacks.** Only use on systems you own or have explicit written authorization to test. Unauthorized use is illegal.
---
## Features
### ๐ Reconnaissance (7 plugins)
- DNS enumeration (A, AAAA, MX, NS, TXT, CNAME, SOA)
- Subdomain takeover detection via dangling CNAMEs
- File & directory discovery (80+ paths)
- API endpoint enumeration
- Log file analysis & credential extraction
- Active Directory recon (LDAP, Kerberoasting, AS-REP roast)
### ๐ท๏ธ Vulnerability Scanning (14 plugins)
- **XSS** โ Reflected, Stored, DOM-based, WAF bypass, polyglots
- **SQLi** โ Union, Error, Boolean, Time-based, OOB, WAF bypass
- **SSTI** โ Jinja2, Twig, Freemarker, Velocity, Mako, Smarty
- **XXE** โ File read, SSRF, OOB exfil, Billion laughs
- **SSRF** โ Internal service probing, cloud metadata access
- **LFI/RFI** โ Path traversal, log poisoning, wrapper RCE
- **RCE** โ Command injection, deserialization, file upload
- **CRLF** โ Header injection, HTTP response splitting
- **Open Redirect** โ Redirect chain with bypass techniques
- **Auth Bypass** โ JWT attacks, OAuth abuse, header injection
- **GraphQL** โ Introspection, batching, injection, DoS
- **Prototype Pollution** โ Client-side, Server-side, URL-based
- **HTTP Smuggling** โ CL.TE, TE.CL, TE.TE, H2C, H2
- **Deserialization** โ Java, PHP, Python pickle, .NET
### ๐ Active Exploitation (15 plugins)
**Full-auto (hit everything):**
- **exploit** โ Run ALL exploitation checks (RCE, LFI, SQLi, SSTI, upload)
- **auto_exploit** โ Auto-exploit discovered vulns, deploy shells, exfiltrate data
**Targeted (single attack):**
- **sqli_exploit** โ SQLi data extraction, DB fingerprint, table/cred dump, auth bypass, SQLiโRCE
- **xss_exploit** โ Cookie theft, session hijack, keylogger, phishing overlay, BeEF hook
- **rce_exploit** โ Command injection detection, system info, file read, reverse shells
- **lfi_exploit** โ File extraction, source code theft, PHP wrappers, log poison โ RCE
- **ssti_exploit** โ Engine fingerprinting (8 engines), sandbox escape, templateโRCE
- **upload_exploit** โ Webshell upload, extension bypass, content-type abuse, .htaccess trick
- **crlf_exploit** โ Header injection, response splitting, session fixation, cache poison
- **redirect_exploit** โ 12 bypass techniques, phishing, OAuth token theft, SSRF chain
- **auth_exploit** โ JWT alg:none forgery, default creds, header/path bypass, session manipulation
- **graphql_exploit** โ Schema dump, SQLi via args, batching abuse, DoS, field leak
- **proto_exploit** โ Client/server-side pollution, privilege escalation, Node.js RCE
- **smuggling_exploit** โ CL.TE, TE.CL, H2C detection, cache poison, request hijack payloads
- **deser_exploit** โ Java ysoserial, PHP phpggc, Python pickle, .NET ViewState, known CVEs
```bash
# Found a SQLi endpoint? Target it directly:
void -t "http://target.com/page.php?id=1" -p sqli_exploit -f
# Got XSS? Run XSS-specific exploitation:
void -t "http://target.com/search?q=test" -p xss_exploit -f
# Suspect file inclusion?
void -t "http://target.com/view?file=test" -p lfi_exploit -f
# Auth bypass on admin panel?
void -t "http://target.com/admin" -p auth_exploit -f
# GraphQL endpoint?
void -t "http://target.com/graphql" -p graphql_exploit -f
# Or run everything at once:
void -t target.com --exploit -f
```
Uses **3,890+ payloads** from 16 wordlists to find and exploit vulnerabilities.
### โ๏ธ Attack Chain Analysis
Automatically maps vulnerability escalation paths:
```
SSRF โ Internal Service โ RCE
SQLi โ LOAD_FILE โ File Read โ Credential Theft
LFI โ Log Poisoning โ RCE โ Shell
XSS โ Session Hijack โ Auth Bypass
XXE โ SSRF โ Cloud Metadata โ AWS Keys
```
### ๐ด Post-Exploitation (8 plugins)
- **Pass-the-Hash** โ SMB PtH, WMI execution, DCOM
- **Lateral Movement** โ SSH/SMB/WinRM spread
- **Privilege Escalation** โ SUID/sudo, kernel exploits, GTFOBins
- **Credential Harvesting** โ SAM, LSA secrets, LSASS, cached creds
- **Persistence** โ Registry, cron, scheduled tasks, services
- **Reverse Shells** โ AMSI/ETW bypass, LOLBins, encrypted payloads
- **Data Exfiltration** โ DNS tunneling, HTTPS, ICMP
- **C2 Server** โ Beacon management, task queuing, exfil
### ๐ฅท Stealth & Evasion
- User-Agent rotation
- Proxy chain support
- Timing jitter (or `--fast` to disable)
- EDR/AV evasion (AMSI bypass, ETW patching, unhooking)
- Silent mode
---
## Installation
```bash
git clone https://github.com/Bratyabasu07/VOID.git
cd VOID
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# For post-exploitation features
pip install impacket scapy paramiko
```
---
## Usage
### Scan Modes
```bash
# Quick recon (DNS, files, API, subdomains)
void -t target.com --quick
# Web vulnerability scan (XSS, SQLi, SSTI, XXE, SSRF)
void -t target.com --web
# Full vulnerability scan (all web vulns + LFI, RCE, CRLF, redirects)
void -t target.com --vuln
# ๐ FULL EXPLOITATION MODE (vuln scan + active exploitation)
void -t target.com --exploit -f
# Everything + attack chains
void -t target.com --exploit --chain -f
```
### Thorough Mode (All 3,890+ Payloads)
```bash
# Default: ~160 requests per plugin (fast)
void -t target.com --exploit -f
# Thorough: ALL payloads from wordlists (slow but comprehensive)
void -t target.com --exploit --thorough
```
| Mode | Payloads Used | Params Tested | Speed |
|------|--------------|---------------|-------|
| Fast (`-f`) | ~20/plugin | 8 | Quick |
| Default | ~50/plugin | 8 | Medium |
| **Thorough** | **ALL (3,890+)** | **20** | Slow |
### Specific Plugins
```bash
# Run specific plugin(s)
void -t target.com -p sqli -p xss
# Run all plugins
void -t target.com --all
# List available plugins
void --list
```
### Target a Specific URL
```bash
# Target a specific endpoint with known parameters
void -t "http://target.com/page.php?id=1" -p exploit -f
```
---
## Post-Exploitation
### Pass-the-Hash
```yaml
# config.yaml
pth:
username: Administrator
hash: "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
domain: CORP
```
```bash
void -t 192.168.1.100 -p pth
```
### Lateral Movement
```yaml
lateral:
username: root
password: "toor"
ssh_key: /path/to/id_rsa
```
```bash
void -t 192.168.1.0/24 -p lateral_movement
```
### Network Sniffing (requires root)
```bash
sudo void -t 192.168.1.0/24 -p network_sniff
```
### Privilege Escalation
```bash
void -t target.com -p privesc
```
---
## Payload Wordlists
16 wordlists with 3,890+ payloads:
| Wordlist | Payloads | Used By |
|----------|----------|---------|
| `rce_payloads.txt` | 282 | `exploit`, `rce`, `auto_exploit` |
| `sqli_payloads.txt` | 292 | `exploit`, `sqli` |
| `xss_payloads.txt` | 232 | `xss` |
| `lfi_payloads.txt` | 247 | `exploit`, `lfi` |
| `ssti_payloads.txt` | 142 | `exploit`, `ssti` |
| `ssrf_payloads.txt` | 186 | `ssrf` |
| `cmdi_payloads.txt` | 174 | `rce` |
| `auth_bypass_payloads.txt` | 182 | `auth_bypass` |
| `rfi_payloads.txt` | 164 | `lfi` |
| `open_redirect_payloads.txt` | 153 | `open_redirect` |
| `http_smuggling_payloads.txt` | 132 | `smuggling` |
| `crlf_payloads.txt` | 97 | `crlf` |
| `deserialization_payloads.txt` | 77 | `deser` |
| `prototype_pollution_payloads.txt` | 76 | `prototype` |
| `graphql_payloads.txt` | 59 | `graphql` |
| `xxe_payloads.txt` | 52 | `xxe` |
---
## Attack Chain Engine
When `--chain` is enabled, VOID auto-discovers exploitation escalation paths:
```bash
void -t target.com --vuln --chain -f
```
Example output with SSRF + SQLi + LFI + XSS + XXE found:
```
โ๏ธ 14 Attack Chains Discovered:
โญโโโโ ssrf_to_rce โโโโโโโโโโโโโโโโโโโโโโโฎ
โ โโโ ssrf: Initial vulnerability โ
โ โโโ rce: AWS Metadata โ
โ โโโ rce: Internal Admin โ
โ โโโ rce: Redis RCE โ
โฐโโ SSRF to internal service RCE โโโโโโโโฏ
โญโโโโ sqli_to_rce โโโโโโโโโโโโโโโโโโโโโโโฎ
โ โโโ sqli: Initial vulnerability โ
โ โโโ rce: xp_cmdshell โ
โ โโโ rce: INTO OUTFILE โ
โ โโโ rce: LOAD_FILE โ
โฐโโ SQLi to RCE via xp_cmdshell โโโโโโโโโฏ
```
---
## All 48 Plugins
| # | Plugin | Category | Description |
|---|--------|----------|-------------|
| 1 | `dns_enum` | Recon | DNS record enumeration |
| 2 | `subdomain_takeover` | Recon | Dangling CNAME detection |
| 3 | `file_enum` | Recon | Sensitive file discovery |
| 4 | `api_enum` | Recon | API endpoint discovery |
| 5 | `log_analysis` | Recon | Log file credential extraction |
| 6 | `ad_recon` | Recon | Active Directory enumeration |
| 7 | `cache_poison` | Recon | Web cache poisoning |
| 8 | `xss` | Vuln Scan | XSS (Reflected, Stored, DOM) |
| 9 | `sqli` | Vuln Scan | SQL Injection (6 techniques) |
| 10 | `ssti` | Vuln Scan | Server-Side Template Injection |
| 11 | `xxe` | Vuln Scan | XML External Entity |
| 12 | `ssrf` | Vuln Scan | Server-Side Request Forgery |
| 13 | `lfi` | Vuln Scan | Local/Remote File Inclusion |
| 14 | `rce` | Vuln Scan | Remote Code Execution |
| 15 | `crlf` | Vuln Scan | CRLF Injection |
| 16 | `open_redirect` | Vuln Scan | Open Redirect |
| 17 | `auth_bypass` | Vuln Scan | Authentication Bypass |
| 18 | `graphql` | Vuln Scan | GraphQL Attacks |
| 19 | `prototype` | Vuln Scan | Prototype Pollution |
| 20 | `smuggling` | Vuln Scan | HTTP Request Smuggling |
| 21 | `deser` | Vuln Scan | Deserialization Attacks |
| 22 | `exploit` | **Exploit** | Full-auto RCE/LFI/SQLi/SSTI/upload |
| 23 | `auto_exploit` | **Exploit** | Auto-exploit + shell deploy |
| 24 | `sqli_exploit` | **Exploit** | Targeted SQLi: dump, bypass, RCE |
| 25 | `xss_exploit` | **Exploit** | Targeted XSS: steal, hijack, phish |
| 26 | `rce_exploit` | **Exploit** | Targeted RCE: inject, shells, persist |
| 27 | `lfi_exploit` | **Exploit** | Targeted LFI: extract, source, RCE |
| 28 | `ssti_exploit` | **Exploit** | Targeted SSTI: engines, escape, RCE |
| 29 | `upload_exploit` | **Exploit** | Targeted upload: shell, bypass |
| 30 | `crlf_exploit` | **Exploit** | Targeted CRLF: split, poison, fixate |
| 31 | `redirect_exploit` | **Exploit** | Targeted redirect: phish, OAuth, SSRF |
| 32 | `auth_exploit` | **Exploit** | Targeted auth: JWT, creds, bypass |
| 33 | `graphql_exploit` | **Exploit** | Targeted GraphQL: dump, inject, DoS |
| 34 | `proto_exploit` | **Exploit** | Targeted prototype: pollute, RCE |
| 35 | `smuggling_exploit` | **Exploit** | Targeted smuggling: CL.TE, TE.CL, H2C |
| 36 | `deser_exploit` | **Exploit** | Targeted deser: Java, PHP, Python, .NET |
| 37 | `pth` | Post-Exploit | Pass-the-Hash (SMB/WMI) |
| 38 | `lateral_movement` | Post-Exploit | SSH/SMB/WinRM spread |
| 39 | `privesc` | Post-Exploit | Privilege Escalation |
| 40 | `cred_harvest` | Post-Exploit | Credential Harvesting |
| 41 | `persistence` | Post-Exploit | Backdoor Persistence |
| 42 | `revshell` | Post-Exploit | Reverse Shell Generation |
| 43 | `exfil` | Post-Exploit | Data Exfiltration |
| 44 | `c2` | Post-Exploit | Command & Control |
| 45 | `network_sniff` | Post-Exploit | Packet Capture |
| 46 | `keylogger` | Post-Exploit | Remote Keylogging |
| 47 | `screenshot` | Post-Exploit | Remote Screenshots |
| 48 | `evasion` | Post-Exploit | EDR/AV Evasion |
---
## CLI Reference
```
Target:
-t, --target Target domain, IP, or URL
Scan Modes:
--quick Quick recon scan
--web Web vulnerability scan
--vuln Full vulnerability scan
--exploit ๐ Full exploitation mode
--chain Attack chain analysis
-p, --plugin Specific plugin(s) to run
--all Run ALL plugins
--list List available plugins
Performance:
--fast, -f Fast mode (disable jitter)
--thorough Use ALL payloads from wordlists
--threads Number of threads
--timeout Request timeout
Stealth:
-s, --silent Silent mode
--proxy Proxy URL (e.g., http://127.0.0.1:8080)
--delay Delay between requests (seconds)
Output:
-o, --output Output directory
--report Generate report
--autosave Auto-save reports
--format Report format (markdown/json)
```
---
## Configuration
Exploitation credentials in `config.yaml`:
```yaml
pth:
username: Administrator
hash: "LMHASH:NTHASH"
domain: DOMAIN
lateral:
username: root
password: "password"
ssh_key: /path/to/key
privesc:
username: user
password: "pass"
sniff:
interface: eth0
duration: 60
count: 500
```
---
## Requirements
- Python 3.8+
- Core: `requests`, `pyyaml`, `rich`, `dnspython`
- Post-exploitation: `impacket`, `scapy`, `paramiko`
- Root required for packet capture
---
## Author
**Elliot Jr** (@Bratyabasu07)
---
*"They'll see the traffic, but never the needle in the haystack."*