Share
## https://sploitus.com/exploit?id=1BF859AD-03D6-5C0A-9CA7-8AEFD17122EE
# VOID

```
โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— 
โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
 โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
  โ•šโ•โ•โ•โ•   โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ• 
```

# โš ๏ธ DISCLAIMER

**This tool is for educational purposes and authorized security testing ONLY.**

The author (Elliot Jr / Bratyabasu07) is **not responsible** for any misuse or damage caused by this program. 
Attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

**USE AT YOUR OWN RISK.**

---

**VOID โ€” APT-Style Reconnaissance Framework**

A modular offensive security framework with 35 plugins, 3,890+ payloads, active exploitation, and attack chain analysis. Built for Red Team operations.

---

## โš ๏ธ WARNING

**This tool performs REAL exploitation attacks.** Only use on systems you own or have explicit written authorization to test. Unauthorized use is illegal.

---

## Features

### ๐Ÿ” Reconnaissance (7 plugins)
- DNS enumeration (A, AAAA, MX, NS, TXT, CNAME, SOA)
- Subdomain takeover detection via dangling CNAMEs
- File & directory discovery (80+ paths)
- API endpoint enumeration
- Log file analysis & credential extraction
- Active Directory recon (LDAP, Kerberoasting, AS-REP roast)

### ๐Ÿ•ท๏ธ Vulnerability Scanning (14 plugins)
- **XSS** โ€” Reflected, Stored, DOM-based, WAF bypass, polyglots
- **SQLi** โ€” Union, Error, Boolean, Time-based, OOB, WAF bypass
- **SSTI** โ€” Jinja2, Twig, Freemarker, Velocity, Mako, Smarty
- **XXE** โ€” File read, SSRF, OOB exfil, Billion laughs
- **SSRF** โ€” Internal service probing, cloud metadata access
- **LFI/RFI** โ€” Path traversal, log poisoning, wrapper RCE
- **RCE** โ€” Command injection, deserialization, file upload
- **CRLF** โ€” Header injection, HTTP response splitting
- **Open Redirect** โ€” Redirect chain with bypass techniques
- **Auth Bypass** โ€” JWT attacks, OAuth abuse, header injection
- **GraphQL** โ€” Introspection, batching, injection, DoS
- **Prototype Pollution** โ€” Client-side, Server-side, URL-based
- **HTTP Smuggling** โ€” CL.TE, TE.CL, TE.TE, H2C, H2
- **Deserialization** โ€” Java, PHP, Python pickle, .NET

### ๐Ÿ’€ Active Exploitation (15 plugins)

**Full-auto (hit everything):**
- **exploit** โ€” Run ALL exploitation checks (RCE, LFI, SQLi, SSTI, upload)
- **auto_exploit** โ€” Auto-exploit discovered vulns, deploy shells, exfiltrate data

**Targeted (single attack):**
- **sqli_exploit** โ€” SQLi data extraction, DB fingerprint, table/cred dump, auth bypass, SQLiโ†’RCE
- **xss_exploit** โ€” Cookie theft, session hijack, keylogger, phishing overlay, BeEF hook
- **rce_exploit** โ€” Command injection detection, system info, file read, reverse shells
- **lfi_exploit** โ€” File extraction, source code theft, PHP wrappers, log poison โ†’ RCE
- **ssti_exploit** โ€” Engine fingerprinting (8 engines), sandbox escape, templateโ†’RCE
- **upload_exploit** โ€” Webshell upload, extension bypass, content-type abuse, .htaccess trick
- **crlf_exploit** โ€” Header injection, response splitting, session fixation, cache poison
- **redirect_exploit** โ€” 12 bypass techniques, phishing, OAuth token theft, SSRF chain
- **auth_exploit** โ€” JWT alg:none forgery, default creds, header/path bypass, session manipulation
- **graphql_exploit** โ€” Schema dump, SQLi via args, batching abuse, DoS, field leak
- **proto_exploit** โ€” Client/server-side pollution, privilege escalation, Node.js RCE
- **smuggling_exploit** โ€” CL.TE, TE.CL, H2C detection, cache poison, request hijack payloads
- **deser_exploit** โ€” Java ysoserial, PHP phpggc, Python pickle, .NET ViewState, known CVEs

```bash
# Found a SQLi endpoint? Target it directly:
void -t "http://target.com/page.php?id=1" -p sqli_exploit -f

# Got XSS? Run XSS-specific exploitation:
void -t "http://target.com/search?q=test" -p xss_exploit -f

# Suspect file inclusion?
void -t "http://target.com/view?file=test" -p lfi_exploit -f

# Auth bypass on admin panel?
void -t "http://target.com/admin" -p auth_exploit -f

# GraphQL endpoint?
void -t "http://target.com/graphql" -p graphql_exploit -f

# Or run everything at once:
void -t target.com --exploit -f
```

Uses **3,890+ payloads** from 16 wordlists to find and exploit vulnerabilities.

### โ›“๏ธ Attack Chain Analysis
Automatically maps vulnerability escalation paths:
```
SSRF โ†’ Internal Service โ†’ RCE
SQLi โ†’ LOAD_FILE โ†’ File Read โ†’ Credential Theft
LFI  โ†’ Log Poisoning โ†’ RCE โ†’ Shell
XSS  โ†’ Session Hijack โ†’ Auth Bypass
XXE  โ†’ SSRF โ†’ Cloud Metadata โ†’ AWS Keys
```

### ๐Ÿ”ด Post-Exploitation (8 plugins)
- **Pass-the-Hash** โ€” SMB PtH, WMI execution, DCOM
- **Lateral Movement** โ€” SSH/SMB/WinRM spread
- **Privilege Escalation** โ€” SUID/sudo, kernel exploits, GTFOBins
- **Credential Harvesting** โ€” SAM, LSA secrets, LSASS, cached creds
- **Persistence** โ€” Registry, cron, scheduled tasks, services
- **Reverse Shells** โ€” AMSI/ETW bypass, LOLBins, encrypted payloads
- **Data Exfiltration** โ€” DNS tunneling, HTTPS, ICMP
- **C2 Server** โ€” Beacon management, task queuing, exfil

### ๐Ÿฅท Stealth & Evasion
- User-Agent rotation
- Proxy chain support
- Timing jitter (or `--fast` to disable)
- EDR/AV evasion (AMSI bypass, ETW patching, unhooking)
- Silent mode

---

## Installation

```bash
git clone https://github.com/Bratyabasu07/VOID.git
cd VOID
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# For post-exploitation features
pip install impacket scapy paramiko
```

---

## Usage

### Scan Modes

```bash
# Quick recon (DNS, files, API, subdomains)
void -t target.com --quick

# Web vulnerability scan (XSS, SQLi, SSTI, XXE, SSRF)
void -t target.com --web

# Full vulnerability scan (all web vulns + LFI, RCE, CRLF, redirects)
void -t target.com --vuln

# ๐Ÿ’€ FULL EXPLOITATION MODE (vuln scan + active exploitation)
void -t target.com --exploit -f

# Everything + attack chains
void -t target.com --exploit --chain -f
```

### Thorough Mode (All 3,890+ Payloads)

```bash
# Default: ~160 requests per plugin (fast)
void -t target.com --exploit -f

# Thorough: ALL payloads from wordlists (slow but comprehensive)
void -t target.com --exploit --thorough
```

| Mode | Payloads Used | Params Tested | Speed |
|------|--------------|---------------|-------|
| Fast (`-f`) | ~20/plugin | 8 | Quick |
| Default | ~50/plugin | 8 | Medium |
| **Thorough** | **ALL (3,890+)** | **20** | Slow |

### Specific Plugins

```bash
# Run specific plugin(s)
void -t target.com -p sqli -p xss

# Run all plugins
void -t target.com --all

# List available plugins
void --list
```

### Target a Specific URL

```bash
# Target a specific endpoint with known parameters
void -t "http://target.com/page.php?id=1" -p exploit -f
```

---

## Post-Exploitation

### Pass-the-Hash

```yaml
# config.yaml
pth:
  username: Administrator
  hash: "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
  domain: CORP
```

```bash
void -t 192.168.1.100 -p pth
```

### Lateral Movement

```yaml
lateral:
  username: root
  password: "toor"
  ssh_key: /path/to/id_rsa
```

```bash
void -t 192.168.1.0/24 -p lateral_movement
```

### Network Sniffing (requires root)

```bash
sudo void -t 192.168.1.0/24 -p network_sniff
```

### Privilege Escalation

```bash
void -t target.com -p privesc
```

---

## Payload Wordlists

16 wordlists with 3,890+ payloads:

| Wordlist | Payloads | Used By |
|----------|----------|---------|
| `rce_payloads.txt` | 282 | `exploit`, `rce`, `auto_exploit` |
| `sqli_payloads.txt` | 292 | `exploit`, `sqli` |
| `xss_payloads.txt` | 232 | `xss` |
| `lfi_payloads.txt` | 247 | `exploit`, `lfi` |
| `ssti_payloads.txt` | 142 | `exploit`, `ssti` |
| `ssrf_payloads.txt` | 186 | `ssrf` |
| `cmdi_payloads.txt` | 174 | `rce` |
| `auth_bypass_payloads.txt` | 182 | `auth_bypass` |
| `rfi_payloads.txt` | 164 | `lfi` |
| `open_redirect_payloads.txt` | 153 | `open_redirect` |
| `http_smuggling_payloads.txt` | 132 | `smuggling` |
| `crlf_payloads.txt` | 97 | `crlf` |
| `deserialization_payloads.txt` | 77 | `deser` |
| `prototype_pollution_payloads.txt` | 76 | `prototype` |
| `graphql_payloads.txt` | 59 | `graphql` |
| `xxe_payloads.txt` | 52 | `xxe` |

---

## Attack Chain Engine

When `--chain` is enabled, VOID auto-discovers exploitation escalation paths:

```bash
void -t target.com --vuln --chain -f
```

Example output with SSRF + SQLi + LFI + XSS + XXE found:
```
โ›“๏ธ  14 Attack Chains Discovered:

โ•ญโ”€โ”€โ”€โ”€ ssrf_to_rce โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚  โ”œโ”€โœ“ ssrf: Initial vulnerability      โ”‚
โ”‚  โ”œโ”€โ†’ rce: AWS Metadata                โ”‚
โ”‚  โ”œโ”€โ†’ rce: Internal Admin              โ”‚
โ”‚  โ””โ”€โ†’ rce: Redis RCE                   โ”‚
โ•ฐโ”€โ”€ SSRF to internal service RCE โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

โ•ญโ”€โ”€โ”€โ”€ sqli_to_rce โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚  โ”œโ”€โœ“ sqli: Initial vulnerability      โ”‚
โ”‚  โ”œโ”€โ†’ rce: xp_cmdshell                 โ”‚
โ”‚  โ”œโ”€โ†’ rce: INTO OUTFILE                โ”‚
โ”‚  โ””โ”€โ†’ rce: LOAD_FILE                   โ”‚
โ•ฐโ”€โ”€ SQLi to RCE via xp_cmdshell โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ
```

---

## All 48 Plugins

| # | Plugin | Category | Description |
|---|--------|----------|-------------|
| 1 | `dns_enum` | Recon | DNS record enumeration |
| 2 | `subdomain_takeover` | Recon | Dangling CNAME detection |
| 3 | `file_enum` | Recon | Sensitive file discovery |
| 4 | `api_enum` | Recon | API endpoint discovery |
| 5 | `log_analysis` | Recon | Log file credential extraction |
| 6 | `ad_recon` | Recon | Active Directory enumeration |
| 7 | `cache_poison` | Recon | Web cache poisoning |
| 8 | `xss` | Vuln Scan | XSS (Reflected, Stored, DOM) |
| 9 | `sqli` | Vuln Scan | SQL Injection (6 techniques) |
| 10 | `ssti` | Vuln Scan | Server-Side Template Injection |
| 11 | `xxe` | Vuln Scan | XML External Entity |
| 12 | `ssrf` | Vuln Scan | Server-Side Request Forgery |
| 13 | `lfi` | Vuln Scan | Local/Remote File Inclusion |
| 14 | `rce` | Vuln Scan | Remote Code Execution |
| 15 | `crlf` | Vuln Scan | CRLF Injection |
| 16 | `open_redirect` | Vuln Scan | Open Redirect |
| 17 | `auth_bypass` | Vuln Scan | Authentication Bypass |
| 18 | `graphql` | Vuln Scan | GraphQL Attacks |
| 19 | `prototype` | Vuln Scan | Prototype Pollution |
| 20 | `smuggling` | Vuln Scan | HTTP Request Smuggling |
| 21 | `deser` | Vuln Scan | Deserialization Attacks |
| 22 | `exploit` | **Exploit** | Full-auto RCE/LFI/SQLi/SSTI/upload |
| 23 | `auto_exploit` | **Exploit** | Auto-exploit + shell deploy |
| 24 | `sqli_exploit` | **Exploit** | Targeted SQLi: dump, bypass, RCE |
| 25 | `xss_exploit` | **Exploit** | Targeted XSS: steal, hijack, phish |
| 26 | `rce_exploit` | **Exploit** | Targeted RCE: inject, shells, persist |
| 27 | `lfi_exploit` | **Exploit** | Targeted LFI: extract, source, RCE |
| 28 | `ssti_exploit` | **Exploit** | Targeted SSTI: engines, escape, RCE |
| 29 | `upload_exploit` | **Exploit** | Targeted upload: shell, bypass |
| 30 | `crlf_exploit` | **Exploit** | Targeted CRLF: split, poison, fixate |
| 31 | `redirect_exploit` | **Exploit** | Targeted redirect: phish, OAuth, SSRF |
| 32 | `auth_exploit` | **Exploit** | Targeted auth: JWT, creds, bypass |
| 33 | `graphql_exploit` | **Exploit** | Targeted GraphQL: dump, inject, DoS |
| 34 | `proto_exploit` | **Exploit** | Targeted prototype: pollute, RCE |
| 35 | `smuggling_exploit` | **Exploit** | Targeted smuggling: CL.TE, TE.CL, H2C |
| 36 | `deser_exploit` | **Exploit** | Targeted deser: Java, PHP, Python, .NET |
| 37 | `pth` | Post-Exploit | Pass-the-Hash (SMB/WMI) |
| 38 | `lateral_movement` | Post-Exploit | SSH/SMB/WinRM spread |
| 39 | `privesc` | Post-Exploit | Privilege Escalation |
| 40 | `cred_harvest` | Post-Exploit | Credential Harvesting |
| 41 | `persistence` | Post-Exploit | Backdoor Persistence |
| 42 | `revshell` | Post-Exploit | Reverse Shell Generation |
| 43 | `exfil` | Post-Exploit | Data Exfiltration |
| 44 | `c2` | Post-Exploit | Command & Control |
| 45 | `network_sniff` | Post-Exploit | Packet Capture |
| 46 | `keylogger` | Post-Exploit | Remote Keylogging |
| 47 | `screenshot` | Post-Exploit | Remote Screenshots |
| 48 | `evasion` | Post-Exploit | EDR/AV Evasion |

---

## CLI Reference

```
Target:
  -t, --target          Target domain, IP, or URL

Scan Modes:
  --quick               Quick recon scan
  --web                 Web vulnerability scan
  --vuln                Full vulnerability scan
  --exploit             ๐Ÿ’€ Full exploitation mode
  --chain               Attack chain analysis
  -p, --plugin          Specific plugin(s) to run
  --all                 Run ALL plugins
  --list                List available plugins

Performance:
  --fast, -f            Fast mode (disable jitter)
  --thorough            Use ALL payloads from wordlists
  --threads             Number of threads
  --timeout             Request timeout

Stealth:
  -s, --silent          Silent mode
  --proxy               Proxy URL (e.g., http://127.0.0.1:8080)
  --delay               Delay between requests (seconds)

Output:
  -o, --output          Output directory
  --report              Generate report
  --autosave            Auto-save reports
  --format              Report format (markdown/json)
```

---

## Configuration

Exploitation credentials in `config.yaml`:

```yaml
pth:
  username: Administrator
  hash: "LMHASH:NTHASH"
  domain: DOMAIN

lateral:
  username: root
  password: "password"
  ssh_key: /path/to/key

privesc:
  username: user
  password: "pass"

sniff:
  interface: eth0
  duration: 60
  count: 500
```

---

## Requirements

- Python 3.8+
- Core: `requests`, `pyyaml`, `rich`, `dnspython`
- Post-exploitation: `impacket`, `scapy`, `paramiko`
- Root required for packet capture

---

## Author

**Elliot Jr** (@Bratyabasu07)

---

*"They'll see the traffic, but never the needle in the haystack."*