Tentacle is a POC vulnerability verification and exploits framework. It supports a free extension of exploits and uses POC scripts. It supports calls to Zoomeye, Fofa, Shodan, and other APIs to perform bulk vulnerability verification for multiple targets.
Tentacle is an open-source vulnerability verification and exploits framework that is coded in Python3. It supports easy addition of exploits and even facilitates bulk vulnerability verification across targets using search engines such as Google, Baidu, Bing and internet-connected search engines such as ZoomEye, FOFA, Shodan, etc.
This tool also supports verification of commonly exposed default passwords for the following services and web applications such as ActiveMQ, DB2, FTP, MySQL, Oracle, phpMyAdmin, POP3, RabbitMQ, Redis, rsync, SMB, SMTP, SQL Server, SSH, Sybase, TELNET, Tomcat, WebLogic, and Zabbix.
Tentacle also checks for common vulnerabilities such as storage of backup files, existence of crossdomain.xml, cross-site tracing, open directory listing, HTTP OPTIONS method testing, information disclosure via various other files such as web config, etc.
Tentacle supports verification of the following exploits
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status # Scan top 150 ports and then perform bulk vulnerability verification for multiple targets.
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status -sP # Skip port scan and then it will try the default port number server
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status -lP 80-90,443 # Scan 80-90 ports and 443 port and then perform bulk vulnerability verification for multiple targets.
Use function of a module by -m and -f (e.g. -m web_status -f prove), and you should make sure the function of the module is exist.
┌─[bullseye@parrot]─[~/Tools/Tentacle]└──╼$sudopython3tentacle.py--show.___________._______.____..___________.__________________|||____||\||||/\/||||____|{1.0.0#stable}`---| |----`||__|\||`---| |----`/^\|,----'| | | |__
| | | __| | . ` | | | / /_\ \ | | | | | __|
| | | |____ | |\ | | | / _____ \ | `----.| `----.| |____
|__| |_______||__| \__| |__| /__/ \__\ \______||_______||_______| http://www.orleven.com/
[19:09:54] [*] Created task:
[19:09:54] [*] Set timeout: 5
[19:09:54] [*] Set thread: 100
[19:09:54] [*] There are available modules as follows:
-----------------------------------------------------------
| Module path, you can load module by -m module_path, |
| and you can see module'descriptionfor-fshow|-----------------------------------------------------------|script/activemq/CVE-2016-3088||script/activemq/activemq_burst||script/apache/CVE-2018-1335||script/atlassian_cloud/atlassian_cloud_getshell||script/axis/axis2_file_read||script/axis/axis2_getshell||script/confluence/CVE-2015-8399||script/confluence/CVE-2019-3396||script/coremail/coremail_config||script/coremail/coremail_v5_getshell||script/dedecms/dedecms_win_apache_shortfile||script/dedecms/dedecms_win_find_manage||script/discuz/discuz34_ssrf_Weixin_Plugin||script/django/CVE-2018-14574||script/docker/docker_unauth||script/druid/druid_monitor_unauth||script/dubbo/dubbo_info_file||script/dubbo/dubbo_unauth||script/ecology/ecology8_admincenter_sql_inject||script/ecology/ecology8_download||script/ecology/ecology8_download2||script/ecology/ecology8_mobile_sql_inject||script/ecology/ecology8_mobilemode_download||script/ecology/ecology8_mobilemode_getshell||script/ecology/ecology8_social_sql_inject||script/ecology/ecology_bsh||script/elasticsearch/CVE-2015-1427||script/flexpaper/CVE-2018-11686||script/ftp/ftp_burst||script/hadoop/hadoop_manage_unauth||script/hadoop/hadoop_yarn_rce||script/hadoop/hadoop_yarn_unauth||script/harbor/harbor_unauth_admin_add||script/iis/iis_short_file||script/info/port_scan||script/java_rmi/java_rmi_rce||script/jenkins/CVE-2018-1000600||script/jenkins/CVE-2018-1000861||script/jenkins/jenkins_getshell||script/kafka/kafka_unauth||script/kibana/kibana-unauth||script/kindeditor/upload_json||script/memcache/memcache_unauth||script/mongodb/mongodb_unauth||script/mysql/mysql_burst||script/nexes-manager/CVE-2019-7238||script/niushop/niushop22_getshell||script/odin/odin_download||script/pbootcms/pbootcms132_rce||script/pbootcms/pbootcms132_sql||script/php7cms/php7cms_getshell||script/phpcms/phpcms9_download||script/phpmyadmin/CVE-2018-12613||script/phpmyadmin/phpmyadmin_burst||script/phpmyadmin/phpmyadmin_setup_deserialization||script/phpstudy/phpstudy_backdoor||script/proxy/proxy_unauth||script/rabbitmq/rabbitmq_burst||script/redis/redis_burst||script/redis/redis_unauth||script/rsync/rsync_burst||script/rsync/rsync_unauth||script/s-cms/scms_download||script/seeyon/htmlofficeservlet_getshell||script/seeyon/officeservlet_download||script/shiro/shiro_550||script/smb/CVE-2020-0796||script/smb/MS17-010||script/smtp/smtp_burst||script/solr/CVE-2017-12629||script/solr/CVE-2019-0193||script/solr/solr_template_rce||script/solr/solr_unauth||script/spring/CVE-2017-8046||script/spring/CVE-2018-1273||script/spring/CVE-2020-5405||script/spring/springboot_info||script/ssh/ssh_burst||script/struts2/s2_005||script/struts2/s2_016||script/struts2/s2_019||script/struts2/s2_032||script/struts2/s2_045||script/struts2/s2_048||script/struts2/s2_ongl_console||script/supervisor/CVE-2017-11610||script/supervisor/supervisor_unauth||script/thinkcmf/thinkcmf223_sql||script/thinkcmf/thinkcmf223_template_1||script/thinkcmf/thinkcmf223_template_2||script/thinkphp/thinkphp5023_getshell||script/thinkphp/thinkphp5131_getshell||script/thinkphp/thinkphp51_52_getshell||script/thinkphp/thinkphp_debug||script/thinkphp/thinkphp_url_exec||script/thinkphp/thinkphp_v6_file_write||script/tomcat/CVE-2018-11759||script/tomcat/CVE-2020-1938||script/tomcat/tomcat_pages||script/tomcat/tomcat_put||script/tongda/tongda2000_lfi_getshell||script/ucms/ucms_upload||script/uwsgi/CVE-2018-7490||script/vpn/svpnrcico||script/web/back_file||script/web/crossdomain||script/web/cst||script/web/directory_list||script/web/http_basicauth_burst||script/web/http_options||script/web/info_file||script/web/web_content_key||script/web/web_status||script/weblogic/CNVD-C-2019-48814||script/weblogic/CVE-2018-2628||script/weblogic/CVE-2018-2894||script/weblogic/CVE-2019-2890||script/weblogic/CVE-2020-2551||script/weblogic/cve-2017-10271||script/weblogic/weblogic_burst||script/weblogic/weblogic_ssrf||script/weblogic/weblogic_xmldecode_bypass||script/wordpress/CVE-2019-9978||script/yst_dlp/yst_dlp_unauth||script/zabbix/zabbix_burst||script/zimbra/CVE-2019-9670||script/zookeeper/zookeeper_unauth|-----------------------------------------------------------
Tentacle Show all function of a module by -f show or -f help
1
sudo python3 tentacle.py -m script/web/web_status -f show
1
sudo python3 tentacle.py -m script/web/web_status -f help
Load web_status module
1
sudo python3 tentacle.py -iS 127.0.0.1 -m @web
Video Tentacle
Become a member on Odysee.com Earning on Odysee for watching videos ♥️ Here an invitation link, so that we both benefit. In this way, you also support my work.
Dear people, I do a lot of things on the Internet and I do it all for free. If I don’t get enough to support myself, it becomes very difficult to maintain my web presence, which takes a lot of time, and the server costs also have to be paid.
Your support is greatly appreciated.
All the techniques provided in the tutorials on HackingPassion.com, are meant for educational purposes only.
If you are using any of those techniques for illegal purposes, HackingPassion.com can’t be held responsible for possible lawful consequences.
My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.
My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b.
Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you.
"You can create art & beauty with a computer and Hacking is not a hobby but a way of life ...
![conf Tentacle]](/wp-content/uploads/2020/04/conf-tentacle.png)
