@jesusprubio
Last active April 12, 2023 15:02
Proposal: A Node.js penetration test framework

Proposal: Node.js penetration test framework

Hi guys! Since I started to write Bluebox-ng I've been tracking the different security projects I found written in Node.js. Now we've published the first stable version we think it's the right moment to speak among us (and, of course, everyone interested in it :).

Why?

  • I think we're rewriting the same stuff in our respective projects again and again. For example, almost any tool supports IPv6 because the functions we need are still not present in the Node core and the libraries I found (IMHO) were not enough.
  • There're different projects implementing exactly the same thing, ie: port scanners.
  • We're working in a too new environment, so we need to make it together.
  • Our 2 cents to make Node still more awesome. Now we have io.js whose main idea is to gain committers.

To clarify: We've NO interest in keeping the project name or something similar, our only idea is to code in a bigger community.

@multitic

yes, we can install bluebox-ng in bugtraq2 and in VAST with the same method as with Kali:

https://multitic.wordpress.com/2015/01/16/serie-pentesting-voip-2/

@vertexclique

https://gitter.im/ for talks maybe...

@Random1984

This project could be called like a powerful car with a V8 engine.
"New Seat Panda - At your pace"

@multitic

hahahaha,
common rails 4x4 !!!

---> V8IP !!!

@jesusprubio
Author

multitic-celtica

  • Thanks, but we've a lot to do ;)
  • For sure we'll have to speak about it, but I think that, for now, we don't know exactly what we want.
  • Yep, we need a name!
  • I think that we should not focus specially in VoIP. This was the original idea of Bluebox. But we started this because we want to join to everyone who was developing something related with Node and pentesting/exploiting.

vertexclique

  • I think Gitter could fit

Moreover I'm writing a first website draft, I hope to have it finished in a couple of days. Until then, here there is my proposal for a temporal logo. I have to clear that I'm not a graphical artist, I'm only playing with Inkscape.

About the name I should not use anything with "pentest" or "exploit" and derived ones. My main reason is to be opened to as many people as possible. My 2 cents:

  • ninja.js - JavaScript Ninja
  • abusive.js - Abusive JavaScript / Abusive Node
  • warfare.js, offensive.js, unpleasant.js, violent.js, etc.
  • "Bringing pentest/exploit stuff to Node!"

To resume, our goal:

  • Have a repository with useful resources to use in our projects.
  • Ask any member to publish a part of his code as a NPM module and send some PR, instead of code it from scratch.
  • Contribute to the same libraries to achieve a common goal.
  • Subproject: Complete framework

About the communication I think we only need for now:

  • IRC channel on Freenode. Remember, we're in #breakingvoip until we choose a name.
  • GitHub repo.
  • A mail with GPG key.
  • Mail list: Google group. But we can configure our GitHub account to send the notifications by mail, so maybe we can avoid it.
  • Twitter: If anybody wants to manage it, I've no time :(.
  • A federated social network like Quitter or Identi.ca: They have Twitter integration so we can publish in both networks at the same time.

We need an IRC meeting to vote about everything, any preference? Until then we can comment here to keep pushing.

@vertexclique

I can make the logo. 👍 for warfare.js and i can offer weird names

  • assault.js, ravage.js etc.
  • related with biology: coacervate(initial component of cell), protocell (before the cellular structure) / why? because pentesting and exploiting is generally in low-level.

@jesusprubio
Author

I like assault.js too. We need a Doodle, please add more here and I'll add them:

It seems that the logo was not correctly uploaded, but I've fixed it now. You can upload your proposals, we need ideas :)

3 votes each one? :)

@sergiogr

If I had to pick only one I would go for assault.js, but I like warfare.js as well. My third option would be ninja.js which would be easier to design a logo for, but it's also more generic, I think.

@vertexclique

Guys, there is already a project with that name btw http://ninjaui.com/

@jesusprubio
Author

Hi, I've published a draft of the future web. I've used the most voted name for now. It's implemented using Polymer. I think I've already added all interested one projects. Ideas? :)

https://jesusprubio.github.io/

@Random1984

I think assault.js is the coolest name it could have.

@jesusprubio
Author

I agree, I think we have a name. See you on #assaultjs at Freenode :). New links:

@jpenalbae

Does this fit somewhere within the project?

https://gist.github.com/jpenalbae/80b697dc25b5ec4ac8dd

@jonatanrdsantos

LOL, just now I see this, good name.

@ellerbrock

ellerbrock commented Jun 8, 2016

hey guys,

is the project still active? i would love to join in! I basically had the same plan to write some pentesting stuff in node but was looking for few people to join. you can get in touch with me on gitter: https://gitter.im/frapsoft/penetration-testing ...

@cpruijsen

👍 on the above - are we still alive? Would be cool to get involved.

@SJCaldwell

This still active?

I'd be interested in contributing!

@maikelSec

Is this still happening ?

@pdparchitect

Hi everyone,

I am surprised to see this community page. It is awesome!

I started a nodejs security project called pownjs. You can learn more about what it is and the philosophy behind it over here https://github.com/pownjs/pown.

So far I have contributed a few modules including a LMNR spoofer, simple captcha breaking tool, pcap2 based sniffing tool, offline hacking tips browser and a few more modules. I am also toying with many ideas that I would like to eventually implement such as UPNP discovery and hacking toolkit, a proxy, arp spoofing etc, TV hacking toolkit, web security tools, recon tools, more responders (mdns, dns, dhcp etc), exploit development modules, etc.

I would love to get your opinion and also, if interested, get you involved.

The best part is that pownjs is a decentralised project because it is based around npm and practically anyone can make their own distributions of the toolkit. This is part of the philosophy - i.e. modules are framework agnostic and everyone is a contributor, even indirectly sometimes (check $ pown credits to see).

Let me know if you have any questions.
