Tools of The Trade: Legion

Summary

Legion is a fork of SECFORCE’s Sparta. It is an open source, easy-to-use, semi-automated network penetration testing framework designed to aid in reconnaissance, discovery, and exploitation of information systems.

🍿 Features

  • Automatic recon and scanning with Nmap, WhatWeb, Nikto, Vulners, Hydra, SMBenum, DirBuster, SSLyze, webslayer and more (with almost 100 auto-scheduled scripts).
  • Easy to use graphical interface with rich context menus and panels that allow pentesters to quickly find and exploit attack vectors on hosts.
  • Modular functionality allows users to easily customize Legion and automatically call their own scripts/tools.
  • Multiple custom scan configurations ideal for testing different environments of various size and complexity.
  • Highly customizable stage scanning for ninja-like IPS evasion.
  • Automatic detection of CPEs (Common Platform Enumeration) and CVEs (Common Vulnerabilities and Exposures).
  • Ties CVEs to Exploits as detailed in Exploit-Databases.
  • Realtime auto-saving of project results and tasks.

Legion is maintained by Gotham Security, comes installed by default on Kali Linux, and may be accessed for free on GitHub.

Installation and Launching

git clone https://github.com/GoVanguard/legion.git
cd legion
sudo python3 legion.py

Notes:

  • Don't start Legion using the startLegion.sh script. This isn't needed under Kali.
  • Legion must be run as root, so use sudo.
  • Legion will refuse to run if nmap 7.92 is installed. This is intentional.

Importing & Running Scans

Running scans from Legion is very intuitive: simply click “Click here to add host(s) to scope” in the main GUI.

  1. Add in the target(s) you wish in the first section, this can be individual IPs, URLs, or IP ranges.
  2. Select the Mode
    1. Easy uses the pre-defined default configurations
    2. Hard allows you to select more details such as Timing and Performance (Nmap T0-T5), as well as additional Port Scanning and Host Discovery options.

Note: The option labelled “obfuscation” adds the following Nmap flags to the scan:

nmap --data-length 5 --max-retries 2 --randomize-hosts


You can also import existing nmap scan results into Legion and use the GUI to organize the data and launch additional tools.

Note: The best way to import the data from an nmap scan is to save the nmap output as a .xml using the -oX flag.


By right-clicking one of the ports, in this case port 80, you will see a long list of all the additional tools and scripts that can be run automatically against that port.


Modifying Scan Configuration

One of the best features of Legion when compared to some other semi-automated tools is the ability to easily modify how any scans are configured. You can specify which ports to scan, which scripts and additional tools to run automatically, and even what order to run them in, all by modifying legion.conf. In the example below we will adjust the default configuration to be more tailored to a large scope of systems where speed is a necessity, by limiting the scan to about 30 ports and removing several tool automations.

sudo nano /root/.local/share/legion/legion.conf

Scroll to the bottom of legion.conf and remove anything under SchedulerSettings that you do not want. In this case I have left the Screenshooter, so that when a web server is identified Legion will collect a screenshot of it for me. This is a big-time saver.

Next, adjust the StagedNmapSettings to define what ports you want scanned, in what order, and when you want the vulners script to be run. Note: don't delete stages 5 and 6; each stage needs something in it. But you can change them however you like.
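As an added example (not Legion's own code), the following Python script sanity-checks a trimmed legion.conf before you launch: it flags any stage left empty, which the page warns against, and totals the ports per stage so you can confirm the roughly 30-port budget. The stageN-ports key names and the Nmap-style port spec format are assumptions about the file's layout; adjust them if your copy differs.

```python
# Added example (not part of Legion): sanity-check a trimmed legion.conf before
# launching. The [StagedNmapSettings] layout, stageN-ports keys holding Nmap-style
# port specs such as "T:80,443,U:161", is assumed from the stage numbering the
# page mentions; adjust the key names if your legion.conf differs.
import configparser

# Constructed sample: a large-scope profile cut to about 30 ports, with
# stages 5 and 6 kept populated as the page advises.
SAMPLE_CONF = """[StagedNmapSettings]
stage1-ports="T:80,443"
stage2-ports="T:21,22,23,25,53,110,111,135,139,445,1433,3306,3389,5432,8080,U:53,161"
stage3-ports="Vulners,CVE"
stage4-ports="T:8000,8443,8888,9200,27017"
stage5-ports="T:2049,5900,6379,U:137,500"
stage6-ports="T:5985,5986"
"""

def _stage_values(conf_text):
    """Map stage number -> raw value with quotes stripped ('' if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["StagedNmapSettings"]
    return {n: section.get(f"stage{n}-ports", "").strip().strip('"')
            for n in range(1, 7)}

def expand_ports(spec):
    """Expand "T:80,443,U:161,1-3" into a set of (protocol, port) tuples."""
    proto, ports = "T", set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item[:2] in ("T:", "U:"):   # protocol prefix sticks until changed
            proto, item = item[0], item[2:]
        lo, _, hi = item.partition("-")
        ports.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return ports

def missing_stages(conf_text):
    """Stage keys that are absent or empty; Legion needs every stage populated."""
    return [f"stage{n}-ports" for n, v in _stage_values(conf_text).items() if not v]

def stage_port_counts(conf_text):
    """Ports per stage; a script stage such as "Vulners,CVE" counts as 0."""
    counts = {}
    for n, value in _stage_values(conf_text).items():
        try:
            counts[n] = len(expand_ports(value))
        except ValueError:  # not a port list, e.g. the vulners script stage
            counts[n] = 0
    return counts
```

Run `missing_stages()` and `stage_port_counts()` against the text of your real legion.conf; an empty list from the first means stages 5 and 6 survived your trimming.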


Save the file. Now you can launch Legion and select Help → Config to verify that the specified settings are reflected properly.


Note: Several pre-made configuration files are included with the newer versions of Legion by default and can simply be copied and pasted into legion.conf to suit your needs.