# Experimental version!
# Any commit may still change anything substantially!
#
# This is the main file of PTZ.
#
# Logic
# Provided IP -> vhost enum -> scan everything connected-> Identify services -> Vuln scan -> Add to queryable db
# Provided domain name -> ip enum -> scan everything connected -> Identify services -> Vuln scan -> Add to queryable db
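debug=1   # 1 = each pawnpls stage prints a "Calling function ..." trace line

# zsh completion setup.  ~/.ptz/v3das holds the knowledge-base notes read by
# `n`; it is put on fpath presumably so that tab completion after `n` offers
# the note names -- confirm, fpath normally holds autoloadable functions.
fpath=(~/.ptz/v3das $fpath)
autoload -U compinit
compinit
zstyle ':completion:*' menu select=2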
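function nls {
    # List the knowledge-base topics available to `n`: one name per file in
    # ~/.ptz/v3das with the directory and the extension (first dot onwards)
    # stripped.  Returns 1 and says so when the notes directory is absent.
    if [ ! -d ~/.ptz/v3das ]; then
        echo "knowledge base / notes are missing" >&2
        return 1
    fi
    echo "You can get help from the following topics:"
    local f name
    for f in ~/.ptz/v3das/*; do
        [ -e "$f" ] || continue      # empty directory: glob did not match
        name=${f##*/}                # drop the directory part
        echo "${name%%.*}"           # drop everything from the first dot
    done
}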
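function n {
    # Print one note from the knowledge base: `n <topic>` cats
    # ~/.ptz/v3das/<topic> (tab-complete the topic name after `n`).
    # The original test was `[ -d "~/.ptz/v3das" ]` with the branches swapped:
    # a quoted tilde never expands, so the check was always false and the file
    # was cat'ed unconditionally.  Returns 1 when the notes directory is
    # missing, 2 without a topic, else cat's status.
    if [ ! -d "$HOME/.ptz/v3das" ]; then
        echo "knowledge base / notes are missing"
        return 1
    fi
    if [ -z "$1" ]; then
        echo "usage: n <topic>" >&2
        return 2
    fi
    cat "$HOME/.ptz/v3das/$1"
}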
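function ptzdepchk {
    # Report which external tools PTZ relies on are not on PATH.
    # Prints one "<tool> is missing." line per absent tool on stderr and
    # returns 1 if anything is missing, 0 otherwise (the original always
    # returned 0, so a caller could not act on the result).
    local missing=0 tool
    # dig and dnsrecon were not checked before although dns_enum_tof calls
    # both unconditionally.
    for tool in python wget openssl john rar zip unzip tor torsocks \
                traceroute theharvester dnsenum fierce dnsrecon dig nmap searchsploit; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool is missing." >&2
            missing=1
        fi
    done
    # Planned for active_attack_tof, not checked until something uses them:
    #   curl, arachni, hydra, dirb
    return "$missing"
}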
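function ton {
    # Turn torsocks on for this shell.  The wrapper is sourced (not executed)
    # so whatever it sets persists in the current shell.  Returns 1 with a
    # message instead of a bare "file not found" when torsocks is absent.
    # NOTE: torsocks only wraps programs it can preload into; raw-socket
    # scans such as nmap -sS are not covered (see pawnpls' warning).
    if ! command -v torsocks >/dev/null 2>&1; then
        echo "torsocks is missing." >&2
        return 1
    fi
    . torsocks on
}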
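function tof {
    # Turn torsocks off for this shell (counterpart of `ton`); sourced so the
    # change applies to the current shell.  Returns 1 with a message when
    # torsocks is not installed.
    if ! command -v torsocks >/dev/null 2>&1; then
        echo "torsocks is missing." >&2
        return 1
    fi
    . torsocks off
}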
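function tip {
    # Ask check.torproject.org whether this shell's HTTP traffic exits via Tor.
    # Prints the matching "Congratulations ..." / "Sorry ..." line.  Prints a
    # note and returns 1 when neither phrase came back (blocked, timed out,
    # page wording changed) instead of silently printing nothing.
    # This only proves what wget does; tools that bypass torsocks are not tested.
    local page verdict
    page=$(wget -qO- --timeout=20 --tries=1 \
        -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" \
        https://check.torproject.org/)
    verdict=$(printf '%s\n' "$page" \
        | grep -Ei "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." \
        | uniq)
    if [ -z "$verdict" ]; then
        echo "could not determine Tor status (no answer from check.torproject.org)" >&2
        return 1
    fi
    printf '%s\n' "$verdict"
}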
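function wip {
    # Print the public IP this shell's HTTP traffic appears to come from.
    # One of two echo services is picked at random (presumably so neither
    # sees every query).  Use after `ton`/`tof` to confirm what a target sees.
    local ua="Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
    local url
    if [ $((RANDOM % 2)) -eq 0 ]; then
        url="https://ipecho.net/plain"
    else
        url="https://icanhazip.com"
    fi
    # HTTPS so an on-path party cannot hand back a false address (the original
    # queried over plain HTTP); a short timeout so a dead Tor circuit does not
    # hang the shell.
    wget -qO- --timeout=20 --tries=1 -U "$ua" "$url"
    # curl -s checkip.dyndns.org | sed 's#.*Address: \(.*\)</b.*#\1#' # Alternative 1
    # dig +short myip.opendns.com @resolver1.opendns.com # Alternative 2
}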
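function chkhttpz {
    # Show the HTTP status line(s) a host returns on a port, trying plain HTTP
    # and then HTTPS on that same port.  Usage: chkhttpz <host> <port>
    if [ $# -ne 2 ]; then
        echo "Usage: chkhttpz <host> <port>" >&2
        return 2
    fi
    local host=$1 port=$2
    # --spider checks without downloading a body; -S prints the response
    # headers on stderr, hence 2>&1.  Short timeouts keep a filtered port from
    # stalling the shell.  Certificate checking is disabled on purpose: this is
    # a recon probe against hosts that often present self-signed certs and we
    # only want the status line -- do not copy this flag into real clients.
    echo "HTTP responses"
    wget --spider -S --timeout=10 --tries=1 "http://$host:$port/" 2>&1 | grep "HTTP/"
    printf '\nHTTPS responses\n'
    wget --spider -S --timeout=10 --tries=1 --no-check-certificate "https://$host:$port/" 2>&1 | grep "HTTP/"
}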
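function chkcrt {
    # Dump the certificate chain a TLS server presents.
    # Usage: chkcrt <host> <port>
    if [ $# -ne 2 ]; then
        echo "Usage: chkcrt <host> <port>" >&2
        return 2
    fi
    # -servername sends SNI: without it a virtual-hosting server answers with
    # its default certificate rather than the one for $1.  stdin from
    # /dev/null makes s_client exit after the handshake instead of waiting
    # for input.
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null
}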
function rnd {
# get some random characters
2017-01-12 19:41:16 +00:00
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${ 1 :- 8 } ; echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${ 1 :- 16 } ; echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${ 1 :- 32 } ; echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${ 1 :- 64 } ; echo;
}
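function johnzip {
    # Brute-force a ZIP password with john's wordlist+rules candidates.
    # Usage: johnzip <zipfile> <wordlist>
    # Each candidate is tried with `unzip -t` (integrity test only); the
    # original used `unzip -o`, which extracted and overwrote files in the
    # current directory on every attempt.  Candidates are read line by line
    # -- the original `for i in $(john ...)` split them on whitespace and
    # glob-expanded them, so passwords containing spaces or '*' were never
    # tried as written.
    # Caveat: unzip only accepts the password on its command line, so every
    # candidate is briefly visible in the process list to other local users.
    # Returns 0 when a password is found, 1 otherwise, 2 on usage error.
    if [ $# -ne 2 ]; then
        echo "Usage: johnzip <zipfile> <wordlist>" >&2
        return 2
    fi
    local zipfile=$1 wordlist=$2 candidate
    if [ ! -r "$zipfile" ] || [ ! -r "$wordlist" ]; then
        echo "johnzip: cannot read $zipfile or $wordlist" >&2
        return 1
    fi
    echo "Unzip test..."
    unzip -l "$zipfile"
    echo "Cracking...."
    # Process substitution rather than a pipe so `return` leaves the function
    # from inside the loop in bash as well as zsh.
    while IFS= read -r candidate; do
        printf '\rtrying "%s" ' "$candidate"
        if unzip -tqq -P "$candidate" "$zipfile" >/dev/null 2>&1; then
            printf '\nArchive password is: "%s"\n' "$candidate"
            return 0
        fi
    done < <(john --wordlist="$wordlist" --rules --stdout)
    printf '\nPassword not found in wordlist.\n'
    return 1
}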
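function johnrar {
    # Brute-force a RAR password with john's wordlist+rules candidates.
    # Usage: johnrar <rarfile> <wordlist>
    # Each candidate is tried with `rar t` (test only); the original used
    # `rar e -o+`, which extracted and overwrote files in the current directory
    # on every attempt.  Mirrors johnzip so the two behave the same.
    # Caveat: rar only accepts the password on its command line, so every
    # candidate is briefly visible in the process list to other local users.
    # Returns 0 when a password is found, 1 otherwise, 2 on usage error.
    if [ $# -ne 2 ]; then
        echo "Usage: johnrar <rarfile> <wordlist>" >&2
        return 2
    fi
    local rarfile=$1 wordlist=$2 candidate
    if [ ! -r "$rarfile" ] || [ ! -r "$wordlist" ]; then
        echo "johnrar: cannot read $rarfile or $wordlist" >&2
        return 1
    fi
    rar l "$rarfile"
    echo "Cracking...."
    # Process substitution rather than a pipe so `return` leaves the function
    # from inside the loop in bash as well as zsh.
    while IFS= read -r candidate; do
        printf '\rtrying "%s" ' "$candidate"
        if rar t -inul -p"$candidate" "$rarfile" >/dev/null 2>&1; then
            printf '\nArchive password is: "%s"\n' "$candidate"
            return 0
        fi
    done < <(john --wordlist="$wordlist" --rules --stdout)
    printf '\nPassword not found in wordlist.\n'
    return 1
}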
function pawnpls {
amir00t = $( whoami)
if [ " $amir00t " != "root" ]
then
echo "pawnpls needs root in order to be effective (eg. for nmap -sS scans)."
return
fi
if [ $# -ne 1 ]
then
echo "Are you sure? You need to specify a target. Be careful. This runs out of tor also, even if you have torsocks ;)"
return
fi
# Pass to the scan function, no active attacks, just scanning
pawnpls_tof_target = $1
dns_enum_tof
scan_enum_tof
active_attack_tof
}
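function dns_enum_tof {
    # Stage 1 of pawnpls: DNS / host reconnaissance of $pawnpls_tof_target.
    # Writes numbered result files plus dnsenum_history.txt under
    # ~/.ptz/<target>/result-enum-<timestamp>/ and returns to the caller's
    # directory (the original left the shell in $HOME).
    # Runs with torsocks OFF: traceroute, theharvester, fierce, dnsrecon and
    # dig all contact the target or third parties from your real address.
    # Returns 1 if the result directory cannot be created or entered.
    if [ "$debug" -eq 1 ]; then
        echo "Calling function dns_enum_tof"   # the original printed scan_enum_tof here
    fi
    . torsocks off
    local target=$pawnpls_tof_target
    local cdate workdir startdir
    cdate=$(date +"%Y-%m-%d-%H%M")
    workdir="$HOME/.ptz/$target/result-enum-$cdate"
    startdir=$PWD
    # The original `mkdir ...; cd ...` ignored failures and then wrote the
    # results into whatever directory the shell happened to be in.
    if ! mkdir -p "$workdir" || ! cd "$workdir"; then
        echo "dns_enum_tof: cannot create/enter $workdir" >&2
        return 1
    fi
    touch dnsenum_history.txt
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting traceroute." >> dnsenum_history.txt
    traceroute "$target" > "1_traceroute_${target}.txt"
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished traceroute." >> dnsenum_history.txt
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting theharvester." >> dnsenum_history.txt
    theharvester -d "$target" -b all -v > "2_harvester_${target}.txt"
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished theharvester." >> dnsenum_history.txt
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting fierce." >> dnsenum_history.txt
    #fierce -dns "$target" -wide > "3_fierce_${target}.txt" # wide takes too much time for this script
    fierce -dns "$target" > "3_fierce_${target}.txt"
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished fierce." >> dnsenum_history.txt
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting dnsrecon." >> dnsenum_history.txt
    # -t lists dnsrecon enumeration types (see `dnsrecon -h`); -c writes the
    # CSV that is parsed right below.
    dnsrecon -d "$target" -t std,brt,srv,axfr,goo --iw -a -s -c "./4_dnsrecon_${target}.txt"
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished dnsrecon." >> dnsenum_history.txt
    # Every IPv4 address in the dnsrecon output, one per line, deduplicated.
    grep -v 'hostnames found' "4_dnsrecon_${target}.txt" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > 5_ip_list_of_target.txt
    # Address ranges of the a.b.c.d-e form from fierce's "hostnames found" summary.
    grep 'hostnames found' "3_fierce_${target}.txt" | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > 6_ip_ranges_of_target.txt
    # vhost enumeration missing yet -- this is only a reverse lookup per address.
    local ipv
    while IFS= read -r ipv; do
        [ -n "$ipv" ] && dig +short -x "$ipv"
    done < 5_ip_list_of_target.txt >> 7_vhosts_enumerated.txt
    cd "$startdir"
}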
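function scan_enum_tof {
    # Stage 2 of pawnpls: host discovery, TCP/UDP port and service scans, NSE
    # script scans and searchsploit lookups against $pawnpls_tof_target.
    # Output goes to numbered files plus scan_history.txt under
    # ~/.ptz/<target>/result-scan-<timestamp>/; the shell returns to where it
    # was (the original left it in $HOME).  Needs root for -sS/-sU/-O (pawnpls
    # checks).  Runs with torsocks OFF -- raw-socket scans cannot be torified,
    # so the target sees your address.  Returns 1 if the result directory
    # cannot be created or entered.
    if [ "$debug" -eq 1 ]; then
        echo "Calling function scan_enum_tof"
    fi
    . torsocks off
    # Variables.  pawnpls passes exactly one target (host, domain or CIDR).
    local target=$pawnpls_tof_target
    # TCP ports used for SYN-ping discovery and for the default/safe/vuln script scan.
    local ports='21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211'
    # Initialize directory and naming structure
    local cdate workdir startdir
    cdate=$(date +"%Y-%m-%d-%H%M")
    workdir="$HOME/.ptz/$target/result-scan-$cdate"
    startdir=$PWD
    if ! mkdir -p "$workdir" || ! cd "$workdir"; then
        echo "scan_enum_tof: cannot create/enter $workdir" >&2
        return 1
    fi
    touch scan_history.txt
    # Start with standard alive scan and check ports on alive hosts
    # Get alive hosts
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting alive hosts scan." >> scan_history.txt
    nmap --randomize-hosts -sn -PS"$ports" "$target" -oG 1_alive_hosts.out
    local alive_hosts
    alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished alive hosts scan. Found hosts: $alive_hosts" >> scan_history.txt
    # Port scanning and version detection.
    # NOTE(review): alive_hosts is only logged; every scan below runs with -Pn
    # against the full target, so hosts that answered no SYN ping are scanned too.
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting port scans on alive hosts with top 1000." >> scan_history.txt
    nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 "$target" > 2_ports_and_service_top1000_on_alive_hosts.out
    # External parser, called without arguments (presumably reads the .out
    # above from the cwd -- confirm); then collapse runs of spaces.
    python ~/.zsh/agro_detection_parser.py | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
    local number_open_tcp_ports
    number_open_tcp_ports=$(grep -vc "Nmap scan report for" 3_ip_port_service.out) # It lists all ports, even unknown and faster to grep from here for this.
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished port scans on alive hosts with top 1000. Number of open ports: $number_open_tcp_ports" >> scan_history.txt
    # Run UDP scan on most common ports
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting UDP scans." >> scan_history.txt
    nmap -sU --top-ports 50 "$target" > 4_udpscan.out
    local number_open_udp_ports
    number_open_udp_ports=$(grep -c "open" 4_udpscan.out)
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished UDP scans. Number of open UDP ports: $number_open_udp_ports" >> scan_history.txt
    # Vulnerability scanning
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Starting simple vulnerbility scans." >> scan_history.txt
    nmap -n -p 21 --script=ftp-anon.nse "$target" > 5_nmap_script_ftpanon.txt
    # The script glob must be quoted: unquoted, zsh aborts the command with
    # "no matches found" before nmap ever runs (the asterisk issue noted in the original).
    nmap -sU -sS --script 'smb-enum-*' -p U:137,T:139 "$target" > 6_nmap_sbm_nse_scan.txt
    nmap -sS -n -p "$ports" --script=default,safe,vuln "$target" > 7_nmap_script_default-safe-vuln_scan.txt
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Started scan for automatic searchsploit." >> scan_history.txt
    # searchsploit --nmap needs the XML; -oA writes .xml/.nmap/.gnmap (default is top 1000 ports).
    nmap -sS -sV -sC -O --host-timeout=5m --max-hostgroup=1 -Pn "$target" -oA 8_nmap_for_searchsploit
    searchsploit -v --nmap 8_nmap_for_searchsploit.xml > 9_searchslpoit_results.txt
    rm -f -- 8_nmap_for_searchsploit.nmap 8_nmap_for_searchsploit.gnmap
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished the searchsploit queries. Outputs are in the relevant files." >> scan_history.txt
    # Single nmap for all TCP ports plus an extended UDP list: long (up to
    # 180m per host) but more thorough, and could replace the scans above.
    # NOTE(review): this run is NOT passive despite pawnpls' "just scanning"
    # comment -- the `brute` category guesses credentials and unsafe=1 enables
    # scripts that can crash services.  The brute library's arguments are, as
    # far as I know, userdb/passdb naming wordlist files; the literal
    # "userdb=admin,passwd=admin" looks like a mistake -- confirm before relying on it.
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Started all TCP ports / extended UDP scan for automatic searchsploit." >> scan_history.txt
    nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV -O --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=admin,passwd=admin" --host-timeout=180m --max-hostgroup=1 -Pn -oA 99_nmap_for_searchsploit "$target"
    searchsploit -v --nmap 99_nmap_for_searchsploit.xml > 99_allports_searchslpoit_results.txt
    rm -f -- 99_nmap_for_searchsploit.nmap 99_nmap_for_searchsploit.gnmap
    echo "$(date +"%Y-%m-%d-%H-%M-%S") Finished the extended ports scan and searchsploit queries. Outputs are in the relevant files." >> scan_history.txt
    cd "$startdir"
}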
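function active_attack_tof {
    # Stage 3 of pawnpls: active attacks (hydra, dirb, arachni, ...) against
    # $pawnpls_tof_target.  Currently a stub: it only creates the result
    # directory ~/.ptz/<target>/result-attack-<timestamp>/, sets the globals
    # below for the future attack commands, and returns to the caller's
    # directory.  Returns 1 if the directory cannot be created or entered.
    if [ "$debug" -eq 1 ]; then
        echo "Calling function active_attack_tof"
    fi
    . torsocks off
    local target=$pawnpls_tof_target
    local cdate workdir startdir
    cdate=$(date +"%Y-%m-%d-%H%M")
    workdir="$HOME/.ptz/$target/result-attack-$cdate"
    startdir=$PWD
    if ! mkdir -p "$workdir" || ! cd "$workdir"; then
        echo "active_attack_tof: cannot create/enter $workdir" >&2
        return 1
    fi
    # Preconfs -- left global on purpose: nothing reads them yet, but they are
    # meant for the attack commands still to be written.
    hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
    usernames="/usr/share/nmap/nselib/data/usernames.lst"
    passwords="/usr/share/nmap/nselib/data/passwords.lst"
    # TODO: run hydra, dirb, arachni and the others.  Credential guessing
    # against a target is not "just scanning" -- make sure the engagement
    # scope covers it before filling this in.
    cd "$startdir"
}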