Merging, fixing, making it better.
parent
b20f184f0e
commit
baf1de8b3d
12
README.md
12
README.md
|
@ -1,24 +1,20 @@
|
|||
Penetration Tester's Zsh
|
||||
========================
|
||||
|
||||
Goal: make penetration testing faster, more convinient, transparent and efficient.
|
||||
|
||||
Features planned: preconfigured functions (including tools), note knowledge base with practical examples, automated "dumb" pentesting.
|
||||
Goal: make the life of a hacker / penetration tester faster, more convinient, transparent and efficient.
|
||||
|
||||
Usability features: tor trigger (ton/tof), external ip check, tor check... and more to be added.
|
||||
|
||||
Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches.
|
||||
|
||||
Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. If the dependencies are not met, the functions will still run, but outputs will be empty - at least in the currently status.
|
||||
Works on Debian if the dependencies are met or on Kali "out of box". If the dependencies are not met, the functions will still run, but outputs will be empty or you get an alert.
|
||||
|
||||
|
||||
Install
|
||||
=======
|
||||
|
||||
Full console install: cd /tmp/ && git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/
|
||||
cd /tmp/ && git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/ && cd
|
||||
|
||||
Using only the pentest functions can be done by including just: pentest_functions.zsh
|
||||
If you want also the notes/knowledge database, you shoul add the v3das folder to you ~/.ptz/ folder.
|
||||
If you want also the notes/knowledge database, you should add the v3das folder to you ~/.ptz/ folder.
|
||||
|
||||
|
||||
General function of PTZ
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
alias py='python'
|
||||
alias py='python3'
|
||||
alias pl='perl'
|
||||
alias l='ls -l'
|
||||
alias xtr='extract'
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
function extract {
|
||||
echo Running extract on $1 ...
|
||||
if [ -f $1 ] ; then
|
||||
case $1 in
|
||||
*.tar.bz2) tar xjf $1 ;;
|
||||
*.tar.gz) tar xzf $1 ;;
|
||||
*.bz2) bunzip2 $1 ;;
|
||||
*.rar) unrar x $1 ;;
|
||||
*.gz) gunzip $1 ;;
|
||||
*.tar) tar xf $1 ;;
|
||||
*.tbz2) tar xjf $1 ;;
|
||||
*.tgz) tar xzf $1 ;;
|
||||
*.zip) unzip $1 ;;
|
||||
*.Z) uncompress $1 ;;
|
||||
*.7z) 7z x $1 ;;
|
||||
*.xz) unxz $1 ;;
|
||||
*) echo "'$1' cannot be extracted via extract()" ;;
|
||||
esac
|
||||
else
|
||||
echo "'$1' is not a valid file"
|
||||
fi
|
||||
}
|
||||
|
||||
function wttrb {
|
||||
curl wttr.in/budapest
|
||||
}
|
||||
|
||||
#function wttrk {
|
||||
# curl wttr.in/~Kilimanjaro
|
||||
#}
|
|
@ -1,222 +0,0 @@
|
|||
#!/bin/zsh
|
||||
# This file contains ideas/notes/examples to be added to the main pentest zsh file.
|
||||
|
||||
# Offensive part
|
||||
echo "Usage $0 domain.com [tor] [user wordlist] [password wordlist] [nessusURL:port] [nessususer] [nessuspassword]"
|
||||
|
||||
#echo "Updating searchsploit"
|
||||
#searchsploit -u
|
||||
|
||||
# TODO parse arguments correctly
|
||||
echo "[DEBUG] number of arguments $#"
|
||||
|
||||
|
||||
# VARIABLES
|
||||
currentdir=$(pwd)
|
||||
# hydra protocol not bruted by nmap
|
||||
hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
|
||||
#TODO provides usernames password in args
|
||||
usernames="/usr/share/nmap/nselib/data/usernames.lst"
|
||||
passwords="/usr/share/nmap/nselib/data/passwords.lst"
|
||||
# Nessus
|
||||
nessusapi=$5
|
||||
nessususer=$6
|
||||
nessuspass=$7
|
||||
|
||||
|
||||
# TODO low priority optimize tools location if not in Kali OS
|
||||
# nmap = which nmap
|
||||
# fierce = which fierce ...
|
||||
|
||||
|
||||
if [ $# -eq 0 ]; then echo "please provide something to pentest you dumb bear (ᵔᴥᵔ) ! :D" ; exit ; fi
|
||||
|
||||
if [ "$(id -u)" != "0" ]; then
|
||||
echo "This script must be run as root for Nmap scripting and syn scan." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Attacked domain
|
||||
domainattacked=$1;
|
||||
echo "Domain attacked is : $domainattacked !"
|
||||
|
||||
|
||||
# START RECON PART
|
||||
|
||||
# Enum domain with std wordlist
|
||||
echo "Enumerating domains ";
|
||||
fierce -dns $1 -wide -file targets.fierce
|
||||
# Dnsreconing
|
||||
dnsrecon -d $domainattacked -t std,brt,srv,axfr,goo --iw -a -s -c $currentdir/targets.dnsrecon
|
||||
echo "Enumerating domains ... DONE";
|
||||
# Robtex graph
|
||||
echo "Getting graph of the domain infrastructure"
|
||||
wget -qO $domainattacked.png "https://gfx.robtex.com/gfx/graph.png?dns=$domainattacked"
|
||||
# getting a traceroute for network device mapping
|
||||
traceroute $domainattacked > $domainattacked.traceroute
|
||||
tcptraceroute $domainattacked 80 >> $domainattacked.traceroute
|
||||
tcptraceroute $domainattacked 25 >> $domainattacked.traceroute
|
||||
|
||||
|
||||
# extract IPs
|
||||
cat targets.dnsrecon | grep -v 'hostnames found' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > ips.lst;
|
||||
echo "IPs extracted ! Ready to shoot."
|
||||
#extract IP ranges
|
||||
cat targets.fierce | grep 'hostnames found' | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > ipranges.lst
|
||||
echo "IPs ranges extracted as well. If you want to extend scan.";
|
||||
|
||||
# LEGACY add dig ANY targets , NS , SRV , ... done by dnsrecon now
|
||||
# dig +recurse +authority $domainattacked ANY | grep -v 'SERVER' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u >> ips.lst;
|
||||
|
||||
|
||||
# TODO extend IP detection with
|
||||
# rwhois ? SPF IP ?
|
||||
|
||||
|
||||
# TODO building custom userlist with harvester, add vhost and add ips ?
|
||||
echo "Harvesting info about domain $domainattacked"
|
||||
#theharvester -d $domainattacked -b all -v > $domainattacked.harvester
|
||||
#grep IP inside .harvester
|
||||
|
||||
# EXTENDING if requested extend scan to ip ranges
|
||||
# nmap -sL >> ips.lst
|
||||
|
||||
# CLEANING before starting if IPs added with other scripts
|
||||
# cat ips.lst | sort -u > finalips.lst
|
||||
|
||||
|
||||
# START SERVICES PART
|
||||
|
||||
# SERVICES ENUM FINGERPRINT + NSE VULN PART
|
||||
# main loop for IP
|
||||
for x in `cat ips.lst`; do
|
||||
|
||||
|
||||
|
||||
# create a dir per IP for db txt files
|
||||
mkdir $x;
|
||||
echo "Enumerating ports and services, vuln scanning and brute forcing ... jeez thats alota work";
|
||||
|
||||
# full scan
|
||||
# echo "Full nmap scan start"
|
||||
# nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=$usernames,passwd=$passwords" --host-timeout=180m --max-hostgroup=1 -Pn -v $x -oA $x/nmapresults
|
||||
# reduced scan for TESTING
|
||||
echo "[DEBUG] TEST MODE for nmap sS top1k ONLY"
|
||||
nmap -sS -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --host-timeout=30m --max-hostgroup=1 -Pn $x -oA $x/nmapresults
|
||||
echo "Nmap fingerprinting and NSE for $x... DONE";
|
||||
|
||||
# TODO
|
||||
|
||||
echo "[UNDER CONSTRUCTION] Nessus API Scan";
|
||||
echo "Starting the Nessus scan ..."
|
||||
token=`curl -k -X POST -H 'Content-Type: application/json' -d '{"username":"$nessususer","password":"$nessuspassword"}' "https://$nessusurl/session"`
|
||||
|
||||
# echo "Adding targets to FULL scan"
|
||||
#+ call nessus api
|
||||
# get results in the end
|
||||
|
||||
|
||||
# TODO service / version detection for smarter brute force and searchsploit
|
||||
# echo "[UNDER CONSTRUCTION] Smart protocol detection for hydra ..."
|
||||
# cat nmapresults.xml | grep "port protocol" | cut -d '"' -f12
|
||||
|
||||
|
||||
#getting nmap CPE version of services and using Searchsploit
|
||||
# REPORT services version and cleaning the file
|
||||
echo -n "" > $x/version.services
|
||||
for z in `cat $x/nmapresults.xml | grep '<cpe>'`; do echo $z | grep -ozP "(?s)<cpe>.*?(?=</cpe>)" >> $x/version.services && echo "" >> $x/version.services; done
|
||||
|
||||
# REPORT exploitdb search from nmap
|
||||
echo "Searching interesting vulnerabilities for target $x"
|
||||
#legacy searchsploit for a in $(cat $x/version.services); do echo $a | cut -d : -f3-5 | tr ":" " " | cut -d '.' -f1 >> $x/version.exploits; done
|
||||
searchsploit -v --nmap $x/nmapresults.xml > $x/version.exploits;
|
||||
|
||||
# TODO ADD default credentials
|
||||
|
||||
|
||||
#### Brute force non nmap
|
||||
# TODO optimtize per port
|
||||
echo "STARTING additional BRUTE FORCE PART with hydra";
|
||||
echo "[DEBUG] not bruting for faster testing";
|
||||
for b in ${hydrabruteprotocol[@]}; do hydra -L $usernames -P $passwords -o $x/validuserpass.hydra $b://$x; done;
|
||||
echo "FINISHED additional hydra BRUTE FORCE";
|
||||
|
||||
|
||||
echo "Enumerating ports and services, fingerprinting, vuln scanning and brute forcing .... DONE ";
|
||||
|
||||
|
||||
##################### STOP SERVICES PART
|
||||
|
||||
|
||||
###################### START WEB PART
|
||||
#### WEB VULNS PART
|
||||
echo "Web pentesting now ...";
|
||||
# vhost enum
|
||||
echo "Vhost enum"
|
||||
# adding the IP as vhost , often forgotten
|
||||
echo "$x" >> $x/vhost.list;
|
||||
# manual reverse PTR in case there is none
|
||||
cat targets.dnsrecon | grep $x | grep '^A' | cut -d ',' -f2 >> $x/vhost.list;
|
||||
# reverse PTR
|
||||
dig +short -x $x >> $x/vhost.list;
|
||||
# using robtex from nmap
|
||||
awk '/hostmap-robtex/{f=1;next} /ip-geolocation-geoplugin/{f=0} f' $x/nmapresults.nmap >> $x/vhost.list; # extract vhosts from NMAP robtex script
|
||||
# adding hackertarget vhost
|
||||
timeout 2m curl "http://api.hackertarget.com/reverseiplookup/?q=$x" >> vhost.list;
|
||||
# TO DO add harvester ?
|
||||
# sorting vhosts
|
||||
sort -u $x/vhost.list > $x/vhost.sorted;
|
||||
|
||||
echo "Start port loop for $x"
|
||||
|
||||
# if HTTP port test
|
||||
for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep ' http ' | cut -d '/' -f1`;
|
||||
### WEB RECON
|
||||
do echo "start vhost loop for IP $y";
|
||||
for z in `cat $x/vhost.sorted`;
|
||||
# dirb for each vhost
|
||||
do dirb "http://$z:$y" -f -l > "$x/enum$z.dirb";
|
||||
### WEB fingerprint
|
||||
whatweb -v "http://$z:$y";
|
||||
# nikto for each vhost
|
||||
nikto -host "http://$z:$y" > "$x/$z.nikto";
|
||||
|
||||
# arachni
|
||||
# arachni
|
||||
|
||||
# sqlmap for earch vhost
|
||||
#sqlmap --crawl=2 --forms --batch
|
||||
|
||||
done; ## end vhost loop
|
||||
done; ## end nmap port loop
|
||||
|
||||
|
||||
# if HTTPS port
|
||||
# TO DO again
|
||||
# copy pasta
|
||||
# for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep 'ssl/http' | cut -d '/' -f1`;
|
||||
|
||||
done; ## end IP loop
|
||||
|
||||
|
||||
# REPORT VULNS FOUND
|
||||
echo "======================================"
|
||||
echo "Vulnerability summary from NSE Scripts"
|
||||
echo ""
|
||||
grep -i "vulner" -B1 */nmapresults.nmap
|
||||
echo "You might also need to read manually also the .nmap as vulnerable state is not harmonized through NSE"
|
||||
echo ""
|
||||
|
||||
echo "======================================"
|
||||
echo "ExploitDB research results"
|
||||
echo ""
|
||||
echo "Interesting exploits found: "
|
||||
cat */version.exploits
|
||||
echo ""
|
||||
|
||||
echo "======================================"
|
||||
echo "Bruteforce results"
|
||||
echo ""
|
||||
echo "Valid passwords found: "
|
||||
cat */validuserpass.hydra
|
||||
echo ""
|
|
@ -7,6 +7,8 @@
|
|||
# Provided IP -> vhost enum -> scan everything connected-> Identify services -> Vuln scan -> Add to queryable db
|
||||
# Provided domain name -> ip enum -> scan everything connected -> Identify services -> Vuln scan -> Add to queryable db
|
||||
|
||||
## v3das
|
||||
|
||||
fpath=(~/.ptz/v3das $fpath)
|
||||
autoload -U compinit
|
||||
compinit
|
||||
|
@ -32,6 +34,37 @@ function n {
|
|||
}
|
||||
|
||||
|
||||
## Extract files
|
||||
|
||||
function extract {
|
||||
echo Running extract on $1 ...
|
||||
if [ -f $1 ] ; then
|
||||
case $1 in
|
||||
*.tar.bz2) tar xjf $1 ;;
|
||||
*.tar.gz) tar xzf $1 ;;
|
||||
*.bz2) bunzip2 $1 ;;
|
||||
*.rar) unrar x $1 ;;
|
||||
*.gz) gunzip $1 ;;
|
||||
*.tar) tar xf $1 ;;
|
||||
*.tbz2) tar xjf $1 ;;
|
||||
*.tgz) tar xzf $1 ;;
|
||||
*.zip) unzip $1 ;;
|
||||
*.Z) uncompress $1 ;;
|
||||
*.7z) 7z x $1 ;;
|
||||
*.xz) unxz $1 ;;
|
||||
*) echo "'$1' cannot be extracted via extract()" ;;
|
||||
esac
|
||||
else
|
||||
echo "'$1' is not a valid file"
|
||||
fi
|
||||
}
|
||||
|
||||
function wttrb {
|
||||
# sorry, but they dont have a vaild cert and it's still better than http
|
||||
curl --insecure wttr.in/budapest
|
||||
}
|
||||
|
||||
|
||||
function ptzdepchk {
|
||||
# check if dependencies are met or not
|
||||
type python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
|
||||
|
@ -127,6 +160,9 @@ function rnd {
|
|||
}
|
||||
|
||||
|
||||
|
||||
## Pentesting
|
||||
|
||||
function johnzip {
|
||||
if [ $# -ne 2 ]
|
||||
then
|
Loading…
Reference in New Issue