Merging, fixing, making it better.

master
sıx 2018-04-19 23:28:34 +02:00
parent b20f184f0e
commit baf1de8b3d
5 changed files with 43 additions and 261 deletions

View File

@ -1,24 +1,20 @@
Penetration Tester's Zsh
========================
Goal: make penetration testing faster, more convinient, transparent and efficient.
Features planned: preconfigured functions (including tools), note knowledge base with practical examples, automated "dumb" pentesting.
Goal: make the life of a hacker / penetration tester faster, more convinient, transparent and efficient.
Usability features: tor trigger (ton/tof), external ip check, tor check... and more to be added.
Note: this project is a work in progress which we develop with one of my friend in our free time. If you use it, be prepared for some glitches.
Works on Debian if the dependencies are met or on Kali. Probably works on Pentoo also. If the dependencies are not met, the functions will still run, but outputs will be empty - at least in the currently status.
Works on Debian if the dependencies are met or on Kali "out of box". If the dependencies are not met, the functions will still run, but outputs will be empty or you get an alert.
Install
=======
Full console install: cd /tmp/ && git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/
cd /tmp/ && git clone https://github.com/51x/PTZ && cd PTZ && cp profile_files/.* -R ~/ && cd
Using only the pentest functions can be done by including just: pentest_functions.zsh
If you want also the notes/knowledge database, you shoul add the v3das folder to you ~/.ptz/ folder.
If you want also the notes/knowledge database, you should add the v3das folder to you ~/.ptz/ folder.
General function of PTZ

View File

@ -1,2 +1,4 @@
alias py='python'
alias py='python3'
alias pl='perl'
alias l='ls -l'
alias xtr='extract'

View File

@ -1,30 +0,0 @@
function extract {
echo Running extract on $1 ...
if [ -f $1 ] ; then
case $1 in
*.tar.bz2) tar xjf $1 ;;
*.tar.gz) tar xzf $1 ;;
*.bz2) bunzip2 $1 ;;
*.rar) unrar x $1 ;;
*.gz) gunzip $1 ;;
*.tar) tar xf $1 ;;
*.tbz2) tar xjf $1 ;;
*.tgz) tar xzf $1 ;;
*.zip) unzip $1 ;;
*.Z) uncompress $1 ;;
*.7z) 7z x $1 ;;
*.xz) unxz $1 ;;
*) echo "'$1' cannot be extracted via extract()" ;;
esac
else
echo "'$1' is not a valid file"
fi
}
function wttrb {
curl wttr.in/budapest
}
#function wttrk {
# curl wttr.in/~Kilimanjaro
#}

View File

@ -1,222 +0,0 @@
#!/bin/zsh
# This file contains ideas/notes/examples to be added to the main pentest zsh file.
# Offensive part
echo "Usage $0 domain.com [tor] [user wordlist] [password wordlist] [nessusURL:port] [nessususer] [nessuspassword]"
#echo "Updating searchsploit"
#searchsploit -u
# TODO parse arguments correctly
echo "[DEBUG] number of arguments $#"
# VARIABLES
currentdir=$(pwd)
# hydra protocol not bruted by nmap
hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
#TODO provides usernames password in args
usernames="/usr/share/nmap/nselib/data/usernames.lst"
passwords="/usr/share/nmap/nselib/data/passwords.lst"
# Nessus
nessusapi=$5
nessususer=$6
nessuspass=$7
# TODO low priority optimize tools location if not in Kali OS
# nmap = which nmap
# fierce = which fierce ...
if [ $# -eq 0 ]; then echo "please provide something to pentest you dumb bear (ᵔᴥᵔ) ! :D" ; exit ; fi
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root for Nmap scripting and syn scan." 1>&2
exit 1
fi
# Attacked domain
domainattacked=$1;
echo "Domain attacked is : $domainattacked !"
# START RECON PART
# Enum domain with std wordlist
echo "Enumerating domains ";
fierce -dns $1 -wide -file targets.fierce
# Dnsreconing
dnsrecon -d $domainattacked -t std,brt,srv,axfr,goo --iw -a -s -c $currentdir/targets.dnsrecon
echo "Enumerating domains ... DONE";
# Robtex graph
echo "Getting graph of the domain infrastructure"
wget -qO $domainattacked.png "https://gfx.robtex.com/gfx/graph.png?dns=$domainattacked"
# getting a traceroute for network device mapping
traceroute $domainattacked > $domainattacked.traceroute
tcptraceroute $domainattacked 80 >> $domainattacked.traceroute
tcptraceroute $domainattacked 25 >> $domainattacked.traceroute
# extract IPs
cat targets.dnsrecon | grep -v 'hostnames found' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > ips.lst;
echo "IPs extracted ! Ready to shoot."
#extract IP ranges
cat targets.fierce | grep 'hostnames found' | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > ipranges.lst
echo "IPs ranges extracted as well. If you want to extend scan.";
# LEGACY add dig ANY targets , NS , SRV , ... done by dnsrecon now
# dig +recurse +authority $domainattacked ANY | grep -v 'SERVER' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u >> ips.lst;
# TODO extend IP detection with
# rwhois ? SPF IP ?
# TODO building custom userlist with harvester, add vhost and add ips ?
echo "Harvesting info about domain $domainattacked"
#theharvester -d $domainattacked -b all -v > $domainattacked.harvester
#grep IP inside .harvester
# EXTENDING if requested extend scan to ip ranges
# nmap -sL >> ips.lst
# CLEANING before starting if IPs added with other scripts
# cat ips.lst | sort -u > finalips.lst
# START SERVICES PART
# SERVICES ENUM FINGERPRINT + NSE VULN PART
# main loop for IP
for x in `cat ips.lst`; do
# create a dir per IP for db txt files
mkdir $x;
echo "Enumerating ports and services, vuln scanning and brute forcing ... jeez thats alota work";
# full scan
# echo "Full nmap scan start"
# nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=$usernames,passwd=$passwords" --host-timeout=180m --max-hostgroup=1 -Pn -v $x -oA $x/nmapresults
# reduced scan for TESTING
echo "[DEBUG] TEST MODE for nmap sS top1k ONLY"
nmap -sS -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --host-timeout=30m --max-hostgroup=1 -Pn $x -oA $x/nmapresults
echo "Nmap fingerprinting and NSE for $x... DONE";
# TODO
echo "[UNDER CONSTRUCTION] Nessus API Scan";
echo "Starting the Nessus scan ..."
token=`curl -k -X POST -H 'Content-Type: application/json' -d '{"username":"$nessususer","password":"$nessuspassword"}' "https://$nessusurl/session"`
# echo "Adding targets to FULL scan"
#+ call nessus api
# get results in the end
# TODO service / version detection for smarter brute force and searchsploit
# echo "[UNDER CONSTRUCTION] Smart protocol detection for hydra ..."
# cat nmapresults.xml | grep "port protocol" | cut -d '"' -f12
#getting nmap CPE version of services and using Searchsploit
# REPORT services version and cleaning the file
echo -n "" > $x/version.services
for z in `cat $x/nmapresults.xml | grep '<cpe>'`; do echo $z | grep -ozP "(?s)<cpe>.*?(?=</cpe>)" >> $x/version.services && echo "" >> $x/version.services; done
# REPORT exploitdb search from nmap
echo "Searching interesting vulnerabilities for target $x"
#legacy searchsploit for a in $(cat $x/version.services); do echo $a | cut -d : -f3-5 | tr ":" " " | cut -d '.' -f1 >> $x/version.exploits; done
searchsploit -v --nmap $x/nmapresults.xml > $x/version.exploits;
# TODO ADD default credentials
#### Brute force non nmap
# TODO optimtize per port
echo "STARTING additional BRUTE FORCE PART with hydra";
echo "[DEBUG] not bruting for faster testing";
for b in ${hydrabruteprotocol[@]}; do hydra -L $usernames -P $passwords -o $x/validuserpass.hydra $b://$x; done;
echo "FINISHED additional hydra BRUTE FORCE";
echo "Enumerating ports and services, fingerprinting, vuln scanning and brute forcing .... DONE ";
##################### STOP SERVICES PART
###################### START WEB PART
#### WEB VULNS PART
echo "Web pentesting now ...";
# vhost enum
echo "Vhost enum"
# adding the IP as vhost , often forgotten
echo "$x" >> $x/vhost.list;
# manual reverse PTR in case there is none
cat targets.dnsrecon | grep $x | grep '^A' | cut -d ',' -f2 >> $x/vhost.list;
# reverse PTR
dig +short -x $x >> $x/vhost.list;
# using robtex from nmap
awk '/hostmap-robtex/{f=1;next} /ip-geolocation-geoplugin/{f=0} f' $x/nmapresults.nmap >> $x/vhost.list; # extract vhosts from NMAP robtex script
# adding hackertarget vhost
timeout 2m curl "http://api.hackertarget.com/reverseiplookup/?q=$x" >> vhost.list;
# TO DO add harvester ?
# sorting vhosts
sort -u $x/vhost.list > $x/vhost.sorted;
echo "Start port loop for $x"
# if HTTP port test
for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep ' http ' | cut -d '/' -f1`;
### WEB RECON
do echo "start vhost loop for IP $y";
for z in `cat $x/vhost.sorted`;
# dirb for each vhost
do dirb "http://$z:$y" -f -l > "$x/enum$z.dirb";
### WEB fingerprint
whatweb -v "http://$z:$y";
# nikto for each vhost
nikto -host "http://$z:$y" > "$x/$z.nikto";
# arachni
# arachni
# sqlmap for earch vhost
#sqlmap --crawl=2 --forms --batch
done; ## end vhost loop
done; ## end nmap port loop
# if HTTPS port
# TO DO again
# copy pasta
# for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep 'ssl/http' | cut -d '/' -f1`;
done; ## end IP loop
# REPORT VULNS FOUND
echo "======================================"
echo "Vulnerability summary from NSE Scripts"
echo ""
grep -i "vulner" -B1 */nmapresults.nmap
echo "You might also need to read manually also the .nmap as vulnerable state is not harmonized through NSE"
echo ""
echo "======================================"
echo "ExploitDB research results"
echo ""
echo "Interesting exploits found: "
cat */version.exploits
echo ""
echo "======================================"
echo "Bruteforce results"
echo ""
echo "Valid passwords found: "
cat */validuserpass.hydra
echo ""

View File

@ -7,6 +7,8 @@
# Provided IP -> vhost enum -> scan everything connected-> Identify services -> Vuln scan -> Add to queryable db
# Provided domain name -> ip enum -> scan everything connected -> Identify services -> Vuln scan -> Add to queryable db
## v3das
fpath=(~/.ptz/v3das $fpath)
autoload -U compinit
compinit
@ -32,6 +34,37 @@ function n {
}
## Extract files
function extract {
echo Running extract on $1 ...
if [ -f $1 ] ; then
case $1 in
*.tar.bz2) tar xjf $1 ;;
*.tar.gz) tar xzf $1 ;;
*.bz2) bunzip2 $1 ;;
*.rar) unrar x $1 ;;
*.gz) gunzip $1 ;;
*.tar) tar xf $1 ;;
*.tbz2) tar xjf $1 ;;
*.tgz) tar xzf $1 ;;
*.zip) unzip $1 ;;
*.Z) uncompress $1 ;;
*.7z) 7z x $1 ;;
*.xz) unxz $1 ;;
*) echo "'$1' cannot be extracted via extract()" ;;
esac
else
echo "'$1' is not a valid file"
fi
}
function wttrb {
# sorry, but they dont have a vaild cert and it's still better than http
curl --insecure wttr.in/budapest
}
function ptzdepchk {
# check if dependencies are met or not
type python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
@ -127,6 +160,9 @@ function rnd {
}
## Pentesting
function johnzip {
if [ $# -ne 2 ]
then