# Experimental version!
# Any commit can highly modify anything currently!
#
# This is the main file of PTZ.
#
# Logic
# Provided IP -> vhost enum -> scan everything connected-> Identify services -> Vuln scan -> Add to queryable db
# Provided domain name -> ip enum -> scan everything connected -> Identify services -> Vuln scan -> Add to queryable db
#
# NOTE(review): this file is zsh, not bash: it sets fpath, calls autoload/compinit/zstyle,
# relies on `echo "\n..."` interpreting escapes and on `$0` being the function name
# inside a function. It is meant to be sourced from an interactive zsh (there is no
# shebang), and the helpers below would misbehave under bash.
#
# NOTE(review): the copy reviewed here had all line breaks collapsed; the layout
# below is reconstructed from the code's own syntax. One region (see `wip`) is
# truncated and could not be recovered.

# Set to 1 to get a "Calling function ..." trace from the *_tof helpers.
debug=0

# Completion setup: the knowledge-base directory is put on the completion
# function path (so `n <TAB>` can be completed from it) and menu completion is
# enabled once there are at least 2 candidates.
fpath=(~/.ptz/v3das $fpath)
autoload -U compinit
compinit
zstyle ':completion:*' menu select=2

# List the available knowledge-base topics.
# Prints each file under ~/.ptz/v3das as its basename with everything after the
# first dot removed, skipping names that start with "_n" (presumably the zsh
# completion function for `n` that lives in the same directory — verify).
# Note: an empty directory makes the glob fail in zsh (no-match error) rather
# than printing nothing.
function nls {
  echo "\nYou can get help from the following topics:\n"
  for f in ~/.ptz/v3das/* ; do
    echo $f | rev | cut -d'/' -f1 | rev | cut -d'.' -f1 | egrep -v "^_n"
  done
  echo ""
}

# Print one knowledge-base file to stdout.
# Arguments: $1 - topic name (a file name under ~/.ptz/v3das)
function n {
  # query knowledgebase, use tab after n
  # NOTE(review): two bugs cancel out here. A tilde inside double quotes is not
  # expanded, so `-d "~/.ptz/v3das"` tests for a literal directory named "~" and
  # is effectively always false; and the branches are inverted (an existing
  # directory would print "missing"). The net effect is that the else branch
  # always runs. Also, $1 is spliced into the path unvalidated, so a topic
  # containing "../" reads files outside the knowledge base.
  if [ -d "~/.ptz/v3das" ]
  then
    echo "knowledge base / notes are missing"
  else
    cat ~/.ptz/v3das/$1
  fi
}

# Report which of the external tools this file depends on are not installed.
# Each missing tool produces one line on stderr; the function itself always
# returns 0, so callers cannot use its status to decide anything.
# NOTE(review): the list does not match what the file actually calls — `dig`
# (check commented out below) and `dnsrecon` (never checked) are both used by
# dns_enum_tof, while `dnsenum` is checked but not used in this file.
function ptzdepchk {
  # check if dependencies are met or not
  type python >/dev/null 2>&1 || { echo >&2 "python is missing."; }
  type wget >/dev/null 2>&1 || { echo >&2 "wget is missing."; }
  type openssl >/dev/null 2>&1 || { echo >&2 "openssl is missing."; }
  type john >/dev/null 2>&1 || { echo >&2 "john is missing."; }
  type rar >/dev/null 2>&1 || { echo >&2 "rar is missing."; }
  type zip >/dev/null 2>&1 || { echo >&2 "zip is missing."; }
  type unzip >/dev/null 2>&1 || { echo >&2 "unzip is missing."; }
  type tor >/dev/null 2>&1 || { echo >&2 "tor is missing."; }
  type torsocks >/dev/null 2>&1 || { echo >&2 "torsocks is missing."; }
  type traceroute >/dev/null 2>&1 || { echo >&2 "traceroute is missing."; }
  type theharvester >/dev/null 2>&1 || { echo >&2 "theharvester is missing."; }
  type dnsenum >/dev/null 2>&1 || { echo >&2 "dnsenum is missing."; }
  type fierce >/dev/null 2>&1 || { echo >&2 "fierce is missing."; }
  type nmap >/dev/null 2>&1 || { echo >&2 "nmap is missing."; }
  type searchsploit >/dev/null 2>&1 || { echo >&2 "searchsploit is missing."; }
  #type dig >/dev/null 2>&1 || { echo >&2 "dig is missing."; }
  #type curl >/dev/null 2>&1 || { echo >&2 "curl is missing."; }
  #type arachni >/dev/null 2>&1 || { echo >&2 "arachni is missing."; }
  #type hydra >/dev/null 2>&1 || { echo >&2 "hydra is missing."; }
  #type dirb >/dev/null 2>&1 || { echo >&2 "dirb is missing."; }
}

# Route this shell's traffic through Tor: sources the torsocks shell helper
# with "on" (presumably exports the LD_PRELOAD wrapper into the current shell;
# sourced rather than executed so the change persists).
function ton {
  . torsocks on
}

# Undo `ton` for the current shell.
function tof {
  . torsocks off
}

# Check whether outbound HTTP really goes through Tor.
# Fetches check.torproject.org with a fixed browser User-Agent string and prints
# only the "Congratulations..." or "Sorry..." verdict line (case-insensitive,
# adjacent duplicates collapsed by uniq). Prints nothing if the fetch fails or
# the page wording changes.
function tip {
  # check if tor is really used or not
  wget -qO- https://check.torproject.org/ -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" | egrep -i "Congratulations. This browser is configured to use Tor.|Sorry. You are not using Tor." | uniq
}

# Print this host's public IP as seen from the internet.
# Picks one of two echo services at random (`$RANDOM -gt $RANDOM` is a coin
# flip) so neither service sees every lookup. Same fixed User-Agent as `tip`.
function wip {
  # check public ip
  if [ $RANDOM -gt $RANDOM ]
  then
    wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" ipecho.net/plain
  else
    wget -qO- -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" icanhazip.com
  fi
  # NOTE(review): this copy of the file is damaged here. The curl comment below
  # is cut off in the middle of its sed expression, and the text that follows it
  # on the same comment line (`... | grep "HTTP/" echo "\nHTTPS responses" wget
  # --spider -S "https://$1:$2/" ...`) looks like the tail of a separate
  # "show HTTP/HTTPS response headers for host $1 port $2" helper whose own
  # header, HTTP branch and the closing brace of `wip` were lost. It is kept as
  # comment text, byte for byte, so nothing runs inside the wrong function;
  # restore this region from the upstream copy before relying on it.
  # curl -s checkip.dyndns.org | sed 's#.*Address: \(.*\)&1 | grep "HTTP/" echo "\nHTTPS responses" wget --spider -S "https://$1:$2/" 2>&1 | grep "HTTP/"
}

# Show the certificate chain a TLS server presents.
# Arguments: $1 - host, $2 - port
# openssl s_client keeps the connection open and reads stdin after the
# handshake; close stdin (Ctrl-D) to return to the prompt.
function chkcrt {
  # check ssl certificate of a server
  openssl s_client -showcerts -connect $1:$2
}

# Print four random strings drawn from /dev/urandom, filtered to the tr class
# `_A-Z-a-z-0-9` (letters, digits and, as tr parses it, `_`/`-`).
# Arguments: $1 - optional length. Without it the lines are 8, 16, 32 and 64
# characters; with it every one of the four lines uses the same length $1,
# because each `${1:-N}` default only applies when $1 is absent.
function rnd {
  # get some random characters
  cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;
  cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo;
  cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;
  cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-64};echo;
}

# Dictionary test of a password-protected zip archive (for recovering one's own
# archive password).
# Arguments: $1 - zip file, $2 - wordlist passed to john --rules --stdout
# Prints the first candidate for which `unzip` succeeds and returns; prints
# nothing conclusive if the list is exhausted. STATUS is a global, not local.
# NOTE(review): the usage message has lost its argument placeholders (possibly
# stripped on extraction). In zsh, $0 inside a function is the function name.
# NOTE(review): `for i in $(john ...)` word-splits the candidates, so entries
# containing whitespace are tried as separate fragments and never as written.
function johnzip {
  if [ $# -ne 2 ]
  then
    echo "Usage $0 "
    return
  fi
  echo "Unzip test..."
  unzip -l $1
  echo "Cracking...."
  for i in $(john --wordlist=$2 --rules --stdout)
  do
    echo -ne "\rtrying \"$i\" "
    # -o overwrites: a successful try extracts the archive into the current directory.
    unzip -o -P $i $1 >/dev/null 2>&1
    STATUS=$?
    if [ $STATUS -eq 0 ]; then
      echo -e "\nArchive password is: \"$i\""
      return
    fi
  done
}

# Same as johnzip for rar archives.
# Arguments: $1 - rar file, $2 - wordlist
# Candidates are streamed from john through a pipe instead of a for loop, so
# lines are kept intact (but `read` without -r still interprets backslashes).
# The `return` inside the loop works because zsh runs the last stage of a
# pipeline in the current shell; under bash it would only leave the subshell.
function johnrar {
  if [ $# -ne 2 ]
  then
    echo "Usage $0 "
  else
    rar l $1
    echo "Cracking...."
    john --wordlist=$2 --rules --stdout | while read i
    do
      echo -ne "\rtrying \"$i\" "
      # -o+ overwrites: a successful try extracts the archive into the current directory.
      rar e -o+ -inul -p$i $1 >/dev/null
      STATUS=$?
      if [ $STATUS -eq "0" ]; then
        echo -e "\nArchive password is: \"$i\""
        return
      fi
    done
  fi
}

# Entry point of the recon/scan pipeline described in the header.
# Arguments: $1 - target (IP or domain name). Requires root (checked via whoami).
# The target is handed to the three stage functions through the global
# `pawnpls_tof_target`, not as an argument. Every stage sources `torsocks off`
# first, which is what the "runs out of tor" warning refers to: results of
# these stages leave the host directly.
# NOTE(review): the comment "no active attacks, just scanning" is only true
# because active_attack_tof is currently a stub (see below); revisit it if that
# function is ever filled in.
function pawnpls {
  amir00t=$(whoami)
  if [ "$amir00t" != "root" ]
  then
    echo "pawnpls needs root in order to be effective (eg. for nmap -sS scans)."
    return
  fi
  if [ $# -ne 1 ]
  then
    echo "Are you sure? You need to specify a target. Be careful. This runs out of tor also, even if you have torsocks ;)"
    return
  fi
  # Pass to the scan function, no active attacks, just scanning
  pawnpls_tof_target=$1
  dns_enum_tof
  scan_enum_tof
  active_attack_tof
}

# Stage 1: DNS / host enumeration for `pawnpls_tof_target`.
# Writes numbered result files and a timestamped dnsenum_history.txt under
# ~/.ptz/<target>/result-enum-<date>, then `cd`s back to $HOME.
# Outputs: 1_traceroute, 2_harvester, 3_fierce, 4_dnsrecon (csv), 5_ip_list
# (IPv4 addresses grepped from the dnsrecon output), 6_ip_ranges (range-looking
# tokens grepped from fierce's "hostnames found" lines), 7_vhosts (reverse DNS
# of every address in 5_ip_list).
# NOTE(review): `cd ~/$dettmpfold` is unchecked; if mkdir or cd fails, all the
# result files land in whatever directory the shell was in. The target string is
# also used verbatim as a path component, so a target containing "/" or ".."
# changes where results are written.
# NOTE(review): the debug message says "scan_enum_tof" — copy/paste slip, it
# should name dns_enum_tof.
function dns_enum_tof {
  if [ $debug -eq 1 ]
  then
    echo "Calling function scan_enum_tof"
  fi
  . torsocks off
  dnstarg=($pawnpls_tof_target)
  cdate=$(date +"%Y-%m-%d-%H%M")
  dettmpfold=".ptz/$pawnpls_tof_target/result-enum-$cdate"
  mkdir -p ~/$dettmpfold
  cd ~/$dettmpfold
  touch dnsenum_history.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting traceroute." >> dnsenum_history.txt
  traceroute $dnstarg > 1_traceroute_$pawnpls_tof_target.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished traceroute." >> dnsenum_history.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting theharvester." >> dnsenum_history.txt
  theharvester -d $dnstarg -b all -v > 2_harvester_$pawnpls_tof_target.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished theharvester." >> dnsenum_history.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting fierce." >> dnsenum_history.txt
  #fierce -dns $dnstarg -wide > 3_fierce_$pawnpls_tof_target.txt # wide takes too much time for this script
  fierce -dns $dnstarg > 3_fierce_$pawnpls_tof_target.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished fierce." >> dnsenum_history.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting dnsrecon." >> dnsenum_history.txt
  # dnsrecon is not covered by ptzdepchk; -c writes its csv report to the 4_ file.
  dnsrecon -d $dnstarg -t std,brt,srv,axfr,goo --iw -a -s -c ./4_dnsrecon_$pawnpls_tof_target.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished dnsrecon." >> dnsenum_history.txt
  # Unique IPv4-looking tokens from the dnsrecon csv (no octet range check, so 999.1.1.1 would pass).
  cat 4_dnsrecon_$pawnpls_tof_target.txt | grep -v 'hostnames found' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > 5_ip_list_of_target.txt
  # Tokens of the form a.b.c.d-e from fierce's summary lines — presumably its address ranges; verify against fierce's output format.
  cat 3_fierce_$pawnpls_tof_target.txt | grep 'hostnames found' | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > 6_ip_ranges_of_target.txt
  # vhost enumeration missing yet
  # Reverse lookups only; `dig` is used here although its ptzdepchk line is commented out.
  while read ipv ; do dig +short -x $ipv >> 7_vhosts_enumerated.txt ; done < 5_ip_list_of_target.txt
  cd
}

# Stage 2: port / service / script scans of `pawnpls_tof_target` with nmap,
# followed by searchsploit lookups driven by nmap's XML output.
# Writes numbered result files and scan_history.txt under
# ~/.ptz/<target>/result-scan-<date>, then `cd`s back to $HOME.
# NOTE(review): `alive_hosts` is computed from 1_alive_hosts.out and logged, but
# every later nmap call scans `$targetx` (the original target) — the "on alive
# hosts" wording in the comments and history lines does not reflect the code.
# NOTE(review): as in dns_enum_tof, `cd ~/$sctmpfold` is unchecked.
# NOTE(review): `python ~/.zsh/agro_detection_parser.py` is an external script not
# shown here; it is given no arguments, so what it reads (presumably the 2_ file
# or nmap's own output) cannot be confirmed from this file.
function scan_enum_tof {
  if [ $debug -eq 1 ]
  then
    echo "Calling function scan_enum_tof"
  fi
  . torsocks off
  # Variables
  targetx=($pawnpls_tof_target) # Space delimited!
  # Single-element array holding the comma-separated port list used by the -PS probe and the 7_ scan.
  ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211)
  # Initialize directory and naming structure
  cdate=$(date +"%Y-%m-%d-%H%M")
  sctmpfold=".ptz/$pawnpls_tof_target/result-scan-$cdate"
  mkdir -p ~/$sctmpfold
  cd ~/$sctmpfold
  touch scan_history.txt
  # Start with standard alive scan and check ports on alive hosts
  # Get alive hosts
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt
  nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out
  # Second field of each "Status: Up" grepable line, joined with spaces — only used for the history entry.
  alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt
  # Port scanning on alive hosts and version detection
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." >> scan_history.txt
  nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out
  # sed: on lines containing a space, squeeze runs of spaces to one and print only those lines.
  python ~/.zsh/agro_detection_parser.py | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
  number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l) # It lists all ports, even unknown and faster to grep from here for this.
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt
  # Run UDP scan on most common ports
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt
  nmap -sU --top-ports 50 $targetx > 4_udpscan.out
  # Counts every line containing "open", which for UDP likely includes "open|filtered" lines — verify.
  number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l)
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt
  # Vulnerability scanning
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt
  nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt
  # NOTE(review): the unquoted `smb-enum-*` is a filename glob. zsh aborts the
  # command with "no matches found" when nothing in the current directory
  # matches (which is the normal case in a fresh result directory), so this
  # scan most likely never runs; the pattern needs quoting to reach nmap intact.
  nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt # There is issue with the * askterisk... should be escaped or something
  nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Started scan for automatic searchsploit." >> scan_history.txt
  # for searchsploit, but nmap should be configured to scan with xml, default is top 1000
  # -oA writes .nmap/.gnmap/.xml; only the .xml is consumed and the other two are removed afterwards.
  nmap -sS -sV -sC -O --host-timeout=5m --max-hostgroup=1 -Pn $targetx -oA 8_nmap_for_searchsploit
  searchsploit -v --nmap 8_nmap_for_searchsploit.xml > 9_searchslpoit_results.txt
  rm 8_nmap_for_searchsploit.nmap 8_nmap_for_searchsploit.gnmap
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished the searchsploit queries. Outputs are in the relevant files." >> scan_history.txt
  # single nmap for all ports. thinking about this.. this is long, but more torough + replaces the others!
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Started all TCP ports / extended UDP scan for automatic searchsploit." >> scan_history.txt
  # Full TCP range plus a fixed UDP list; --host-timeout=180m bounds the per-host run time.
  nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV -O --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=admin,passwd=admin" --host-timeout=180m --max-hostgroup=1 -Pn -oA 99_nmap_for_searchsploit $targetx
  searchsploit -v --nmap 99_nmap_for_searchsploit.xml > 99_allports_searchslpoit_results.txt
  rm 99_nmap_for_searchsploit.nmap 99_nmap_for_searchsploit.gnmap
  echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished the extended ports scan and searchsploit queries. Outputs are in the relevant files." >> scan_history.txt
  cd
}

# Stage 3: placeholder. Creates ~/.ptz/<target>/result-attack-<date>, sets a
# protocol list and two wordlist paths that nothing in this file reads, and
# returns to $HOME. No tool is run here yet (see the trailing comment), so at
# present this stage has no effect beyond the directory creation.
function active_attack_tof {
  if [ $debug -eq 1 ]
  then
    echo "Calling function active_attack_tof"
  fi
  . torsocks off
  cdate=$(date +"%Y-%m-%d-%H%M")
  aatmpfold=".ptz/$pawnpls_tof_target/result-attack-$cdate"
  mkdir -p ~/$aatmpfold
  cd ~/$aatmpfold
  # Preconfs
  hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
  usernames="/usr/share/nmap/nselib/data/usernames.lst"
  passwords="/usr/share/nmap/nselib/data/passwords.lst"
  # run hydra, dirb, arachni and the others....
  cd
}