273 lines
10 KiB
Bash
Executable File
273 lines
10 KiB
Bash
Executable File
#!/bin/zsh
|
|
# Agro scanner standalone
|
|
# License: GNU GPL v3, see LICENSE file
|
|
# Creation date: 2017.01.10. 21:30
|
|
# Dependencies: apt update && apt install zsh nmap python2.7 libxml2-utils -y
|
|
# Dependencies for offensive part: apt install theharvester nmap fierce dnsrecon dnsutils hydra dirb sqlmap wget dirb curl nikto libxml2-utils whatweb
|
|
# Requires root, sry.
|
|
|
|
# Variables
|
|
targetx=(127.0.0.1) # Space delimited!
|
|
ports=(21-23,25-26,53,80-81,110-111,113,135,139,143,179,199,443,445,465,514-515,548,554,587,646,993,995,1025-1027,1433,1720,1723,2000-2001,3306,3389,4443,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154,11211)
|
|
|
|
# Initialize directory and naming structure
|
|
cdate=$(date +"%Y-%m-%d")
|
|
mkdir -p result-$cdate
|
|
cd result-$cdate
|
|
touch scan_history.txt
|
|
echo "---- Starting AgroScanner ----" >> scan_history.txt
|
|
|
|
# Start with standard alive scan and check ports on alive hosts
|
|
|
|
# Get alive hosts
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting alive hosts scan." >> scan_history.txt
|
|
nmap --randomize-hosts -sn -PS$ports $targetx -oG 1_alive_hosts.out
|
|
alive_hosts=$(grep "Status: Up" 1_alive_hosts.out | cut -d' ' -f2 | tr '\r\n' ' ')
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished alive hosts scan. Found hosts: " $alive_hosts >> scan_history.txt
|
|
|
|
# Port scanning on alive hosts and version detection
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting port scans on alive hosts with top 1000." >> scan_history.txt
|
|
nmap --randomize-hosts -sS -sV -n -Pn --top-ports 1000 $targetx > 2_ports_and_service_top1000_on_alive_hosts.out
|
|
python ../agro_detection_parser.py | sed -n '/ /s/ \+/ /gp' > 3_ip_port_service.out
|
|
number_open_tcp_ports=$(grep -v "Nmap scan report for" 3_ip_port_service.out |wc -l) # It lists all ports, even unknown and faster to grep from here for this.
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished port scans on alive hosts with top 1000. Number of open ports: " $number_open_tcp_ports >> scan_history.txt
|
|
|
|
# Run UDP scan on most common ports
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting UDP scans." >> scan_history.txt
|
|
nmap -sU --top-ports 50 $targetx > 4_udpscan.out
|
|
number_open_udp_ports=$(grep "open" 4_udpscan.out |wc -l)
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished UDP scans. Number of open UDP ports: " $number_open_udp_ports >> scan_history.txt
|
|
|
|
# Vulnerability scanning
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Starting simple vulnerbility scans." >> scan_history.txt
|
|
nmap -n -p 21 --script=ftp-anon.nse $targetx > 5_nmap_script_ftpanon.txt
|
|
#nmap -sU -sS --script smb-enum-* -p U:137,T:139 $targetx > 6_nmap_sbm_nse_scan.txt # There is issue with the * askterisk... should be escaped or something
|
|
nmap -sS -n -p $ports --script=default,safe,vuln $targetx > 7_nmap_script_default-safe-vuln_scan.txt
|
|
echo $(date +"%Y-%m-%d-%H-%M-%S") " Finished vulnerability scans. Lists are in the relevant txt files." >> scan_history.txt
|
|
|
|
|
|
|
|
# Offensive part
|
|
echo "Usage $0 domain.com [tor] [user wordlist] [password wordlist] [nessusURL:port] [nessususer] [nessuspassword]"
|
|
|
|
#echo "Updating searchsploit"
|
|
#searchsploit -u
|
|
|
|
# TODO parse arguments correctly
|
|
echo "[DEBUG] number of arguments $#"
|
|
|
|
|
|
# torify everything on demand
|
|
if [ $2 == "tor" ]; then echo "TOR mode ON" && torrequested=true; fi
|
|
|
|
|
|
# VARIABLES
|
|
currentdir=$(pwd)
|
|
# hydra protocol not bruted by nmap
|
|
hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
|
|
#TODO provides usernames password in args
|
|
usernames="/usr/share/nmap/nselib/data/usernames.lst"
|
|
passwords="/usr/share/nmap/nselib/data/passwords.lst"
|
|
# Nessus
|
|
nessusapi=$5
|
|
nessususer=$6
|
|
nessuspass=$7
|
|
|
|
|
|
# TODO low priority optimize tools location if not in Kali OS
|
|
# nmap = which nmap
|
|
# fierce = which fierce ...
|
|
|
|
|
|
if [ $# -eq 0 ]; then echo "please provide something to pentest you dumb bear (ᵔᴥᵔ) ! :D" ; exit ; fi
|
|
|
|
if [ "$(id -u)" != "0" ]; then
|
|
echo "This script must be run as root for Nmap scripting and syn scan." 1>&2
|
|
exit 1
|
|
fi
|
|
|
|
# Attacked domain
|
|
domainattacked=$1;
|
|
echo "Domain attacked is : $domainattacked !"
|
|
|
|
|
|
# START RECON PART
|
|
|
|
# Enum domain with std wordlist
|
|
echo "Enumerating domains ";
|
|
fierce -dns $1 -wide -file targets.fierce
|
|
# Dnsreconing
|
|
dnsrecon -d $domainattacked -t std,brt,srv,axfr,goo --iw -a -s -c $currentdir/targets.dnsrecon
|
|
echo "Enumerating domains ... DONE";
|
|
# Robtex graph
|
|
echo "Getting graph of the domain infrastructure"
|
|
wget -qO $domainattacked.png "https://gfx.robtex.com/gfx/graph.png?dns=$domainattacked"
|
|
# getting a traceroute for network device mapping
|
|
traceroute $domainattacked > $domainattacked.traceroute
|
|
tcptraceroute $domainattacked 80 >> $domainattacked.traceroute
|
|
tcptraceroute $domainattacked 25 >> $domainattacked.traceroute
|
|
|
|
|
|
# extract IPs
|
|
cat targets.dnsrecon | grep -v 'hostnames found' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > ips.lst;
|
|
echo "IPs extracted ! Ready to shoot."
|
|
#extract IP ranges
|
|
cat targets.fierce | grep 'hostnames found' | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > ipranges.lst
|
|
echo "IPs ranges extracted as well. If you want to extend scan.";
|
|
|
|
# LEGACY add dig ANY targets , NS , SRV , ... done by dnsrecon now
|
|
# dig +recurse +authority $domainattacked ANY | grep -v 'SERVER' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u >> ips.lst;
|
|
|
|
|
|
# TODO extend IP detection with
|
|
# rwhois ? SPF IP ?
|
|
|
|
|
|
# TODO building custom userlist with harvester, add vhost and add ips ?
|
|
echo "Harvesting info about domain $domainattacked"
|
|
#theharvester -d $domainattacked -b all -v > $domainattacked.harvester
|
|
#grep IP inside .harvester
|
|
|
|
# EXTENDING if requested extend scan to ip ranges
|
|
# nmap -sL >> ips.lst
|
|
|
|
# CLEANING before starting if IPs added with other scripts
|
|
# cat ips.lst | sort -u > finalips.lst
|
|
|
|
|
|
# START SERVICES PART
|
|
|
|
# SERVICES ENUM FINGERPRINT + NSE VULN PART
|
|
# main loop for IP
|
|
for x in `cat ips.lst`; do
|
|
|
|
|
|
|
|
# create a dir per IP for db txt files
|
|
mkdir $x;
|
|
echo "Enumerating ports and services, vuln scanning and brute forcing ... jeez thats alota work";
|
|
|
|
# full scan
|
|
# echo "Full nmap scan start"
|
|
# nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=$usernames,passwd=$passwords" --host-timeout=180m --max-hostgroup=1 -Pn -v $x -oA $x/nmapresults
|
|
# reduced scan for TESTING
|
|
echo "[DEBUG] TEST MODE for nmap sS top1k ONLY"
|
|
nmap -sS -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --host-timeout=30m --max-hostgroup=1 -Pn $x -oA $x/nmapresults
|
|
echo "Nmap fingerprinting and NSE for $x... DONE";
|
|
|
|
# TODO
|
|
|
|
echo "[UNDER CONSTRUCTION] Nessus API Scan";
|
|
echo "Starting the Nessus scan ..."
|
|
token=`curl -k -X POST -H 'Content-Type: application/json' -d '{"username":"$nessususer","password":"$nessuspassword"}' "https://$nessusurl/session"`
|
|
|
|
# echo "Adding targets to FULL scan"
|
|
#+ call nessus api
|
|
# get results in the end
|
|
|
|
|
|
# TODO service / version detection for smarter brute force and searchsploit
|
|
# echo "[UNDER CONSTRUCTION] Smart protocol detection for hydra ..."
|
|
# cat nmapresults.xml | grep "port protocol" | cut -d '"' -f12
|
|
|
|
|
|
#getting nmap CPE version of services and using Searchsploit
|
|
# REPORT services version and cleaning the file
|
|
echo -n "" > $x/version.services
|
|
for z in `cat $x/nmapresults.xml | grep '<cpe>'`; do echo $z | grep -ozP "(?s)<cpe>.*?(?=</cpe>)" >> $x/version.services && echo "" >> $x/version.services; done
|
|
|
|
# REPORT exploitdb search from nmap
|
|
echo "Searching interesting vulnerabilities for target $x"
|
|
#legacy searchsploit for a in $(cat $x/version.services); do echo $a | cut -d : -f3-5 | tr ":" " " | cut -d '.' -f1 >> $x/version.exploits; done
|
|
searchsploit -v --nmap $x/nmapresults.xml > $x/version.exploits;
|
|
|
|
# TODO ADD default credentials
|
|
|
|
|
|
#### Brute force non nmap
|
|
# TODO optimtize per port
|
|
echo "STARTING additional BRUTE FORCE PART with hydra";
|
|
echo "[DEBUG] not bruting for faster testing";
|
|
for b in ${hydrabruteprotocol[@]}; do hydra -L $usernames -P $passwords -o $x/validuserpass.hydra $b://$x; done;
|
|
echo "FINISHED additional hydra BRUTE FORCE";
|
|
|
|
|
|
echo "Enumerating ports and services, fingerprinting, vuln scanning and brute forcing .... DONE ";
|
|
|
|
|
|
##################### STOP SERVICES PART
|
|
|
|
|
|
###################### START WEB PART
|
|
#### WEB VULNS PART
|
|
echo "Web pentesting now ...";
|
|
# vhost enum
|
|
echo "Vhost enum"
|
|
# adding the IP as vhost , often forgotten
|
|
echo "$x" >> $x/vhost.list;
|
|
# manual reverse PTR in case there is none
|
|
cat targets.dnsrecon | grep $x | grep '^A' | cut -d ',' -f2 >> $x/vhost.list;
|
|
# reverse PTR
|
|
dig +short -x $x >> $x/vhost.list;
|
|
# using robtex from nmap
|
|
awk '/hostmap-robtex/{f=1;next} /ip-geolocation-geoplugin/{f=0} f' $x/nmapresults.nmap >> $x/vhost.list; # extract vhosts from NMAP robtex script
|
|
# adding hackertarget vhost
|
|
timeout 2m curl "http://api.hackertarget.com/reverseiplookup/?q=$x" >> vhost.list;
|
|
# TO DO add harvester ?
|
|
# sorting vhosts
|
|
sort -u $x/vhost.list > $x/vhost.sorted;
|
|
|
|
echo "Start port loop for $x"
|
|
|
|
# if HTTP port test
|
|
for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep ' http ' | cut -d '/' -f1`;
|
|
### WEB RECON
|
|
do echo "start vhost loop for IP $y";
|
|
for z in `cat $x/vhost.sorted`;
|
|
# dirb for each vhost
|
|
do dirb "http://$z:$y" -f -l > "$x/enum$z.dirb";
|
|
### WEB fingerprint
|
|
whatweb -v "http://$z:$y";
|
|
# nikto for each vhost
|
|
nikto -host "http://$z:$y" > "$x/$z.nikto";
|
|
|
|
# arachni
|
|
# arachni
|
|
|
|
# sqlmap for earch vhost
|
|
#sqlmap --crawl=2 --forms --batch
|
|
|
|
done; ## end vhost loop
|
|
done; ## end nmap port loop
|
|
|
|
|
|
# if HTTPS port
|
|
# TO DO again
|
|
# copy pasta
|
|
# for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep 'ssl/http' | cut -d '/' -f1`;
|
|
|
|
done; ## end IP loop
|
|
|
|
|
|
# REPORT VULNS FOUND
|
|
echo "======================================"
|
|
echo "Vulnerability summary from NSE Scripts"
|
|
echo ""
|
|
grep -i "vulner" -B1 */nmapresults.nmap
|
|
echo "You might also need to read manually also the .nmap as vulnerable state is not harmonized through NSE"
|
|
echo ""
|
|
|
|
echo "======================================"
|
|
echo "ExploitDB research results"
|
|
echo ""
|
|
echo "Interesting exploits found: "
|
|
cat */version.exploits
|
|
echo ""
|
|
|
|
echo "======================================"
|
|
echo "Bruteforce results"
|
|
echo ""
|
|
echo "Valid passwords found: "
|
|
cat */validuserpass.hydra
|
|
echo ""
|