#!/bin/zsh
# This file contains ideas/notes/examples to be added to the main pentest zsh file.
# Offensive part
#
# Review notes (read before reusing this file):
# - No `set -e` / `set -u` (or zsh equivalents) is enabled: a failing tool does
#   not stop the run, and an unset variable silently expands to an empty string
#   (this matters for the Nessus call inside the IP loop, which references
#   variable names that are never assigned here).
# - Positional arguments: $1 = domain, $5/$6/$7 = Nessus API, user, password.
#   $2 (tor), $3 (user wordlist) and $4 (password wordlist) from the usage line
#   are not read anywhere in the visible part of the file; the wordlists are
#   hard-coded below.
# - Nessus credentials come from argv, so they are visible in process listings
#   and in the shell history of the invoking user.
# - Almost every expansion is unquoted, and output files are written to the
#   current working directory (and to ./<ip>/ later on).
echo "Usage $0 domain.com [tor] [user wordlist] [password wordlist] [nessusURL:port] [nessususer] [nessuspassword]"
#echo "Updating searchsploit"
#searchsploit -u
# TODO parse arguments correctly
echo "[DEBUG] number of arguments $#"
# VARIABLES
# Captured once; dnsrecon below writes its CSV into this directory.
currentdir=$(pwd)
# hydra protocol not bruted by nmap
# Iterated in the per-IP loop further down; every entry is tried on every IP,
# independent of which ports nmap reported open.
hydrabruteprotocol=(cvs firebird icq irc ldap nntp oracle-listener oracle-sid pcanywhere pcnfs postgres rdp redis rtsp ssh sip teamspeak vmauthd)
#TODO provides usernames password in args
# Hard-coded Kali paths; existence is not checked before use.
usernames="/usr/share/nmap/nselib/data/usernames.lst"
passwords="/usr/share/nmap/nselib/data/passwords.lst"
# Nessus
# NOTE(review): these names (nessusapi, nessuspass) do not match the ones used
# by the curl call in the IP loop ($nessusurl, $nessuspassword), which therefore
# expand to empty strings there.
nessusapi=$5
nessususer=$6
nessuspass=$7
# TODO low priority optimize tools location if not in Kali OS
# nmap = which nmap
# fierce = which fierce ...
# Only checks that at least one argument exists; the bare `exit` returns
# status 0, so a caller cannot distinguish this usage error from success.
if [ $# -eq 0 ]; then echo "please provide something to pentest you dumb bear (ᵔᴥᵔ) ! :D" ; exit ; fi
# Root is needed for the -sS scan and NSE run in the IP loop; exit 1 otherwise.
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root for Nmap scripting and syn scan." 1>&2
exit 1
fi
# Attacked domain
domainattacked=$1;
echo "Domain attacked is : $domainattacked !"
# START RECON PART
# Enum domain with std wordlist
echo "Enumerating domains ";
# Uses $1 directly rather than $domainattacked (same value). Output: ./targets.fierce
fierce -dns $1 -wide -file targets.fierce
# Dnsreconing
# Output CSV: $currentdir/targets.dnsrecon. It is read below by relative path,
# so the cwd must not change in between.
dnsrecon -d $domainattacked -t std,brt,srv,axfr,goo --iw -a -s -c $currentdir/targets.dnsrecon
echo "Enumerating domains ... DONE";
# Robtex graph
echo "Getting graph of the domain infrastructure"
# Third-party service: the target domain is sent to robtex in the query string.
wget -qO $domainattacked.png "https://gfx.robtex.com/gfx/graph.png?dns=$domainattacked"
# getting a traceroute for network device mapping
# Plain traceroute first (truncates the file), then TCP/80 and TCP/25 appended.
traceroute $domainattacked > $domainattacked.traceroute
tcptraceroute $domainattacked 80 >> $domainattacked.traceroute
tcptraceroute $domainattacked 25 >> $domainattacked.traceroute
# extract IPs
# Pulls anything shaped like a dotted quad out of the dnsrecon CSV (octets are
# not range-checked, so 999.999.999.999 would pass). ips.lst is the only input
# to the per-IP loop below, where each entry is used unquoted as a directory
# name and as a scan target; this regex is the sole filter between DNS data
# returned by third parties and those commands.
cat targets.dnsrecon | grep -v 'hostnames found' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u > ips.lst;
echo "IPs extracted ! Ready to shoot."
#extract IP ranges
# Reads the fierce output (not dnsrecon) and accepts '-' as well as '.' as a
# separator to catch range notation. ipranges.lst is not consumed anywhere in
# the visible part of the file (see the EXTENDING TODO below).
cat targets.fierce | grep 'hostnames found' | grep -E -o "([0-9]{1,3}[\.-]){4}[0-9]{1,3}" | sort -u > ipranges.lst
echo "IPs ranges extracted as well. If you want to extend scan.";
# LEGACY add dig ANY targets , NS , SRV , ... done by dnsrecon now
# dig +recurse +authority $domainattacked ANY | grep -v 'SERVER' | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u >> ips.lst;
# TODO extend IP detection with
# rwhois ? SPF IP ?
# TODO building custom userlist with harvester, add vhost and add ips ?
# Only prints a message; the theharvester call below is commented out.
echo "Harvesting info about domain $domainattacked"
#theharvester -d $domainattacked -b all -v > $domainattacked.harvester
#grep IP inside .harvester
# EXTENDING if requested extend scan to ip ranges
# nmap -sL >> ips.lst
# CLEANING before starting if IPs added with other scripts
# cat ips.lst | sort -u > finalips.lst
# main loop for IP
# One iteration per IPv4 address in ips.lst (word-split output of `cat`).
# Nothing in the body stops on error: a failing tool just leaves its output
# file empty or missing and the next step runs anyway.
for x in `cat ips.lst`; do
# create a dir per IP for db txt files
# No -p: on a re-run against an existing ./<ip>/ this prints an error and continues.
mkdir $x;
echo "Enumerating ports and services, vuln scanning and brute forcing ... jeez thats alota work";
# full scan
# echo "Full nmap scan start"
# nmap -sSU -p T:1-65535,U:7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831 -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --script-args="unsafe=1,userdb=$usernames,passwd=$passwords" --host-timeout=180m --max-hostgroup=1 -Pn -v $x -oA $x/nmapresults
# reduced scan for TESTING
# Only the reduced scan below is active; the full TCP+UDP scan above is
# commented out. -oA writes $x/nmapresults.{nmap,xml,gnmap}, which the CPE,
# searchsploit, vhost and port steps below all read.
echo "[DEBUG] TEST MODE for nmap sS top1k ONLY"
nmap -sS -sV --script="(default or vuln or auth or brute or discovery) and not (broadcast or dos)" --host-timeout=30m --max-hostgroup=1 -Pn $x -oA $x/nmapresults
echo "Nmap fingerprinting and NSE for $x... DONE";
# TODO
echo "[UNDER CONSTRUCTION] Nessus API Scan";
echo "Starting the Nessus scan ..."
# NOTE(review): as written this request is inert and should not be kept as-is:
# - the JSON body is single-quoted, so the literal strings "$nessususer" and
#   "$nessuspassword" are sent instead of the values;
# - $nessusurl and $nessuspassword are never assigned (the header sets
#   nessusapi and nessuspass), so the URL is "https:///session";
# - -k disables TLS certificate verification on a request that is meant to
#   carry a password;
# - $token is not read anywhere in the visible part of the file.
token=`curl -k -X POST -H 'Content-Type: application/json' -d '{"username":"$nessususer","password":"$nessuspassword"}' "https://$nessusurl/session"`
# echo "Adding targets to FULL scan"
#+ call nessus api
# get results in the end
# TODO service / version detection for smarter brute force and searchsploit
# echo "[UNDER CONSTRUCTION] Smart protocol detection for hydra ..."
# cat nmapresults.xml | grep "port protocol" | cut -d '"' -f12
#getting nmap CPE version of services and using Searchsploit
# REPORT services version and cleaning the file
# Truncate (or create) the per-IP CPE list.
echo -n "" > $x/version.services
# One <cpe>...</cpe> string per output line, extracted with a PCRE lookahead.
# The loop iterates over whitespace-separated tokens of the matching XML lines
# (the backtick output is word-split), not over whole lines.
for z in `cat $x/nmapresults.xml | grep '<cpe>'`; do echo $z | grep -ozP "(?s)<cpe>.*?(?=</cpe>)" >> $x/version.services && echo "" >> $x/version.services; done
# REPORT exploitdb search from nmap
echo "Searching interesting vulnerabilities for target $x"
#legacy searchsploit for a in $(cat $x/version.services); do echo $a | cut -d : -f3-5 | tr ":" " " | cut -d '.' -f1 >> $x/version.exploits; done
# Local exploit-db lookup keyed on the nmap XML; version.exploits is
# concatenated in the summary at the end of the script.
searchsploit -v --nmap $x/nmapresults.xml > $x/version.exploits;
# TODO ADD default credentials
#### Brute force non nmap
# TODO optimtize per port
echo "STARTING additional BRUTE FORCE PART with hydra";
# NOTE(review): the message below says bruting is skipped, but the hydra loop
# that follows does run, once per protocol in the list, whether or not nmap
# found that port open. Results are appended to $x/validuserpass.hydra.
echo "[DEBUG] not bruting for faster testing";
for b in ${hydrabruteprotocol[@]}; do hydra -L $usernames -P $passwords -o $x/validuserpass.hydra $b://$x; done;
echo "FINISHED additional hydra BRUTE FORCE";
echo "Enumerating ports and services, fingerprinting, vuln scanning and brute forcing .... DONE ";
##################### STOP SERVICES PART
###################### START WEB PART
#### WEB VULNS PART
echo "Web pentesting now ...";
# vhost enum
echo "Vhost enum"
# adding the IP as vhost , often forgotten
echo "$x" >> $x/vhost.list;
# manual reverse PTR in case there is none
# $x is used as an unescaped regex: '.' matches any character and the match is
# a substring match (10.0.0.1 also matches a line containing 10.0.0.11).
cat targets.dnsrecon | grep $x | grep '^A' | cut -d ',' -f2 >> $x/vhost.list;
# reverse PTR
dig +short -x $x >> $x/vhost.list;
# using robtex from nmap
# Prints the lines between the hostmap-robtex and ip-geolocation-geoplugin NSE
# sections of the normal-format report; relies on that ordering in the output.
awk '/hostmap-robtex/{f=1;next} /ip-geolocation-geoplugin/{f=0} f' $x/nmapresults.nmap >> $x/vhost.list; # extract vhosts from NMAP robtex script
# adding hackertarget vhost
# NOTE(review): this appends to ./vhost.list in the cwd, not to $x/vhost.list
# like the steps above, so its output never reaches $x/vhost.sorted. Plain HTTP
# to a third-party API with the target IP in the query string; capped at 2 min.
timeout 2m curl "http://api.hackertarget.com/reverseiplookup/?q=$x" >> vhost.list;
# TO DO add harvester ?
# sorting vhosts
sort -u $x/vhost.list > $x/vhost.sorted;
echo "Start port loop for $x"
# if HTTP port test
# $y is a TCP port number taken from the ' http ' service lines of the .nmap
# report (the message below calls it an IP).
for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep ' http ' | cut -d '/' -f1`;
### WEB RECON
do echo "start vhost loop for IP $y";
for z in `cat $x/vhost.sorted`;
# dirb for each vhost
# Output files are keyed on vhost name only, so two http ports on the same
# vhost overwrite each other's .dirb and .nikto files.
do dirb "http://$z:$y" -f -l > "$x/enum$z.dirb";
### WEB fingerprint
# whatweb output goes to stdout only (not saved).
whatweb -v "http://$z:$y";
# nikto for each vhost
nikto -host "http://$z:$y" > "$x/$z.nikto";
# arachni
# arachni
# sqlmap for earch vhost
#sqlmap --crawl=2 --forms --batch
done; ## end vhost loop
done; ## end nmap port loop
# if HTTPS port
# TO DO again
# copy pasta
# for y in `cat $x/nmapresults.nmap | grep '/tcp' | grep 'ssl/http' | cut -d '/' -f1`;
done; ## end IP loop
# REPORT VULNS FOUND
# Summary section: the globs below cover every ./<ip>/ directory created in the
# IP loop above (the report continues past this point in the file).
echo "======================================"
echo "Vulnerability summary from NSE Scripts"
echo ""
# Case-insensitive match on "vulner" with one line of context before it; NSE
# output wording is not uniform, hence the manual-review hint that follows.
grep -i "vulner" -B1 */nmapresults.nmap
echo "You might also need to read manually also the .nmap as vulnerable state is not harmonized through NSE"
echo ""
echo "======================================"
echo "ExploitDB research results"
echo ""
echo "Interesting exploits found: "
# Per-IP searchsploit outputs concatenated back to back, with no per-IP header.
cat */version.exploits
echo ""
echo "======================================"
echo "Bruteforce results"
echo ""
echo "Valid passwords found: "
# Cleartext credentials recovered by hydra are stored in ./<ip>/validuserpass.hydra
# and echoed to stdout here.
cat */validuserpass.hydra
echo ""