attackplan.ini
#= Vanquish Attack Plan Config File ============
# Each section represents a phase of the assessment cycle.
# The values under each section name the commands to run against each identified service;
# the commands themselves are defined in config.ini.
#= Phase Ordering ============
# The following sections define the scan and enumeration phase ordering:
# Scans Start = The scans to run up front, before any enumeration starts. These should be quick.
# Scans Background = The slow scans that run in the background while the enumeration phases execute.
# Enumeration Plan = The order in which the enumeration phases are executed.
# Post Enumeration Plan = The phases to run once enumeration has finished (brute forcing below).
[Scans Start]
Order: Nmap Fast TCP with Port and OS Identification,Nmap Fast UDP with Port Identification
[Enumeration Plan]
Order: Information Gathering,User Enumeration,Password Enumeration,Vulnerablity Analysis,Web Site Scanning,Web Site Nikto Scanning,GoBuster Web Content Bruteforce,User Enumeration Bruteforce
[Post Enumeration Plan]
Order: Brute Forcing
#= Enumeration Phases ============
# The following sections list, per service name, the commands (defined in config.ini) to run at each enumeration phase.
# A special always: key can be given to run its commands once against every host, regardless of which services were identified.
[Information Gathering]
http: NMap Http Shell Shock
https: NMap SSL Heartbleed,SSLScan,SSLyze
ftp: FTP Nmap Anon,FTP Nmap Bounce
mysql: MySQL Nmap Empty Password,MySql Dump Tables
smb: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz
ssn: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz
smtp: SMTP Nmap Vuln Scan,SMTP Nmap Commands
snmp: SNMP Nmap All,SNMP Onesixtyone,SNMP SNMPWalk,SNMP SNMP-Check
ssh: SSLScan,SSLyze,SSH Nmap Enum
rexec: Nmap Rexec
rlogin: Nmap Rlogin
vnc: VNC NMap Scan
telnet: Telnet NMap All
dns: DNS Nmap All,DNS Recon
finger: Finger Nmap All
msrpc: Msrpc Nmap Enum,Msrpc Enum4linux
rdp: RDP Nmap Enum Encryption,RDP Nmap Vuln Scan
rpc: RPC RPCClient Help,RPC RPCClient Enumprivs,RPC RPCClient Netshareenum,RPC RPCClient Srvinfo,RPC RPCClient Lookupnames Root,RPC Nmap RPC Info
kerberos: Kerberos
nfs: NFS List Shares
james-admin: James-Admin
ntp: NTP NTPQ Version,NTP NTPQ Readlist,NTP NTPQ Hostnames,NTP Nmap All
pop3: POP3 Nmap Enum
imap: IMAP Nmap Enum
[Web Site Scanning]
http: Nmap Web Scan,HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess
https: Nmap Web Scan,HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess
[Web Site Nikto Scanning]
http: HTTP Nikto
https: HTTPS Nikto
[Dirb Web Content Bruteforce]
http: HTTP Dirb
https: HTTPS Dirb
[GoBuster Web Content Bruteforce]
http: HTTP GoBuster All Dicts
https: HTTPS GoBuster All Dicts
[User Enumeration]
smtp: SMTP Nmap Enum Users
snmp: SNMP SNMP-Check
rpc: RPC Enum4Linux User Enumeration
smb: SMB Nmap User Enumeration
ident: Ident ident-user-enum Service Users
[User Enumeration Bruteforce]
smtp: SMTP Emum Users Name,SMTP Emum Users Unix Users
[Password Enumeration Bruteforce]
http:
[Vulnerablity Analysis]
always: Nmap Vulnerability Scan All Host Ports
http: HTTP Nmap Vuln Scan
https: HTTP Nmap Vuln Scan
ftp: FTP Nmap Vuln Scan
snmp: SNMP Nmap All
ms-sql-s: MS-SQL Nmap All
smb: Samba Nmap Vuln Scan
[Vulnerability Validation]
http:
https:
ftp:
[Brute Forcing]
ftp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
ftps: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
irc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
imap: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
pop3: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
mssql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
mysql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
rdp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
rexec: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
rlogin: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
rsh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
smb: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
smtp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
snmp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
ssh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
telnet: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
vnc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra dirb-passwords-top-110,Hydra fastrack
# Use any credentials discovered to execute exploits.
[Exploitation]
http:
https:
ftp:
[Exploit Searching]
http:
https:
ftp:
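The header comments describe the plan as a phase order plus, per phase, a service-to-commands map with an `always:` key that fires once per host. The following is an added example, not Vanquish's own code, of how such a plan is consumed: it loads a constructed excerpt in the same format with Python's `configparser`, validates it, and resolves the ordered command list for one host from the services identified on it. The excerpt keeps the quirks visible in the file above (a trailing comma, a key with no space after the colon, and an `Order` entry, `Password Enumeration`, for which no section exists; only `[Password Enumeration Bruteforce]` does). The validator flags that last case; how Vanquish itself treats an unknown phase is not shown on this page, so the resolver's choice to skip it is an assumption. Function and constant names are the example's own.

```python
"""Added example (not Vanquish's own code): load an attack plan in the
format of attackplan.ini, validate it, and resolve the ordered command
list for one host from the services identified on it."""
import configparser

# Constructed excerpt of attackplan.ini, embedded so the example runs offline.
# It deliberately keeps the file's quirks: a trailing comma, a key without a
# space after the colon, and an Order entry with no matching section.
PLAN_TEXT = """
[Scans Start]
Order: Nmap Fast TCP with Port and OS Identification,Nmap Fast UDP with Port Identification
[Enumeration Plan]
Order: Information Gathering,Password Enumeration,Vulnerablity Analysis,Web Site Scanning
[Post Enumeration Plan]
Order: Brute Forcing
[Information Gathering]
http: NMap Http Shell Shock,
https: NMap SSL Heartbleed,SSLScan,SSLyze,
ssh: SSLScan,SSLyze,SSH Nmap Enum
ntp:NTP NTPQ Version,NTP NTPQ Readlist
[Vulnerablity Analysis]
always: Nmap Vulnerability Scan All Host Ports
http: HTTP Nmap Vuln Scan
https: HTTP Nmap Vuln Scan
[Web Site Scanning]
http: Nmap Web Scan,HTTP What Web
https: Nmap Web Scan,HTTPS What Web
[Brute Forcing]
ssh: Hydra wfuzz-common,Hydra keyboard-patterns
"""

# Sections whose Order line schedules other sections (phases), versus the
# scan list, whose Order line names commands directly.
PHASE_PLANS = ("Enumeration Plan", "Post Enumeration Plan")
ORDER_SECTIONS = ("Scans Start",) + PHASE_PLANS


def load_plan(text):
    """Parse plan text; keys are kept as written (configparser lowercases by default)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def split_list(value):
    """Split a comma-separated value, dropping the empty item a trailing comma leaves."""
    return [item.strip() for item in value.split(",") if item.strip()]


def phase_order(plan, plan_section):
    """Phases (or scan commands) named by a section's Order line, in order."""
    return split_list(plan.get(plan_section, "Order", fallback=""))


def validate_plan(plan):
    """Return problems: Order entries naming a phase with no section, and
    phase sections that no Order line ever schedules (they would never run)."""
    problems = []
    scheduled = set()
    for plan_section in PHASE_PLANS:
        for phase in phase_order(plan, plan_section):
            scheduled.add(phase)
            if not plan.has_section(phase):
                problems.append(f"[{plan_section}] lists phase {phase!r} but no such section exists")
    for section in plan.sections():
        if section not in ORDER_SECTIONS and section not in scheduled:
            problems.append(f"section [{section}] is never scheduled by an Order line")
    return problems


def commands_for_host(plan, services, plan_section="Enumeration Plan"):
    """Resolve (phase, command) pairs in execution order for a host exposing
    `services`. `always` commands run once per host; a command listed under
    several services (SSLScan under https and ssh) runs once per phase."""
    schedule = []
    for phase in phase_order(plan, plan_section):
        if not plan.has_section(phase):
            continue  # assumption: a lenient runner skips phases validate_plan() reports
        candidates = split_list(plan.get(phase, "always", fallback=""))
        for service in services:
            candidates += split_list(plan.get(phase, service, fallback=""))
        seen = set()
        for command in candidates:
            if command not in seen:
                seen.add(command)
                schedule.append((phase, command))
    return schedule


if __name__ == "__main__":
    plan = load_plan(PLAN_TEXT)
    for problem in validate_plan(plan):
        print("plan problem:", problem)
    for phase, command in commands_for_host(plan, ["https", "ssh"]):
        print(f"{phase}: {command}")
```

Run it as-is to see the schedule for a host with `https` and `ssh` open; the `validate_plan()` output is the check worth running after editing `attackplan.ini`, since a misspelled phase name in an `Order` line silently drops that phase. Every command name the resolver returns must also exist in `config.ini`, which this example does not load.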