attackplan.ini
161 lines (156 loc) · 7.37 KB
#= Vanquish Attack Plan Config File ============
# Each section represents a phase of the assessment cycle.
# The values under each section are the names of the commands that will be run against each identified service;
# the commands themselves are defined in the config.ini file.
#= Nmap Scan Ordering ============
# The Vanquish script will alternate between an Nmap scan and the enumeration Plan
[Nmap Scans]
Order: Nmap Fast TCP and UDP,Nmap All TCP Ports,Nmap All UDP Ports
#= Phase Ordering ============
# The following section defines the scan and enumeration phase ordering
# Scans Start = The scans to complete up front before any enumeration has started; these should be quick
# Scans Background = The slow scans that will run in the background while the enumeration phases are executing
# Enumeration Plan = The order in which the enumeration phases will be executed
[Nmap Fast TCP and UDP]
Order: Nmap Scan Fast TCP,Nmap Scan Fast UDP
[Nmap All TCP Ports]
Order: Nmap Scan All TCP
[Nmap All UDP Ports]
Order: Nmap Scan All UDP
[Enumeration Plan]
Order: Information Gathering,User Enumeration,Vulnerablity Analysis,Web Site Scanning,Password List Generation,User Enumeration Bruteforce
[Post Enumeration Plan]
Order: Metasploit Database Start,Metasploit Database Import,Nmap HTTP Scan,Metasploit Report Generation,Brute Forcing Lite,Web Site Nikto Tests,Web Content Detection,Brute Forcing
#= Nmap Phases ============
# The following sections detail the specific commands that will be run (found in the config.ini) at each nmap phase
# a special "always:" item can be specified to always run these commands against a host once.
# a special "run once:" item will only run the item once per phase regardless of the number of hosts.
[Nmap Scan Fast TCP]
always: Nmap Fast TCP
[Nmap Scan Fast UDP]
always: Nmap Fast UDP
[Nmap Scan All TCP]
always: Nmap All TCP
[Nmap Scan All UDP]
always: Nmap All UDP
#= Enumeration Phases ============
# The following sections detail the specific commands that will be run (found in the config.ini) at each enumeration phase
# a special "always:" item can be specified to always run these commands against a host once.
# a special "run once:" item will only run the item once per phase regardless of the number of hosts.
[Information Gathering]
http: NMap Http Shell Shock,HTTP Nikto Fast
https: NMap SSL Heartbleed,SSLScan,SSLyze,HTTPS Nikto Fast
ftp: FTP Nmap Anon,FTP Nmap Bounce
mysql: MySQL Nmap Empty Password,MySql Dump Tables
smb: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz
ssn: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz
smtp: SMTP Nmap Vuln Scan,SMTP Nmap Commands
snmp: SNMP Nmap All,SNMP Onesixtyone,SNMP SNMPWalk,SNMP SNMP-Check
ssh: SSLScan,SSLyze,SSH Nmap Hostkey
rexec: Nmap Rexec
rlogin: Nmap Rlogin
vnc: VNC NMap Scan
telnet: Telnet NMap All
dns: DNS Nmap All,DNS Recon,DNS Nmap Host Names Lookup
dhcp: DHCP Nmap Discover, DHCP Nmap Broadcast Discover,DHCP Nmap v6 Broadcast Discover
finger: Finger Nmap All
msrpc: Msrpc Nmap Enum,Msrpc Enum4linux
rdp: RDP Nmap Enum Encryption,RDP Nmap Vuln Scan
rpc: RPC RPCClient Help,RPC RPCClient Enumprivs,RPC RPCClient Netshareenum,RPC RPCClient Srvinfo,RPC RPCClient Lookupnames Root,RPC Nmap RPC Info
kerberos: Kerberos
nfs: NFS List Shares
james-admin: James-Admin
ntp:NTP NTPQ Version,NTP NTPQ Readlist,NTP NTPQ Hostnames,NTP Nmap All
pop3: POP3 Nmap Enum
imap: IMAP Nmap Enum
[Web Site Scanning]
http: HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess,HTTP Cewl Password List,HTTP Robots
https: HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess,HTTPS Cewl Password List,HTTPS Robots
[Web Site Nikto Tests]
http: HTTP Nikto Tests
https: HTTPS Nikto Tests
[Web Content Detection]
http: HTTP GoBuster,HTTP What Web All Urls,HTTP BlindElephant Guess All Urls,HTTP Wordpress Scan All Urls
https: HTTPS GoBuster,HTTPS What Web All Urls,HTTPS BlindElephant Guess All Urls,HTTPS Wordpress Scan All Urls
[GoBuster Web Content Bruteforce]
http: HTTP GoBuster All Dicts
https: HTTPS GoBuster All Dicts
[Nmap HTTP Scan]
http: Nmap Web Scan
https: Nmap Web Scan
[User Enumeration]
smtp: SMTP Nmap Enum Users
snmp: SNMP SNMP-Check
rpc: RPC Enum4Linux User Enumeration
smb: SMB Nmap User Enumeration
ident: Ident ident-user-enum Service Users
[User Enumeration Bruteforce]
smtp:SMTP Emum Users Name,SMTP Emum Users Unix Users
[Password List Generation]
http: HTTP Cewl Password List All Urls
https: HTTPS Cewl Password List All Urls
[Vulnerablity Analysis]
always: Nmap Vulnerability Scan All Host Ports
http: HTTP Nmap Vuln Scan
https: HTTP Nmap Vuln Scan
ftp: FTP Nmap Vuln Scan
snmp: SNMP Nmap All
ms-sql-s: MS-SQL Nmap All
smb: Samba Nmap Vuln Scan
[Vulnerability Validation]
http:
https:
ftp:
[Brute Forcing Lite]
ftp: Hydra dirb-passwords-top-110
ftps: Hydra dirb-passwords-top-110
irc: Hydra dirb-passwords-top-110
imap: Hydra dirb-passwords-top-110
pop3: Hydra dirb-passwords-top-110
mssql: Hydra dirb-passwords-top-110
mysql: Hydra dirb-passwords-top-110
rdp: Hydra dirb-passwords-top-110
rexec: Hydra dirb-passwords-top-110
rlogin: Hydra dirb-passwords-top-110
rsh: Hydra dirb-passwords-top-110
smb: Hydra dirb-passwords-top-110
smtp: Hydra dirb-passwords-top-110
snmp: Hydra dirb-passwords-top-110
ssh: Hydra dirb-passwords-top-110
telnet: Hydra dirb-passwords-top-110
vnc: Hydra dirb-passwords-top-110
# use any credentials discovered to execute exploits
[Brute Forcing]
ftp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
ftps: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
irc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
imap: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
pop3: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
mssql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
mysql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
rdp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
rexec: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
rlogin: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
rsh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
smb: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
smtp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
snmp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
ssh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
telnet: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
vnc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
# Import data into Metasploit database
[Metasploit Database Start]
run once: Metasploit Start Database
[Metasploit Database Import]
run once: Metasploit Import Database
[Metasploit Report Generation]
run once: Metasploit Hosts Report,Metasploit Services Report
# use any credentials discovered to execute exploits
[Exploitation]
http:
https:
ftp:
[Exploit Searching]
http:
https:
ftp:
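An added example (not Vanquish's own code) that reads the plan format described in the comments above with Python's standard `configparser`: it resolves which command names a phase would schedule for a set of hosts, honouring the `always:` (once per host) and `run once:` (once per phase) rules, and lints the plan by reporting phases named in an `Order:` line that have no section. The excerpt, the host addresses and the missing "Web Site Scanning" section are constructed for the demonstration.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed excerpt in the attackplan.ini format; "Web Site Scanning" is
# deliberately referenced without a section so the lint below has something to flag.
PLAN_TEXT = """[Nmap Scans]
Order: Nmap Fast TCP and UDP
[Nmap Fast TCP and UDP]
Order: Nmap Scan Fast TCP
[Nmap Scan Fast TCP]
always: Nmap Fast TCP
[Enumeration Plan]
Order: Information Gathering,Vulnerablity Analysis,Web Site Scanning
[Information Gathering]
http: NMap Http Shell Shock,HTTP Nikto Fast
smb: SMB Nmap Vuln Scan,SMB Enum4linux
[Vulnerablity Analysis]
always: Nmap Vulnerability Scan All Host Ports
http: HTTP Nmap Vuln Scan
[Metasploit Database Start]
run once: Metasploit Start Database
"""

def load_plan(text: str) -> configparser.ConfigParser:
    # ':' as key delimiter and '#' comments are configparser defaults, matching the file.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def items(cp: configparser.ConfigParser, section: str, key: str) -> List[str]:
    """Split a comma-separated value; the file mixes 'a,b' and 'a, b' spacing."""
    if not cp.has_option(section, key):
        return []
    return [v.strip() for v in cp.get(section, key).split(",") if v.strip()]

def schedule_phase(cp, phase: str, hosts: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(host, command) pairs for one phase: 'run once' fires a single time per phase,
    'always' once per host, and service keys only for hosts exposing that service."""
    out = [("*", cmd) for cmd in items(cp, phase, "run once")]
    for host, services in hosts.items():
        out += [(host, cmd) for cmd in items(cp, phase, "always")]
        for svc in services:
            out += [(host, cmd) for cmd in items(cp, phase, svc)]
    return out

def missing_phases(cp) -> List[str]:
    """Lint: every phase named in an 'Order:' line must have its own section."""
    return sorted({p for s in cp.sections() for p in items(cp, s, "order")
                   if not cp.has_section(p)})
```

Running `missing_phases` against the full attackplan.ini before a run catches a renamed or misspelled phase (the plan spells "Vulnerablity Analysis" the same way in both places, so it passes) instead of discovering it mid-assessment.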