diff --git a/Vanquish2.py b/Vanquish2.py index 4278c8f..a26f410 100644 --- a/Vanquish2.py +++ b/Vanquish2.py @@ -6,14 +6,14 @@ # TODO: Import data into MSF database and generate pretty table reports of servers and ports # TODO: Append the exact command that is used to the output text files for easy refernce in documentation # TODO: Create a suggest only mode that dumps a list of commands to try rather than running anything -# TODO: Fix TCP / UDP / Multi Nmap scan merging - When multiple scans have the same port info,we get duplicate entries -# TODO: Do not enum closed or filtered ports # TODO: Command replacer for lists of users, passwords and directory lists +# TODO: Add color and -color -colour flags to disable it +# TODO: Expand user enumeration # Starts Fast moves to Through # 1. NMAP Scan # 2. Service Enumeration Scan -# -# TODO: +# 3. Finds relavant exploits and copies to a subfolder +# TODO: still havent finished the following features # 3. Word list creation 1st pass # Banner Grabx # HTTP Enum @@ -34,9 +34,10 @@ """ Main application logic and automation functions """ +from parser import ParserError -__version__ = '0.8' -__lastupdated__ = 'June 17, 2017' +__version__ = '0.9' +__lastupdated__ = 'June 18, 2017' __nmap_folder__ = 'Nmap' ### @@ -51,12 +52,16 @@ import argparse import random from pprint import pformat +from pprint import pprint +from shutil import copyfile +import json import subprocess from subprocess import call import multiprocessing import threading import xml.etree.ElementTree as ET from multiprocessing.dummy import Pool as ThreadPool +from subprocess import Popen, PIPE, STDOUT # PROGRESS BAR - Thank you! clint.textui.progress @@ -150,17 +155,23 @@ def bar(it, label='', width=32, hide=None, empty_char=BAR_EMPTY_CHAR, bar.show(i + 1) class logger: - DEBUG = False; - VERBOSE = False; + DEBUG = False + VERBOSE = False + DEBUG_FILE = None + VERBOSE_FILE = None @staticmethod def debug(msg): - if logger.DEBUG == True: + if logger.DEBUG_FILE is not None: + logger.DEBUG_FILE.write(msg+'\n') + elif logger.DEBUG == True: print("[!] "+msg) @staticmethod def verbose(msg): - if logger.VERBOSE == True: + if logger.VERBOSE_FILE is not None: + logger.VERBOSE_FILE.write(msg + '\n') + elif logger.VERBOSE == True: print("[*] "+msg) class Vanquish: @@ -183,12 +194,14 @@ def __init__(self, argv): self.parser.add_argument("-reportFile", metavar='report', type=str, default="report.txt", help='filename used for the report (default: %(default)s)') self.parser.add_argument("-noResume", action='store_true', help='do not resume a previous session') - self.parser.add_argument("-range", metavar='IPs', type=str, nargs="+", default="", - help='a range to scan ex: 10.10.10.0/24') self.parser.add_argument("-threadPool", metavar='threads', type=int, default="8", help='Thread Pool Size (default: %(default)s)') + self.parser.add_argument("-phase", metavar='phase', type=str, default='', help='only execute a specific phase') + self.parser.add_argument("-noExploitSearch", action='store_true', help='disable searchspolit exploit searching') + self.parser.add_argument("-logging", action='store_true', help='enable verbose and debug data logging to files') self.parser.add_argument("-verbose", action='store_true', help='display verbose details during the scan') self.parser.add_argument("-debug", action='store_true', help='display debug details during the scan') + self.args = self.parser.parse_args() self.hosts = self.args.hostFile @@ -209,6 +222,21 @@ def __init__(self, argv): #current enumeration phase command que self.phase_commands = [] + #Current Thread Pool command contents + self.thread_pool_commands = [] + self.thread_pool_errors = [] + + # write errors to error log rather than display them on screen + self.command_error_log = open("commanderrorlog.txt", 'w') + if self.args.logging: + self.debug_log = open("debuglog.txt", 'w') + self.verbose_log = open("verboselog.txt", 'w') + logger.DEBUG_FILE= self.debug_log + logger.VERBOSE_FILE= self.verbose_log + + sys.stderr = self.command_error_log + self.devnull = open(os.devnull, 'w') + # Scan the hosts using Nmap # Create a thread pool and run multiple nmap sessions in parallel def upfront_scan_hosts(self, hosts, command_label): @@ -233,16 +261,11 @@ def upfront_scan_hosts(self, hosts, command_label): logger.debug("scan_hosts() - command : " + command) #results = pool.map(self.execute_scan, self.phase_commands) - for _ in bar(pool.imap_unordered(self.execute_scan, self.phase_commands), expected_size=len(self.phase_commands)): + for _ in bar(pool.imap_unordered(self.execute_command, self.phase_commands), expected_size=len(self.phase_commands)): pass pool.close() pool.join() - def execute_scan(self, command): - logger.debug("execute_scan() - " + command) - stream = os.popen(command) - logger.debug("execute_scan() - COMPLETED! - " + command) - # Parse Nmap XML - Reads all the Nmap xml files in the Nmap folder def parse_nmap_xml(self): print "[+] Reading Nmap XML Output Files..." @@ -312,18 +335,35 @@ def merge_two_dicts( x, y): # find exploits from exploit db and copy them to service folder # TODO: Copy results to service folders - update nmap_dict with other web app etc products and versions... - def exploit_search(self): + def exploit_search(self, command_label): + if self.args.noExploitSearch: return False logger.debug("exploit_search()") - # Check nmap_dict - self.phase_commands = [] for host in self.nmap_dict: for service in self.nmap_dict[host]['ports']: if service.get('product', '') is not '' and service.get('version','') is not '': - version_digits = ' '.join(str(x) for x in re.findall(r'\d+',service.get('version',''))) - stream = os.popen('searchsploit --json '+service.get('product', '')+" "+version_digits) - json_results = stream.read() - stream.close() - print json_results + version_digits = ' '.join(str(x) for x in re.findall(r'\d+', service.get('version', ''))) + command_keys = { + 'output': self.get_enumeration_path(host, service['name'],service['portid'], command_label), + 'target': service.get('product', '')} + base, filename = os.path.split(command_keys['output']) # Resume file already exists + if not self.args.noResume and self.find_files(base, filename + ".*").__len__() > 0: + logger.verbose("exploit_search() -Exploit Search file already exists: " + + command_keys['output']) + else: + self.execute_command(self.prepare_command(command_label, command_keys)) + with open(command_keys['output']+".json") as data_file: + try: + data = json.load(data_file) + except: + continue + if len(data['RESULTS']) == 0: + os.remove(command_keys['output']+".json") + else: # copy exploits to exploit folder + exploits_path = os.path.join(base, "exploits") + if not os.path.exists(exploits_path): os.makedirs(exploits_path) + for exploit in data['RESULTS']: + exploit_base, exploit_filename = os.path.split(exploit['Path']) + copyfile(exploit['Path'], os.path.join(exploits_path,exploit_filename)) # Enumerate a phase # phases are defined in attackplan.ini @@ -333,6 +373,7 @@ def exploit_search(self): def enumerate(self,phase_name): logger.debug("Enumerate - "+ phase_name) self.phase_commands = [] + self.thread_pool_errors = [] for host in self.nmap_dict: logger.debug("enumerate() - Host: " + host) for service in self.nmap_dict[host]['ports']: @@ -341,36 +382,55 @@ def enumerate(self,phase_name): if not ('closed' in service['state'] or 'filtered' in service['state']) \ and ( service['name'].find(known_service) <> -1 or service['portid'] in ports.split(',')): if self.plan.has_option(phase_name,known_service): - for command in self.plan.get(phase_name,known_service).split(','): - if command is not '': + for command_label in self.plan.get(phase_name,known_service).split(','): + if command_label is not '': command_keys = { - 'output': self.get_enumeration_path(host, service['name'],service['portid'], command), + 'output': self.get_enumeration_path(host, service['name'],service['portid'], command_label), 'target': host, 'domain': self.args.domain, 'service': service['name'], - 'port':service['portid'] + 'port':service['portid'], } base, filename = os.path.split(command_keys['output']) # Resume file already exists if not self.args.noResume and self.find_files(base,filename+".*").__len__()>0: logger.verbose("enumerate() - RESUME - output file already exists: " + command_keys['output']) else: - self.phase_commands.append(self.prepare_command(command,command_keys)) - logger.verbose("enumerate() - command : " + command) + command = self.prepare_command(command_label, command_keys) + #TODO: Check for dictionary tags / list tags + contains_list = False + for section in self.config.sections(): + if "List" in section: + if command.find("<"+section+">") <> -1: # include entire list from section + contains_list = True + for item in self.config.items(section): + new_command = command + new_command = new_command.replace("<" + section + ">",self.config.get(section, item)) + self.phase_commands.append(new_command) + else: + for item in self.config.items(section): + command = command.replace("<" + item[0] + ">",item[1]) + if contains_list == False: self.phase_commands.append(command) + logger.verbose("enumerate() - command : " + command_label) else: logger.debug("\tenumerate() - NO command section found for phase: " + phase_name + " service name: "+known_service ) pool = ThreadPool(self.args.threadPool) - #results = pool.map(self.execute_enumeration, self.phase_commands) - for _ in bar(pool.imap_unordered(self.execute_enumeration, self.phase_commands), expected_size=len(self.phase_commands)): + for _ in bar(pool.imap_unordered(self.execute_command, self.phase_commands), expected_size=len(self.phase_commands)): pass pool.close() pool.join() - def execute_enumeration(self,enumerate_command): - logger.debug("execute_enumeration() - " + enumerate_command) - stream = os.popen(enumerate_command) - logger.debug("execute_enumeration() - COMPLETED! - " + enumerate_command) + def execute_command(self, command): + logger.debug("execute_enumeration() - " + command) + self.thread_pool_commands.append(command) + process = Popen(command, shell=True, stdin=PIPE, stderr=self.command_error_log, stdout=self.devnull) + process.stdin.close() + #if process.wait() != 0: + #logger.debug("execute_enumeration() - ERRORS EXECUTING: - " + command) + #self.thread_pool_errors.append(command) + logger.debug("execute_enumeration() - COMPLETED! - " + command) + self.thread_pool_commands.remove(command) def get_enumeration_path(self, host, service, port, command): ip_path = os.path.join(self.args.outputFolder, host.strip().replace(".","_")) @@ -450,13 +510,14 @@ def banner_block(): # Entry point for command-line execution ################################################################################## + @property def main(self): start_time = time.time() #sys.stderr = open("errorlog.txt", 'w') - print("[+] Configuration file: " + str(self.args.configFile)) - print("[+] Attack plan file: " + str(self.args.attackPlanFile)) - print("[+] Output Path: " + str(self.args.outputFolder)) - print("[+] Host File: " + str(self.args.hostFile.name)) + print("Configuration file: " + str(self.args.configFile)) + print("Attack plan file: " + str(self.args.attackPlanFile)) + print("Output Path: " + str(self.args.outputFolder)) + print("Host File: " + str(self.args.hostFile.name)) logger.debug("DEBUG MODE ENABLED!") logger.verbose("VERBOSE MODE ENABLED!") @@ -473,38 +534,76 @@ def main(self): print "[+] Starting upfront Nmap Scan..." for scan_command in self.plan.get("Scans Start", "Order").split(","): print "[+] Starting Scan Type: " + scan_command - self.upfront_scan_hosts(self.hosts, scan_command) + try: + if self.args.phase == '': self.upfront_scan_hosts(self.hosts, scan_command) + except KeyboardInterrupt: + logger.verbose("Keyboard Interrupt Detected... skipping "+scan_command) + print "\t[X] Keyboard Interrupt Detected... skipping "+scan_command + continue + except ValueError as err: + bar(self.phase_commands,expected_size=len(self.phase_commands)) + if len(self.thread_pool_errors) > 0: + logger.verbose("[X] Phase completed but encountered the following errors: \n" + + pformat(self.thread_pool_errors) + pformat(self.thread_pool_commands) ) + print "[X] Phase completed but encountered the following errors: \n" \ + + pformat(self.thread_pool_errors) + pformat(self.thread_pool_commands) + continue print "[+] Starting background Nmap Scan..." + + # TODO background thread with long term comprehensive scan - restart enumeration it has finished - # Start background Nmap port scans ... these will take time and will run concurrently with enumeration #for scan_command in self.plan.get("Scans Start", "Order").split(","): # self.upfront_scan_hosts(self.hosts, scan_command) #thread = threading.Thread(target=self.background_scan_hosts, args=()) #thread.daemon = True # Daemonize thread #thread.start() # Start the execution - #TODO background thread with long term comprehensive scan - restart enumeration it has finished - # ensure resume is turned on + self.write_report_file(self.nmap_dict) # Begin Enumeration Phases print "[+] Starting enumeration..." for phase in self.plan.get("Enumeration Plan","Order").split(","): self.parse_nmap_xml() - self.write_report_file(self.nmap_dict) - # print "[+] Starting upfront Nmap Scan..." - # TODO Search for exploits - #self.exploit_search() print "[+] Starting Phase: " + phase - self.enumerate(phase) - + try: + if self.args.phase == phase or self.args.phase == '': self.enumerate(phase) + except KeyboardInterrupt: + logger.verbose("[X] Keyboard Interrupt Detected... exiting phase:: "+phase) + logger.verbose("[X] Thread Pool at Interrupt: \n" + pformat(self.thread_pool_commands)) + print "[X] Keyboard Interrupt Detected... exiting phase: "+phase + print "[X] Thread Pool at Interrupt:" + pprint(self.thread_pool_commands) + continue + except ValueError as err: + bar(self.phase_commands, expected_size=len(self.phase_commands)) + if len(self.thread_pool_errors) > 0: + logger.verbose("[X] Phase completed but encountered the following errors: \n" + + pformat(self.thread_pool_errors) + pformat(self.thread_pool_commands) ) + print "[X] Phase completed but encountered the following errors: \n" \ + + pformat(self.thread_pool_errors) + pformat(self.thread_pool_commands) + continue + + try: + self.write_report_file(self.nmap_dict) + print "[+] Searching for matching exploits..." + self.exploit_search("SearchSploit JSON") + except: + bar(self.phase_commands, expected_size=len(self.phase_commands)) print "[+] Elapsed Time: " + time.strftime('%H:%M:%S', time.gmtime(time.time() - start_time)) logger.verbose("Goodbye!") + self.command_error_log.close() + if self.args.logging: + self.debug_log.close() + self.verbose_log.close() return 0 def main(argv=None): vanquish = Vanquish(argv if argv else sys.argv[1:]) - return vanquish.main() + return vanquish.main + if __name__ == "__main__": sys.exit(main()) \ No newline at end of file diff --git a/attackplan.ini b/attackplan.ini index 95973e3..c31e956 100644 --- a/attackplan.ini +++ b/attackplan.ini @@ -18,11 +18,11 @@ Order: Information Gathering,Web Content Enumeration,User Enumeration,Password E #= Enumeration Phases ============ # The following sections detail the specific commands that will be run (found in the config.ini) at each enumeration phase [Information Gathering] -http: NMap Http Shell Shock,HTTP GoBuster -https: NMap SSL Heartbleed,SSLScan,SSLyze,HTTPS GoBuster +http: NMap Http Shell Shock, +https: NMap SSL Heartbleed,SSLScan,SSLyze, ftp: FTP Nmap Anon,FTP Nmap Bounce mysql: MySQL Nmap Empty Password,MySql Dump Tables -smb: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nmap User Enumeration +smb: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz smtp: SMTP Nmap Vuln Scan,SMTP Nmap Commands snmp: SNMP Nmap All,SNMP Onesixtyone,SNMP SNMPWalk,SNMP SNMP-Check ssh: SSLScan,SSLyze @@ -32,20 +32,30 @@ vnc: VNC NMap Scan telnet: Telnet NMap All dns: DNS Nmap All,DNS Recon finger: Finger Nmap All +msrpc: Msrpc Nmap Enum,Msrpc Enum4linux +rdp: RDP Nmap Enum Encryption,RDP Nmap Vuln Scan +rpc: RPC RPCClient Help,RPC RPCClient Enumprivs,RPC RPCClient Netshareenum,RPC RPCClient Srvinfo,RPC RPCClient Lookupnames Root,RPC Nmap RPC Info +kerberos: Kerberos +nfs: NFS List Shares +james-admin: James-Admin +ntp:NTP NTPQ Version,NTP NTPQ Readlist,NTP NTPQ Hostnames,NTP Nmap All [Web Site Scanning] -http: Nmap Web Scan,HTTP Nikto,HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2 -https: Nmap Web Scan,HTTP Nikto,HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2 +http: HTTP GoBuster,Nmap Web Scan,HTTP Nikto,HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess +https: HTTPS GoBuster,Nmap Web Scan,HTTP Nikto,HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess [Dirb Web Content Bruteforce] http: HTTP Dirb https: HTTPS Dirb [User Enumeration] -smtp: SMTP Nmap Enum Users,SMTP Emum Users Namelist,SMTP Emum Users Unix Users +smtp: SMTP Nmap Enum Users,SMTP Emum Users Name,SMTP Emum Users Unix Users snmp: SNMP SNMP-Check +rpc: RPC Enum4Linux User Enumeration +smb: SMB Nmap User Enumeration +ident: Ident ident-user-enum Service Users [Password Enumeration] http: [Vulnerablity Analysis] -http: -https: +http: HTTP Nmap Vuln Scan +https: HTTP Nmap Vuln Scan ftp: FTP Nmap All snmp: SNMP Nmap All ms-sql-s: MS-SQL Nmap All diff --git a/config.ini b/config.ini index c894d87..2981827 100644 --- a/config.ini +++ b/config.ini @@ -14,7 +14,7 @@ telnet: 23 ssh: 22 msrpc: 135 netbios-ssn: 139 -msrpc: 135 +msrpc: 135,1025 smb: 445 wsdapi: 5357 dns: 53 @@ -28,13 +28,21 @@ rexec: 512 rlogin: 513 vnc: 5800,5900 finger: 79 +rpc: 111 +ldap: 389 +ldaps: 636 +nfs: 2049 +james-admin: 4555 +ident: 113 #= Service Labels ============================== # The following NMAP services will be replaced with labels in order to ease command mapping [Service Labels] ms-wbt-server: rdp +rpcbind: rpc netbios-ssn: smb microsoft-ds: smb +nfs_acl: nfs #= Commands ============================== # The following INI sections are enumeration commands which have the following dynamic replacement values @@ -52,11 +60,21 @@ microsoft-ds: smb # # # +# +# Using word lists +# Config section and item parameters can be used in place of config list paths. +# List sections must always contain the word "List" +# Ex. - run the command using item best15:path/to/list under the [List Directories] section +# Commands can also be executed against each entry in a list if the section name is referenced +# Ex. - run a command against all items under the section [List Directories] +# <*list section name*> = Execute the command against all file lists +# <*list item name*> = Execute the command using a list item under any section + #= Network Scan Command ==================== # The following commands scan the network for hosts [Nmap Fast TCP] -Command: nmap -sV --version-all -F -oN .nmap -oX .xml +Command: nmap -sV -sC -O --version-all -F -oN .nmap -oX .xml [Nmap Fast UDP] Command: nmap -sU -p 123,161,162 -sV --version-all -oN .nmap -oX .xml [Nmap All TCP] @@ -70,6 +88,12 @@ Command: nmap -A -sU -sV --version-all -p- --script "default or (discovery and s [Nmap All TCP UDP Comprehensive] Command: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" -oN .nmap -oX .xml +#= Exploit Searching ==================== +[SearchSploit JSON] +Command: searchsploit --json --colour >> .json +[SearchSploit Txt] +Command: searchsploit --colour >> .txt + #= Fast Enumeration Commands ==================== # The following commands can be quickly run within a few seconds [DNS Hostname] @@ -80,6 +104,8 @@ Command: dig @ -axfr >> .txt Command: nmap -v --script=smb-vuln* -p -oN .nmap -oX .xml >> .txt [SMB NBTScan] Command: nbtscan -r -v -h >> .txt +[SMB Nbtscan-unixwiz] +Command: nbtscan-unixwiz >> .txt [SMB Enum4linux] Command: enum4linux -a -M -v >> .txt [SMB Nmblookup] @@ -107,11 +133,11 @@ Command: nmap -v --script smtp-ntlm-info -p -d -oN .nmap [SMTP Nmap Open Relay] Command: nmap -v --script=smtp-open-relay -p -d -oN .nmap -oX .xml >> .txt [NMap SSL Heartbleed] -Command: nmap -sV -p --script=ssl-heartbleed -d -oN .nmap -oX .xml >> .txt +Command: nmap -v -p --script=ssl-heartbleed -d -oN .nmap -oX .xml >> .txt [NMap Http Shell Shock] -Command: nmap -sV -p --script=http-shellshock -d -oN .nmap -oX .xml >> .txt +Command: nmap -v -p --script=http-shellshock -d -oN .nmap -oX .xml >> .txt [SNMP Nmap All] -Command: nmap -sU -vv --script=snmp* -p -d -oN .nmap -oX .xml >> .txt +Command: nmap --script=snmp* -p -d -oN .nmap -oX .xml >> .txt [SNMP Onesixtyone] Command: onesixtyone >> .txt [SNMP SNMPWalk] @@ -123,21 +149,55 @@ Command: sslscan : >> .txt [SSLyze] Command: sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers : >> .txt [Nmap Web Scan] -Command: nmap -sV -Pn -vv -p --script='(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)' -oN .nmap -oX .xml >> .txt +Command: nmap -v -p --script='(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)' -oN .nmap -oX .xml >> .txt [Nmap Rlogin] -Command: nmap -A -sV -T5 -Pn -p --script=rlogin* -oN .nmap -oX .xml >> .txt +Command: nmap -v -p --script=rlogin* -oN .nmap -oX .xml >> .txt [Nmap Rexec] -Command: nmap -A -sV -Pn -T5 -p --script=rexec* -oN .nmap -oX .xml >> .txt +Command: nmap -v -p --script=rexec* -oN .nmap -oX .xml >> .txt [MySql Dump Tables] Command: mysql -u root -h -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;' >> .txt [VNC NMap Scan] -Command: nmap -A -sV -Pn -T5 --script=vnc* -p -oN .nmap -oX .xml >> .txt +Command: nmap -v --script=vnc* -p -oN .nmap -oX .xml >> .txt [Telnet NMap All] -Command: nmap -A -sV -Pn -T5 --script=telnet* -p -oN .nmap -oX .xml >> .txt +Command: nmap -v --script=telnet* -p -oN .nmap -oX .xml >> .txt [Telnet Cisco Torch] Command: cisco-torch -A >> .txt [Finger Nmap All] -Command: nmap -A -sV -Pn -T5 --script=finger* -p -oN .nmap -oX .xml >> .txt +Command: nmap -v --script=finger* -p -oN .nmap -oX .xml >> .txt +[Msrpc Nmap Enum] +Command: nmap -v -p --script=msrpc-enum -d -oN .nmap -oX .xml >> .txt +[Msrpc Enum4linux] +Command: enum4linux -a -M -v >> .txt +[RDP Nmap Enum Encryption] +Command: nmap -v -p --script=rdp-enum-encryption -d -oN .nmap -oX .xml >> .txt +[RDP Nmap Vuln Scan] +Command: nmap -v -p --script=rdp-vuln* -d -oN .nmap -oX .xml >> .txt +[RPC RPCClient Help] +Command: rpcclient -U "" -N -chelp >> .txt +[RPC RPCClient Enumprivs] +Command: rpcclient -U "" -N -cenumprivs >> .txt +[RPC RPCClient Netshareenum] +Command: rpcclient -U "" -N -cnetshareenum >> .txt +[RPC RPCClient Srvinfo] +Command: rpcclient -U "" -N -csrvinfo >> .txt +[RPC RPCClient Lookupnames Root] +Command: rpcclient -U "" -N -c"lookupnames root" >> .txt +[RPC Nmap RPC Info] +Command: nmap -v -p --script=rpcinfo -d -oN .nmap -oX .xml >> .txt +[Kerberos] +Command: searchsploit --colour MS14-068 >> .txt +[NFS List Shares] +Command: showmount -e >> .txt +[James-Admin] +Command: searchsploit --colour "apache james" >> .txt +[NTP NTPQ Version] +Command: ntpq -c version >> .txt +[NTP NTPQ Readlist] +Command: ntpq -c readlist >> .txt +[NTP NTPQ Hostnames] +Command: ntpq -c hostnames >> .txt +[NTP Nmap All] +Command: nmap -sU -p --script=ntp* >> .txt #= Slow Enumeration Commands ==================== # The following commands can take up to 20 minutes to run [DNS Recon] @@ -164,9 +224,9 @@ Command: dirb https:/// -S -w >> .txt Command: gobuster -e -w /usr/share/wordlists/dirb/common.txt -u http:/// -t 10 -U username -P password >> .txt [HTTPS GoBuster] Command: gobuster -e -w /usr/share/wordlists/dirb/common.txt -u https:/// -t 10 -U username -P password >> .txt -[HTTP GoBuster All Wordlists] +[HTTP GoBuster All Dicts] Command: gobuster -e -u http:/// -t 10 -w -U username -P password >> .txt -[HTTPS GoBuster All Wordlists] +[HTTPS GoBuster All Dicts] Command: gobuster -e -u https:/// -t 10 -w -U username -P password >> .txt [HTTP Web Application Firewall] Command: wafw00f http:// >> .txt @@ -184,23 +244,34 @@ Command: wpscan --url https:// --batch >> .txt Command: wpscan --url http:///wordpress/ --batch >> .txt [HTTPS Wordpress Scan 2] Command: wpscan --url https:///wordpress/ --batch >> .txt - +[HTTP BlindElephant Guess] +Command: BlindElephant.py http:/// guess >> .txt +[HTTPS BlindElephant Guess] +Command: BlindElephant.py http:/// guess >> .txt +[HTTP Nmap Vuln Scan] +Command: nmap -v -p --script=http-vuln* -d -oN .nmap -oX .xml >> .txt #= User Enumeration ========================= -[SMTP Emum Users Namelist] # http://pentestmonkey.net/tools/smtp-user-enum -Command: smtp-user-enum -U /usr/share/wordlists/metasploit/namelist.txt -t -p >> .txt +[SMTP Emum Users Name] # http://pentestmonkey.net/tools/smtp-user-enum +Command: smtp-user-enum -U -t -p >> .txt [SMTP Emum Users Unix Users] # http://pentestmonkey.net/tools/smtp-user-enum -Command: smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt -t -p >> .txt +Command: smtp-user-enum -U -t -p >> .txt +[SMTP Emum Users All Dicts] # http://pentestmonkey.net/tools/smtp-user-enum +Command: smtp-user-enum -U -t -p >> .txt [SMTP Nmap Enum Users] Command: nmap -v --script smtp-enum-users -p -oN .nmap -oX .xml -d >> .txt [SMB Nmap User Enumeration] Command: nmap -sU -sS --script=smb-enum-users -p U:137,T:139 -oN .nmap -oX .xml >> .txt +[RPC Enum4Linux User Enumeration] +Command: enum4linux -k root,Administrator -r >> .txt +[Ident ident-user-enum Service Users] +Command: ident-user-enum 22 80 443 21 23 135 139 445 53 161 25 3389 3306 1433 123 512 5800 5900 79 111 389 2049 #= Exploits ============================= [MySQL Nmap Audit] Command: nmap -p --script mysql-audit --script-args "mysql-audit.username='',mysql-audit.password='',mysql-audit.filename='nselib/data/mysql-cis.audit'" >> .txt #= Username, Password and Directory Lists ============================== -[Directory Lists] +[List Directories] # 15 Lines best15: /usr/share/wordlists/dirb/other/best15.txt # 49 lines @@ -280,7 +351,7 @@ weblogic: /usr/share/wordlists/dirb/vulns/weblogic.txt # 560 Lines websphere: /usr/share/wordlists/dirb/vulns/websphere.txt -[User Lists] +[List Users] #4 Lines postgres-users: /usr/share/wordlists/metasploit/postgres_default_user.txt #6 Lines @@ -297,7 +368,8 @@ service-default-users: /usr/share/wordlists/metasploit/default_users_for_service namelist: /usr/share/wordlists/metasploit/namelist.txt #8607 Lines dirb-users: /usr/share/wordlists/dirb/others/names.txt -[Password Lists] + +[List Passwords] #4 Lines postgres-pass: /usr/share/wordlists/metasploit/postgres_default_pass.txt #6 lines