Add files via upload

Hydra brute force using generated password list and enumerated users
frizb · Aug 20, 2017 · 2a1c6a4 · 2a1c6a4
1 parent a2f5882
commit 2a1c6a4
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 33 deletions.
diff --git a/attackplan.ini b/attackplan.ini
@@ -132,23 +132,23 @@ telnet: Hydra dirb-passwords-top-110
 vnc: Hydra dirb-passwords-top-110
 # use any credentials discovered to execute exploits
 [Brute Forcing]
-ftp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-ftps: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-irc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-imap: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-pop3: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-mssql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-mysql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-rdp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-rexec: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-rlogin: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-rsh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-smb: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-smtp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-snmp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-ssh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-telnet: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
-vnc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack
+ftp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+ftps: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+irc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+imap: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+pop3: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+mssql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+mysql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+rdp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+rexec: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+rlogin: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+rsh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+smb: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+smtp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+snmp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+ssh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+telnet: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
+vnc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
 # Import data into Metasploit database
 [Metasploit Database Start]
 run once: Metasploit Start Database

diff --git a/config.ini b/config.ini
@@ -63,11 +63,11 @@
 [Nmap Fast TCP]
 Command: nmap -F <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
 [Nmap Fast UDP]
-Command: nmap -p 123,161,162 <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
+Command: nmap -p 123,161,162,137,138 <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
 [Nmap Fast TCP with Port and OS Identification]
 Command: nmap -sV -sC -O --version-all <nmap dns server> -F <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
 [Nmap Fast UDP with Port Identification]
-Command: nmap -sU -p 123,161,162 -sV <nmap dns server> --version-all <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
+Command: nmap -sU -p 123,161,162,137,138 -sV <nmap dns server> --version-all <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
 [Nmap All TCP]
 Command: nmap -A -p- <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
 [Nmap All UDP]
@@ -85,8 +85,10 @@ Command: searchsploit --json --colour <target> >> <output>.json
 [SearchSploit Txt]
 Command: searchsploit --colour <target> >> <output>.txt
 [SearchSploit Nmap]
-Command: for f in <output nmap>/*.xml; do echo "Processing $f file.."; searchsploit --nmap $f >> <output>$f.txt; done >> <output>.txt
-
+Command: for f in <output folder>/Nmap/*.xml; do echo "Processing $f file.."; searchsploit --nmap $f >> <output>$f.txt; done >> <output>.txt
+[NMap Vulscan and Version Detection]
+Command: nmap -sV -p- -O --script=vulscan/vulscan.nse -oN <output>.nmap -oX <output>.xml <target> >> <output>.txt
+Findings OS: OS details: (.+)\n
 #= Fast Enumeration Commands ====================
 # The following commands can be quickly run within a few seconds
 [DNS Hostname]
@@ -180,7 +182,7 @@ Command: sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 -
 [SSH Nmap Enum]
 Command: nmap -v -sV -p <port> --script="ssh*" <target> -d -oN <output>.nmap -oX <output>.xml >> <output>.txt
 [SSH Nmap Hostkey]
-Command: nmap <target> -p <port> -sV -oN <output>.nmap -oX <output>.xml >> <output>.txt
+Command: nmap <target> -p <port> -sV --script="ssh-hostkey,ssh-auth-methods" --script-args ssh_hostkey=full -oN <output>.nmap -oX <output>.xml >> <output>.txt
 Findings Services: open\s+ssh\s+(.+)
 Findings Sshhostkeys: \|_*\s+\d+\s+(([a-f0-9][a-f0-9]\:)+[a-f0-9][a-f0-9])
 [Nmap Web Scan]
@@ -284,7 +286,8 @@ Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
 [HTTPS Nmap Form Fuzzer Findings List]
 Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList UrlsHttpsRelative>"}} <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
 Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
-
+[XProbe2 OS Enumeration]
+Command: xprobe2 <target> >> <output>.txt
 #= Slow Enumeration Commands ====================
 # The following commands can take up to 20 minutes to run
 [DNS Recon]
@@ -308,10 +311,8 @@ Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
 [SNMP Nmap All]
 Command: nmap -sV -Pn -vv -p <port> --script=snmp* -oN <output>.nmap -oX <output>.xml <target> >> <output>.txt
 Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
-[NMap Vulscan and Version Detection]
-Command: nmap -sV -p- --script=vulscan/vulscan.nse <target> -oN <output>.nmap -oX <output>.xml <target> >> <output>.txt
 [HTTP Nikto Fast]
-Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host http://<target>/ -p <port> >> <output>.txt
+Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host http://<target>/ -port <port> >> <output>.txt
 Findings Vulnerabilities1: \+ (\/.+)
 Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
 Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -324,7 +325,7 @@ Findings Vulnerabilities9: \+ (Entry.+)
 Findings Services: \+ Server\: (.+)\s+\+
 Findings Announce: \+.+\: .+\'(shellshock)\'.+
 [HTTPS Nikto Fast]
-Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host https://<target>/ -p <port> >> <output>.txt
+Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host https://<target>/ -port <port> >> <output>.txt
 Findings Vulnerabilities1: \+ (\/.+)
 Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
 Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -337,7 +338,7 @@ Findings Vulnerabilities9: \+ (Entry.+)
 Findings Services: \+ Server\: (.+)\s+\+
 Findings Announce: \+.+\: .+\'(shellshock)\'.+
 [HTTP Nikto Tests]
-Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host http://<target>/ -p <port> >> <output>.txt
+Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host http://<target>/ -port <port> >> <output>.txt
 Findings Vulnerabilities1: \+ (\/.+)
 Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
 Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -350,7 +351,7 @@ Findings Vulnerabilities9: \+ (Entry.+)
 Findings Services: \+ Server\: (.+)\s+\+
 Findings Announce: \+.+\: .+\'(shellshock)\'.+
 [HTTPS Nikto Tests]
-Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host https://<target>/ -p <port> >> <output>.txt
+Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host https://<target>/ -port <port> >> <output>.txt
 Findings Vulnerabilities1: \+ (\/.+)
 Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
 Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -367,19 +368,27 @@ Command: dirb http://<target>:<port>/ -S -w  >> <output>.txt
 [HTTPS Dirb]
 Command: dirb https://<target>:<port>/ -S -w  >> <output>.txt
 [HTTP GoBuster]
-Command: gobuster -e -w -r -t 5 -U username -P password -s '200,204,403,500' /usr/share/wordlists/dirb/common.txt -u http://<target>:<port>/ >> <output>.txt
+Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500,403,301,302,308,307' -w /usr/share/wordlists/dirb/common.txt -u http://<target>:<port>/ >> <output>.txt
 Findings UrlsHttp: (^http.+)\s+\(
 Findings UrlsHttpRelative: ^http:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
 [HTTPS GoBuster]
-Command: gobuster -e -w -r -t 5 -U username -P password -s '200,204,403,500' /usr/share/wordlists/dirb/common.txt -u https://<target>:<port>/ >> <output>.txt
+Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -w /usr/share/wordlists/dirb/common.txt -u https://<target>:<port>/ >> <output>.txt
 Findings UrlsHttps: (^http.+)\s+\(
 Findings UrlsHttpsRelative: ^https:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
 [HTTP GoBuster All Dicts]
-Command: gobuster -e -w -r -t 5 -U username -P password -s '200,204,403,500' http://<target>:<port>/ <List Directories> >> <output>.txt
+Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u http://<target>:<port>/ -w <List Directories> >> <output>.txt
 Findings UrlsHttp: (^http.+)\s+\(
 Findings UrlsHttpRelative: ^http:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
 [HTTPS GoBuster All Dicts]
-Command: gobuster -e -w -r -t 5 -U username -P password -s '200,204,403,500' https://<target>:<port>/ <List Directories> >> <output>.txt
+Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u https://<target>:<port>/ -w <List Directories> >> <output>.txt
+Findings UrlsHttps: (^http.+)\s+\(
+Findings UrlsHttpsRelative: ^https:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
+[HTTP GoBuster Findings All Dicts]
+Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u <FindingsList urlshttp> -w <List Directories> >> <output>.txt
+Findings UrlsHttp: (^http.+)\s+\(
+Findings UrlsHttpRelative: ^http:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
+[HTTPS GoBuster Findings All Dicts]
+Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u <FindingsList urlshttps> -w <List Directories> >> <output>.txt
 Findings UrlsHttps: (^http.+)\s+\(
 Findings UrlsHttpsRelative: ^https:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
 [HTTP Web Application Firewall]
@@ -497,6 +506,8 @@ Findings Credentials: ^\[.+(login:.+)
 
 
 #= Hydra Password Brute Forcing =============================
+[Hydra password list]
+Command: hydra -L <Findings users> -P <Findings passwordlist> ../ <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
 [Hydra wfuzz-common]
 Command: hydra -L <Findings users> -P <wfuzz-common> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
 Findings Credentials: ^\[.+(login:.+)