Add files via upload

Added always: item parameter / Added command parameter to pass all host ports comma separated or space separated

Vanquish2.py

@@ -376,6 +376,9 @@ def enumerate(self,phase_name):
         self.thread_pool_errors = []
         for host in self.nmap_dict:
             logger.debug("enumerate() - Host: " + host)
+            host_ports = [d['portid'] for d in self.nmap_dict[host]['ports'] if 'portid' in d]
+            if self.plan.has_option(phase_name, 'always'):
+                self.nmap_dict[host]['ports'].append({'state':'open','name':'always','portid':'0','product':'Vanquish Added Always Service'})
             for service in self.nmap_dict[host]['ports']:
                 logger.debug("\tenumerate() - port_number: " + str(service))
                 for known_service, ports in self.config.items('Service Ports'):
@@ -390,6 +393,8 @@ def enumerate(self,phase_name):
                                         'domain': self.args.domain,
                                         'service': service['name'],
                                         'port':service['portid'],
+                                        'host ports comma': ",".join(host_ports),
+                                        'host ports space': " ".join(host_ports)
                                     }
                                     base, filename = os.path.split(command_keys['output']) # Resume file already exists
                                     if not self.args.noResume and self.find_files(base,filename+".*").__len__()>0:

attackplan.ini

@@ -17,6 +17,7 @@ Order: Information Gathering,User Enumeration,Password Enumeration,Vulnerablity
 
 #= Enumeration Phases ============
 # The following sections detail the specific commands that will be run (found in the config.ini) at each enumeration phase
+# a special always: item can be specified to always run these commands against a host once.
 [Information Gathering]
 http: NMap Http Shell Shock,
 https: NMap SSL Heartbleed,SSLScan,SSLyze,
@@ -43,8 +44,8 @@ ntp:NTP NTPQ Version,NTP NTPQ Readlist,NTP NTPQ Hostnames,NTP Nmap All
 pop3: POP3 Nmap Enum
 imap: IMAP Nmap Enum
 [Web Site Scanning]
-http: HTTP GoBuster,Nmap Web Scan,HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess
-https: HTTPS GoBuster,Nmap Web Scan,HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess
+http: Nmap Web Scan,HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess
+https: Nmap Web Scan,HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess
 [Web Site Nikto Scanning]
 http: HTTP Nikto
 https: HTTPS Nikto
@@ -65,6 +66,7 @@ smtp:SMTP Emum Users Name,SMTP Emum Users Unix Users
 [Password Enumeration Bruteforce]
 http:
 [Vulnerablity Analysis]
+always: Nmap Vulnerability Scan All Host Ports
 http: HTTP Nmap Vuln Scan
 https: HTTP Nmap Vuln Scan
 ftp: FTP Nmap Vuln Scan

config.ini

@@ -1,60 +1,15 @@
-#Vanquish config file
-#= System Configuration ==============================
-[System]
-Debug: 0
-Verbose: 0
-
-#= Service Ports ==============================
-# The following services will be associated with port numbers in cases where services cannot be identified by Nmap
-[Service Ports]
-http: 80,8080,8081,8000,8008,8180,8888
-https: 443,8443,9443
-ftp: 21
-telnet: 23
-ssh: 22
-msrpc: 135
-netbios-ssn: 139
-msrpc: 135,1025
-smb: 445
-wsdapi: 5357
-dns: 53
-snmp: 161
-smtp: 25
-rdp: 3389
-mysql: 3306
-ms-sql-s: 1433,27900
-ntp: 123
-rexec: 512
-rlogin: 513
-vnc: 5800,5900
-finger: 79
-rpc: 111
-ldap: 389
-ldaps: 636
-nfs: 2049
-james-admin: 4555
-ident: 113
-tftp: 69
-
-#= Service Labels ==============================
-# The following NMAP services will be replaced with labels in order to ease command mapping
-[Service Labels]
-ms-wbt-server: rdp
-rpcbind: rpc
-netbios-ssn: smb
-microsoft-ds: smb
-nfs_acl: nfs
-
 #= Commands ==============================
 # The following INI sections are enumeration commands which have the following dynamic replacement values
-# <target>      = IP Address that the command will be run against
-# <output>      = Path to the output file specific to this command
-# <port>        = Port number of this service
-# <service>     = Service name identified by Nmap
-# <domain>      = Domain specified by the command line parameter -domain
-# <username>    = Username that was discovered for this host and service
-# <password>    = Password that was discovered for this host and service
-# <community>   = File path to the SNMP community string list
+# <target>              = IP Address that the command will be run against
+# <output>              = Path to the output file specific to this command
+# <port>                = Port number of this service
+# <service>             = Service name identified by Nmap
+# <domain>              = Domain specified by the command line parameter -domain
+# <username>            = Username that was discovered for this host and service
+# <password>            = Password that was discovered for this host and service
+# <community>           = File path to the SNMP community string list
+# <host ports comma>    = List of all ports on host separated by a comma
+# <host ports space>    = List of all ports on host separated by a space
 # <dirshort>
 # <dirlong>
 # <passlong>
@@ -215,6 +170,8 @@ Command: nmap -v -p <port> --script=tftp-enum <target> -d -oN <output>.nmap -oX
 Command: nmap -v -sV -p <port> --script="pop3-capabilities or pop3-ntlm-info" <target> -d -oN <output>.nmap -oX <output>.xml >> <output>.txt
 [IMAP Nmap Enum]
 Command: nmap -v -sV -p <port> --script="imap-capabilities or imap-ntlm-info" <target> -d -oN <output>.nmap -oX <output>.xml >> <output>.txt
+[Nmap Vulnerability Scan All Host Ports]
+Command: nmap -v -p <host ports comma>  -d --script=*vuln* --script-args=unsafe=1 <target> -d -oN <output>.nmap -oX <output>.xml >> <output>.txt
 #= Slow Enumeration Commands ====================
 # The following commands can take up to 20 minutes to run
 [DNS Recon]
@@ -296,11 +253,11 @@ Command: mount -t cifs -o user=me,pass=mypass,sec=ntlm //server/share /mnt/point
 #= Username, Password and Directory Lists ==============================
 [List Directories]
 # 15 Lines
-best15: /usr/share/wordlists/dirb/other/best15.txt
+best15: /usr/share/wordlists/dirb/others/best15.txt
 # 49 lines
 mutations_common: /usr/share/wordlists/dirb/mutations_common.txt
 # 110 lines
-best110: /usr/share/wordlists/dirb/other/best110.txt
+best110: /usr/share/wordlists/dirb/others/best110.txt
 # 161 lines
 catala: /usr/share/wordlists/dirb/catala.txt
 # 197 lines
@@ -312,15 +269,15 @@ indexes: /usr/share/wordlists/dirb/indexes.txt
 # 959 lines
 small: /usr/share/wordlists/dirb/small.txt
 # 1049 lines
-best1050: /usr/share/wordlists/dirb/other/best1050.txt
+best1050: /usr/share/wordlists/dirb/others/best1050.txt
 # 449 lines
 spanish: /usr/share/wordlists/dirb/spanish.txt
 # 4614 lines
 common: /usr/share/wordlists/dirb/common.txt
 # 20469 lines
 big: /usr/share/wordlists/dirb/big.txt
 # 8607 lines
-names: /usr/share/wordlists/dirb/other/names.txt
+names: /usr/share/wordlists/dirb/others/names.txt
 # 30 Lines
 apache: /usr/share/wordlists/dirb/vulns/apache.txt
 # 17 Lines
@@ -422,4 +379,51 @@ metasploit-passwords: /usr/share/wordlists/metasploit/password.lst
 #1202867 Lines
 sql-map: /usr/share/wordlists/sqlmap.txt
 #14344392 Lines
-rockyou: /usr/share/wordlists/rockyou.txt
+rockyou: /usr/share/wordlists/rockyou.txt
+
+#= Service Ports ==============================
+# The following services will be associated with port numbers in cases where services cannot be identified by Nmap
+[Service Ports]
+always: 0
+http: 80,8080,8081,8000,8008,8180,8888
+https: 443,8443,9443
+ftp: 21
+telnet: 23
+ssh: 22
+msrpc: 135
+netbios-ssn: 139
+msrpc: 135,1025
+smb: 445
+wsdapi: 5357
+dns: 53
+snmp: 161
+smtp: 25
+rdp: 3389
+mysql: 3306
+ms-sql-s: 1433,27900
+ntp: 123
+rexec: 512
+rlogin: 513
+vnc: 5800,5900
+finger: 79
+rpc: 111
+ldap: 389
+ldaps: 636
+nfs: 2049
+james-admin: 4555
+ident: 113
+tftp: 69
+#= Service Labels ==============================
+# The following NMAP services will be replaced with labels in order to ease command mapping
+[Service Labels]
+ms-wbt-server: rdp
+rpcbind: rpc
+netbios-ssn: smb
+microsoft-ds: smb
+nfs_acl: nfs
+
+#Vanquish config file
+#= System Configuration ==============================
+[System]
+Debug: 0
+Verbose: 0