Add files via upload
Updated Configuration files and attack plan new enumerations and bug fixes
frizb authored Sep 8, 2017
1 parent 2a1c6a4 commit 76e4065
Showing 2 changed files with 51 additions and 30 deletions.
25 changes: 12 additions & 13 deletions attackplan.ini
@@ -6,23 +6,23 @@
#= Nmap Scan Ordering ============
# The Vanquish script will alternate between an Nmap scan and the enumeration Plan
[Nmap Scans]
Order: Nmap Fast TCP and UDP,Nmap All TCP Ports
Order: Nmap Fast TCP and UDP Plan,Nmap All TCP Ports Plan

#= Phase Ordering ============
# The following section defines the scan and enumeration phase ordering
# Scans Start = The scans to complete upfront before any enumeration has started... these should be quick
# Scans Background = The slow scans that will run in the background while the enumeration phases are executing
# Enumeration Plan = The order in which the enumeration phases will be executed
[Nmap Fast TCP and UDP]
[Nmap Fast TCP and UDP Plan]
Order: Nmap Scan Fast TCP,Nmap Scan Fast UDP
[Nmap All TCP Ports]
[Nmap All TCP Ports Plan]
Order: Nmap Scan All TCP
[Nmap All UDP Ports]
[Nmap All UDP Ports Plan]
Order: Nmap Scan All UDP
[Enumeration Plan]
Order: Information Gathering,User Enumeration,Web Site Scanning,Password List Generation,User Enumeration Bruteforce
[Post Enumeration Plan]
Order: Metasploit Database Start,Metasploit Database Import,Metasploit Report Generation,Vulnerablity Analysis,Web Content Detection,Web Exploitation,Nmap HTTP Scan,Brute Forcing Lite,Web Site Nikto Tests,Brute Forcing,Nmap All UDP Ports
Order: Metasploit Database Start,Metasploit Database Import,Metasploit Report Generation,Web Content Detection,Web Exploitation,Nmap HTTP Scan,Brute Forcing Lite,Vulnerablity Analysis,Vulnerability Validation,Web Site Nikto Tests,Brute Forcing,Nmap Scan All UDP

#= Nmap Phases ============
# The following sections detail the specific commands that will be run (found in the config.ini) at each nmap phase
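Review bot: the new [Post Enumeration Plan] Order still carries the misspelling 'Vulnerablity Analysis' from the old line, right before the newly added 'Vulnerability Validation'; if the phase section is headed '[Vulnerability Analysis]' that entry will never resolve, so check the spelling against the section header. Also, with the final entry changed from 'Nmap All UDP Ports' to 'Nmap Scan All UDP', the renamed '[Nmap All UDP Ports Plan]' section is no longer referenced by any Order line in this hunk; either drop it or point the plan back at it.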
@@ -63,20 +63,21 @@ msrpc: Msrpc Nmap Enum,Msrpc Enum4linux
rdp: RDP Nmap Enum Encryption,RDP Nmap Vuln Scan
rpc: RPC RPCClient Help,RPC RPCClient Enumprivs,RPC RPCClient Netshareenum,RPC RPCClient Srvinfo,RPC RPCClient Lookupnames Root,RPC Nmap RPC Info
kerberos: Kerberos
nfs: NFS List Shares
nfs: NFS List Shares,NFS NMAP Showmount
james-admin: James-Admin
ntp:NTP NTPQ Version,NTP NTPQ Readlist,NTP NTPQ Hostnames,NTP Nmap All
pop3: POP3 Nmap Enum
imap: IMAP Nmap Enum
ms-sql-s: MS-SQL-S Nmap MS-SQL Info
[Web Site Scanning]
http: HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess,HTTP Cewl Password List,HTTP Robots
https: HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess,HTTPS Cewl Password List,HTTPS Robots
[Web Site Nikto Tests]
http: HTTP Nikto Tests
https: HTTPS Nikto Tests
[Web Content Detection]
http: HTTP GoBuster,HTTP What Web All Urls,HTTP BlindElephant Guess All Urls,HTTP Wordpress Scan All Urls
https: HTTPS GoBuster,HTTPS What Web All Urls,HTTPS BlindElephant Guess All Urls,HTTPS Wordpress Scan All Urls
http: HTTP GoBuster,HTTP What Web All Urls,HTTP BlindElephant Guess All Urls,HTTP Wordpress Scan All Urls,HTTP Method Check
https: HTTPS GoBuster,HTTPS What Web All Urls,HTTPS BlindElephant Guess All Urls,HTTPS Wordpress Scan All Urls,HTTPS Method Check
[Web Exploitation]
http: HTTP Nmap SQL Injection Scan,HTTP Nmap SQL Injection Findings List Scan
https: HTTP Nmap SQL Injection Scan,HTTPS Nmap SQL Injection Findings List Scan
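Review bot: in [Web Exploitation] the https line still begins with 'HTTP Nmap SQL Injection Scan' rather than the HTTPS variant, so the plain-HTTP scan is what runs against the HTTPS service; the new 'HTTPS Method Check' entry in this hunk gets the prefix right, so fix the older line the same way. Minor: 'ntp:NTP NTPQ Version' is the only service key here without a space after the colon.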
@@ -107,11 +108,9 @@ snmp: SNMP Nmap All
ms-sql-s: MS-SQL Nmap All
smb: Samba Nmap Vuln Scan
[Vulnerability Validation]
always:
http:
ssh:
https:
ftp:
run once: Create File For Upload Test
http: HTTP Put Method Exploit
https: HTTPS Put Method Exploit
[Brute Forcing Lite]
ftp: Hydra dirb-passwords-top-110
ftps: Hydra dirb-passwords-top-110
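Review bot: the new 'http: HTTP Put Method Exploit' and 'https: HTTPS Put Method Exploit' entries fire for every HTTP/HTTPS service regardless of what the Method Check phase recorded, so the VulnerableHTTPPutMethod finding is collected but never gates this write to the target; consider keying the upload on that finding. 'run once:' is also a new key in this file (other sections use service names or 'always:'), so confirm the plan parser handles it rather than treating it as an unknown service.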
56 changes: 39 additions & 17 deletions config.ini
@@ -69,7 +69,7 @@ Command: nmap -sV -sC -O --version-all <nmap dns server> -F <target> -oN <output
[Nmap Fast UDP with Port Identification]
Command: nmap -sU -p 123,161,162,137,138 -sV <nmap dns server> --version-all <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
[Nmap All TCP]
Command: nmap -A -p- <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
Command: nmap -A -p- -O --version-all <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
[Nmap All UDP]
Command: nmap -A -sU -p- <nmap dns server> <target> -oN <output>.nmap -oX <output nmap>.xml >> <output>.txt
[Nmap All TCP Comprehensive]
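Review bot: in the new [Nmap All TCP] command, -O is redundant because -A already enables OS detection (together with version detection, script scanning and traceroute); only --version-all changes behaviour here. Drop -O, or if the intent is parity with [Nmap All UDP], apply the same --version-all change there as well.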
@@ -85,7 +85,7 @@ Command: searchsploit --json --colour <target> >> <output>.json
[SearchSploit Txt]
Command: searchsploit --colour <target> >> <output>.txt
[SearchSploit Nmap]
Command: for f in <output folder>/Nmap/*.xml; do echo "Processing $f file.."; searchsploit --nmap $f >> <output>$f.txt; done >> <output>.txt
Command: for f in <output folder>/Nmap/*.xml; do echo "Processing $f file.."; searchsploit --nmap $f --colour >> <output>_results.txt; done; >> <output>.txt
[NMap Vulscan and Version Detection]
Command: nmap -sV -p- -O --script=vulscan/vulscan.nse -oN <output>.nmap -oX <output>.xml <target> >> <output>.txt
Findings OS: OS details: (.+)\n
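Review bot: the new [SearchSploit Nmap] line ends with `done; >> <output>.txt`, where the semicolon terminates the loop before the redirection, so the 'Processing ...' output goes to the console and the trailing `>> <output>.txt` is a bare redirection that only touches the file. Write `done >> <output>.txt` and quote `"$f"` so paths with spaces survive. The change from `<output>$f.txt` to `<output>_results.txt` does fix the broken output path.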
@@ -243,6 +243,8 @@ Command: nmap -v -p <port> --script=rpcinfo <target> -d -oN <output>.nmap -oX <o
Command: searchsploit --colour MS14-068 >> <output>.txt
[NFS List Shares]
Command: showmount -e <target> >> <output>.txt
[NFS NMAP Showmount]
Command: nmap -sV --script=nfs-showmount <target> >> <output>.txt
[James-Admin]
Command: searchsploit --colour "apache james" >> <output>.txt
[NTP NTPQ Version]
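Review bot: [NFS NMAP Showmount] omits -p <port> and the -oN/-oX outputs that every other Nmap section in this file uses, so it scans nmap's default port list instead of the discovered service and leaves no XML for the Metasploit import phase. Note that nfs-showmount queries the portmapper (rpcbind, port 111) rather than the NFS port itself, so pass the port this check should use explicitly. The section name also uses 'NMAP' where the rest of the file writes 'Nmap'.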
@@ -266,28 +268,30 @@ Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=unsafe=1 <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings SqlInjection: \| (http-sql-injection:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap SQL Injection Findings List Scan]
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=http-sql-injection.url=<FindingsList UrlsHttpRelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=http-sql-injection.url=<FindingsList urlshttprelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings SqlInjection: \| (http-sql-injection:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTPS Nmap SQL Injection Findings List Scan]
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=http-sql-injection.url=<FindingsList UrlsHttpsRelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=http-sql-injection.url=<FindingsList urlshttpsrelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings SqlInjection: \| (http-sql-injection:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap Form Brute Findings List]
Command: nmap -sV -p <port> --script=http-form-brute --script-args=http-form-brute.path=<FindingsList UrlsHttpRelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Command: nmap -sV -p <port> --script=http-form-brute --script-args=http-form-brute.path=<FindingsList urlshttprelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings HttpFormBrute: \| (http-form-brute:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTPS Nmap Form Brute Findings List]
Command: nmap -sV -p <port> --script=http-form-brute --script-args=http-form-brute.path=<FindingsList UrlsHttpsRelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Command: nmap -sV -p <port> --script=http-form-brute --script-args=http-form-brute.path=<FindingsList urlshttpsrelative> <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings HttpsFormBrute: \| (http-form-brute:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap Form Fuzzer]
Command: nmap -sV -p <port> --script=http-form-fuzzer <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap Form Fuzzer Findings List]
Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList UrlsHttpRelative>"}} <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList urlshttprelative>"}} <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTPS Nmap Form Fuzzer Findings List]
Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList UrlsHttpsRelative>"}} <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList urlshttpsrelative>"}} <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[XProbe2 OS Enumeration]
Command: xprobe2 <target> >> <output>.txt
[MS-SQL-S Nmap MS-SQL Info]
Command: nmap -p <port> --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=<port>,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
#= Slow Enumeration Commands ====================
# The following commands can take up to 20 minutes to run
[DNS Recon]
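Review bot: the placeholders are changed to lowercase (`<FindingsList urlshttprelative>`) while the Findings keys in this file stay CamelCase (`Findings SqlInjection`, `Findings UrlsHttp`), so the lookup only works if it is case-insensitive; confirm that or keep a single spelling. Separately, the new [MS-SQL-S Nmap MS-SQL Info] section, despite the 'Info' name, includes ms-sql-xp-cmdshell and ms-sql-dump-hashes, which execute on the server and pull credential hashes rather than enumerate; they belong in a later validation phase with explicit opt-in, not in the enumeration phase that the 'ms-sql-s:' entry feeds. Minor: the HTTPS Form Fuzzer section reuses the `HttpFormFuzzer` findings key where the Form Brute pair distinguishes `HttpsFormBrute`.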
@@ -312,7 +316,7 @@ Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
Command: nmap -sV -Pn -vv -p <port> --script=snmp* -oN <output>.nmap -oX <output>.xml <target> >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nikto Fast]
Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host http://<target>/ -port <port> >> <output>.txt
Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host http://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
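Review bot: the -host URL now carries the port (`http://<target>:<port>/`) while -port <port> is still passed; harmless but redundant, so pick one. The plugin list on the same line contains 'mutiple_index', which looks like a typo for Nikto's multiple_index plugin and would be silently skipped; the identical list is repeated in [HTTPS Nikto Fast], so fix both copies.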
@@ -325,7 +329,7 @@ Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTPS Nikto Fast]
Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host https://<target>/ -port <port> >> <output>.txt
Command: nikto -nointeractive -maxtime 30m -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host https://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -338,7 +342,7 @@ Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTP Nikto Tests]
Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host http://<target>/ -port <port> >> <output>.txt
Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host http://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -351,7 +355,7 @@ Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTPS Nikto Tests]
Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host https://<target>/ -port <port> >> <output>.txt
Command: nikto -nointeractive -maxtime 90m -Plugins 'tests' -C all -host https://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
@@ -448,6 +452,12 @@ Findings UrlsHttp: (^http.+)
[HTTPS Robots]
Command: curl https://<target>:<port>/robots.txt --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" --connect-timeout 30 --max-time 180 |grep 'Allow\|Disallow' | sed "s|[a-zA-Z]*\:[[:blank:]]*/|https://<target>:<port>/|" >> <output>.txt
Findings UrlsHttps: (^http.+)
[HTTP Method Check]
Command: nmap -p <port> --script http-methods --script-args http-methods.url-path='<FindingsList urlshttprelative>' <target> >> <output>.txt
Findings VulnerableHTTPPutMethod: (.+PUT.+)
[HTTPS Method Check]
Command: nmap -p <port> --script http-methods --script-args http-methods.url-path='<FindingsList urlshttpsrelative>' <target> >> <output>.txt
Findings VulnerableHTTPSPutMethod: (.+PUT.+)
#= User Enumeration =========================
[SMTP Emum Users Name] # http://pentestmonkey.net/tools/smtp-user-enum
Command: smtp-user-enum -U <namelist> -t <target> -p <port> >> <output>.txt
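Review bot: `Findings VulnerableHTTPPutMethod: (.+PUT.+)` matches any output line containing the substring PUT (a path, a banner, 'INPUT'), not just the 'Potentially risky methods' line http-methods emits; anchor it to that line with a word boundary, e.g. `Potentially risky methods:.*\bPUT\b`. The two new commands also lack the -oN/-oX outputs the other Nmap sections write, and since http-methods.url-path takes a single path, check how `<FindingsList urlshttprelative>` expands when more than one URL was found.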
@@ -507,7 +517,8 @@ Findings Credentials: ^\[.+(login:.+)
#= Hydra Password Brute Forcing =============================
[Hydra password list]
Command: hydra -L <Findings users> -P <Findings passwordlist> ../ <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Command: hydra -L <Findings users> -P <Findings passwordlist> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra wfuzz-common]
Command: hydra -L <Findings users> -P <wfuzz-common> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
@@ -535,6 +546,9 @@ Findings Credentials: ^\[.+(login:.+)
[Hydra sql-map]
Command: hydra -L <Findings users> -P <sql-map> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra 1 to 4 lowercase characters]
hydra -x 1:4:a -L <Findings users> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
# login:test@test.com password:TheP@ssw0rd!
# Hydra Supported Services:
#asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form
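Review bot: the new [Hydra 1 to 4 lowercase characters] section is missing the `Command:` key; every other section starts its command line with `Command:`, so this line will not be parsed as a command at all. It also lacks the `Findings Credentials: ^\[.+(login:.+)` line its neighbouring Hydra sections carry, so any hit would not be recorded.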
@@ -554,6 +568,14 @@ Findings Credentials: ^\[.+(login:.+)
# Credentials can be manually added to this file in this format and tested against multiple services
# by rerunning vanquish.
# The dynamic replacement values <login> and <password> will execute the command for each set of credentials.
[Create File For Upload Test]
Command: echo Hello from Vanquish! > ./uploadtest.txt
[HTTP Put Method Exploit]
Command: nmap -p <port> <target> --script http-put --script-args http-put.url='<FindingsList urlshttprelative>/uploadtest.txt',http-put.file='./uploadtest.txt' >> <output>.txt
Findings ExploitHTTPPut: (.+successfully.+)
[HTTPS Put Method Exploit]
Command: nmap -p <port> <target> --script http-put --script-args http-put.url='<FindingsList urlshttpsrelative>/uploadtest.txt',http-put.file='./uploadtest.txt' >> <output>.txt
Findings ExploitHTTPSPut: (.+successfully.+)
[MySQL Exploit Nmap Audit]
Command: nmap -p <port> --script mysql-audit --script-args "mysql-audit.username='<login>',mysql-audit.password='<password>',mysql-audit.filename='nselib/data/mysql-cis.audit'" <target> >> <output>_<login>.txt
[Rdp Exploit]
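Review bot: [Create File For Upload Test] writes ./uploadtest.txt and both PUT sections read './uploadtest.txt', all relative to the working directory rather than <output folder>, so they only line up if Vanquish's cwd never changes between phases. Nothing removes the uploaded file from the target afterwards either; since `(.+successfully.+)` captures the path, surface it in the report so the test artefact can be cleaned up.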
@@ -610,13 +632,13 @@ Command: sqlmap -u "https://<FindingsList urlshttps>:<port>" --batch --crawl=5 -
#= Metasploit Database Sync =============================
# Vanquish will load any findings into the Metasploit database
[Metasploit Start Database]
Command: systemctl start postgresql
Command: systemctl start postgresql >> <output>.txt
[Metasploit Import Database]
Command: msfconsole -x "workspace -a <workspace>; db_import <output folder>/Nmap/**/*.xml; exit;"
Command: msfconsole -x "workspace -a <workspace>; db_import <output folder>/Nmap/**/*.xml; exit;" >> <output>.txt
[Metasploit Hosts Report]
Command: msfconsole -x "workspace <workspace>; hosts -o <output folder>/msfhosts.csv; exit;"
Command: msfconsole -x "workspace <workspace>; hosts -o <output folder>/msfhosts.csv; exit;" >> <output>.txt
[Metasploit Services Report]
Command: msfconsole -x "workspace <workspace>; services -o <output folder>/msfservices.csv; exit;"
Command: msfconsole -x "workspace <workspace>; services -o <output folder>/msfservices.csv; exit;" >> <output>.txt
#= Username, Password and Directory Lists ==============================
[List Directories]
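Review bot: appending `>> <output>.txt` captures stdout only; systemctl is silent on success and both it and msfconsole report failures on stderr, so add `2>&1` to each of the four commands if the point is to leave a record of what happened during the database phase.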
