├── LICENSE
├── CONTRIBUTING.md
├── README.md
└── nmapAutomator.sh

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 21y4d

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

## Coding Standards

`nmapAutomator` is 100% POSIX compatible and should run with `/bin/sh`. To keep it that way, please follow these coding standards:
- Keep the current indentation and code structure. *You can use VSCode to format it automatically.*
- Use camel case for any variables or functions you add, e.g. `newVariable`.
- For any output files, use underscores `_` instead of spaces, and include `${HOST}` in the name.
- Enclose all variables in `${}`, e.g. `${myVar}`.
- Always quote variables, e.g. `echo "${my_var}"`, *unless you are deliberately relying on shell word-splitting.*
- Always add a comment describing the general purpose of the code.
- Use POSIX commands where possible, i.e. `awk`/`sed`, as some commands do not work with `sh` or older shells. *You may open an issue if you do not know how to write the command you need.*

You can check the POSIX tools (and the parameters and syntax they accept) in the [IEEE Std 1003.1-2017 Utilities specification](https://pubs.opengroup.org/onlinepubs/9699919799/idx/utilities.html) and the [IEEE Std 1003.1-2017 Built-ins specification](https://pubs.opengroup.org/onlinepubs/9699919799/idx/sbi.html).

When adding new recon options, re-use existing code where you can by basing your pull request on the existing options in the `reconRecommend()` function.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# nmapAutomator

A script you can run in the background!

![nmapAutomator](https://i.imgur.com/3cMJIPr.gif)

## Summary

The main goal of this script is to automate the enumeration and recon steps that are run every time, so we can focus our attention on the actual pentesting.

This ensures two things:
1. nmap scans are automated.
2. Some recon is always running in the background.

Once the initial ports are found (*in 5-10 seconds*), we can start looking into those ports manually and let the rest run in the background with no interaction from our side.

## Features

### Scans
1. **Network** : Shows all live hosts in the host's network (~15 seconds)
2. **Port** : Shows all open ports (~15 seconds)
3. **Script** : Runs a script scan on found ports (~5 minutes)
4. **Full** : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
5. **UDP** : Runs a UDP scan "requires sudo" (~5 minutes)
6. **Vulns** : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
7. **Recon** : Suggests recon commands, then prompts to automatically run them
8. **All** : Runs all the scans (~20-30 minutes)

*Note: This is a reconnaissance tool, and it does not perform any exploitation.*

### Automatic Recon
With the `recon` option, nmapAutomator will automatically recommend and run the best recon tools for each found port.
If a recommended tool is missing from your machine, nmapAutomator will suggest how to install it.

### Runs on any shell
nmapAutomator is 100% POSIX compatible, so it can run on any `sh` shell and on any unix-based machine (*even a 10-year-old router!*), which makes nmapAutomator ideal for lateral movement recon.

If you want to run nmapAutomator on a remote machine, simply download a static nmap binary from [this link](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap), or with [static-get](https://github.com/minos-org/minos-static), and transfer it to the remote machine. You can then use `-s/--static-nmap` to specify the path to the static nmap binary.
Note that the script only checks that the file is executable and that its help banner starts with `Nmap`; it does not verify the binary's integrity, so compare the download against a hash you trust before running it on a target network.

### Remote Mode (Beta)
With the `-r/--remote` flag nmapAutomator runs in Remote Mode, which is designed to use POSIX shell commands only, without relying on any external tools.
Remote Mode is still under development. Only the following scans currently work with `-r`:
- [x] Network Scan (currently ping only)
- [ ] Port Scan
- [ ] Full Scan
- [ ] UDP Scan
- [ ] Recon Scan

### Output
nmapAutomator saves the output of each type of scan into a separate file under the output directory.
The entire script output is also saved; you can view it with `less -r outputDir/nmapAutomator_host_type.txt`, or simply `cat` it.

-----

## Requirements:
[ffuf](https://github.com/ffuf/ffuf), which we can install with:
```bash
sudo apt update
sudo apt install ffuf -y
```

Or [Gobuster](https://github.com/OJ/gobuster) (*v3.0 or higher*), which we can install with:
```bash
sudo apt update
sudo apt install gobuster -y
```

Other recon tools used within the script include:
|[nmap Vulners](https://github.com/vulnersCom/nmap-vulners)|[sslscan](https://github.com/rbsec/sslscan)|[nikto](https://github.com/sullo/nikto)|[joomscan](https://github.com/rezasp/joomscan)|[wpscan](https://github.com/wpscanteam/wpscan)|
|:-:|:-:|:-:|:-:|:-:|
|[droopescan](https://github.com/droope/droopescan)|[smbmap](https://github.com/ShawnDEvans/smbmap)|[enum4linux](https://github.com/portcullislabs/enum4linux)|[dnsrecon](https://github.com/darkoperator/dnsrecon)|[odat](https://github.com/quentinhardy/odat)|
|[smtp-user-enum](https://github.com/pentestmonkey/smtp-user-enum)|snmp-check|snmpwalk|ldapsearch||

Most of these should be installed by default in [Parrot OS](https://www.parrotsec.org) and [Kali Linux](https://www.kali.org).
*If any recommended recon tools are found to be missing, they will be automatically omitted, and the user will be notified.*

## Installation:
```bash
git clone https://github.com/21y4d/nmapAutomator.git
sudo ln -s $(pwd)/nmapAutomator/nmapAutomator.sh /usr/local/bin/
```

-----

## Usage:
```
./nmapAutomator.sh -h
Usage: nmapAutomator.sh -H/--host HOST -t/--type TYPE
Optional: [-r/--remote] [-d/--dns DNS_SERVER] [-o/--output OUTPUT_DIR] [-s/--static-nmap NMAP_PATH]

Scan Types:
	Network : Shows all live hosts in the host's network (~15 seconds)
	Port    : Shows all open ports (~15 seconds)
	Script  : Runs a script scan on found ports (~5 minutes)
	Full    : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
	UDP     : Runs a UDP scan "requires sudo" (~5 minutes)
	Vulns   : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
	Recon   : Suggests recon commands, then prompts to automatically run them
	All     : Runs all the scans (~20-30 minutes)
```

**Example scans**:
```
./nmapAutomator.sh --host 10.1.1.1 --type All
./nmapAutomator.sh -H 10.1.1.1 -t Basic
./nmapAutomator.sh -H academy.htb -t Recon -d 1.1.1.1
./nmapAutomator.sh -H 10.10.10.10 -t network -s ./nmap
```

------

## Upcoming Features
- [x] Support URL/DNS - Thanks @KatsuragiCSL
- [x] Add extensions fuzzing for http recon
- [x] Add an nmap progress bar
- [x] List missing tools in recon
- [x] Add option to change output folder
- [x] Save full script output to a file
- [x] Improve performance and efficiency of the script - Thanks @caribpa
- [x] Make nmapAutomator 100% POSIX compatible. - Massive Thanks to @caribpa
- [x] Add network scanning type, so nmapAutomator can discover live hosts on the network.
- [ ] Enable usage of multiple scan types in one scan.
- [ ] Enable scanning of multiple hosts in one scan.
- [ ] Fully implement Remote Mode on all scans


**Feel free to send your pull requests :)**
*For any pull requests, please try to follow these [Contributing Guidelines](CONTRIBUTING.md).*
--------------------------------------------------------------------------------
/nmapAutomator.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#by @21y4d

# Define ANSI color variables
RED='\033[0;31m'
YELLOW='\033[0;33m'
GREEN='\033[0;32m'
NC='\033[0m'
origIFS="${IFS}"

# Start timer
elapsedStart="$(date '+%H:%M:%S' | awk -F: '{print $1 * 3600 + $2 * 60 + $3}')"
REMOTE=false

# Parse flags
while [ $# -gt 0 ]; do
    key="$1"

    case "${key}" in
    -H | --host)
        HOST="$2"
        shift
        shift
        ;;
    -t | --type)
        TYPE="$2"
        shift
        shift
        ;;
    -d | --dns)
        DNS="$2"
        shift
        shift
        ;;
    -o | --output)
        OUTPUTDIR="$2"
        shift
        shift
        ;;
    -s | --static-nmap)
        NMAPPATH="$2"
        shift
        shift
        ;;
    -r | --remote)
        REMOTE=true
        shift
        ;;
    *)
        POSITIONAL="${POSITIONAL} $1"
        shift
        ;;
    esac
done
# Intentionally unquoted: word-splitting rebuilds the positional parameters
set -- ${POSITIONAL}

# Legacy flags support, if run without -H/-t
if [ -z "${HOST}" ]; then
    HOST="$1"
fi

if [ -z "${TYPE}" ]; then
    TYPE="$2"
fi

# Legacy types support, if quick/basic used
if expr "${TYPE}" : '^\([Qq]uick\)$' >/dev/null; then
    TYPE="Port"
elif expr "${TYPE}" : '^\([Bb]asic\)$' >/dev/null; then
    TYPE="Script"
fi

# Set DNS or default to system DNS
if [ -n "${DNS}" ]; then
    DNSSERVER="${DNS}"
    DNSSTRING="--dns-server=${DNSSERVER}"
else
    DNSSERVER="$(grep 'nameserver' /etc/resolv.conf | grep -v '#' | head -n 1 | awk {'print $NF'})"
    DNSSTRING="--system-dns"
fi

# Set output dir or default to host-based dir
if [ -z "${OUTPUTDIR}" ]; then
    OUTPUTDIR="${HOST}"
fi

# Set path to nmap binary or default to nmap in $PATH, or resort to --remote mode
if [ -z "${NMAPPATH}" ] && type nmap >/dev/null 2>&1; then
    NMAPPATH="$(type nmap | awk {'print $NF'})"
elif [ -n "${NMAPPATH}" ]; then
    NMAPPATH="$(cd "$(dirname "${NMAPPATH}")" && pwd -P)/$(basename "${NMAPPATH}")"
    # Ensure static binary is executable and is nmap. This is an identity check
    # on the help banner only, not an integrity check of the binary.
    if [ ! -x "${NMAPPATH}" ]; then
        printf "${RED}\nFile is not executable! Attempting chmod +x...${NC}\n"
        # A brace group (not a subshell) so that REMOTE=true survives
        chmod +x "${NMAPPATH}" 2>/dev/null || { printf "${RED}Could not chmod. Running in Remote mode...${NC}\n\n"; REMOTE=true; }
    elif [ "$("${NMAPPATH}" -h | head -n 1 | cut -c1-4)" != "Nmap" ]; then
        printf "${RED}\nStatic binary does not appear to be Nmap! Running in Remote mode...${NC}\n\n" && REMOTE=true
    fi
    printf "${GREEN}\nUsing static nmap binary at ${NMAPPATH}${NC}\n"
else
    printf "${RED}\nNmap is not installed and -s is not used. Running in Remote mode...${NC}\n\n" && REMOTE=true
fi

# Print usage menu and exit. Used when issues are encountered
# No args needed
usage() {
    echo
    printf "${RED}Usage: $(basename "$0") -H/--host ${NC}HOST${RED} -t/--type ${NC}TYPE${RED}\n"
    printf "${YELLOW}Optional: [-r/--remote] [-d/--dns ${NC}DNS_SERVER${YELLOW}] [-o/--output ${NC}OUTPUT_DIR${YELLOW}] [-s/--static-nmap ${NC}NMAP_PATH${YELLOW}]\n\n"
    printf "Scan Types:\n"
    printf "${YELLOW}\tNetwork : ${NC}Shows all live hosts in the host's network ${YELLOW}(~15 seconds)\n"
    printf "${YELLOW}\tPort    : ${NC}Shows all open ports ${YELLOW}(~15 seconds)\n"
    printf "${YELLOW}\tScript  : ${NC}Runs a script scan on found ports ${YELLOW}(~5 minutes)\n"
    printf "${YELLOW}\tFull    : ${NC}Runs a full range port scan, then runs a script scan on new ports ${YELLOW}(~5-10 minutes)\n"
    printf "${YELLOW}\tUDP     : ${NC}Runs a UDP scan \"requires sudo\" ${YELLOW}(~5 minutes)\n"
    printf "${YELLOW}\tVulns   : ${NC}Runs CVE scan and nmap Vulns scan on all found ports ${YELLOW}(~5-15 minutes)\n"
    printf "${YELLOW}\tRecon   : ${NC}Suggests recon commands, then prompts to automatically run them\n"
    printf "${YELLOW}\tAll     : ${NC}Runs all the scans ${YELLOW}(~20-30 minutes)\n"
    printf "${NC}\n"
    exit 1
}

# Print initial header and set initial variables before scans start
# No args needed
header() {
    echo

    # Print scan type
    if expr "${TYPE}" : '^\([Aa]ll\)$' >/dev/null; then
        printf "${YELLOW}Running all scans on ${NC}${HOST}"
    else
        printf "${YELLOW}Running a ${TYPE} scan on ${NC}${HOST}"
    fi

    # Resolve the IP if $HOST looks like a hostname
    if expr "${HOST}" : '^\(\([[:alnum:]-]\{1,63\}\.\)*[[:alpha:]]\{2,6\}\)$' >/dev/null; then
        urlIP="$(host -4 -W 1 "${HOST}" "${DNSSERVER}" 2>/dev/null | grep "${HOST}" | head -n 1 | awk {'print $NF'})"
        if [ -n "${urlIP}" ]; then
            printf "${YELLOW} with IP ${NC}${urlIP}\n\n"
        else
            printf ".. ${RED}Could not resolve IP of ${NC}${HOST}\n\n"
        fi
    else
        printf "\n"
    fi

    if $REMOTE; then
        printf "${YELLOW}Running in Remote mode! Some scans will be limited.\n"
    fi

    # Set $subnet variable
    if expr "${HOST}" : '^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)$' >/dev/null; then
        subnet="$(echo "${HOST}" | cut -d "." -f 1,2,3).0"
    fi

    # Set $nmapType variable based on ping
    kernel="$(uname -s)"
    checkPing="$(checkPing "${urlIP:-$HOST}")"
    nmapType="$(echo "${checkPing}" | head -n 1)"

    # Set if host is pingable 'for ping scans'
    if expr "${nmapType}" : ".*-Pn$" >/dev/null; then
        pingable=false
        printf "${NC}\n"
        printf "${YELLOW}No ping detected.. Will not use ping scans!\n"
        printf "${NC}\n"
    else
        pingable=true
    fi

    # OS Detection. Only meaningful when a ping reply (and so a TTL) was seen;
    # comparing against a literal "nmap -Pn" would miss a full nmap path.
    ttl="$(echo "${checkPing}" | tail -n 1)"
    if $pingable; then
        osType="$(checkOS "${ttl}")"
        printf "${NC}\n"
        printf "${GREEN}Host is likely running ${osType}\n"
    fi

    echo
    echo
}

# Used Before and After each nmap scan, to keep found ports consistent across the script
# $1 is $HOST
assignPorts() {
    # Set $commonPorts based on Port scan
    if [ -f "nmap/Port_$1.nmap" ]; then
        commonPorts="$(awk -vORS=, -F/ '/^[0-9]/{print $1}' "nmap/Port_$1.nmap" | sed 's/.$//')"
    fi

    # Set $allPorts based on Full scan or both Port and Full scans
    if [ -f "nmap/Full_$1.nmap" ]; then
        if [ -f "nmap/Port_$1.nmap" ]; then
            allPorts="$(awk -vORS=, -F/ '/^[0-9]/{print $1}' "nmap/Port_$1.nmap" "nmap/Full_$1.nmap" | sed 's/.$//')"
        else
            allPorts="$(awk -vORS=, -F/ '/^[0-9]/{print $1}' "nmap/Full_$1.nmap" | sed 's/.$//')"
        fi
    fi

    # Set $udpPorts based on UDP scan
    if [ -f "nmap/UDP_$1.nmap" ]; then
        udpPorts="$(awk -vORS=, -F/ '/^[0-9]/{print $1}' "nmap/UDP_$1.nmap" | sed 's/.$//')"
        if [ "${udpPorts}" = "Al" ]; then
            udpPorts=""
        fi
    fi
}

# Test whether the host is pingable, and return $nmapType and $ttl
# $1 is $HOST
checkPing() {
    # If ping is not returned within a second, then ping scan is disabled with -Pn
    if [ "${kernel}" = "Linux" ]; then TW="W"; else TW="t"; fi
    pingTest="$(ping -c 1 -${TW} 1 "$1" 2>/dev/null | grep ttl)"
    if [ -z "${pingTest}" ]; then
        echo "${NMAPPATH} -Pn"
    else
        echo "${NMAPPATH}"
        # Field position of "ttl=" differs between IP and hostname replies
        if expr "$1" : '^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)$' >/dev/null; then
            ttl="$(echo "${pingTest}" | cut -d " " -f 6 | cut -d "=" -f 2)"
        else
            ttl="$(echo "${pingTest}" | cut -d " " -f 7 | cut -d "=" -f 2)"
        fi
        echo "${ttl}"
    fi
}

# Detect OS based on $ttl (exact match on common initial TTLs; a reply that
# crossed routers has a lower TTL and falls through to "Unknown OS!")
# $1 is $ttl
checkOS() {
    case "$1" in
    25[456]) echo "OpenBSD/Cisco/Oracle" ;;
    12[78]) echo "Windows" ;;
    6[34]) echo "Linux" ;;
    *) echo "Unknown OS!" ;;
    esac
}

# Add any extra ports found in Full scan
# No args needed
cmpPorts() {
    extraPorts="$(echo ",${allPorts}," | sed 's/,\('"$(echo "${commonPorts}" | sed 's/,/,\\|/g')"',\)\+/,/g; s/^,\|,$//g')"
}

# Print nmap progress bar
# $1 is $scanType, $2 is $percent, $3 is $elapsed, $4 is $remaining
progressBar() {
    [ -z "${2##*[!0-9]*}" ] && return 1
    [ "$(stty size | cut -d ' ' -f 2)" -le 120 ] && width=50 || width=100
    fill="$(printf "%-$((width == 100 ? $2 : ($2 / 2)))s" "#" | tr ' ' '#')"
    empty="$(printf "%-$((width - (width == 100 ? $2 : ($2 / 2))))s" " ")"
    printf "In progress: $1 Scan ($3 elapsed - $4 remaining) \n"
    printf "[${fill}>${empty}] $2%% done \n"
    # Move the cursor up two lines (\033 rather than \e, which POSIX printf lacks)
    printf "\033[2A"
}

# Calculate current progress bar status based on nmap stats (with --stats-every)
# $1 is nmap command to be run, $2 is progress bar $refreshRate
nmapProgressBar() {
    refreshRate="${2:-1}"
    outputFile="$(echo $1 | sed -e 's/.*-oN \(.*\).nmap.*/\1/').nmap"
    tmpOutputFile="${outputFile}.tmp"

    # Run the nmap command
    if [ ! -e "${outputFile}" ]; then
        $1 --stats-every "${refreshRate}s" >"${tmpOutputFile}" 2>&1 &
    fi

    # Keep checking nmap stats and calling progressBar() every $refreshRate
    while { [ ! -e "${outputFile}" ] || ! grep -q "Nmap done at" "${outputFile}"; } && { [ ! -e "${tmpOutputFile}" ] || ! grep -i -q "quitting" "${tmpOutputFile}"; }; do
        scanType="$(tail -n 2 "${tmpOutputFile}" 2>/dev/null | sed -ne '/elapsed/{s/.*undergoing \(.*\) Scan.*/\1/p}')"
        percent="$(tail -n 2 "${tmpOutputFile}" 2>/dev/null | sed -ne '/% done/{s/.*About \(.*\)\..*% done.*/\1/p}')"
        elapsed="$(tail -n 2 "${tmpOutputFile}" 2>/dev/null | sed -ne '/elapsed/{s/Stats: \(.*\) elapsed.*/\1/p}')"
        remaining="$(tail -n 2 "${tmpOutputFile}" 2>/dev/null | sed -ne '/remaining/{s/.* (\(.*\) remaining.*/\1/p}')"
        progressBar "${scanType:-No}" "${percent:-0}" "${elapsed:-0:00:00}" "${remaining:-0:00:00}"
        sleep "${refreshRate}"
    done
    printf "\033[0K\r\n\033[0K\r\n"

    # Print final output, remove extra nmap noise
    if [ -e "${outputFile}" ]; then
        sed -n '/PORT.*STATE.*SERVICE/,/^# Nmap/H;${x;s/^\n\|\n[^\n]*\n# Nmap.*//gp}' "${outputFile}" | awk '!/^SF(:|-).*$/' | grep -v 'service unrecognized despite'
    else
        cat "${tmpOutputFile}"
    fi
    rm -f "${tmpOutputFile}"
}

# Nmap scan for live hosts
networkScan() {
    printf "${GREEN}---------------------Starting Network Scan---------------------\n"
    printf "${NC}\n"

    origHOST="${HOST}"
    HOST="${urlIP:-$HOST}"
    if [ "${kernel}" = "Linux" ]; then TW="W"; else TW="t"; fi

    if ! $REMOTE; then
        # Discover live hosts with nmap
        nmapProgressBar "${nmapType} -T4 --max-retries 1 --max-scan-delay 20 -n -sn -oN nmap/Network_${HOST}.nmap ${subnet}/24"
        printf "${YELLOW}Found the following live hosts:${NC}\n\n"
        grep -v '#' "nmap/Network_${HOST}.nmap" | grep "$(echo "${subnet}" | sed 's/..$//')" | awk {'print $5'}
    elif $pingable; then
        # Discover live hosts with ping
        echo >"nmap/Network_${HOST}.nmap"
        for ip in $(seq 0 254); do
            (ping -c 1 -${TW} 1 "$(echo "${subnet}" | sed 's/..$//').$ip" 2>/dev/null | grep 'stat' -A1 | xargs | grep -v ', 0.*received' | awk {'print $2'} >>"nmap/Network_${HOST}.nmap") &
        done
        wait
        sed -i '/^$/d' "nmap/Network_${HOST}.nmap"
        sort -t . -k 3,3n -k 4,4n "nmap/Network_${HOST}.nmap"
    else
        printf "${YELLOW}No ping detected.. TCP Network Scan is not implemented yet in Remote mode.\n${NC}"
    fi

    HOST="${origHOST}"

    echo
    echo
    echo
}

# Nmap port scan
portScan() {
    printf "${GREEN}---------------------Starting Port Scan-----------------------\n"
    printf "${NC}\n"

    if ! $REMOTE; then
        nmapProgressBar "${nmapType} -T4 --max-retries 1 --max-scan-delay 20 --open -oN nmap/Port_${HOST}.nmap ${HOST} ${DNSSTRING}"
        assignPorts "${HOST}"
    else
        printf "${YELLOW}Port Scan is not implemented yet in Remote mode.\n${NC}"
    fi

    echo
    echo
    echo
}

# Nmap version and default script scan on found ports
scriptScan() {
    printf "${GREEN}---------------------Starting Script Scan-----------------------\n"
    printf "${NC}\n"

    if ! $REMOTE; then
        if [ -z "${commonPorts}" ]; then
            printf "${YELLOW}No ports in port scan.. Skipping!\n"
        else
            nmapProgressBar "${nmapType} -sCV -p${commonPorts} --open -oN nmap/Script_${HOST}.nmap ${HOST} ${DNSSTRING}" 2
        fi

        # Modify detected OS if Nmap detects a different OS
        if [ -f "nmap/Script_${HOST}.nmap" ] && grep -q "Service Info: OS:" "nmap/Script_${HOST}.nmap"; then
            serviceOS="$(sed -n '/Service Info/{s/.* \([^;]*\);.*/\1/p;q}' "nmap/Script_${HOST}.nmap")"
            if [ "${osType}" != "${serviceOS}" ]; then
                osType="${serviceOS}"
                printf "${NC}\n"
                printf "${NC}\n"
                printf "${GREEN}OS Detection modified to: ${osType}\n"
                printf "${NC}\n"
            fi
        fi
    else
        printf "${YELLOW}Script Scan is not supported in Remote mode.\n${NC}"
    fi

    echo
    echo
    echo
}

# Nmap scan on all ports
fullScan() {
    printf "${GREEN}---------------------Starting Full Scan------------------------\n"
    printf "${NC}\n"

    if ! $REMOTE; then
        nmapProgressBar "${nmapType} -p- --max-retries 1 --max-rate 500 --max-scan-delay 20 -T4 -v --open -oN nmap/Full_${HOST}.nmap ${HOST} ${DNSSTRING}" 3
        assignPorts "${HOST}"

        # Nmap version and default script scan on found ports if Script scan was not run yet
        if [ -z "${commonPorts}" ]; then
            echo
            echo
            printf "${YELLOW}Making a script scan on all ports\n"
            printf "${NC}\n"
            nmapProgressBar "${nmapType} -sCV -p${allPorts} --open -oN nmap/Full_Extra_${HOST}.nmap ${HOST} ${DNSSTRING}" 2
            assignPorts "${HOST}"
        # Nmap version and default script scan if any extra ports are found
        else
            cmpPorts
            if [ -z "${extraPorts}" ]; then
                echo
                echo
                allPorts=""
                printf "${YELLOW}No new ports\n"
                printf "${NC}\n"
            else
                echo
                echo
                printf "${YELLOW}Making a script scan on extra ports: $(echo "${extraPorts}" | sed 's/,/, /g')\n"
                printf "${NC}\n"
                nmapProgressBar "${nmapType} -sCV -p${extraPorts} --open -oN nmap/Full_Extra_${HOST}.nmap ${HOST} ${DNSSTRING}" 2
                assignPorts "${HOST}"
            fi
        fi
    else
        printf "${YELLOW}Full Scan is not implemented yet in Remote mode.\n${NC}"
    fi

    echo
    echo
    echo
}

# Nmap UDP scan
UDPScan() {
    printf "${GREEN}----------------------Starting UDP Scan------------------------\n"
    printf "${NC}\n"

    if ! $REMOTE; then
        # Ensure UDP scan runs with root privileges ($USER may be unset in a bare sh, so check the uid)
        if [ "$(id -u)" -ne 0 ]; then
            echo "UDP needs to be run as root, running with sudo..."
            sudo -v
            echo
        fi

        nmapProgressBar "sudo ${nmapType} -sU --max-retries 1 --open -oN nmap/UDP_${HOST}.nmap ${HOST} ${DNSSTRING}" 3
        assignPorts "${HOST}"

        # Nmap version and default script scan on found UDP ports
        if [ -n "${udpPorts}" ]; then
            echo
            echo
            printf "${YELLOW}Making a script scan on UDP ports: $(echo "${udpPorts}" | sed 's/,/, /g')\n"
            printf "${NC}\n"
            if [ -f /usr/share/nmap/scripts/vulners.nse ]; then
                sudo -v
                nmapProgressBar "sudo ${nmapType} -sCVU --script vulners --script-args mincvss=7.0 -p${udpPorts} --open -oN nmap/UDP_Extra_${HOST}.nmap ${HOST} ${DNSSTRING}" 2
            else
                sudo -v
                nmapProgressBar "sudo ${nmapType} -sCVU -p${udpPorts} --open -oN nmap/UDP_Extra_${HOST}.nmap ${HOST} ${DNSSTRING}" 2
            fi
        else
            echo
            echo
            printf "${YELLOW}No UDP ports are open\n"
            printf "${NC}\n"
        fi
    else
        printf "${YELLOW}UDP Scan is not implemented yet in Remote mode.\n${NC}"
    fi

    echo
    echo
    echo
}

# Nmap vulnerability detection script scan
vulnsScan() {
    printf "${GREEN}---------------------Starting Vulns Scan-----------------------\n"
    printf "${NC}\n"

    if ! $REMOTE; then
        # Set ports to be scanned (common or all)
        if [ -z "${allPorts}" ]; then
            portType="common"
            ports="${commonPorts}"
        else
            portType="all"
            ports="${allPorts}"
        fi

        # Ensure the vulners script is available, then run it with nmap
        if [ ! -f /usr/share/nmap/scripts/vulners.nse ]; then
            printf "${RED}Please install 'vulners.nse' nmap script:\n"
            printf "${RED}https://github.com/vulnersCom/nmap-vulners\n"
            printf "${RED}\n"
            printf "${RED}Skipping CVE scan!\n"
            printf "${NC}\n"
        else
            printf "${YELLOW}Running CVE scan on ${portType} ports\n"
            printf "${NC}\n"
            nmapProgressBar "${nmapType} -sV --script vulners --script-args mincvss=7.0 -p${ports} --open -oN nmap/CVEs_${HOST}.nmap ${HOST} ${DNSSTRING}" 3
            echo
        fi

        # Nmap vulnerability detection script scan
        echo
        printf "${YELLOW}Running Vuln scan on ${portType} ports\n"
        printf "${YELLOW}This may take a while, depending on the number of detected services..\n"
        printf "${NC}\n"
        nmapProgressBar "${nmapType} -sV --script vuln -p${ports} --open -oN nmap/Vulns_${HOST}.nmap ${HOST} ${DNSSTRING}" 3
    else
        printf "${YELLOW}Vulns Scan is not supported in Remote mode.\n${NC}"
    fi

    echo
    echo
    echo
}

# Run reconRecommend(), ask user for tools to run, then run runRecon()
recon() {
    IFS="
"

    # Run reconRecommend()
    reconRecommend "${HOST}" | tee "nmap/Recon_${HOST}.nmap"
    allRecon="$(grep "${HOST}" "nmap/Recon_${HOST}.nmap" | cut -d " " -f 1 | sort | uniq)"

    # Detect any missing tools
    for tool in ${allRecon}; do
        if ! type "${tool}" >/dev/null 2>&1; then
            missingTools="$(echo ${missingTools} ${tool} | awk '{$1=$1};1')"
        fi
    done

    # Exclude missing tools, and print help for installing them
    if [ -n "${missingTools}" ]; then
        printf "${RED}Missing tools: ${NC}${missingTools}\n"
        printf "\n${RED}You can install with:\n"
        printf "${YELLOW}sudo apt install ${missingTools} -y\n"
        printf "${NC}\n\n"

        availableRecon="$(echo "${allRecon}" | tr " " "\n" | awk -vORS=', ' '!/'"$(echo "${missingTools}" | tr " " "|")"'/' | sed 's/..$//')"
    else
        availableRecon="$(echo "${allRecon}" | tr "\n" " " | sed 's/\ /,\ /g' | sed 's/..$//')"
    fi

    secs=30
    count=0

    # Ask user for which recon tools to run, default to All if no answer is detected in 30s
    if [ -n "${availableRecon}" ]; then
        while [ "${reconCommand}" != "!" ]; do
            printf "${YELLOW}\n"
            printf "Which commands would you like to run?${NC}\nAll (Default), ${availableRecon}, Skip \n\n"
            while [ ${count} -lt ${secs} ]; do
                tlimit=$((secs - count))
                printf "\033[2K\rRunning Default in (${tlimit})s: "

                # Waits 1 second for user's input - POSIX replacement for read -t
                reconCommand="$(sh -c '{ { sleep 1; kill -sINT $$; } & }; exec head -n 1')"
                count=$((count + 1))
                [ -n "${reconCommand}" ] && break
            done
            if expr "${reconCommand}" : '^\([Aa]ll\)$' >/dev/null || [ -z "${reconCommand}" ]; then
                runRecon "${HOST}" "All"
                reconCommand="!"
            elif expr " ${availableRecon}," : ".* ${reconCommand}," >/dev/null; then
                runRecon "${HOST}" "${reconCommand}"
                reconCommand="!"
            elif [ "${reconCommand}" = "Skip" ] || [ "${reconCommand}" = "!" ]; then
                reconCommand="!"
                echo
                echo
                echo
            else
                printf "${NC}\n"
                printf "${RED}Incorrect choice!\n"
                printf "${NC}\n"
            fi
        done
    else
        printf "${YELLOW}No Recon Recommendations found...\n"
        printf "${NC}\n\n\n"
    fi

    IFS="${origIFS}"
}

# Recommend recon tools/commands to be run on found ports
reconRecommend() {
    printf "${GREEN}---------------------Recon Recommendations---------------------\n"
    printf "${NC}\n"

    IFS="
"

    # Set $ports and $file variables
    if [ -f "nmap/Full_Extra_${HOST}.nmap" ]; then
        ports="${allPorts}"
        file="$(cat "nmap/Script_${HOST}.nmap" "nmap/Full_Extra_${HOST}.nmap" | grep "open" | grep -v "#" | sort | uniq)"
    elif [ -f "nmap/Script_${HOST}.nmap" ]; then
        ports="${commonPorts}"
        file="$(grep "open" "nmap/Script_${HOST}.nmap" | grep -v "#")"
    fi

    # SMTP recon
    if echo "${file}" | grep -q "25/tcp"; then
        printf "${NC}\n"
        printf "${YELLOW}SMTP Recon:\n"
        printf "${NC}\n"
        echo "smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt -t \"${HOST}\" | tee \"recon/smtp_user_enum_${HOST}.txt\""
        echo
    fi

    # DNS Recon
    if echo "${file}" | grep -q "53/tcp" && [ -n "${DNSSERVER}" ]; then
        printf "${NC}\n"
        printf "${YELLOW}DNS Recon:\n"
        printf "${NC}\n"
        echo "host -l \"${HOST}\" \"${DNSSERVER}\" | tee \"recon/hostname_${HOST}.txt\""
        echo "dnsrecon -r \"${subnet}/24\" -n \"${DNSSERVER}\" | tee \"recon/dnsrecon_${HOST}.txt\""
        echo "dnsrecon -r 127.0.0.0/24 -n \"${DNSSERVER}\" | tee \"recon/dnsrecon-local_${HOST}.txt\""
        echo "dig -x \"${HOST}\" @${DNSSERVER} | tee \"recon/dig_${HOST}.txt\""
        echo
    fi

    # Web recon
    if echo "${file}" | grep -i -q http; then
        printf "${NC}\n"
        printf "${YELLOW}Web Servers Recon:\n"
        printf "${NC}\n"

        # HTTP recon
        for line in ${file}; do
            if echo "${line}" | grep -i -q http; then
                port="$(echo "${line}" | cut -d "/" -f 1)"
                if echo "${line}" | grep -q ssl/http; then
                    urlType='https://'
                    echo "sslscan \"${HOST}\" | tee \"recon/sslscan_${HOST}_${port}.txt\""
                    echo "nikto -host \"${urlType}${HOST}:${port}\" -ssl | tee \"recon/nikto_${HOST}_${port}.txt\""
                else
                    urlType='http://'
                    echo "nikto -host \"${urlType}${HOST}:${port}\" | tee \"recon/nikto_${HOST}_${port}.txt\""
                fi
                # Probe which extensions the server answers for before suggesting the fuzzing command
                if type ffuf >/dev/null 2>&1; then
                    extensions="$(echo 'index' >./index && ffuf -s -w ./index:FUZZ -mc '200,302' -e '.asp,.aspx,.html,.jsp,.php' -u "${urlType}${HOST}:${port}/FUZZ" 2>/dev/null | awk -vORS=, -F 'index' '{print $2}' | sed 's/.$//' && rm ./index)"
                    echo "ffuf -ic -w /usr/share/wordlists/dirb/common.txt -e '${extensions}' -u \"${urlType}${HOST}:${port}/FUZZ\" | tee \"recon/ffuf_${HOST}_${port}.txt\""
                else
                    extensions="$(echo 'index' >./index && gobuster dir -w ./index -t 30 -qnkx '.asp,.aspx,.html,.jsp,.php' -s '200,302' -u "${urlType}${HOST}:${port}" 2>/dev/null | awk -vORS=, -F 'index' '{print $2}' | sed 's/.$//' && rm ./index)"
                    echo "gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 30 -ekx '${extensions}' -u \"${urlType}${HOST}:${port}\" -o \"recon/gobuster_${HOST}_${port}.txt\""
                fi
                echo
            fi
        done
        # CMS recon, based on the http-generator header nmap reports (e.g. "Joomla!", "WordPress", "Drupal")
        if [ -f "nmap/Script_${HOST}.nmap" ]; then
            cms="$(grep http-generator "nmap/Script_${HOST}.nmap" | cut -d " " -f 2)"
            if [ -n "${cms}" ]; then
                for line in ${cms}; do
                    port="$(sed -n 'H;x;s/\/.*'"${line}"'.*//p' "nmap/Script_${HOST}.nmap")"

                    # Print the section header only for a CMS we have a scanner for
                    case "${line}" in
                    Joomla! | WordPress | Drupal)
                        printf "${NC}\n"
                        printf "${YELLOW}CMS Recon:\n"
                        printf "${NC}\n"
                        ;;
                    esac
                    case "${line}" in
                    Joomla!) echo "joomscan --url \"${HOST}:${port}\" | tee \"recon/joomscan_${HOST}_${port}.txt\"" ;;
                    WordPress) echo "wpscan --url \"${HOST}:${port}\" --enumerate p | tee \"recon/wpscan_${HOST}_${port}.txt\"" ;;
                    Drupal) echo "droopescan scan drupal -u \"${HOST}:${port}\" | tee \"recon/droopescan_${HOST}_${port}.txt\"" ;;
                    esac
                done
            fi
        fi
    fi

    # SNMP recon
    if [ -f "nmap/UDP_Extra_${HOST}.nmap" ] && grep -q "161/udp.*open" "nmap/UDP_Extra_${HOST}.nmap"; then
        printf "${NC}\n"
        printf "${YELLOW}SNMP Recon:\n"
        printf "${NC}\n"
        echo "snmp-check \"${HOST}\" -c public | tee \"recon/snmpcheck_${HOST}.txt\""
        echo "snmpwalk -Os -c public -v1 \"${HOST}\" | tee \"recon/snmpwalk_${HOST}.txt\""
        echo
    fi

    # LDAP recon
    if echo "${file}" | grep -q "389/tcp"; then
        printf "${NC}\n"
        printf "${YELLOW}LDAP Recon:\n"
        printf "${NC}\n"
        echo "ldapsearch -x -h \"${HOST}\" -s base | tee \"recon/ldapsearch_${HOST}.txt\""
        echo "ldapsearch -x -h \"${HOST}\" -b \"\$(grep rootDomainNamingContext \"recon/ldapsearch_${HOST}.txt\" | cut -d ' ' -f2)\" | tee \"recon/ldapsearch_DC_${HOST}.txt\""
        echo "nmap -Pn -p 389 --script ldap-search --script-args 'ldap.username=\"\$(grep rootDomainNamingContext \"recon/ldapsearch_${HOST}.txt\" | cut -d \\" \\" -f2)\"' \"${HOST}\" -oN \"recon/nmap_ldap_${HOST}.txt\""
        echo
    fi

    # SMB recon
    if echo "${file}" | grep -q "445/tcp"; then
        printf "${NC}\n"
        printf "${YELLOW}SMB Recon:\n"
        printf "${NC}\n"
        echo "smbmap -H \"${HOST}\" | tee \"recon/smbmap_${HOST}.txt\""
        echo "smbclient -L \"//${HOST}/\" -U \"guest\"% | tee \"recon/smbclient_${HOST}.txt\""
        if [ "${osType}" = "Windows" ]; then
            echo "nmap -Pn -p445 --script vuln -oN \"recon/SMB_vulns_${HOST}.txt\" \"${HOST}\""
        elif [ "${osType}" = "Linux" ]; then
            echo "enum4linux -a \"${HOST}\" | tee \"recon/enum4linux_${HOST}.txt\""
        fi
        echo
    elif echo "${file}" | grep -q "139/tcp" && [ "${osType}" = "Linux" ]; then
        printf "${NC}\n"
        printf "${YELLOW}SMB Recon:\n"
        printf "${NC}\n"
        echo "enum4linux -a \"${HOST}\" | tee \"recon/enum4linux_${HOST}.txt\""
        echo
    fi

    # Oracle DB recon
    if echo "${file}" | grep -q "1521/tcp"; then
        printf "${NC}\n"
        printf "${YELLOW}Oracle Recon:\n"
        printf "${NC}\n"
        echo "odat sidguesser -s \"${HOST}\" -p 1521"
        echo "odat passwordguesser -s \"${HOST}\" -p 1521 -d XE --accounts-file accounts/accounts-multiple.txt"
        echo
    fi

    IFS="${origIFS}"

    echo
    echo
    echo
}

# Run chosen recon commands
runRecon() {
    echo
    echo
    echo
    printf "${GREEN}---------------------Running Recon Commands--------------------\n"
    printf "${NC}\n"

    IFS="
"

    mkdir -p recon/

    if [ "$2" = "All" ]; then
        reconCommands="$(grep "${HOST}" "nmap/Recon_${HOST}.nmap")"
    else
        reconCommands="$(grep "${HOST}" "nmap/Recon_${HOST}.nmap" | grep "$2")"
    fi

    # Run each line
    for line in ${reconCommands}; do
        currentScan="$(echo "${line}" | cut -d ' ' -f 1)"
        fileName="$(echo "${line}" | awk -F "recon/" '{print $2}')"
        if [ -n "${fileName}" ] && [ !
-f recon/"${fileName}" ]; then 747 | printf "${NC}\n" 748 | printf "${YELLOW}Starting ${currentScan} scan\n" 749 | printf "${NC}\n" 750 | eval "${line}" 751 | printf "${NC}\n" 752 | printf "${YELLOW}Finished ${currentScan} scan\n" 753 | printf "${NC}\n" 754 | printf "${YELLOW}=========================\n" 755 | fi 756 | done 757 | 758 | IFS="${origIFS}" 759 | 760 | echo 761 | echo 762 | echo 763 | } 764 | 765 | # Print footer with total elapsed time 766 | footer() { 767 | 768 | printf "${GREEN}---------------------Finished all scans------------------------\n" 769 | printf "${NC}\n\n" 770 | 771 | elapsedEnd="$(date '+%H:%M:%S' | awk -F: '{print $1 * 3600 + $2 * 60 + $3}')" 772 | elapsedSeconds=$((elapsedEnd - elapsedStart)) 773 | 774 | if [ ${elapsedSeconds} -gt 3600 ]; then 775 | hours=$((elapsedSeconds / 3600)) 776 | minutes=$(((elapsedSeconds % 3600) / 60)) 777 | seconds=$(((elapsedSeconds % 3600) % 60)) 778 | printf "${YELLOW}Completed in ${hours} hour(s), ${minutes} minute(s) and ${seconds} second(s)\n" 779 | elif [ ${elapsedSeconds} -gt 60 ]; then 780 | minutes=$(((elapsedSeconds % 3600) / 60)) 781 | seconds=$(((elapsedSeconds % 3600) % 60)) 782 | printf "${YELLOW}Completed in ${minutes} minute(s) and ${seconds} second(s)\n" 783 | else 784 | printf "${YELLOW}Completed in ${elapsedSeconds} seconds\n" 785 | fi 786 | printf "${NC}\n" 787 | } 788 | 789 | # Choose run type based on chosen flags 790 | main() { 791 | assignPorts "${HOST}" 792 | 793 | header 794 | 795 | case "${TYPE}" in 796 | [Nn]etwork) networkScan "${HOST}" ;; 797 | [Pp]ort) portScan "${HOST}" ;; 798 | [Ss]cript) 799 | [ ! -f "nmap/Port_${HOST}.nmap" ] && portScan "${HOST}" 800 | scriptScan "${HOST}" 801 | ;; 802 | [Ff]ull) fullScan "${HOST}" ;; 803 | [Uu]dp) UDPScan "${HOST}" ;; 804 | [Vv]ulns) 805 | [ ! -f "nmap/Port_${HOST}.nmap" ] && portScan "${HOST}" 806 | vulnsScan "${HOST}" 807 | ;; 808 | [Rr]econ) 809 | [ ! -f "nmap/Port_${HOST}.nmap" ] && portScan "${HOST}" 810 | [ ! 
-f "nmap/Script_${HOST}.nmap" ] && scriptScan "${HOST}" 811 | recon "${HOST}" 812 | ;; 813 | [Aa]ll) 814 | portScan "${HOST}" 815 | scriptScan "${HOST}" 816 | fullScan "${HOST}" 817 | UDPScan "${HOST}" 818 | vulnsScan "${HOST}" 819 | recon "${HOST}" 820 | ;; 821 | esac 822 | 823 | footer 824 | } 825 | 826 | # Ensure host and type are passed as arguments 827 | if [ -z "${TYPE}" ] || [ -z "${HOST}" ]; then 828 | usage 829 | fi 830 | 831 | # Ensure $HOST is an IP or a URL 832 | if ! expr "${HOST}" : '^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)$' >/dev/null && ! expr "${HOST}" : '^\(\([[:alnum:]-]\{1,63\}\.\)*[[:alpha:]]\{2,6\}\)$' >/dev/null; then 833 | printf "${RED}\n" 834 | printf "${RED}Invalid IP or URL!\n" 835 | usage 836 | fi 837 | 838 | # Ensure selected scan type is among available choices, then run the selected scan 839 | if ! case "${TYPE}" in [Nn]etwork | [Pp]ort | [Ss]cript | [Ff]ull | UDP | udp | [Vv]ulns | [Rr]econ | [Aa]ll) false ;; esac then 840 | mkdir -p "${OUTPUTDIR}" && cd "${OUTPUTDIR}" && mkdir -p nmap/ || usage 841 | main | tee "nmapAutomator_${HOST}_${TYPE}.txt" 842 | else 843 | printf "${RED}\n" 844 | printf "${RED}Invalid Type!\n" 845 | usage 846 | fi 847 | --------------------------------------------------------------------------------
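The following is an added example, not part of nmapAutomator, that isolates the parsing tricks `reconRecommend()` relies on so they can be checked offline: the `grep "open" | grep -v "#"` filter that builds `${file}`, the `cut -d " " -f 2` extraction of the `http-generator` token, the `sed -n 'H;x;s/\/.*NAME.*//p'` two-line window that maps a generator line back to the port above it, and the `! case ... esac` idiom used to decide whether a CMS header should be printed. The nmap excerpt is constructed for the example, and the function names (`openPorts`, `cmsNames`, `cmsPort`, `isKnownCms`) are mine.

```shell
#!/bin/sh
# Added example: how reconRecommend() derives ports and CMS hits from nmap output.
# The scan excerpt below is constructed for this example, not real scanner output.
sampleScan='PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1
80/tcp   open  http     Apache httpd 2.4.29
|_http-generator: WordPress 5.4
443/tcp  open  ssl/http Apache httpd 2.4.29
|_http-generator: Joomla! - Open Source Content Management'

# Same filter the script uses for ${file}: keep open-port lines, drop commented ones.
# grep "open" is case-sensitive, so the "Open Source" banner text is not kept.
openPortLines() {
	printf '%s\n' "${sampleScan}" | grep "open" | grep -v "#"
}

# Port numbers only, comma-joined the way the script's port lists are written.
openPorts() {
	openPortLines | cut -d "/" -f 1 | tr '\n' ',' | sed 's/,$//'
}

# CMS names as the script's ${cms}: second whitespace-separated field of each
# http-generator line (one name per output line).
cmsNames() {
	printf '%s\n' "${sampleScan}" | grep http-generator | cut -d " " -f 2
}

# The script's sed trick: H appends the current line to the hold space and x swaps,
# so the pattern space is always "previous line<newline>current line". When the
# current line names the CMS, deleting from the first "/" onward leaves only the
# port number of the previous line (e.g. "80/tcp ..." -> "80").
cmsPort() {
	printf '%s\n' "${sampleScan}" | sed -n 'H;x;s/\/.*'"$1"'.*//p'
}

# The "! case" idiom: case exits 0 when no pattern matches, so the negation is
# true only for a recognised CMS. The pattern must be "Joomla!" because that is
# the exact token nmap reports in http-generator.
isKnownCms() {
	if ! case "$1" in Joomla! | WordPress | Drupal) false ;; esac; then
		echo yes
	else
		echo no
	fi
}

# Walk the constructed scan the way the CMS loop in reconRecommend() does.
for name in $(cmsNames); do
	printf '%s on port %s (recognised: %s)\n' "${name}" "$(cmsPort "${name}")" "$(isKnownCms "${name}")"
done
```

Running it prints one line per generator hit ("WordPress on port 80", "Joomla! on port 443"); the `isKnownCms Joomla` check below shows why the case pattern has to carry the trailing `!` to match what the scanner emits.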