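├── 0-mix-recon-README.txt
├── 1-mix-ping_sweep.py
├── 2-mix-find_dns.py
├── 3-mix-recon.py
├── README.md
└── UNLICENSE

/0-mix-recon-README.txt:
--------------------------------------------------------------------------------
Run the three scripts in this order. They scan only the hosts you hand them;
keep every range inside the scope of an authorised engagement (the scans are
noisy, and the SYN/UDP scans in step 3 need root).

python 1-mix-ping_sweep.py 192.168.1.200-254 /root/192.168.1.0

python 2-mix-find_dns.py /root/192.168.1.0/targets.txt /root/192.168.1.0

Update TARGETS, OUTDIR, DNSSRV in 3-mix-recon.py

python 3-mix-recon.py
--------------------------------------------------------------------------------
/1-mix-ping_sweep.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
##########################################################################
## [Name]: 1-mix-ping_sweep.py -- a recon/enumeration script
## [Author]: Re4son re4son [at] whitedome.com.au
##------------------------------------------------------------------------
## [Details]:
## Script to perform a ping sweep over a given range and list each live
## host, one IP per line, in file <outdir>/targets.txt.
##------------------------------------------------------------------------
## [Usage]:
## python 1-mix-ping_sweep.py <range> <outdir>
##########################################################################
from __future__ import print_function

import os
import subprocess
import sys


def ping_sweep(ip_range):
    """Run an nmap host-discovery sweep over ip_range; return the live IPs in order.

    nmap is started with an argument list (no shell), so a range taken from
    the command line cannot smuggle shell metacharacters into the command.
    -n disables reverse DNS, so every "Nmap scan report for ..." line ends
    in the bare address that the parser below picks out.
    Raises subprocess.CalledProcessError if nmap exits non-zero (not
    installed, bad range syntax, ...).
    """
    # -sn ("no port scan") is the current spelling of the old -sP.
    output = subprocess.check_output(["nmap", "-n", "-sn", ip_range],
                                     universal_newlines=True)
    live_hosts = []
    for line in output.splitlines():
        fields = line.split()
        # "Nmap scan report for 192.168.1.5" -> fields[4] is the address.
        if fields[:4] == ["Nmap", "scan", "report", "for"] and len(fields) > 4:
            live_hosts.append(fields[4])
    return live_hosts


def main(argv):
    """Parse <range> <outdir>, sweep, write <outdir>/targets.txt; return an exit code."""
    if len(argv) != 3:
        print("\nUsage: 1-mix-ping_sweep.py <range> <outdir>\n")
        return 2  # conventional "usage error" status

    ip_range = argv[1].strip()
    outdir = argv[2].strip()

    if not os.path.isdir(outdir):
        os.makedirs(outdir)
        print(" ")
        print("[!] %s didn't exist, created %s" % (outdir, outdir))

    outfile = os.path.join(outdir, "targets.txt")
    print(" ")
    print("[+] Performing ping sweep over %s" % ip_range)
    live_hosts = ping_sweep(ip_range)

    # One IP per line and no trailing newline: 2-mix-find_dns.py and
    # 3-mix-recon.py read this file line by line.
    with open(outfile, "w") as f:
        f.write("\n".join(live_hosts))

    for host in live_hosts:
        print("[*] %s" % host)
    print(" ")
    print("[*] Found %s live hosts" % len(live_hosts))
    print("[*] Created target list %s" % outfile)
    print("[*] Paste %s into 3-mix-recon.py" % outfile)
    print(" ")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
--------------------------------------------------------------------------------
/2-mix-find_dns.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

#####################################################################################
## [Name]: 2-mix-find_dns.py -- script to find dns servers amongst a list of machines
##-----------------------------------------------------------------------------------
## [Author]: Re4son re4son [at] whitedome.com.au
##-----------------------------------------------------------------------------------
## [Details]:
## Script iterates through a target list (one IP per line, as written by
## 1-mix-ping_sweep.py) and checks whether TCP port 53 is open on each host.
## The result is displayed on screen and written to <outdir>/DNS-Servers.txt.
##-----------------------------------------------------------------------------------
## [Usage]:
## python 2-mix-find_dns.py <targets.txt> <outdir>
#####################################################################################
from __future__ import print_function

import os
import re
import subprocess
import sys

# A target line becomes an nmap argument, so accept only IPv4/IPv6 literal
# characters (digits, hex, dots, colons) and skip anything else.
_IP_LITERAL = re.compile(r"^[0-9A-Fa-f.:]+$")


def is_ip_literal(value):
    """True if value is non-empty and made only of IPv4/IPv6 literal characters."""
    return bool(value) and _IP_LITERAL.match(value) is not None


def dnsScan(ip_address):
    """Hook for extra DNS enumeration (e.g. zone transfers) on a found server.

    Left empty on purpose: not required if you only want to identify DNS servers.
    """
    return


def dns_port_lines(ip_address):
    """Probe TCP/53 on ip_address with nmap; return the port-table lines showing it open.

    Only a line whose first field is '53/tcp' and whose second field is
    'open' counts, which excludes the -vv progress line
    'Discovered open port 53/tcp on ...'. Returned lines are
    whitespace-collapsed, e.g. '53/tcp open domain ISC BIND 9.x'.
    Raises subprocess.CalledProcessError if nmap exits non-zero.
    """
    # -Pn: the host is already known to be up, skip discovery; -n: no reverse DNS.
    output = subprocess.check_output(
        ["nmap", "-n", "-sV", "-Pn", "-vv", "-p53", ip_address],
        universal_newlines=True)
    matches = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "53/tcp" and fields[1] == "open":
            matches.append(" ".join(fields))
    return matches


def main(argv):
    """Read the target list, probe each host, write <outdir>/DNS-Servers.txt; return exit code."""
    if len(argv) != 3:
        print("\nUsage: python 2-mix-find_dns.py <targets.txt> <outdir>\n")
        return 2  # conventional "usage error" status

    targets = argv[1].strip()
    outdir = argv[2].strip()
    outfile = os.path.join(outdir, "DNS-Servers.txt")

    found = 0
    with open(targets, "r") as inf, open(outfile, "w") as outf:
        def report(msg):
            # Everything shown on screen also goes into the report file.
            print(msg)
            outf.write(msg + "\n")

        print(" ")
        report("[+] Enumerating TCP port 53 to find dns servers")
        for raw in inf:
            ip_address = raw.strip()
            if not is_ip_literal(ip_address):
                print("[!] Skipping malformed target line: %r" % raw.rstrip("\n"))
                continue
            for detail in dns_port_lines(ip_address):
                report("[*] Found DNS service running on: %s/TCP" % ip_address)
                report("    [>] %s" % detail)
                found += 1
                dnsScan(ip_address)
        print(" ")
        outf.write("\n")
        report("[*] Found %s DNS servers" % found)
    print("[*] Pick one and include in 3-mix-recon.py")
    print(" ")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
--------------------------------------------------------------------------------
/3-mix-recon.py: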
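--------------------------------------------------------------------------------
#!/usr/bin/env python

################################################################
## [Name]: 3-mix-recon.py -- a recon/enumeration script
## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
## [Author]: Re4son re4son [at] whitedome.com.au
##--------------------------------------------------------------
## [Details]:
## This script is intended to be executed remotely against a
## list of IPs to perform a detailed nmap scan.
##
## As opposed to Mike's script, this one only recommends further
## actions together with the correct command line syntax for
## cut and paste actions so you get immediate high level
## information and can focus your next steps a little better.
##
## Only nmap is executed here. The nikto/dirb/hydra/medusa/ncrack
## lines are written to <outdir>/<ip>/nmap/<ip>_findings.txt as
## suggestions for the operator. The full TCP scan passes
## --script-args=unsafe=1, which enables intrusive NSE checks that
## can crash fragile services, and -sS/-sU need root: keep every
## target inside the scope of an authorised engagement.
################################################################
from __future__ import print_function

import multiprocessing
import os
import re
import subprocess

TARGETS = '/root/192.168.24.0/targets.txt'
OUTDIR = '/root/192.168.24.0/'   # Can be empty - will use ./mix-recon-OUTPUT
DNSSRV = '192.168.24.149'        # Can be empty - will skip name resolution
MAX_PARALLEL = 4                 # hosts scanned at once; each runs a full -p- scan

# A target line becomes an nmap argument and a directory name, so only
# IPv4/IPv6 literal characters are accepted (no '../', no shell metachars).
_IP_LITERAL = re.compile(r"^[0-9A-Fa-f.:]+$")


def is_ip_literal(value):
    """True if value is non-empty and made only of IPv4/IPv6 literal characters."""
    return bool(value) and _IP_LITERAL.match(value) is not None


def _ensure_dir(path):
    """Create path (and any missing parents) unless it already exists."""
    if not os.path.isdir(path):
        os.makedirs(path)


def nmap_commands(ip_address, outputdir):
    """Return the (quick, tcp, udp) nmap argument lists for ip_address.

    The lists are handed to subprocess without a shell, so paths and
    addresses need no quoting. When DNSSRV is set nmap resolves names
    through that server; otherwise -n disables name resolution.
    """
    def out(suffix):
        return os.path.join(outputdir, ip_address + suffix)

    resolver = ["--dns-servers", DNSSRV] if DNSSRV else ["-n"]
    quick = ["nmap", "-n", "-oN", out(".quick.nmap"), ip_address]
    # unsafe=1 turns on intrusive NSE checks -- see the file header.
    tcp = (["nmap", "-vv", "-Pn", "-sS", "-A", "-sC", "-p-", "-T3",
            "--script-args=unsafe=1"] + resolver +
           ["-oN", out(".nmap"), "-oX", out("_nmap_scan_import.xml"), ip_address])
    udp = (["nmap", "-vv", "-Pn", "-A", "-sC", "-sU", "-T4", "--top-ports", "200"]
           + resolver +
           ["-oN", out("U.nmap"), "-oX", out("U_nmap_scan_import.xml"), ip_address])
    return quick, tcp, udp


def parse_open_ports(nmap_output):
    """Map service name -> ['port/proto', ...] for every port nmap reports as open.

    Port-table lines look like '22/tcp open ssh OpenSSH 7.2p2'. Requiring
    the first field to end in /tcp or /udp and the second to be exactly
    'open' skips the -vv progress lines ('Discovered open port ...') and
    the UDP 'open|filtered' guesses.
    """
    services = {}
    for line in nmap_output.splitlines():
        fields = line.split()
        if (len(fields) < 3 or fields[1] != "open"
                or not fields[0].endswith(("/tcp", "/udp"))):
            continue
        services.setdefault(fields[2], []).append(fields[0])
    return services


def write_hints(f, ip_address, services, outputdir):
    """Write one '[*] Found ...' entry plus copy/paste follow-up commands per open port.

    Nothing written here is executed by this script. Several suggestions
    are credential attacks (hydra, medusa, ncrack); run them only where the
    rules of engagement permit it.
    """
    ip = ip_address
    for serv, ports in sorted(services.items()):
        for portproto in ports:
            port, _, proto = portproto.partition("/")
            if "ftp" in serv:
                f.write("[*] Found FTP service on %s:%s\n" % (ip, port))
                f.write("    [>] Use nmap scripts for further enumeration or hydra for password attack, e.g\n")
                f.write("    [=] nmap -sV -Pn -vv -p%s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '%s/%s_ftp.nmap' -oX '%s/%s_ftp_nmap_scan_import.xml' %s\n" % (port, outputdir, ip, outputdir, ip, ip))
                f.write("    [=] hydra -L /usr/share/wordlists/webslayer/others/names.txt -P /usr/share/wordlists/webslayer/others/common_pass.txt -f -o %s/%s_ftphydra.txt -u %s -s %s ftp\n" % (outputdir, ip, ip, port))
            elif serv == "ssl/http" or "https" in serv:
                # Checked before plain http so an 'https' service uses https:// URLs.
                f.write("[*] Found HTTPS service on %s:%s\n" % (ip, port))
                f.write("    [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
                f.write("    [=] nikto -h %s -p %s -ssl > %s/%s_nikto.txt\n" % (ip, port, outputdir, ip))
                f.write("    [=] dirb https://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (ip, port, outputdir, ip))
                f.write("    [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u https://%s:%s/\n" % (outputdir, ip, ip, port))
            elif serv == "http" or serv.startswith("http-"):
                # http-alt / http-proxy on non-standard ports get the same hints.
                f.write("[*] Found HTTP service on %s:%s\n" % (ip, port))
                f.write("    [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
                f.write("    [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (ip, port, outputdir, ip))
                f.write("    [=] dirb http://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (ip, port, outputdir, ip))
                f.write("    [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, ip, ip, port))
            elif "mysql" in serv:
                f.write("[*] Found mysql service on %s:%s\n" % (ip, port))
                f.write("    [>] Check out the server for web applications with sqli vulnerabilities\n")
            elif "microsoft-ds" in serv:
                f.write("[*] Found MS SMB service on %s:%s\n" % (ip, port))
                f.write("    [>] Use nmap scripts or enum4linux for further enumeration, e.g\n")
                # The script glob must be quoted so the shell does not expand it.
                f.write("    [=] nmap -sV -Pn -vv -p%s --script=\"smb-*\" -oN '%s/%s_smb.nmap' -oX '%s/%s_smb_nmap_scan_import.xml' %s\n" % (port, outputdir, ip, outputdir, ip, ip))
                f.write("    [=] enum4linux %s\n" % ip)
            elif "ms-sql" in serv:
                f.write("[*] Found MS SQL service on %s:%s\n" % (ip, port))
                f.write("    [>] Use nmap scripts for further enumeration, e.g\n")
                f.write("    [=] nmap -vv -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=%s,mssql.username=sa,mssql.password=sa -oX %s/%s_mssql_nmap_scan_import.xml %s\n" % (port, port, outputdir, ip, ip))
            elif "msdrdp" in serv or "ms-wbt-server" in serv:
                f.write("[*] Found RDP service on %s:%s\n" % (ip, port))
                f.write("    [>] Use ncrack for password cracking, e.g\n")
                f.write("    [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://%s:%s\n" % (ip, port))
            elif "smtp" in serv:
                f.write("[*] Found SMTP service on %s:%s\n" % (ip, port))
                f.write("    [>] Use smtp-user-enum to find users, e.g\n")
                f.write("    [=] smtp-user-enum -M VRFY -U /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -t %s -p %s\n" % (ip, port))
            elif "snmp" in serv:
                # SNMP is normally UDP/161; the nmap hint needs -sU in that case.
                scan_type = "-sU " if proto == "udp" else ""
                f.write("[*] Found SNMP service on %s:%s/%s\n" % (ip, port, proto))
                f.write("    [>] Use nmap scripts, onesixtyone or snmpwalk for further enumeration, e.g\n")
                f.write("    [=] nmap -sV -Pn -vv %s-p%s --script=snmp-netstat,snmp-processes -oN '%s/%s_snmp.nmap' -oX '%s/%s_snmp_nmap_scan_import.xml' %s\n" % (scan_type, port, outputdir, ip, outputdir, ip, ip))
                f.write("    [=] onesixtyone %s\n" % ip)
                f.write("    [=] snmpwalk -c public -v1 %s > %s/%s_snmpwalk.txt\n" % (ip, outputdir, ip))
            elif "ssh" in serv:
                f.write("[*] Found SSH service on %s:%s\n" % (ip, port))
                f.write("    [>] Use medusa or hydra (unreliable) for password cracking, e.g\n")
                f.write("    [=] medusa -u root -P /root/rockyou.txt -e ns -h %s -n %s -M ssh\n" % (ip, port))
                f.write("    [=] hydra -f -V -t 1 -l root -P /root/rockyou.txt -s %s %s ssh\n" % (port, ip))


def nmapScan(ip_address, outputdir):
    """Scan one host and write outputdir/<ip>_findings.txt with follow-up hints.

    Runs the quick, full-TCP and top-200-UDP scans from nmap_commands(),
    merges the open ports of the TCP and UDP runs and writes the hints.
    Raises subprocess.CalledProcessError if an nmap run exits non-zero.
    """
    ip_address = ip_address.strip()
    outfile = os.path.join(outputdir, ip_address + "_findings.txt")
    quick, tcp, udp = nmap_commands(ip_address, outputdir)

    print("[+] Starting quick nmap scan for %s" % ip_address)
    subprocess.check_output(quick, universal_newlines=True)

    print("[+] Starting detailed TCP/UDP nmap scans for %s" % ip_address)
    tcp_output = subprocess.check_output(tcp, universal_newlines=True)
    udp_output = subprocess.check_output(udp, universal_newlines=True)

    services = parse_open_ports(tcp_output)
    for name, ports in parse_open_ports(udp_output).items():
        services.setdefault(name, []).extend(ports)

    with open(outfile, "w") as f:
        write_hints(f, ip_address, services, outputdir)
    print("[*] TCP/UDP Nmap scans completed for " + ip_address)


def _scan_job(job):
    """Pool worker: unpack (ip, nmapdir); report rather than propagate an nmap failure."""
    ip_address, nmapdir = job
    try:
        nmapScan(ip_address, nmapdir)
    except subprocess.CalledProcessError as err:
        print("[!] nmap failed for %s (exit %s)" % (ip_address, err.returncode))
        return False
    return True


def prepare_host_dirs(outdir, scanip):
    """Create outdir/<ip>/{nmap,exploit,loot}, touch proof.txt and 0-name; return the nmap dir."""
    hostdir = os.path.join(outdir, scanip)
    for sub in ("nmap", "exploit", "loot"):
        _ensure_dir(os.path.join(hostdir, sub))
    for marker in ("proof.txt", "0-name"):
        open(os.path.join(hostdir, marker), "a").close()
    return os.path.join(hostdir, "nmap")


def main():
    """Read TARGETS, build the per-host directory tree and scan hosts in parallel."""
    print("\n")
    print("############################################################")
    print("####              NETWORK RECONNAISSANCE                ####")
    print("############################################################")
    print("\n")

    outdir = OUTDIR or "./mix-recon-OUTPUT"
    _ensure_dir(outdir)

    jobs = []
    with open(TARGETS, "r") as f:
        for raw in f:
            scanip = raw.strip()
            if not is_ip_literal(scanip):
                print("[!] Skipping malformed target line: %r" % raw.rstrip("\n"))
                continue
            print("[+] Creating directory structure for " + scanip)
            jobs.append((scanip, prepare_host_dirs(outdir, scanip)))

    if not jobs:
        print("[!] No targets found in %s" % TARGETS)
        return

    # Bounded parallelism: every job runs a full -p- TCP scan plus a UDP scan.
    pool = multiprocessing.Pool(min(MAX_PARALLEL, len(jobs)))
    try:
        results = pool.map(_scan_job, jobs)
    finally:
        pool.close()
        pool.join()
    print("[*] %d of %d hosts scanned" % (sum(results), len(jobs)))


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# mix-recon
Reconnaissance scripts for penetration testing. See 0-mix-recon-README.txt
for the run order; only scan hosts you are authorised to test.
--------------------------------------------------------------------------------
/UNLICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.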
For more information, please refer to <https://unlicense.org/>
--------------------------------------------------------------------------------