├── DNS_lookup.sh
├── README.md
├── SMTP_VRFY.sh
├── dns_zone_transfer.sh
├── forward_DNS.sh
├── list.txt
├── nmap_spam.sh
├── ping_sweep.sh
├── reverse_DNS.sh
└── vrfy.py

/DNS_lookup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Mass reverse lookup: print each IP from the input file with its PTR name (blank if none).

if [ -z "$1" ] || [ ! -r "$1" ]; then
  echo ""
  echo "[*] Please enter a valid file"
  echo ""
  exit 1
fi

echo ""
echo "[*] These addresses were found based on $1"
echo ""

for IP in $(cat "$1"); do
  # "host <ip>" prints "<arpa-name> domain name pointer <name>."; field 5 is the name
  info=$(host "$IP" | grep "domain name" | cut -d " " -f5)
  echo "$IP  $info"
done
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# PenTools
This is a bundle of Python and bash penetration testing tools for recon and information gathering. Tools included:

- Mass DNS lookup
- Mass reverse DNS lookup
- DNS enumerator
- SMTP username verification
- Ping sweeper
- DNS zone transfer information gatherer
- more to come!


## DNS_lookup.sh
This tool gets the DNS names for a list of IP addresses.
#### Usage
Run the script with a file that contains IP addresses as the argument.
`./DNS_lookup.sh IPs.txt`
It will output each IP address with its DNS name next to it. IPs that do not have DNS names will have a blank space next to them.

Sample output:
```
[*] These addresses were found based on IPs.txt

8.8.8.8 google-public-dns-a.google.com.
192.168.1.2
4.4.4.4 alu7750testscr.xyz1.gblx.mgmt.Level3.net.
192.168.1.1
```
## SMTP_VRFY.sh
This script verifies usernames against an SMTP server using the VRFY command. Please note that the success of this script depends heavily on the configuration of the SMTP server. Some servers are configured to give positive or negative verification for all usernames. The script only counts a reply starting with 250 as a hit, so a server that answers 252 (cannot VRFY, will accept mail anyway) or 502 (VRFY disabled) for everything produces no output at all; try an obviously bogus username first to see how the server behaves.

#### Usage
To use the username verifier, run the script with the IP address of the SMTP server as the first argument and a text file containing a list of usernames as the second argument.

`./SMTP_VRFY.sh 192.168.1.1 users.txt`

This should output only the usernames that were verified.

Sample output:
```
root
admin
bob
alice
```
### vrfy.py

This is a Python port of `SMTP_VRFY.sh`. Usage is the same; in addition to the verified usernames it prints the server banner and the raw reply for every username, and saves the replies to `user_results.txt`.



## dns_zone_transfer.sh

This script finds the NS servers for a domain and checks whether a zone transfer (AXFR) is possible from each of them. If it is, it returns all A records found during the zone transfer.

#### Usage

Call the script with a domain as the argument.

`./dns_zone_transfer.sh megacorpone.com`

Sample output:
```
[*] The following addresses were found

admin.megacorpone.com 38.100.193.83
beta.megacorpone.com 38.100.193.69
fs1.megacorpone.com 38.100.193.82
intranet.megacorpone.com 38.100.193.81
mail.megacorpone.com 38.100.193.84
mail2.megacorpone.com 38.100.193.73
ns1.megacorpone.com 38.100.193.70
ns2.megacorpone.com 38.100.193.80
ns3.megacorpone.com 38.100.193.90
router.megacorpone.com 38.100.193.91
siem.megacorpone.com 38.100.193.89
snmp.megacorpone.com 38.100.193.85
syslog.megacorpone.com 38.100.193.66
test.megacorpone.com 38.100.193.67
vpn.megacorpone.com 38.100.193.77
www.megacorpone.com 38.100.193.76
www2.megacorpone.com 38.100.193.79
```
## forward_DNS.sh

This script enumerates the names in `list.txt` under a domain and prints the ones that resolve, with their IPs. `list.txt` must contain common hostname prefixes used by companies.

\* A starter `list.txt` is included

#### Usage
Call the script with a domain as the argument.

`./forward_DNS.sh megacorpone.com`

Sample output:
```
[*] These addresses were found based on list.txt

www.megacorpone.com 38.100.193.76
mail.megacorpone.com 38.100.193.84
admin.megacorpone.com 38.100.193.83
router.megacorpone.com 38.100.193.91
www2.megacorpone.com 38.100.193.79
```

## nmap_spam.sh
This script takes nmapping /24s to a new level. It takes a base IP and backgrounds one nmap scan per host to increase the speed of scanning. Please note that this is a stupidly aggressive script and it will most likely render your internet connection unusable until it is complete. It uses SYN scans (`-sS`), which need raw sockets, so run it as root.

\* Needs output to be cleaned up.

#### Usage
Call the script with an IP base as the argument.

`./nmap_spam.sh 192.168.2`

Sample output:
```
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds
Nmap scan report for 192.168.2.112
Host is up (0.042s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
49155/tcp open unknown
MAC Address: 00:50:56:AF:6A:D8

Nmap done: 1 IP address (1 host up) scanned in 8.46 seconds
Nmap scan report for 192.168.2.115
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:50:56:AF:06:1D

...
```


## ping_sweep.sh
Simple ping sweeper script. It pings all IPs on a /24 in parallel and lists the ones that answer.

#### Usage
Call the script with an IP base as the argument.

`./ping_sweep.sh 192.168.2`

Sample output:
```
[*] Listing live IPs

192.168.2.7
192.168.2.23
192.168.2.43
192.168.2.50
192.168.2.56
192.168.2.64
192.168.2.215
192.168.2.224
```
## reverse_DNS.sh
This script does a reverse lookup for every IP in a range and prints the ones whose DNS name belongs to the given domain.

#### Usage
Call the script with the arguments IP base, domain, range start, and range end.

`./reverse_DNS.sh 38.100.193 megacorpone.com 72 91`

Sample output:

```
[*] Listing found addresses

72.193.100.38.in-addr.arpa admin.megacorpone.com.
73.193.100.38.in-addr.arpa mail2.megacorpone.com.
76.193.100.38.in-addr.arpa www.megacorpone.com.
77.193.100.38.in-addr.arpa vpn.megacorpone.com.
80.193.100.38.in-addr.arpa ns2.megacorpone.com.
84.193.100.38.in-addr.arpa mail.megacorpone.com.
85.193.100.38.in-addr.arpa snmp.megacorpone.com.
89.193.100.38.in-addr.arpa siem.megacorpone.com.
90.193.100.38.in-addr.arpa ns3.megacorpone.com.
91.193.100.38.in-addr.arpa router.megacorpone.com.
```
### Version
0.3.1

## TO DO

* Fix and clean up nmap_spammer
* Create grepable output for nmap


License
----

MIT

--------------------------------------------------------------------------------

/SMTP_VRFY.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Send VRFY for each username in a file; print the ones the server confirms with a 250 reply.

if [ -z "$2" ]; then
  echo ""
  echo "[*] Usage: $0 <smtp server IP> <username file>"
  echo ""
  exit 1
fi

for user in $(cat "$2"); do
  # Only a 250 reply counts as verified. 252 ("cannot VRFY, will accept mail") and
  # 550 ("no such user") are ignored, so a server that never answers 250 prints nothing.
  if echo "VRFY $user" | nc -nv -w 1 "$1" 25 2>/dev/null | grep -q "^250"; then
    echo "$user"
  fi
done
--------------------------------------------------------------------------------

/dns_zone_transfer.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Find the domain's name servers and attempt a zone transfer (AXFR) against each one.

if [ -z "$1" ]; then
  echo ""
  echo "[*] Please enter a valid domain"
  echo ""
  exit 1
fi

echo ""
echo "[*] The following addresses were found"
echo ""

# "host -t ns example.com" prints "example.com name server ns1.example.com."; field 4 is the server
for server in $(host -t ns "$1" | cut -d " " -f4); do
  # "host -l" requests the zone; keep only "<name> has address <ip>" lines
  host -l "$1" "$server" | grep "has address" | cut -d " " -f1,4
done
--------------------------------------------------------------------------------

/forward_DNS.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Try every prefix in list.txt as a hostname under the given domain and print the ones that resolve.

if [ -z "$1" ]; then
  echo ""
  echo "[*] Please enter a valid domain"
  echo ""
  exit 1
fi

echo ""
echo "[*] These addresses were found based on list.txt"
echo ""

# list.txt lives next to the script, so this works from any working directory
for name in $(cat "$(dirname "$0")/list.txt"); do
  host "$name.$1" | grep "has address" | cut -d " " -f1,4 | sort -u
done
--------------------------------------------------------------------------------

/list.txt:
--------------------------------------------------------------------------------
www
ftp
mail
admin
router
www2
firewall
mx
pop3
smtp
root
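dns_zone_transfer.sh, forward_DNS.sh and reverse_DNS.sh each post-process host(1) output with grep and cut, and each prints nothing when a transfer is refused or a name does not exist, which looks the same as "no records". The bash function below is an added example, not part of PenTools: it normalizes the three host(1) output shapes those scripts depend on ("has address", "has IPv6 address" and "domain name pointer") into "name address" lines, turns the in-addr.arpa name from a reverse lookup back into the dotted IP, and reports a refused zone transfer explicitly with a non-zero exit status. The transcripts it runs on are constructed samples in host(1)'s output format (the megacorpone.com names and IPv4 addresses mirror the README, the IPv6 address is made up), so it runs offline.

```bash
#!/bin/bash
# Added example, not PenTools code: one normalizer for the host(1) output that
# dns_zone_transfer.sh, forward_DNS.sh and reverse_DNS.sh each parse separately.

# Reads host(1) output on stdin and prints one "<name> <address>" line per A, AAAA
# or PTR record. PTR lines ("<d>.<c>.<b>.<a>.in-addr.arpa domain name pointer <name>.")
# are rewritten as "<name> <a>.<b>.<c>.<d>". A refused AXFR ("; Transfer failed.")
# is reported on stdout and makes the function return 1; other lines (NXDOMAIN,
# "Using domain server:" headers, NS records) are ignored, as the scripts do.
normalize_host_output() {
  local status=0 line
  while IFS= read -r line; do
    case "$line" in
      *" has address "*|*" has IPv6 address "*)
        # "<name> has address <ip>": first and last word
        printf '%s %s\n' "${line%% *}" "${line##* }"
        ;;
      *" domain name pointer "*)
        local arpa=${line%% *} target=${line##* } rev ip
        rev=${arpa%.in-addr.arpa}                      # "83.193.100.38"
        ip=$(printf '%s' "$rev" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
        printf '%s %s\n' "${target%.}" "$ip"           # strip the trailing dot from the name
        ;;
      *"Transfer failed"*)
        echo "[!] transfer refused"
        status=1
        ;;
    esac
  done
  return $status
}

# Constructed sample transcripts in host(1)'s format (not captured from real servers).
SAMPLE_AXFR='Using domain server:
Name: ns1.megacorpone.com
Address: 38.100.193.70#53
Aliases:

megacorpone.com name server ns1.megacorpone.com.
admin.megacorpone.com has address 38.100.193.83
www.megacorpone.com has address 38.100.193.76
www.megacorpone.com has IPv6 address 2001:db8::76'

SAMPLE_REFUSED='; Transfer failed.'

SAMPLE_PTR='83.193.100.38.in-addr.arpa domain name pointer admin.megacorpone.com.
Host 84.193.100.38.in-addr.arpa not found: 3(NXDOMAIN)'

# Live use would be, e.g.:  host -l megacorpone.com ns1.megacorpone.com | normalize_host_output
demo() {
  printf '%s\n' "$SAMPLE_AXFR" | normalize_host_output
  printf '%s\n' "$SAMPLE_PTR" | normalize_host_output
  printf '%s\n' "$SAMPLE_REFUSED" | normalize_host_output || echo "(exit status $?)"
}
```

The function keeps the scripts' convention of one record per output line, so its output can be fed straight into the same sort/grep pipelines; the only behavioural difference is that a refused transfer is now visible instead of producing an empty listing.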
--------------------------------------------------------------------------------

/nmap_spam.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Launch one background nmap SYN scan per host in a /24, then collect the per-host output files.
# -sS needs raw sockets, so run as root. Extremely noisy; see the README.

if [ -z "$1" ]; then
  echo ""
  echo "[*] Please enter a base ip"
  echo ""
  exit 1
fi
echo ""
echo "[*] Scan Results"
echo ""

# Per-host normal-format output goes here; nmap also prints to stdout, so the
# terminal shows the interleaved results the README's sample output comes from
mkdir -p Nmap

for ip in $(seq 0 254); do
  nmap -sS "$1.$ip" -oN "Nmap/output$ip.txt" &
done

# Wait for every background scan to finish before collecting the output files
wait

for ip in $(seq 0 254); do
  cat "Nmap/output$ip.txt" >> output.txt
  rm "Nmap/output$ip.txt"
done
--------------------------------------------------------------------------------

/ping_sweep.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Ping every host in a /24 in parallel and list the ones that answer.

if [ -z "$1" ]; then
  echo ""
  echo "[*] Please enter a valid base IP"
  echo ""
  exit 1
fi

echo ""
echo "[*] Listing live IPs"
echo ""

for ip in $(seq 0 254); do
  # "64 bytes from 192.168.2.7: icmp_seq=1 ..." -> field 4 is "192.168.2.7:"; drop the colon
  ping -c 1 "$1.$ip" | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 >> sweep.txt &
done

# Wait for all background pings; without this the file is read before most replies arrive
wait

# Print from the text file, sorted by last octet, for clean output
sort -t . -k 4,4n sweep.txt
rm sweep.txt
--------------------------------------------------------------------------------

/reverse_DNS.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Reverse-resolve every IP in <base>.<start>..<base>.<end> and keep the PTR names that mention the domain.

if [ -z "$4" ]; then
  echo ""
  echo "[*] Please enter a valid input"
  echo "[*] Correct format: 'IP base' 'Domain' 'Range Start' 'Range End'"
  echo "[*] Example: 127.0.0 google 1 255"
  echo ""
  exit 1
fi

echo ""
echo "[*] Listing found addresses"
echo ""

for ip in $(seq "$3" "$4"); do
  # "host <ip>" prints "<reversed>.in-addr.arpa domain name pointer <name>."; keep fields 1 and 5
  host "$1.$ip" | grep "$2" | cut -d " " -f1,5
done
--------------------------------------------------------------------------------

/vrfy.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Python port of SMTP_VRFY.sh: send VRFY for each username in a file and record the raw replies.

import socket
import sys

if len(sys.argv) != 3:
    print("[*] Usage: vrfy.py <smtp server IP> <username file>")
    sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 25))  # connect to the SMTP port
banner = s.recv(1024)
print(banner.decode(errors="replace"), end="")  # print the server banner

# Read the input file and open the results file for writing
with open(sys.argv[2]) as f1, open("user_results.txt", "w") as f2:
    for ln in f1:
        user = ln.strip()  # drop the newline so the command is exactly "VRFY <user>\r\n"
        if not user:
            continue
        s.sendall(("VRFY " + user + "\r\n").encode())
        result = s.recv(1024).decode(errors="replace")
        f2.write(result)  # save the raw reply for every username
        print(result, end="")

s.close()

--------------------------------------------------------------------------------
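The README notes that VRFY results depend on server configuration, and SMTP_VRFY.sh and vrfy.py both treat only a reply beginning with 250 as a hit. The bash functions below are an added example, not PenTools code: they classify a VRFY reply by its RFC 5321 code rather than by the single string "250", and run a canary lookup of a name that cannot exist before trusting any 250, since a server that "verifies" the canary confirms every name and a 502 means VRFY is disabled. The server side of the exchange is simulated by send_vrfy(), which returns constructed reply lines for three hypothetical server profiles (honest, accept-all, disabled); in a live run that function would be the nc exchange SMTP_VRFY.sh performs.

```bash
#!/bin/bash
# Added example, not PenTools code: interpret SMTP VRFY replies and detect servers
# whose answers carry no information. No network is used; send_vrfy() stands in for
# the server and returns constructed reply lines in the shape real servers send.

# Map one VRFY reply line to a verdict by its RFC 5321 reply code:
#   250         -> verified   (server confirmed the mailbox)
#   251 / 252   -> ambiguous  (server will accept mail but does not confirm the user)
#   550/551/553 -> unknown    (no such user / not local / not allowed)
#   500 / 502   -> disabled   (VRFY not supported or turned off)
classify_vrfy_reply() {
  case "$1" in
    250*)           echo verified ;;
    251*|252*)      echo ambiguous ;;
    550*|551*|553*) echo unknown ;;
    500*|502*)      echo disabled ;;
    *)              echo error ;;
  esac
}

# Simulated server (constructed replies; hypothetical host mail.example.test).
# Profiles: "honest" knows root and bob, "accept-all" says 250 to everyone,
# "disabled" refuses VRFY. A live version would be:
#   echo "VRFY $2" | nc -nv -w 1 "$SERVER" 25 2>/dev/null | grep -v '^220'
send_vrfy() {  # send_vrfy <profile> <user>
  case "$1:$2" in
    honest:root|honest:bob) echo "250 2.1.5 $2 <$2@mail.example.test>" ;;
    honest:*)               echo "550 5.1.1 $2... User unknown" ;;
    accept-all:*)           echo "250 2.1.5 $2 <$2@mail.example.test>" ;;
    disabled:*)             echo "502 5.5.1 VRFY command is disabled" ;;
  esac
}

# Canary: VRFY a name that cannot exist. "verified" here means every 250 from
# this server is meaningless; "disabled" means there is nothing to enumerate.
vrfy_canary() {  # vrfy_canary <profile>
  classify_vrfy_reply "$(send_vrfy "$1" "zz-no-such-user-$$")"
}

# Full run: prints the verified users one per line (exit 0), or a warning and
# exit 2 when the canary shows the server's answers cannot be trusted.
vrfy_users() {  # vrfy_users <profile> <user>...
  local profile=$1 canary u
  shift
  canary=$(vrfy_canary "$profile")
  case "$canary" in
    verified) echo "[!] server verifies every name; results are not meaningful"; return 2 ;;
    disabled) echo "[!] VRFY is disabled on this server"; return 2 ;;
  esac
  for u in "$@"; do
    [ "$(classify_vrfy_reply "$(send_vrfy "$profile" "$u")")" = verified ] && echo "$u"
  done
  return 0
}

# Example run against the constructed "honest" profile with the README's user list
demo() {
  vrfy_users honest root admin bob alice
}
```

Against the honest profile the run prints `root` and `bob`; against accept-all or disabled it prints the warning and exits 2 rather than a full or empty user list that would be misread as a result.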