├── .vscode
│   └── settings.json
├── LICENSE
├── README.md
└── zsh-pentest.plugin.zsh

/.vscode/settings.json:
--------------------------------------------------------------------------------
{
    "workbench.colorCustomizations": {
        "activityBar.activeBackground": "#95a8b2",
        "activityBar.activeBorder": "#f2edf0",
        "activityBar.background": "#95a8b2",
        "activityBar.foreground": "#15202b",
        "activityBar.inactiveForeground": "#15202b99",
        "activityBarBadge.background": "#f2edf0",
        "activityBarBadge.foreground": "#15202b",
        "statusBar.background": "#78909c",
        "statusBar.border": "#78909c",
        "statusBar.foreground": "#15202b",
        "statusBarItem.hoverBackground": "#5f7682",
        "titleBar.activeBackground": "#78909c",
        "titleBar.activeForeground": "#15202b",
        "titleBar.border": "#78909c",
        "titleBar.inactiveBackground": "#78909c99",
        "titleBar.inactiveForeground": "#15202b99"
    },
    "peacock.color": "#78909c"
}
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Jason Wohlgemuth

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
oh-my-zsh pentest plugin
========================
> [Aliases](#aliases) and [functions](#functions) for the lazy penetration tester

Installation
------------

```bash
git clone https://github.com/jhwohlgemuth/zsh-pentest.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-pentest
```

Usage
-----

- Add `zsh-pentest` to the plugins array in your `.zshrc` file:

```bash
plugins=(... zsh-pentest)
```

- Open a new terminal or execute `source ~/.zshrc`

> **Tip**: For epic synergy and awesome productivity, use the [zsh-handy-helpers](https://github.com/jhwohlgemuth/zsh-handy-helpers) plugin too!

```bash
plugins=(... zsh-pentest zsh-handy-helpers)
```

Aliases
-------
> ***Hint:*** The [nmap oh-my-zsh plugin](https://github.com/ohmyzsh/ohmyzsh/tree/master/plugins/nmap) has several great aliases for `nmap`

| Alias | Command |
| :--- | :--- |
| me | `echo $(ifconfig eth0 \| grep "inet " \| cut -b 9- \| cut -d" " -f2)` |
| cme | `crackmapexec` |
| e4l | `enum4linux -a` |
| h2t | `html2text -style pretty` |
| oso | `onesixtyone` |

Functions
---------

| Name | Command | Tested |
| :--- | :--- | :--- |
| `create_scan_directory` | Create directory for saving results | yes |
| `enum_snmp` **$IP** [**WORDLIST**] [**NETWORK**] | Create host list and scan **IP** with **WORDLIST** | yes |
| `enum_web` **$IP** [**PORT**] [**WORDLIST**] | Enumerate **IP** with `whatweb` and `nikto` | yes |
| `flush_iptables` | You guessed it...this flushes `iptables` | yes |
| `focus` [**IP**] [**PORT**] | Set RHOST=IP and RPORT=PORT | yes |
| `get_gateway` | Get router IP address | yes |
| `get_hosts` [**PORT**] | Get list of host IP addresses found via `nmap` | yes |
| `get_hostnames` **$IP** | Get list of host names using `nmap` and the **IP** of a known DNS server | yes |
| `htm` [**IP**] | Download **IP** and print with `html2text` | yes |
| `monitor_traffic` [**$IP**] | Monitor bytes over the line with `iptables` | yes |
| `scan_tcp` **$IP** | Scan **IP** with ~~`onetwopunch`~~ [`masscan`](https://github.com/robertdavidgraham/masscan) | yes |
| `serve` [**PORT**] | Start Python server in current directory on **PORT** [default: 80] | yes |
| `sort_ips` **ADDRESSES** | Sort list of IP addresses | yes |

Example Usage
-------------

This plugin pairs well with the [zsh-handy-helpers](https://github.com/jhwohlgemuth/zsh-handy-helpers) plugin `iter` function:
```bash
# Scan all SMB servers for vulnerabilities with nmap scripts
scan() { nmap "$1" --script "smb-vuln-*"; }
get_hosts 139 | iter scan
```
--------------------------------------------------------------------------------

/zsh-pentest.plugin.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh
#
# Aliases
#
alias me='echo $(ifconfig eth0 | grep "inet " | cut -b 9- | cut -d" " -f2)'
alias e4l="enum4linux -a"
alias h2t="html2text -style pretty"
alias oso=onesixtyone
alias cme=crackmapexec
#
# Functions
#
# Create (and print the path of) a per-scan results directory under ~/.scans.
# The directory name defaults to a timestamp when no name is given.
create_scan_directory() {
    NAME=${1:-$(date +%Y%m%d-%T)}
    SCAN_DIRECTORY=$HOME/.scans/$NAME
    mkdir -p "$SCAN_DIRECTORY"
    echo "$SCAN_DIRECTORY"
}
# Build a host list for NETWORK with get_hosts, then run onesixtyone over it
# with the community-string WORDLIST (defaults to the SecLists file).
enum_snmp() {
    STRINGS="/usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt"
    # Fixed: the default was the literal word STRINGS rather than its value.
    WORDLIST=${2:-$STRINGS}
    NETWORK=${3:-"10.11.1.0"}
    HOSTS=$(mktemp --suffix "-$0-hosts-$(date +%Y%m%d)")
    get_hosts "none" "$NETWORK" > "$HOSTS"
    # Fixed: use the wordlist the caller chose, not the hard-coded default.
    onesixtyone -i "$HOSTS" -c "$WORDLIST"
}
# Fingerprint IP:PORT with whatweb, brute-force paths with gobuster and run nikto;
# all output lands in the scan directory for this IP.
enum_web() {
    IP=${1:-$RHOST}
    PORT=${2:-80}
    # /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
    WORDLIST=${3:-"/usr/share/seclists/Discovery/Web-Content/common.txt"}
    SAVEPATH=$(create_scan_directory "$IP")
    GOBUSTER_OUTPUT="$SAVEPATH"/results_gobuster_$PORT
    NIKTO_OUTPUT="$SAVEPATH"/results_nikto_$PORT
    touch "$GOBUSTER_OUTPUT" "$NIKTO_OUTPUT"
    cd "$SAVEPATH" && whatweb -a 3 "$IP"
    # Fixed: -o and --output are the same flag; it was passed twice with different paths.
    gobuster dir -w "$WORDLIST" -u http://"$IP":"$PORT" -o "$GOBUSTER_OUTPUT"
    nikto -host "$IP" -port "$PORT" -output "$NIKTO_OUTPUT" -Format txt
}
# Print the current rules, flush every table and chain, reset the default
# policies to ACCEPT, then print the (now empty) rules again.
flush_iptables() {
    echo ""
    echo ">>> Before flush <<<"
    echo ""
    iptables -L
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    echo ""
    echo ""
    echo ">>> After flush <<<"
    echo ""
    iptables -L
    echo ""
}
# Set RHOST / RPORT (used as defaults by the other functions) and show them.
focus() {
    IP=${1:-"EMPTY"}
    PORT=${2:-"EMPTY"}
    [[ "$IP" != "EMPTY" ]] && RHOST="$IP"
    [[ "$PORT" != "EMPTY" ]] && RPORT="$PORT"
    echo -e "\$RHOST: ${RHOST:-"NOT SET"}\n\$RPORT: ${RPORT:-"NOT SET"}\n"
}
# Print the gateway address of INTERFACE (default tap0) from the routing table.
get_gateway() {
    INTERFACE=${1:-tap0}
    ip route | grep via | grep "$INTERFACE" | cut -d" " -f3
}
# List hosts in NETWORK/24 that are up (PORT "none") or have PORT open.
# PATTERN keeps only "Nmap scan report for" lines in the /24 being scanned.
get_hosts() {
    PORT=${1:-"none"}
    NETWORK=${2:-"10.11.1.0"}
    PATTERN="Nmap scan report for ${NETWORK:0:-1}"
    get_ip() {
        cut -d" " -f5 $1
    }
    if [[ $PORT == "none" ]]; then
        nmap "$NETWORK"/24 -sn | grep "$PATTERN" | get_ip
    else
        nmap "$NETWORK"/24 -p "$PORT" --open | grep "$PATTERN" | get_ip
    fi
}
# Ping-sweep NETWORK/24 resolving names through the given DNS server and
# print the "name (ip)" part of each report line.
get_hostnames() {
    DNS=$1
    NETWORK=${2:-"10.11.1.0"}
    PATTERN="Nmap scan report for "
    get_ip() {
        cut -d" " -f5- $1
    }
    if [[ ${#1} -gt 0 ]]; then
        nmap "$NETWORK"/24 --dns-server "$DNS" -sn | grep "$PATTERN" | get_ip
    else
        echo "DNS server address required"
    fi
}
# Fetch IP (default RHOST) on RPORT (default 80) and render it as text.
# Fixed: ${80:-$RPORT} expanded positional parameter 80, never the port 80 default.
htm() { curl -s "${1:-$RHOST}:${RPORT:-80}" | html2text -style pretty; }
# Insert ACCEPT rules for IP at the top of INPUT/OUTPUT and zero the counters;
# read the byte counts later with `iptables -L -v -n`.
monitor_traffic() {
    IP=${1:-$RHOST}
    iptables -I INPUT 1 -s "$IP" -j ACCEPT
    iptables -I OUTPUT 1 -d "$IP" -j ACCEPT
    iptables -Z
}
# Full TCP port sweep of IP with masscan, results in the scan directory.
scan_tcp() {
    IP=${1:-$RHOST}
    INTERFACE=${2:-"tap0"}
    SAVEPATH=$(create_scan_directory "$IP")
    run() {
        masscan "$1" -e "$INTERFACE" --router-ip "$(get_gateway "$INTERFACE")" -p 0-65535 --rate 500 -oL "$SAVEPATH"/ports
    }
    run "$IP"
}
# UDP scan of IP with nmap, XML results in the scan directory.
scan_udp() {
    IP=${1:-$RHOST}
    SAVEPATH=$(create_scan_directory "$IP")
    run() {
        nmap -sU -T4 --open --max-retries 1 "$1" -oX "$SAVEPATH"/ports-udp.xml
    }
    run "$IP"
}
# Serve DIR (default: current directory) over HTTP on PORT (default 80).
serve() {
    PORT=${1:-80}
    DIR=${2:-$(pwd)}
    echo "Serving files from $DIR"
    if type python3 >/dev/null 2>&1; then
        python3 -m http.server "$PORT"
    else
        python -m SimpleHTTPServer "$PORT"
    fi
}
# Numerically sort a file of IPv4 addresses, one per line.
# Fixed: only the third and fourth octets were sort keys, so addresses from
# different /16 networks could interleave.
sort_ips() {
    IPS=$1
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n "$IPS"
}
--------------------------------------------------------------------------------
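The `get_hosts` and `get_hostnames` helpers above pull addresses out of nmap's "Nmap scan report for" lines with `cut -f5`, which returns the hostname rather than the IP whenever reverse DNS resolves a host. The following is an added example (not part of the zsh-pentest plugin) that parses both line shapes, sorts on all four octets like the corrected `sort_ips`, and runs over a constructed, offline nmap `-sn` transcript.

```shell
#!/usr/bin/env bash
# Added example, not from zsh-pentest: extract IPs from nmap ping-sweep output.
# Handles "Nmap scan report for 10.11.1.10" and
# "Nmap scan report for gateway.lab (10.11.1.1)" (reverse DNS resolved).

# Constructed sample of `nmap -sn` output; not the result of a real scan.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.11.1.10
Host is up (0.0010s latency).
Nmap scan report for gateway.lab (10.11.1.1)
Host is up (0.0020s latency).
Nmap scan report for 10.11.1.2
Host is up (0.0015s latency).
Nmap scan report for files.lab (10.11.1.100)
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.50 seconds'

# Print the IP from each "Nmap scan report for" line on stdin. The IP is
# always the last field; when a hostname is present it is wrapped in parens.
extract_ips() {
    awk '/^Nmap scan report for / {
        ip = $NF
        gsub(/[()]/, "", ip)
        print ip
    }'
}

# Sort IPv4 addresses numerically on all four octets (the plugin's original
# sort_ips only keyed on the third and fourth).
sort_ipv4() {
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Sorted, space-separated host list from the sample transcript.
hosts_from_nmap() {
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_ips | sort_ipv4 \
        | tr '\n' ' ' | sed 's/ $//'
}

hosts_from_nmap
```

Pipe real `nmap -sn` output into `extract_ips | sort_ipv4` to get the same sorted list the plugin's `get_hosts` is meant to produce.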